Mar 5, 2025 Cyber Threat Intelligence

Track daily vulnerability activity, KEV additions, public exploits, critical disclosures, and EPSS risk shifts.

Daily summary

  • WordPress plugin RCE/exploit activity: 2 CVEs flagged today.
  • 10 new critical disclosures — review patch status on exposed services.

Top threats today

Three highest-priority changes — analyst brief, not a CVE dump.

Critical exposure

CVE-2024-12799 Insufficiently Protected Credentials vulnerability in OpenText Identity Manager Advanced Edition...

  • CVSS 10
  • Potential privilege escalation to admin/root

New critical disclosure (CVSS 10) — high severity with a short public awareness window before exploit material typically surfaces.

Critical exposure

CVE-2025-25015 Elastic Kibana RCE

  • CVSS 9.9
  • Remote code execution exposure

New critical Elastic Kibana RCE (CVSS 9.9) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Critical exposure

CVE-2025-25632 Tenda AC15 Firmware Command Injection

  • CVSS 9.8

New critical Tenda AC15 Firmware Command Injection (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Active exploitation

CISA KEV — confirmed in-the-wild exploitation.

Nothing flagged in this category for this digest.


Exploit & PoC activity

Nothing flagged in this category for this digest.


Exploitation dynamics

Nothing flagged in this category for this digest.


New critical disclosures

CVE-2023-38693 CVSS 9.8

Lucee Server (or simply Lucee) is a dynamic, Java based, tag and scripting language used for rapid web application development.

CVE-2024-11951 CVSS 9.8

The Homey Login Register plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.0.

CVE-2024-12097 CVSS 9.8

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Boceksoft Informatics E-Travel allo...

CVE-2024-12281 CVSS 9.8

The Homey theme for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.2.

CVE-2024-12799 CVSS 10

Insufficiently Protected Credentials vulnerability in OpenText Identity Manager Advanced Edition on Windows, Linux, 64 bit allows Privile...

CVE-2024-13147 CVSS 9.8

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Merkur Software B2B Login Panel all...

CVE-2025-25015 CVSS 9.9

Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests.

CVE-2025-25362 CVSS 9.8

A Server-Side Template Injection (SSTI) vulnerability in Spacy-LLM v0.7.2 allows attackers to execute arbitrary code via injecting a craf...

CVE-2025-25632 CVSS 9.8

Tenda AC15 v15.03.05.19 is vulnerable to Command Injection via the handler function in /goform/telnet.

CVE-2025-27517 CVSS 9.3

Volt is an elegantly crafted functional API for Livewire.


cvelogic Threat Intelligence