Here are the CVE updates for the week of August 11th through the 17th.
🔴 Critical Severity Vulnerabilities
N-able N-central Command Injection Vulnerability (CISA KEV) | CVE-2025-8876
Description:
N-able N-central contains an Improper Input Validation vulnerability that allows OS Command Injection. The flaw affects N-central versions prior to 2025.3.1. A remote attacker who can reach the affected endpoint can inject shell metacharacters into a parameter that the server passes to an operating system command, executing arbitrary commands on the underlying server and potentially taking it over completely. CISA has added this CVE to its Known Exploited Vulnerabilities catalog, which means exploitation in the wild has been confirmed.
Potential Impacts:
- Remote Code Execution (RCE): Attackers could execute OS commands with the privileges of the affected service.
- System Compromise: Consequently, attackers may fully take over the N-central server and establish persistence mechanisms.
- Data Theft/Manipulation: Attackers could exfiltrate or modify sensitive monitoring and management data.
- Lateral Movement: They could use the compromised environment to pivot into managed client systems.
Mitigation Recommendations:
- Upgrade to Fixed Version: Upgrade to N-central 2025.3.1 or later to fix the vulnerability.
- Restrict Access: Do not expose the N-central web interface to the Internet; reach it only through a VPN or from allowlisted management networks.
- Input Validation & Sanitization: The root cause is missing input validation in the product itself, so the upgrade is the real fix. Any custom integrations or scripts that feed data into N-central should still allowlist the values they pass in rather than rely on escaping.
- Monitor Logs: Review web server and application logs for requests carrying shell metacharacters (`;`, `|`, `&&`, `$(`) and look for unexpected child processes spawned by the N-central service account.
- Principle of Least Privilege: Run N-central services with minimum required privileges.
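The vulnerability class behind CVE-2025-8876, shown as an added example rather than N-able's code: a management service builds a probe command from a user-supplied host name. The vulnerable version interpolates the value into a shell string; the hardened version validates it against an allowlist and executes it as a separate argv element with no shell involved. The `PROBE` command, the host names and the `run_probe_*` helpers are assumptions made for this example (`echo` stands in for a real network utility so the code runs offline).

```python
# Added example (not N-able's code): generic OS command injection pattern behind
# CVE-2025-8876, vulnerable and hardened side by side.
import ipaddress
import re
import shlex
import subprocess

# Hypothetical probe command; `echo` replaces ping/nslookup so the example runs offline.
PROBE = "echo probing"

# RFC 1123 host name: labels of letters, digits and hyphens joined by dots.
# Nothing a shell would interpret can pass this allowlist.
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_host(host: str) -> bool:
    """Allowlist check: an IP address literal or a syntactically valid host name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return len(host) <= 253 and bool(_HOSTNAME_RE.match(host))


def run_probe_vulnerable(host: str) -> str:
    """VULNERABLE: untrusted input is spliced into a string handed to /bin/sh.
    A host of '10.0.0.5; id' runs `id` with the service's privileges."""
    cmd = f"{PROBE} {host}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def run_probe_hardened(host: str) -> str:
    """Hardened: reject anything outside the allowlist, then exec without a shell.
    Even if validation were skipped, argv-style execution hands '10.0.0.5; id' to the
    program as one literal argument instead of letting a shell parse it."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host {host!r}")
    argv = shlex.split(PROBE) + [host]
    result = subprocess.run(argv, shell=False, capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    injected = "10.0.0.5; echo INJECTED"       # constructed attacker input
    print(run_probe_vulnerable(injected))      # second output line reads INJECTED
    try:
        run_probe_hardened(injected)
    except ValueError as exc:
        print("hardened:", exc)
    print(run_probe_hardened("10.0.0.5"))
```

Validation and shell-free execution are independent layers: the allowlist stops the request at the edge, and the argv form means a missed validation still cannot turn one argument into two commands.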
N-able N-central Insecure Deserialization Vulnerability (CISA KEV) | CVE-2025-8875
Description:
N-able N-central contains a Deserialization of Untrusted Data vulnerability affecting versions prior to 2025.3.1. The server deserializes attacker-controlled input, so an attacker can supply a crafted serialized object whose reconstruction invokes classes and methods of their choosing (a gadget chain), resulting in arbitrary code execution within the affected service. N-able rates the vector as local, so the attacker needs a foothold or account on the system first. CISA has added this CVE to its Known Exploited Vulnerabilities catalog.
Potential Impacts:
- Local Code Execution: Attackers with local access may execute arbitrary code.
- Privilege Escalation: Furthermore, attackers could escalate system privileges.
- Persistence: They might establish backdoors or manipulate system behavior.
- Data Tampering: Attackers could alter or destroy sensitive monitoring and management data.
Mitigation Recommendations:
- Upgrade to Fixed Version: Upgrade to N-central 2025.3.1 or later.
- Harden Local Access: Restrict server access to trusted administrators.
- Input Validation: Never deserialize untrusted data with a general-purpose deserializer; where deserialization is unavoidable, restrict it to an explicit allowlist of expected types.
- Monitor Activity: Enable logging to detect unusual local execution attempts.
- Apply Principle of Least Privilege: Run services with minimal privileges to limit impact.
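The deserialization pattern behind CVE-2025-8875, shown as an added example with Python's `pickle` rather than N-able's (Java) code: an unpickled stream can name any importable callable and its arguments, so the victim's `loads` call executes attacker-chosen code. The standard defence is an unpickler that only resolves an explicit allowlist of types. `MonitoringRecord`, `Gadget` and the `load_*` helpers are hypothetical names introduced for this example; `MALICIOUS_INPUT` is constructed here.

```python
# Added example (not N-able's code): deserialization of untrusted data, vulnerable
# loader beside an allowlisting loader.
import io
import pickle
from dataclasses import dataclass


@dataclass
class MonitoringRecord:
    """The only type the hypothetical service legitimately expects to receive."""
    device: str
    cpu_percent: float


class Gadget:
    """Attacker-side object. Pickling it stores a call to builtins.eval("6*7"),
    so the victim's pickle.loads() evaluates attacker-chosen code. A real payload
    would name os.system or subprocess.Popen instead of eval."""
    def __reduce__(self):
        return (eval, ("6*7",))


# Constructed malicious input: the bytes an attacker would send to the service.
MALICIOUS_INPUT = pickle.dumps(Gadget())

# Only these (module, class) pairs may be resolved while unpickling.
ALLOWED_GLOBALS = {(__name__, "MonitoringRecord")}


def serialize(record: MonitoringRecord) -> bytes:
    """What a legitimate client sends."""
    return pickle.dumps(record)


def load_vulnerable(data: bytes):
    """VULNERABLE: pickle.loads resolves and calls whatever the stream names."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup except the explicit allowlist."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_hardened(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if the hardened loader refuses the stream."""
    try:
        load_hardened(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable loader returned:", load_vulnerable(MALICIOUS_INPUT))  # 42: eval ran
    print("hardened loader rejected payload:", is_rejected(MALICIOUS_INPUT))
    print("hardened loader accepts expected type:",
          load_hardened(serialize(MonitoringRecord("srv01", 12.5))))
```

The allowlist is keyed on module and class name, not on the data, because the dangerous part of a serialized object is which code it names, not which values it carries. The same principle applies to Java deserialization filters (`ObjectInputFilter`) and to any format that lets the stream pick the type.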
🟠 High Severity Vulnerabilities
RARLAB WinRAR Path Traversal Vulnerability (CISA KEV) | CVE-2025-8088: A path traversal vulnerability involving NTFS alternate data streams affects the Windows version of WinRAR. Attackers craft a malicious archive whose entries, when a user extracts it, are written outside the chosen extraction directory, for example into the user's Startup folder. Any file planted there, such as a shortcut or executable, runs automatically at the next logon. The flaw was exploited in the wild before the fix shipped; upgrade to WinRAR 7.13 or later.
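A destination check of the kind that archive extractors must apply to every entry, added here as an example and not RARLAB's code. Each entry name is normalised and resolved against the extraction directory; names that escape it, are absolute, carry a drive letter, or contain an NTFS alternate data stream marker are refused before anything is written. The function names, the `/tmp/out` extraction root and the entry names in the usage section are assumptions for this example.

```python
# Added example (not RARLAB's code): validating archive entry names before extraction.
import posixpath
from pathlib import PureWindowsPath


class UnsafeArchiveEntry(ValueError):
    pass


def safe_extract_path(dest_dir: str, entry_name: str) -> str:
    """Return the path below dest_dir where entry_name may be written, or raise.
    dest_dir is an absolute, normalised POSIX-style path (hypothetical extraction root)."""
    name = entry_name.replace("\\", "/")
    # Absolute paths, drive letters and UNC prefixes would ignore dest_dir entirely.
    if name.startswith("/") or PureWindowsPath(entry_name).drive:
        raise UnsafeArchiveEntry(f"absolute entry: {entry_name!r}")
    # NTFS alternate data streams (file:stream) let an entry write to a stream of a
    # different file or directory; CVE-2025-8088 abused this to escape the target dir.
    if ":" in name:
        raise UnsafeArchiveEntry(f"ADS marker in entry: {entry_name!r}")
    # Collapse ./ and ../ segments, then confirm the result is still inside dest_dir.
    root = posixpath.normpath(dest_dir)
    target = posixpath.normpath(posixpath.join(root, name))
    if target != root and not target.startswith(root + "/"):
        raise UnsafeArchiveEntry(f"entry escapes extraction dir: {entry_name!r}")
    return target


def is_safe_entry(dest_dir: str, entry_name: str) -> bool:
    """Boolean wrapper for filtering an archive listing."""
    try:
        safe_extract_path(dest_dir, entry_name)
        return True
    except UnsafeArchiveEntry:
        return False


if __name__ == "__main__":
    # Constructed archive listing: one legitimate entry, then typical attack names.
    listing = [
        "docs/report.pdf",
        "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
        "report.pdf:payload.exe",
        "C:\\Windows\\Temp\\evil.dll",
    ]
    for entry in listing:
        print(f"{'OK    ' if is_safe_entry('/tmp/out', entry) else 'REJECT'} {entry}")
```

Checking the resolved path rather than searching the raw name for `..` is what makes the check robust: `docs/../report.pdf` is harmless and stays accepted, while `docs/../../escape.txt` resolves above the root and is refused. The `root + "/"` comparison also stops a sibling directory with a shared prefix (`/tmp/outside`) from passing as inside `/tmp/out`.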
Microsoft Office Excel Remote Code Execution Vulnerability (CISA KEV) | CVE-2007-0671: Microsoft Excel 2000, XP, 2003, and 2004 for Mac contain a vulnerability with unspecified vectors that allows user-assisted remote code execution. An attacker delivers a maliciously crafted Excel file; when the victim opens it, the embedded payload runs with the victim's privileges. Although the CVE dates from 2007, CISA lists it as exploited in the wild, so legacy Office installations remain a live target.
Microsoft Internet Explorer Resource Management Errors Vulnerability (CISA KEV) | CVE-2013-3893: A use-after-free vulnerability exists in the SetMouseCapture function in mshtml.dll in Internet Explorer 6 through 11. A remote attacker hosting crafted JavaScript can cause the browser to use an object after its memory has been freed, corrupting memory and leading to arbitrary code execution in the browser process.
Unauthorized Access in AL Pack WordPress Plugin | CVE-2025-7664: An unauthorized access vulnerability affects the AL Pack plugin for WordPress (up to version 1.0.2). The check_activate_permission() callback fails to verify user authentication, capabilities, or nonce tokens. Attackers can spoof the Origin header to activate premium features without authorization.
Unauthorized Data Exfiltration in Claude Code | CVE-2025-55284: Claude Code versions prior to 1.0.4 contain an unauthorized data exfiltration vulnerability. The allowlist of commands considered safe enough to run without confirmation is too broad, so an attacker can bypass the confirmation prompt, read a file, and send its contents over the network without user consent. Exploitation requires getting untrusted content (for example, a poisoned file or web page the tool is asked to process) into the Claude Code context window, which makes this a prompt-injection vector.
🟡 Medium Severity Vulnerabilities
Unauthorized Data Access in BetterDocs WordPress Plugin | CVE-2025-7499: BetterDocs – Advanced AI-Driven Documentation for WordPress (up to version 4.1.1) contains a missing-authorization vulnerability. The get_response function does not enforce capability checks, allowing unauthenticated attackers to access sensitive data. Consequently, attackers may retrieve passwords for password-protected documents and view metadata of private or draft documents, leading to unauthorized disclosure.
Stored Cross-Site Scripting (XSS) in User Profile Builder WordPress Plugin | CVE-2025-8896: A Stored XSS vulnerability exists in User Profile Builder for WordPress (up to version 3.14.3). Insufficient sanitization and escaping of the gdpr_communication_preferences[] parameter allows authenticated attackers (Subscriber-level and above) to store a script in their profile data. The script then executes in the browser of any user who views the affected page, enabling persistent exploitation such as session theft or actions performed with an administrator's privileges.
Stored Cross-Site Scripting (XSS) in Plane Project Management Software | CVE-2025-55203: Plane (versions prior to 0.28.0) contains a Stored XSS vulnerability. Attackers can inject JavaScript payloads into the description_html field. The payload is stored in the database and executes in the browser of every other user who later renders the affected item, so a single malicious issue can compromise many users' sessions.
Improper Control of Generation of Code (Code Injection) in Apache OFBiz Scrum Plugin | CVE-2025-54466: The Apache OFBiz scrum plugin (versions prior to 24.09.02) contains a Code Injection vulnerability. Because the plugin does not properly control the code it generates from request data, an unauthenticated remote attacker can execute arbitrary code on the server. Upgrade to 24.09.02 or later, or disable the scrum plugin if it is not in use.