Cal.com has patched a critical authentication bypass (CVE-2025-66489) that allowed attackers to submit any non-empty TOTP field and skip password checks. Versions ≤5.9.7 were impacted.

Update to 5.9.8 to ensure both password and TOTP verification are enforced.
How should MFA implementations be validated to prevent logic gaps like this?

Source: https://gbhackers.com/critical-cal-com-flaw-allows-attackers-to-bypass-authentication-using-fake-totp-codes/

Share your insights and follow us for more security reporting.

#infosec #appsec #CVE2025 #authentication #MFA #ThreatIntel #SecureCoding #SoftwareSecurity #VulnerabilityManagement #SecurityUpdate

NextJS Security Vulnerability

https://nextjs.org/blog/CVE-2025-66478

#HackerNews #NextJS #Security #Vulnerability #NextJS #Security #Vulnerability #Cybersecurity #WebDevelopment #SoftwareSecurity #CVE2025

🛡️ CVE-2025-13646: HIGH severity in wpchill Image Gallery for WordPress (v2.13.1). Authenticated Author+ users can upload dangerous files, risking RCE. Restrict roles, monitor uploads, and patch ASAP. https://radar.offseq.com/threat/cve-2025-13646-cwe-434-unrestricted-upload-of-file-7a8848e4 #OffSeq #WordPress #Vuln #CVE2025 #Cybersecurity

⚠️ CRITICAL: CVE-2025-13658 hits Industrial Video & Control Longwatch v6.309 — remote unauthenticated code execution via HTTP GET grants SYSTEM privileges. No patch yet. Segment, restrict access, monitor traffic. Full advisory: https://radar.offseq.com/threat/cve-2025-13658-cwe-94-improper-control-of-generati-128a847f #OffSeq #OTSecurity #CVE2025

ASUS has patched a high-severity local privilege escalation flaw (CVE-2025-59373) in MyASUS that allowed elevation to NT AUTHORITY/SYSTEM via the System Control Interface Service. Patch now shipped through Windows Update with updated versions for x64 and ARM.

Full details:
https://www.technadu.com/asus-fixes-high-severity-myasus-vulnerability-that-allows-privilege-escalation-to-system-level-access/614620/

#infosec #vulnerability #ASUS #WindowsSecurity #patchmanagement #CVE2025

🚨 CVE-2025-13597 (CRITICAL): soportecibeles AI Feeds ≤1.0.11 for WordPress allows unauthenticated file uploads via 'actualizador_git.php', enabling RCE. Restrict access & monitor file integrity while awaiting patch. Details: https://radar.offseq.com/threat/cve-2025-13597-cwe-434-unrestricted-upload-of-file-188b0f58 #OffSeq #WordPress #CVE2025

Threat actors are actively exploiting CVE-2025-59287 in WSUS to deploy ShadowPad.

ASEC notes the attackers used PowerCat for shell access, then fetched and installed ShadowPad with certutil/curl, executing it through DLL side-loading.

How are you securing WSUS or other update infrastructure in your environment?
💬 Share your insights
⭐ Follow TechNadu for timely threat intel

#infosec #WSUS #ShadowPad #CVE2025 #malware #threatintel #sysadmin #DFIR #TechNadu

🔥 CVE-2025-13551 (HIGH): Buffer overflow in D-Link DIR-822K/DWR-M920 (firmware 1.00_20250513164613, 1.1.50). Remote, unauthenticated RCE possible; public exploit out. Isolate & monitor now! More: https://radar.offseq.com/threat/cve-2025-13551-buffer-overflow-in-d-link-dir-822k-fa75096a #OffSeq #DLink #CVE2025 #RouterSecurity

🚨 CVE-2025-64762 (HIGH): workos authkit-nextjs <2.11.1 fails to set anti-caching headers, risking session token leaks via CDN caches. Upgrade to 2.11.1+ or review CDN cache configs now! https://radar.offseq.com/threat/cve-2025-64762-cwe-524-use-of-cache-containing-sen-e4c820e8 #OffSeq #Nextjs #Security #CVE2025

🚨 CRITICAL: CVE-2025-64310 in EPSON WebConfig for Projectors enables unlimited login attempts, risking brute force admin password attacks. Check vendor for affected versions & mitigation steps. https://radar.offseq.com/threat/cve-2025-64310-improper-restriction-of-excessive-a-919b7551 #OffSeq #CVE2025 #Vuln #InfoSec

