CVE Updates (November 3 – 9, 2025)

Here are the CVE updates for the week of November 3rd through the 9th.

🔴 Critical Severity Vulnerabilities

Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability (CISA KEV) | CVE-2025-48703

Description:
An unauthenticated remote code execution vulnerability exists in CWP (Control Web Panel / CentOS Web Panel) versions before 0.9.8.1205. This issue arises due to shell metacharacters present in the t_total parameter of a filemanager changePerm request. If an attacker knows a valid non-root username on the system, they can craft input that is passed directly to a shell. Consequently, arbitrary commands execute on the host under the vulnerable component’s user context.

Potential Impacts:

• Remote Code Execution: Attackers may execute arbitrary commands on the server.
• Account Compromise: Since abuse requires a known non-root username, that account or the host could be fully compromised.
• Privilege Escalation & Lateral Movement: Executed commands might escalate privileges, harvest credentials, or pivot to other systems.
• Data Theft or Tampering: Files and site data hosted on the server could be read, modified, or deleted.
• Service Disruption: Malicious commands can disrupt web services, hosting environments, or the control panel itself.

Mitigation Recommendations:

• Update Immediately: Upgrade CWP to version 0.9.8.1205 or later where this issue has been fixed.
• Restrict Access: Block or limit access to CWP filemanager endpoints at the network edge (firewall, iptables) to allow only trusted admin IPs.
• WAF / Virtual Patching: Deploy WAF rules to filter or block requests containing shell metacharacters or suspicious changePerm parameters until patching completes.
• Input Validation: Ensure server-side code validates and sanitizes all filemanager parameters; never pass untrusted input directly to shell interpreters.
• Harden Accounts: Avoid exposing system usernames; enforce strong passwords and multi-factor authentication for panel accounts whenever possible.
• Audit & Monitor: Regularly review webserver, panel, and authentication logs for unusual changePerm requests, unknown usernames, or unexpected command executions.
• Isolate & Contain: If exploitation is suspected, isolate affected hosts from the network, collect forensic artifacts (logs, memory, filesystem), and preserve evidence.
• Rotate Credentials & Rebuild If Needed: Rotate credentials for affected accounts and consider rebuilding compromised hosts from known-good images following investigation.
• Principle of Least Privilege: Run panel services with minimal privileges and separate hosting user accounts from system-level accounts.

Arbitrary File Write and Code Execution via Malicious FB2 Assets in calibre | CVE-2025-64486

Description:
Calibre versions 8.13.0 and earlier do not validate filenames when processing binary assets embedded in FB2 (FictionBook) files. An attacker can craft FB2 files containing asset entries whose filenames cause arbitrary files to be written to the host filesystem when the file is opened or converted. Therefore, if a user opens or converts a specially crafted FB2, arbitrary files may be written, which could enable code execution later (e.g., by placing payloads in executable locations).

Potential Impacts:

• Arbitrary File Write: Malicious FB2 content can write files to arbitrary writable locations owned by the user running calibre.
• Arbitrary Code Execution: Payloads written can be executed on the host through startup folders, helper scripts, or user-triggered execution.
• Local Privilege Abuse: If calibre runs with elevated privileges (not recommended), the damage could extend to those privilege levels.
• Data Tampering & Exfiltration: Attackers may overwrite or add files to steal data or sabotage user content.
• Persistence: Injected files could enable persistence if combined with other misconfigurations or user actions.

Mitigation Recommendations:

• Update calibre: Upgrade to version 8.14.0 or later where this vulnerability is addressed.
• Avoid Opening Untrusted FB2 Files: Until patched, do not open or convert FB2 files from untrusted sources.
• Run as Least-Privilege User: Run calibre under a non-privileged user account and avoid elevated execution contexts.
• Sandbox / Isolate Viewing: Open untrusted e-books inside a sandboxed environment or VM to contain possible malicious writes.
• Harden Filesystem Locations: Avoid running calibre with writable system-level directories in its working path and keep user directories backed up.
• Monitor for Suspicious Writes: Watch for unexpected file creations or modifications in user directories after importing/converting FB2 files.
• Restore & Remediate: If exploitation is suspected, remove malicious files, rotate exposed credentials, and restore from known-good backups.

Code Execution Vulnerability in Ruijie Gateway EG and NBR Firmware (EWEB Management System) | CVE-2020-36870

Description:
Several models of Ruijie Gateway EG and NBR, running firmware versions from 11.1(6)B9P1 up to but not including 11.9(4)B12P1, contain a code execution vulnerability within the EWEB management system. This flaw can be exploited through the device’s front-end features, especially when guest authentication, local server authentication, or screen mirroring are enabled.

Potential Impacts:

• Remote Code Execution: Attackers may run arbitrary commands on gateway devices.
• Device Compromise: Full control of affected devices could include intercepting or modifying network traffic.
• Unauthorized Access: Attackers might bypass authentication, gaining unauthorized admin access.
• Network Security Risks: Compromised devices can serve as entry points for lateral movement or network attacks.
• Service Disruption: Attackers might disrupt device operations or network services.

Mitigation Recommendations:

• Firmware Upgrade: Update affected devices to firmware version 11.9(4)B12P1 or later where patched.
• Disable Unused Features: Disable guest authentication, local server authentication, and screen mirroring if not required to reduce attack surface.
• Access Controls: Restrict management interface access to trusted networks or VPNs only.
• Network Segmentation: Isolate gateway devices from untrusted networks to limit exposure.
• Monitor Logs & Alerts: Enable and regularly review device logs for suspicious authentication attempts or command executions.
• Incident Response: If compromise is suspected, isolate affected devices, collect forensic data, and rebuild or replace securely.

