Cybersecurity and US Infrastructure Agency (CISA) added Two critical security deficiencies that affectShip) A catalog based on evidence of active operation.
The vulnerabilities in question are below –
- Cve-2025-32433 (CVSS assessment: 10.0) – lack of authentication for the vulnerability of a critical function on the Erlang/OTP SS server, which can allow the attacker to perform arbitrary commands without valid credentials, which may lead to the false distance code. (Fixed in April 2025 in versions of OTP-27.3.3, OTP-26.5.11 and OTP-25.3.20)
- Cve-2024-42009 (CVSS assessment: 9.3) – Vulnerability in crossed sites (XSS) in the Webmail RoundCube, which can allow a remote attacker to steal and send the victim’s emails through the e -mail message, taking advantage of the pairing problem in the program/actions/mail/show.php. (Fixed in August 2024 in versions 1.6.8 and 1.5.8)
Currently, there are no details about how two vulnerabilities are used in the wild and who. Last month ESET disclosed The fact that the Russian actor threatens, known as APT28, used several shortcomings XSS in RoundCube, Horde, Mdaemon and Zimbra to focus on state structures and defense companies in Eastern Europe. It is unclear whether the Cve-2024-42009 abuse is related to this activity or something else.
According to the data from the qualification, there is 340 exposed Erlang serversAlthough he notes that not all cases are necessarily sensitive. Public disclosure Cve-2025-32433 was quickly accompanied exemption of several Proof of concept (POC) feats for this.
In light of the active operation of the Federal Civil Executive Agency (FCEB), the necessary fixes should be applied by June 30, 2025 for optimal protection.
Development comes as Patchtack named Unpocated Vulnerability of the Payu CommercePro PayPro PayPro-in-PayPro (CVE-2025-31022, CVS Plague Estimate: 9.8), which allows the attacker to seize control over any site without authentication.
This may have serious consequences if the attacker is able to steal an administrator account, allowing them to capture the site and perform malicious actions. The vulnerability affects the 3.8.5 version before. The plugin is over 5000 active installations.
The problem is related to the feature called “Update_cart_data ()”, which, in turn, is caused by the final point called “/Payu/V1/Get Hering Cost”, which checks when provided an e -mail address, and if yes, processes the order of e -commerce for ordering.
But since the final point checks the valid token related to the hard address of the email (“commerce.pro@payu (.) In”), and there is another api rest to create authentication markers (“/Payu/v1/Greate-User-Tiken”), the attacker can use this behavior Herate (. Request on “/Payu/V1/Extizing Cost” and steal any account.
Users are advised to deactivate and remove the plugin until the patch is available for vulnerability.
“It is necessary to make sure that the unauthorized end points of API Rest will not be too acceptable and provide more access to users,” Patchstack said. “In addition, it is not recommended, sensitive to solid coding or dynamic information, such as email addresses to use it for other cases in the code base.”
