
The US Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two security flaws, one affecting Erlang/Open Telecom Platform (OTP) SSH and one affecting Roundcube Webmail, to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerabilities in question are listed below:

- CVE-2025-32433 (CVSS score: 10.0) – A missing authentication for critical function vulnerability in Erlang/OTP SSH servers that could allow an attacker to execute arbitrary commands without valid credentials, potentially leading to unauthenticated remote code execution. (Fixed in April 2025 in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20)
- CVE-2024-42009 (CVSS score: 9.3) – A cross-site scripting (XSS) vulnerability in Roundcube Webmail that could allow a remote attacker to steal and send a victim's emails via a crafted email message by taking advantage of a sanitization flaw in program/action/mail/show.php. (Fixed in August 2024 in versions 1.6.8 and 1.5.8)

There are currently no details on how the two vulnerabilities are being exploited in the wild, or by whom. Last month, ESET revealed that a Russia-linked threat actor known as APT28 had exploited several XSS flaws in Roundcube, Horde, MDaemon and Zimbra, targeting Eastern European government agencies and defense companies. It is not clear whether the abuse of CVE-2024-42009 is related to this activity.
According to Censys data, there are 340 exposed Erlang servers, though not all of those instances are necessarily susceptible to the flaw. Public disclosure of CVE-2025-32433 was followed soon after by the release of several proof-of-concept (PoC) exploits.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by June 30, 2025, to secure their networks.
The development comes as Patchstack flagged an unauthenticated account takeover vulnerability in the WordPress PayU CommercePro plugin (CVE-2025-31022, CVSS score: 9.8) that allows attackers to seize control of any user account on the site without authentication.
This can have serious consequences if an attacker hijacks an administrator account, allowing them to take over the site and carry out malicious actions. The vulnerability affects versions 3.8.5 and earlier. The plugin has over 5,000 active installations.
The problem relates to a function called “update_cart_data()”, which is invoked from an endpoint named “/payu/v1/get-shipping-cost” that checks whether an e-commerce order exists for the provided email address and, if so, handles it.

However, the endpoint only checks for a valid token tied to a hardcoded email address (“commerce.pro@payu[.]in”), and there is another REST API endpoint (“/payu/v1/generate-user-token”) that generates an authentication token for any given email address. Attackers can exploit this behavior to obtain the token corresponding to “commerce.pro@payu[.]in”, send a request to /payu/v1/get-shipping-cost, and hijack the account.
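The defensive pattern that closes this class of bug, as an added illustration that is not the PayU CommercePro plugin's code: token minting requires an authenticated caller, the token is bound to that caller's user ID rather than to any email address, and the consuming endpoint takes identity from the session. The `example/v1` namespace, the `example_*` function names and the token layout are assumptions for the illustration; the WordPress REST API functions used are standard.

```php
<?php
// Hypothetical hardened version of the two REST endpoints described above.
// Illustration only: none of this is the PayU CommercePro plugin's code.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/generate-user-token', array(
        'methods'             => 'POST',
        'callback'            => 'example_generate_user_token',
        'permission_callback' => 'is_user_logged_in', // no anonymous token minting
    ) );
    register_rest_route( 'example/v1', '/get-shipping-cost', array(
        'methods'             => 'POST',
        'callback'            => 'example_get_shipping_cost',
        'permission_callback' => 'example_verify_token_for_current_user',
    ) );
} );
// Token = "<user_id>:<expiry>:<hmac>", keyed with the site's auth salt. The token is
// minted only for the logged-in caller, never for an email address supplied in the request.
function example_generate_user_token() {
    $payload = get_current_user_id() . ':' . ( time() + 15 * MINUTE_IN_SECONDS );
    $mac     = hash_hmac( 'sha256', $payload, wp_salt( 'auth' ) );
    return rest_ensure_response( array( 'token' => $payload . ':' . $mac ) );
}

// Permission callback: the token must be intact, unexpired and bound to the caller's own ID.
function example_verify_token_for_current_user( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $parts = explode( ':', (string) $request->get_param( 'token' ), 3 );
    if ( count( $parts ) !== 3 ) {
        return new WP_Error( 'rest_forbidden', 'Malformed token.', array( 'status' => 403 ) );
    }
    list( $user_id, $expires, $mac ) = $parts;
    $expected = hash_hmac( 'sha256', $user_id . ':' . $expires, wp_salt( 'auth' ) );
    if ( ! hash_equals( $expected, $mac )               // constant-time MAC check
        || (int) $expires < time()                      // expired
        || (int) $user_id !== get_current_user_id() ) { // token belongs to someone else
        return new WP_Error( 'rest_forbidden', 'Token not valid for this user.', array( 'status' => 403 ) );
    }
    return true;
}
// Handler: identity comes from the authenticated session, not from an email parameter.
function example_get_shipping_cost( WP_REST_Request $request ) {
    $user = wp_get_current_user();
    return rest_ensure_response( array(
        'email'         => $user->user_email,
        'shipping_cost' => 0.0, // placeholder: the real lookup of the user's own order goes here
    ) );
}
```

The check to look for in a review of any similar plugin is the third condition in the permission callback: a token that does not name the caller's own user ID is rejected, so no token issued for a fixed or attacker-chosen address can be replayed against another account.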
Users are advised to deactivate and remove the plugin until a patch for the vulnerability is available.
“We need to make sure that unauthenticated REST API endpoints are not overly tolerated and provide more access to users,” Patchstack said. “We also do not recommend hardcoding sensitive or dynamic information such as email addresses that you use for other cases within your codebase.”