Arbitrary File Upload Vulnerability in Gravity Forms WordPress Plugin (copy_post_image Function) | CVE-2025-12352

Description:
The Gravity Forms WordPress plugin (all versions up to 2.9.20) suffers from an arbitrary file upload vulnerability due to missing file type validation in the copy_post_image() function. Unauthenticated attackers can upload arbitrary files to the website’s server if these conditions are met: allow_url_fopen is enabled, the post creation form is enabled, and the form includes a file upload field.

Potential Impacts:

• Remote Code Execution: Uploaded malicious files might be executed on the server.
• Website Compromise: Attackers could gain full control over the WordPress site, including data theft or defacement.
• Malware Deployment: Attackers may install backdoors, web shells, or other malicious payloads.
• Data Exposure: Sensitive data stored on the server could be accessed.
• Service Disruption: Website functionality might be defaced or disrupted.

Mitigation Recommendations:

• Update Gravity Forms Plugin: Upgrade to versions beyond 2.9.20 where the vulnerability is fixed.
• Disable allow_url_fopen: Set this to Off unless explicitly needed and secured.
• Restrict File Uploads: Enforce strict server-side file type validation.
• Harden Web Server: Use security modules (like mod_security) and WAFs to block malicious uploads.
• Monitor Upload Activity: Log and review file uploads for suspicious content.
• Backup & Recovery: Regularly backup website files and databases to enable quick recovery.
• User Education: Train site administrators to recognize suspicious activities and follow security best practices.

Authentication Bypass and SQL Injection Leading to Remote Code Execution in Advantech iView SNMP Management Tool | CVE-2022-50595

Description:
Advantech iView versions prior to v5.7.04 build 6425 include a critical vulnerability in the SNMP management tool. Remote attackers can bypass authentication and exploit SQL injection via the ztp_search_value parameter on the NetworkServlet endpoint. Successful exploitation leads to remote code execution with administrator privileges.

Potential Impacts:

• Remote Code Execution (RCE): Attackers gain the ability to run arbitrary commands with admin privileges.
• Full System Compromise: Complete control over the device or management system could be achieved.
• Data Theft or Manipulation: Sensitive network data could be accessed or altered.
• Service Disruption: Network management and monitoring may be disrupted.
• Lateral Movement: Compromised devices may serve as footholds for further attacks.

Mitigation Recommendations:

• Update Software: Upgrade Advantech iView to v5.7.04 build 6425 or later.
• Restrict Network Access: Limit SNMP interface exposure to trusted networks only.
• Implement Firewall Rules: Block unauthorized traffic to management endpoints.
• Monitor Logs: Enable detailed logging and alert on suspicious activity targeting NetworkServlet.
• Apply Least Privilege: Limit admin accounts and closely monitor their usage.
• Incident Response: Isolate affected systems and conduct a full security audit if exploitation is suspected.

🟠 High Severity Vulnerabilities

Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability (CISA KEV) | CVE-2025-11371: An unauthenticated Local File Inclusion (LFI) vulnerability exists in the default installation and configuration of Gladinet CentreStack and TrioFox (all versions up to 16.7.10368.56560). Attackers can exploit this flaw without authentication by requesting arbitrary files from the server filesystem. As a result, system files may be unintentionally disclosed. Notably, exploitation of this vulnerability has been observed in the wild.

Code Injection via Direct Connections in Open WebUI Allowing JavaScript Execution and Account Takeover | CVE-2025-64496: A code injection vulnerability affects Open WebUI (self-hosted AI platform) versions 0.6.224 and earlier within the Direct Connections feature. Malicious external model servers can send Server-Sent Events (SSE) containing execute events. When an attacker-controlled model URL is added to Direct Connections, this causes arbitrary JavaScript to execute in the victim’s browser. This happens because SSE messages from trusted Direct Connection endpoints run without sufficient validation or sanitization.

Arbitrary Code Execution via Insufficient Input Validation in Chrome DevTools | CVE-2025-12907: Google Chrome DevTools versions prior to 140.0.7339.80 suffer from insufficient validation of untrusted input. Specifically, when DevTools processes attacker-controlled content without proper sanitization, malicious code can run if the user interacts with it inside the DevTools interface. However, exploitation requires user action such as opening DevTools while inspecting malicious content. Google classifies this vulnerability as Low severity.

Resource Allocation Without Limits Leading to Denial of Service in File Station 5 | CVE-2025-53410: A resource allocation flaw exists in File Station 5, which lacks limits or throttling. Attackers with valid user accounts can exploit this vulnerability to consume excessive resources. Consequently, other systems, applications, or processes cannot effectively access the same resources. This leads to a Denial of Service (DoS), affecting the availability of services.

🟡 Medium Severity Vulnerabilities

Mark of the Web Bypass via Crafted HTML in Google Chrome Downloads on Windows  | CVE-2025-12905: Google Chrome’s Downloads component on Windows versions prior to 140.0.7339.80 contains an inappropriate implementation vulnerability. Attackers can deliver specially crafted HTML pages that bypass the Mark of the Web (MotW) security feature. MotW flags files downloaded from the internet, enforcing security restrictions when these files are opened. By bypassing MotW, attackers reduce security enforcement on downloaded content. Google rates this vulnerability as Low severity.

Improper Symlink Handling in KubeVirt virt-handler Leading to File Ownership Manipulation  | CVE-2025-64437: KubeVirt (a virtual machine management add-on for Kubernetes) versions before 1.5.3 and 1.6.1 contain a vulnerability in the virt-handler component. It fails to check whether the launcher-sock file is a symbolic link or a regular file properly. If an attacker controls the filesystem of the virt-launcher pod, they can exploit this flaw to change ownership of arbitrary files on the host node. The files become owned by an unprivileged user with UID 107 (the same user as virt-launcher).