Researchers from Carnegie Mellon University identified this flaw as CVE-2025-12120, affecting Lite XL versions 2.1.8 and earlier. The issue lies in how the editor handles project configuration files.

How the Vulnerability Works

When a user opens a project folder, Lite XL automatically runs the .lite_project.lua file inside that directory — without asking for any confirmation.

This file is designed to store project-specific settings, but it can also contain executable Lua code. Because there’s no verification step before execution, an attacker can embed malicious Lua code inside this file.

If a user opens a malicious project directory, the code executes instantly with the same privileges as the Lite XL application.

Impact and Risk

Attackers can share infected project folders through GitHub, file-sharing services, or other developer platforms. Once opened in Lite XL, the malicious file runs silently, allowing attackers to:

• Steal sensitive data
• Modify or delete files
• Install malware
• Further compromise the system

This makes the vulnerability especially dangerous, as many developers trust files from familiar sources or repositories without closely checking them.

The level of impact depends on the user’s permissions — if Lite XL runs with elevated privileges, the attacker gains the same access.

Affected Versions

How to Stay Safe

• Update Lite XL to the latest version as soon as a patch becomes available.
• Avoid opening untrusted project directories in Lite XL.
• Check the .lite_project.lua file for suspicious code before using projects from unknown or public sources.
• Developers recommend that Lite XL should include a confirmation prompt before running project files or disable automatic execution completely.

This vulnerability highlights the importance of understanding how configuration files work — especially when they can execute code.

The post Lite XL Text Editor Vulnerability Allows Remote Code Execution appeared first on First Hackers News.

The issue was reported by security researcher Matei “Mal” Badanoiu from Deloitte, and F5 has now released patches to fix the problem.

The vulnerability stems from improper input handling in an internal iControl REST endpoint and the TMOS Shell (tmsh), which lets attackers execute bash commands if they have admin access.

Exploiting this flaw lets attackers create or delete files and run system commands through the BIG-IP management port or self IPs. While this affects the control plane, F5 confirmed there’s no impact on the data plane.

Who’s Affected and How Severe Is It?

This flaw affects BIG-IP systems in Appliance mode, including those licensed for it or running on vCMP guest instances. It carries a high severity score—8.7 under CVSS v3.1.

F5 tracked the issue under internal IDs 1778741, 1702565, and 15832011.

Other F5 products are not affected, including:

• BIG-IP Next
• BIG-IQ Centralized Management
• F5 Distributed Cloud
• F5OS
• NGINX

Recommended Mitigation Steps

F5 has released updates to fix the vulnerability in BIG-IP:

• 17.x branch: update to 17.1.2.2
• 16.x branch: update to 16.1.6
• 15.x branch: update to 15.1.10.7

Admins are strongly encouraged to upgrade as soon as possible.

If you can’t update right away, F5 recommends temporary workarounds:

• Limit admin access to trusted users only, since the attack requires authentication.
• Block iControl REST access from self IPs by setting Port Lockdown to “Allow None.”
• Restrict SSH access using similar network rules.
• Use firewalls or packet filters to limit access to the management interface.

F5 provides full guidance in support articles K46122561 and K693540491.

Note: Some of these steps may affect high availability (HA) setups, so review carefully before applying changes.

The post Critical Command Injection Flaw Found in F5 BIG-IP Systems (CVE-2025-31644) appeared first on First Hackers News.

Wazuh SIEM vulnerability

It allows attackers with API access to remotely execute arbitrary Python code, potentially compromising the system. The issue arises from unsafe deserialization of Distributed API (DAPI) parameters used for communication between Wazuh components, according to CVE reports.

