CVE Updates (December 1–7, 2025)

Vuln Recap Editor,

Here are the CVE updates for the week of December 1st through the 7th.

🔴 Critical Severity Vulnerabilities

Meta React Server Components Remote Code Execution Vulnerability (CISA KEV) | CVE-2025-55182

Description:
A critical pre-authentication remote code execution (RCE) vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. This flaw affects the packages react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. It arises due to unsafe deserialization of payloads received through HTTP requests to Server Function endpoints. Consequently, attackers can execute arbitrary code without any authentication.

Potential Impacts

  • Remote Code Execution: Attackers execute arbitrary code on the server before authentication occurs.
  • Full Application Takeover: Exploitation grants attackers full control over server-side logic and the environment.
  • Dependency Supply Chain Compromise: Vulnerable components may affect multiple applications relying on React Server Components.
  • Data Theft & Manipulation: Sensitive server-rendered data may be accessed, modified, or exfiltrated.
  • Service Disruption: Malicious payloads can crash or corrupt server-side processes, resulting in downtime.
  • Lateral Movement: Compromised servers might allow attackers to pivot deeper into cloud or internal infrastructure.

Mitigation Recommendations

  • Apply vendor patches immediately by upgrading React Server Components and affected packages to the latest patched versions.
  • Validate and sanitize incoming payloads by adding strict server-side checks for all requests hitting Server Function endpoints.
  • Restrict network exposure by limiting public access to RSC server endpoints; use API gateways, firewalls, or reverse proxies.
  • Enable runtime hardening through sandboxing, container isolation, or read-only file systems to minimize RCE blast radius.
  • Monitor for suspicious activity by watching anomalous Server Function requests or unexpected code execution behaviors.
  • Use least privilege configuration by running Node.js or backend processes with minimal privileges to reduce exploitation damage.
  • Implement WAF rules that block malicious deserialization payloads and related attacks.

WordPress User Verification Plugin Authentication Bypass | CVE-2025-12374

Description:
A critical authentication bypass vulnerability affects the Email Verification, Email OTP, Block Spam Email, Passwordless Login, Hide Login, and Magic Login – User Verification plugin for WordPress (all versions up to 2.0.39). The issue occurs because the plugin fails to verify whether an OTP was actually generated before comparing it to user input in the user_verification_form_wrap_process_otpLogin function. As a result, an unauthenticated attacker can submit an empty OTP value and successfully log in as any user with a verified email address, including administrators.

Potential Impacts

  • Full Account Compromise: Attackers can log in as any user, including administrators, without valid OTPs.
  • Complete Site Takeover: Compromising an admin account grants full control over the WordPress site, plugins, settings, and hosted content.
  • Data Theft & Manipulation: Attackers may access or alter sensitive user data, configuration files, and stored information.
  • Malware Injection: Administrative access enables uploading malicious plugins, injecting backdoors, or modifying themes.
  • Service Disruption: The site could be defaced, content deleted, or functionality broken, causing downtime and reputational damage.
  • Lateral Movement: Stolen admin sessions may allow attackers to pivot into connected hosting environments or other web apps.

Mitigation Recommendations

  • Update the plugin immediately by upgrading to the latest patched version once available.
  • Temporarily disable OTP login if updating is not feasible; configure plugin settings accordingly.
  • Restrict admin access by limiting login URLs, enforcing strong user roles, and removing risky authentication methods.
  • Enable multi-factor authentication (MFA) via a trusted plugin to strengthen login security.
  • Deploy a web application firewall (WAF) to block suspicious login attempts, particularly those with empty OTP fields or rapid submissions.
  • Monitor login logs regularly for unusual login patterns, unexpected admin access, or empty OTP attempts.
  • Harden WordPress by applying least privilege principles, restricting file editing, and keeping core, themes, and plugins updated.

Taiko Alethia Incorrect Transition Verification Pointer Corruption | CVE-2025-66559

Description:
Taiko Alethia, an Ethereum-equivalent permissionless based-rollup, suffers from a vulnerability in versions 2.3.1 and earlier. The flaw lies in the TaikoInbox._verifyBatches function (packages/protocol/contracts/layer1/based/TaikoInbox.sol:627–678), which prematurely advances the local transition ID (tid) to whichever transition matches the current blockHash before verifying whether that batch is valid or ready for verification.