🚨 CVE-2025-13035: HIGH severity PHP code injection in Code Snippets plugin (≤3.9.1) for WordPress. Attackers with Contributor+ access & admin action can run arbitrary code. Disable file-based execution & restrict access. Details: https://radar.offseq.com/threat/cve-2025-13035-cwe-94-improper-control-of-generati-5296eda6 #OffSeq #WordPress #CVE2025 #Security

🛡️ CVE-2025-13258: HIGH severity buffer overflow in Tenda AC20 routers (≤16.03.08.12) via /goform/WifiExtraSet. Public exploit out—remotely exploitable, no auth needed. Restrict access, monitor, and patch ASAP. https://radar.offseq.com/threat/cve-2025-13258-buffer-overflow-in-tenda-ac20-f036b48b #OffSeq #CVE2025 #Tenda #BufferOverflow

🔒 CRITICAL: CVE-2025-12866 in Hundred Plus EIP Plus — weak forgot password allows remote reset of any account! All versions vulnerable. Disable recovery, enforce MFA, monitor resets. More info: https://radar.offseq.com/threat/cve-2025-12866-cwe-640-weak-password-recovery-mech-3284230c #OffSeq #CVE2025 #Infosec #Vuln

⚠️ CVE-2025-12865: HIGH severity SQL Injection in e-Excellence U-Office Force allows authenticated attackers to manipulate DB data. No patch yet — validate inputs, use WAFs, restrict DB rights. Details: https://radar.offseq.com/threat/cve-2025-12865-cwe-89-improper-neutralization-of-s-8e7a12b0 #OffSeq #SQLInjection #CVE2025 #InfoSec

🚨 CVE-2025-12158 (CRITICAL): Simple User Capabilities plugin for WordPress lets unauthenticated attackers grant admin rights via missing auth in suc_submit_capabilities(). Disable plugin ASAP. No patch yet! https://radar.offseq.com/threat/cve-2025-12158-cwe-862-missing-authorization-in-ta-2fe2b264 #OffSeq #WordPress #CVE2025 #infosec

⚠️ CVE-2025-12601 (CRITICAL, CVSS 10): Azure Access Tech BLU-IC2/IC4 (≤1.19.5) vulnerable to SlowLoris DoS. No patch—use WAF/IPS, tighten timeouts, monitor for anomalies. Protect critical services! https://radar.offseq.com/threat/cve-2025-12601-cwe-730-denial-of-service-in-azure--b3b372c1 #OffSeq #Azure #DoSVuln #CVE2025

🚨 CRITICAL: CVE-2025-8489 in King Addons for Elementor (WordPress). All versions let unauth attackers create admin accounts due to improper privilege controls (CWE-269). Disable plugin, monitor registrations, and enforce MFA. https://radar.offseq.com/threat/cve-2025-8489-cwe-269-improper-privilege-managemen-b5b3a721 #OffSeq #WordPress #Infosec #CVE2025

🔥 CVE-2025-48983 (CRITICAL, CVSS 10): Veeam Backup & Replication 12.3.2 is vulnerable to authenticated RCE via the Mount service. Patch as soon as available, restrict domain access, and monitor backup hosts! https://radar.offseq.com/threat/cve-2025-48983-vulnerability-in-veeam-backup-and-r-c62835d7 #OffSeq #Veeam #CVE2025 #RCE

🛡️ CRITICAL: CVE-2025-12478 affects Azure Access BLU-IC2 & BLU-IC4 (≤1.19.5) via weak TLS (CWE-326). Exploitable remotely, risking data & service integrity. Harden configs, monitor traffic, and prep for patches. More: https://radar.offseq.com/threat/cve-2025-12478-cwe-326-inadequate-encryption-stren-0796a748 #OffSeq #Azure #CVE2025 #TLS

🚨 CRITICAL: CVE-2025-12423 (CVSS 10) in Azure BLU-IC2 & IC4 (≤1.19.5) allows remote DoS via protocol manipulation (CWE-248). No patch yet—apply filtering, segment networks, and monitor logs. Stay proactive! https://radar.offseq.com/threat/cve-2025-12423-cwe-248-uncaught-exception-in-azure-9b7c3217 #OffSeq #AzureSecurity #CVE2025 #BlueTeam