The table below shows key details about the CVE-2025-24016 vulnerability and the affected Wazuh products:

The vulnerability is found in the as_wazuh_object function within the framework/wazuh/core/cluster/common.py file. This function deserializes JSON data from the Distributed API. The code snippet before the patch is shown below:

def as_wazuh_object(dct: Dict):
try:
if ‘wazuh_datetime‘ in dct:
return datetime.datetime.fromisoformat(dct[‘wazuh_datetime‘])
elif ‘unhandled_exc‘ in dct:
exc_data = dct[‘unhandled_exc‘]
return eval(exc_data[‘class‘])(*exc_data[‘args‘])
return dct
except (KeyError, AttributeError):
return dct

This code uses the eval function to run arbitrary Python code from the class and args fields, making it highly exploitable.

Impact and Exploitation

An attacker can exploit this vulnerability by sending a malicious JSON payload to the Wazuh server via the API. The payload must include the unhandled_exc key, along with class and args values to specify the code to execute. For example:

When processed by the as_wazuh_object function, the payload executes the command os.system("touch /tmp/pwned"), creating a /tmp/pwned file on the Wazuh server.

{
“unhandled_exc“: {
“class“: “os.system”,
“args“: [“touch /tmp/pwned”]
}
}

Mitigation

The vulnerability was fixed in Wazuh version 4.9.1 by replacing the unsafe eval function with ast.literal_eval, which safely evaluates a string containing a Python literal to prevent arbitrary code execution. Here’s the updated code snippet:

def as_wazuh_object(dct: Dict):
try:
if ‘wazuh_datetime‘ in dct:
return datetime.datetime.fromisoformat(dct[‘wazuh_datetime‘])
elif ‘unhandled_exc‘ in dct:
exc_data = dct[‘unhandled_exc‘]
exc_dict = {exc_data[‘class‘]: exc_data[‘args‘]}
return ast.literal_eval(json.dumps(exc_dict))
return dct
except (KeyError, AttributeError):
return dct

To reduce the risk of CVE-2025-24016, organizations should take the following actions:

• Upgrade to Wazuh version 4.9.1 or later.
• Restrict API access to authorized users and systems.
• Implement strong authentication, such as multi-factor authentication.
• Monitor API traffic for unusual activity.
• Regularly review and update security settings.
• Use network segmentation to limit attack impact.
• A Web Application Firewall (WAF) can help detect and block malicious requests before they reach the Wazuh server.

Exploiting CVE-2025-24016 can lead to severe consequences, including:

• Full control of the Wazuh server, allowing attackers to access sensitive data and change configurations.
• Compromise of the entire Wazuh cluster by taking over the master server.
• Disruption of security monitoring, enabling further undetected attacks.
• Theft of sensitive data, including logs and alerts.
• Using the Wazuh server as a launch point for other network attacks.

Timely patching and strong security measures are essential to prevent such attacks.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Wazuh SIEM vulnerability enables remote code execution appeared first on First Hackers News.

Known as CVE-2025-0912, this bug lets attackers take over sites without logging in by exploiting a deserialization issue in versions 3.19.4 and earlier.

All about the plugin vulnerability

The flaw comes from improper handling of the card_address field in donation forms.

Hackers can inject harmful PHP objects, using a technique called POP (Property-Oriented Programming) to run their own code and take full control of affected sites.

With a critical CVSS score of 9.8, this bug allows attackers to steal donor data, install backdoors, or hijack payments without needing to log in.

Researcher dream hard found the issue while reviewing the plugin’s code, warning that it’s easy to exploit and could lead to defaced sites, stolen funds, or full admin access within minutes.

GiveWP, used by nonprofits, religious groups, and political campaigns, handles millions in donations each year. A compromised site could face:

• Payment fraud through altered gateways
• Donor data leaks (names, emails, billing info)
• SEO poisoning with malicious redirects
• Full site takeover for phishing attacks

Wordfence detected active scans for vulnerable sites starting March 4, with at least three different attack methods seen. The plugin’s wide use by critical organizations makes timely patching essential.

Mitigation and Response

GiveWP released version 3.20.0 on March 4, fixing the flaw. Site admins should:

• Update to version 3.20.0
• Check logs for suspicious POST requests to /wp-json/give/v1/donations
• Revoke and regenerate payment API keys

Wordfence warns older versions should assume compromise and recommends full malware scans and donor account monitoring.