Potential Impacts

  • Chain State Corruption: Incorrect transition IDs can corrupt the verified chain pointer, breaking batch continuity.
  • Consensus Disruption: Verification logic may stall or produce invalid state progression due to unreliable canonical transition determination.
  • Denial of Service: Corrupted pointers may halt batch verification, preventing new batches from finalizing.
  • Economic Manipulation: Attackers might exploit incorrect transition references to affect state commitments or verification logic.
  • Trust and Integrity Breakdown: Verification chain corruption threatens security assumptions, integrity, and Ethereum interoperability.

Mitigation Recommendations

  • Upgrade immediately to the patched version where _verifyBatches validates transitions before updating verifiedTransitionId.
  • Enforce proper transition validation by advancing and writing transition IDs only after full verification and cooldown checks pass.
  • Add defensive assertions that reject unexpected or out-of-range transition indices during verification.
  • Enable rigorous auditing through static and dynamic analysis of batch verification logic to detect pointer manipulation or mismatches.
  • Monitor chain pointer state continuously for anomalies such as unexpected jumps or zeroed transitions.
  • Implement rollback and recovery logic to safely restore rollup state if corruption occurs.

VeeVPN Unquoted Service Path Vulnerability Leading to Remote Code Execution | CVE-2025-66575

Description:
VeeVPN version 1.6.1 has an unquoted service path vulnerability in the VeePNService, allowing remote attackers to execute arbitrary code during system startup or reboot with escalated LocalSystem privileges. By supplying a specially crafted malicious service name, an attacker can inject commands that run with the highest system privileges.

Potential Impacts

  • Remote Code Execution: Attackers run arbitrary code as LocalSystem during startup or reboot.
  • Full System Compromise: Elevated privileges grant attackers complete control over the system.
  • Persistence: Malicious code can persist across reboots, ensuring long-term access.
  • System Disruption: Attackers can disable security software or system processes.
  • Data Theft or Manipulation: Unauthorized access to sensitive data and system configurations becomes possible.

Mitigation Recommendations

  • Apply vendor updates by upgrading to a patched VeeVPN version that addresses the unquoted service path issue.
  • Harden service paths by properly quoting and validating service executable paths.
  • Restrict service management access to limit who can create or modify system services.
  • Monitor system startup to detect unauthorized or suspicious services and executables.
  • Implement the principle of least privilege by restricting privileges of users managing services to reduce exploitation risk.

🟠 High Severity Vulnerabilities

OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability (CISA KEV) | CVE-2021-26828: Allows authenticated remote users to upload and execute arbitrary JSP files via the view_edit.shtm interface, enabling remote code execution on the server.

GitLab Credential Exposure & Privilege Escalation Vulnerability | CVE-2024-9183: Authenticated users under specific conditions may obtain higher-privileged credentials, risking project and admin settings compromise.

Apache HTTP Server SSI Command Injection Vulnerability | CVE-2025-58098: When SSI is enabled with mod_cgid, shell-escaped query strings pass directly into commands, risking injection; fixed in 2.4.66.

DCIM dcTrack Remote Access Traffic Redirection Vulnerability | CVE-2025-66238: Authenticated users can misuse remote access features to redirect network traffic, potentially accessing restricted services or sensitive host data.

🟡 Medium Severity Vulnerabilities

AMTT Hotel Broadband Operation System SQL Injection Vulnerability | CVE-2025-14090: Improper handling of the ID parameter in /manager/card/cardmake_down.php allows remote SQL injection; exploit publicly released, vendor unresponsive.

ketr JEPaaS Improper Authorization Vulnerability | CVE-2025-14088: Flaw in /je/load endpoint enables remote attackers to bypass access controls; public exploit exists.

WatchGuard Mobile VPN with SSL Client Local Privilege Escalation Vulnerability | CVE-2025-1910: Locally authenticated non-admin users may escalate privileges to SYSTEM on Windows versions 12.0–12.11.2.

Post Views: 14
What You Missed Last Week

Leave a Reply

Your email address will not be published. Required fields are marked *