Critics noted the patch came 48 hours after public disclosure, raising concerns about plugin security.

As of March 5, over 7,000 sites are still unpatched, while proof-of-concept exploits are already circulating. Immediate action is crucial to avoid major damage.

The post 10,000+ WordPress sites exposed by donation plugin vulnerability appeared first on First Hackers News.

These issues arise from flaws in libraries like OpenSSL, Node.js, and Java SDKs, as well as misconfigurations in underlying frameworks.

The main security risks include Remote Code Execution (RCE), which lets attackers run malicious code, and unauthorized access to sensitive business data. Denial of Service (DoS) attacks could also disrupt system availability.

IBM Cloud Pak for Business Automation is used across industries like finance, healthcare, and manufacturing to automate workflows and manage sensitive processes. Exploiting these vulnerabilities could lead to data loss, financial damage, and reputational harm.

Affected Versions

The following versions are impacted:

• Version 24.0.0 – IF003: Apply iFix 24.0.0-IF004 or upgrade to version 24.0.1.
• Versions 23.x.x: Upgrade to 24.0.0-IF004 or later for all fixes.
• Version 21.0.3 – IF038: Apply iFix 21.0.3-IF039 or upgrade to version 24.0.x.
• Older Versions (18.x.x – 20.x.x): Upgrade to at least version 21.0.3-IF039 or higher.

IBM’s timely security patches highlight the importance of proactive vulnerability management. Users should apply the recommended fixes or upgrade their software to maintain security and operational stability.

For more details on remediation and technical documentation, visit IBM’s official support page. This bulletin emphasizes the need for organizations to stay updated with security patches and maintain strong cybersecurity practices.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Critical IBM Cloud Pak Vulnerabilities Expose Systems to Remote Code Execution appeared first on First Hackers News.

CVE-2024-6387

The vulnerability is a race condition in OpenSSH’s server daemon (sshd). If a client fails to authenticate within the LoginGraceTime, the system’s signal handler can trigger unsafe function calls.

The PoC exploit, created by GitHub user YassDEV221608, targets 32-bit OpenSSH servers on Linux systems using GNU C Library (glibc). OpenBSD systems are not affected by this flaw.

According to Exploit Finder, the exploit exploits a race condition in sshd’s SIGALRM handler, triggered after failed authentication attempts. This flaw can allow attackers to execute code and gain root access.

Although the exploit requires multiple attempts to succeed, cybersecurity expert Schwartz highlights its severe potential impact. OpenSSH developers have confirmed that only certain versions are affected and recommend applying patches promptly.

For those investigating the exploit, a vulnerable OpenSSH environment can be set up using Docker. A sample Dockerfile is provided for this purpose.

PoC Script Targeting CVE-2024-6387

CVE-2024-6387.py: A PoC Script for Scanning and Exploiting Vulnerable Servers

import argparse

import threading

import socket

import time

def exploit_vulnerability(target_ip, target_port):

# Logic to exploit CVE-2024-6387

# (This is a simplified demonstration)

print(f"Exploiting target: {target_ip}:{target_port}")

# Add actual exploitation code here...
def main():

    parser = argparse.ArgumentParser(description='CVE-2024-6387 PoC Exploit Script')

    parser.add_argument('-T', '--targets', required=True, help='Target IP addresses or domain names')

    parser.add_argument('-p', '--port', default=22, help='Port number to exploit (default: 22)')

    args = parser.parse_args()

    targets = args.targets.split(',')

    threads = []

    for target in targets:

        thread = threading.Thread(target=exploit_vulnerability, args=(target, args.port))

        threads.append(thread)

        thread.start()

    for thread in threads:

        thread.join()

if __name__ == "__main__":

    main()


Admins should update OpenSSH to the latest patched versions to address CVE-2024-6387. Limiting login attempts and improving logging can further reduce risks. Organizations are urged to check for vulnerabilities and apply updates promptly to stay secure. 

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Critical OpenSSH Vulnerability (CVE-2024-6387) Exploit Released appeared first on First Hackers News.

SonicWall advises users to update their SMA 200, 210, 400, 410, and 500v appliances running firmware 10.2.1.13-72sv or earlier. SMA1000 series devices are not affected.

Vulnerability List :

1. CVE-2024-38475: Path Traversal
   This vulnerability leverages Apache HTTP Server’s mod_rewrite module to map URLs to restricted filesystem locations. Attackers can use this flaw to access sensitive files, potentially compromising system security and data integrity.
2. CVE-2024-40763: Heap-Based Buffer Overflow
   A flaw in SMA100 devices’ memory management leads to a heap-based buffer overflow. By exploiting this, attackers can execute malicious code remotely or cause a system crash, disrupting services.
3. CVE-2024-45318: Stack-Based Buffer Overflow
   Found in the SMA100 web management interface, this vulnerability allows attackers to trigger a stack-based buffer overflow. If exploited, it can result in arbitrary code execution, granting full control over the device.
4. CVE-2024-45319: Certificate Authentication Bypass
   This flaw permits attackers to bypass the certificate requirement during authentication, providing unauthorized access to sensitive systems and potentially exposing critical resources.
5. CVE-2024-53702: Insecure Randomness
   The SMA100 devices’ backup mechanism uses a weak pseudo-random number generator (PRNG). Attackers can predict its output, potentially leading to the exposure of sensitive information like encryption keys or backup data.
6. CVE-2024-53703: Stack-Based Buffer Overflow in Apache
   This vulnerability exists in the mod_httprp library used by SMA100 devices running Apache. Exploiting this stack overflow allows attackers to execute arbitrary code remotely, posing a significant threat to the system.

Affected Products :

• Impacted Models: SonicWall SMA 100 series (SMA 200, 210, 400, 410, 500v).
• Vulnerable Firmware: Version 10.2.1.13-72sv and earlier.

Details:

• Action Required: SonicWall recommends updating to the latest firmware immediately.
• Exploitation Status: No active exploitation reported yet, but due to the severity, prompt action is critical.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post SonicWall Flaws Enable Remote Code Execution appeared first on First Hackers News.

All about the Vulnerability – CVE-2024-51503

The vulnerability, identified as CVE-2024-51503, was discovered on November 18, 2024, and has a high severity rating with a CVSS 3.0 score of 8.0.

The security flaw, known as ZDI-CAN-25215, is a command injection vulnerability affecting Windows-based Deep Security Agent versions before 20.0.1-21510 and Deep Security Notifier on DSVA version 20.0.0-8438.

This issue could allow an attacker to escalate privileges and execute arbitrary code on affected machines. The vulnerability is caused by an OS Command Injection weakness (CWE-78).

The vulnerability allows attackers with domain access to inject commands remotely to other machines within the same domain. However, exploiting it requires the attacker to first run low-privileged code on the target system.

Trend Micro has released a fix for this issue. Version 20.0.1-21510 (20 LTS Update 2024-10-16) is now available for Windows platforms.

Users of the Deep Security Notifier on DSVA should update to the DSA 20.0.1 full package or later to fix the Notifier function.

Cybersecurity experts stress the importance of applying patches promptly. While exploiting this vulnerability requires access to the machine, Trend Micro urges customers to update to the latest versions.

Organizations should also review remote access policies for critical systems and ensure perimeter security is up-to-date.

The vulnerability was discovered by Simon Zuckerbraun of Trend Micro’s Zero Day Initiative, highlighting the ongoing efforts to address cybersecurity risks. Experts recommend regular software updates and strong security practices to protect digital assets.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Trend Micro Deep Security Flaw Allows Remote Code Execution appeared first on First Hackers News.

On September 26, 2024, rumors about these flaws circulated on Twitter, and an official announcement confirmed on September 27 revealed four high-severity RCE vulnerabilities in CUPS.

All about the Linux CUPS vulnerabilities

CVE-2024-47117 (CVSS 9.1) is a command injection vulnerability that can allow attackers to execute arbitrary code by improperly handling PPD files. This happens when the software executes the FoomaticRIPCommandLine parameter, which can be manipulated to run malicious code.

This exploitation is possible due to CVE-2024-47176 (CVSS 8.4), which lacks identity verification for Internet Printing Protocol (IPP) senders. CUPS mistakenly trusts all packages from any source, enabling hackers to send a printer info request to a remote server. This could lead to the creation of a fake printer instance under their control, allowing them to gain persistence in the network printing environment and execute arbitrary code.

The IPP verification vulnerability is accompanied by two other flaws, CVE-2024-47175 and CVE-2024-47076 (CVSS 8.6). These allow malicious PPD files to inject harmful code into other parts of the CUPS system, expanding their network presence. The problem arises from improper input sanitization, as the libppd function executes any code in the PPD file input “as is.” Analysts state these vulnerabilities are effective only when combined with one or both of the earlier flaws.

Fixes for Linux CUPS

Along with the disclosure, OpenPrinting released potential mitigation measures for the vulnerabilities. There is no official patch; instead, they suggest stopping a specific CUPS service that contains the bug. This can be done with the following Linux commands:

sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed

Disabling this vulnerable service is a fortunate aspect of the situation, as it can effectively block the threat. However, it’s not foolproof; if attackers have already gained access to the environment, they could easily restart the vulnerable service and exploit it for lateral movement.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Linux CUPS has multiple vulnerabilities that allow remote code execution appeared first on First Hackers News.

All about the Vulnerability

CVE-2024-28176: The Node.js jose module has a flaw in JWE decryption that can lead to a denial-of-service attack. Attackers can exploit this vulnerability by sending a specially crafted request, causing excessive CPU or memory usage. CVSS Base Score: 5.3.

CVE-2024-34064: Jinja’s xmlattr filter is vulnerable to cross-site scripting due to accepting keys with non-attribute characters. This flaw can allow remote attackers to inject attributes into web pages, potentially stealing cookie-based authentication credentials. CVSS Base Score: 5.4.

CVE-2024-3651: The idea module can cause a denial of service when a local user provides a specially crafted argument to the idea.encode() function. CVSS Base Score: 6.2.

CVE-2024-25024: IBM QRadar Suite stores user credentials in plain text, which can be accessed by a local user. CVSS Base Score: 6.2.

CVE-2024-37168: The gRPC module for Node.js has a memory allocation flaw that can lead to a denial of service attack if exploited by sending specially crafted messages. CVSS Base Score: 5.3.

CVE-2024-30260: The Node.js undici module mishandles Authorization headers, allowing remote authenticated attackers to access sensitive information. CVSS Base Score: 3.9.

CVE-2024-30261: The Node.js undici module has a security restriction bypass, allowing tampered requests with fetch(). CVSS Base Score: 2.6.

CVE-2024-28799: IBM QRadar Suite Software improperly displays sensitive data during back-end commands, risking information disclosure. CVSS Base Score: 5.1.

CVE-2024-39008: The fast-loops module by robinweser allows remote code execution due to a prototype pollution vulnerability. CVSS Base Score: 9.8.

CVE-2024-29415: The Node.js ip module is vulnerable to server-side request forgery (SSRF), enabling attackers to conduct SSRF attacks. CVSS Base Score: 7.5.

Affected Products and Versions

The following products and versions are affected:

• IBM Cloud Pak for Security: 1.10.0.0 to 1.10.11.0
• QRadar Suite Software: 1.10.12.0 to 1.10.23.0

Upgrade to version 1.10.24.0 or later to resolve these vulnerabilities.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Critical IBM QRadar Flaws Enable Remote Arbitrary Code Execution appeared first on First Hackers News.