IoT devices infected, malware on Android devices, vulnerabilities for HiveOS and WordPress...
Welcome to this week’s Security News. We’ve collated the best articles from the around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.
Vulnerabilities and Patches
WordPress Plugin Vulnerability Exposes 10,000 Sites to Code Execution Attacks
A critical security flaw in the GiveWP Donation Plugin, tracked as CVE-2025-0912, has exposed over 100,000 WordPress websites to unauthenticated remote code execution (RCE) attacks.
The vulnerability, scoring a maximum CVSS 9.8 (Critical) severity rating, originates from improper handling of user-supplied data in the plugin’s donation form processing logic.
Exploiting this flaw allows attackers to inject malicious PHP objects via deserialization of untrusted input, leveraging a POP (Property-Oriented Programming) chain to achieve full server compromise.
The vulnerability resides in the plugin’s handling of the card_address parameter within donation forms.
Versions up to and including 3.19.4 fail to validate or sanitize serialized data passed through this field, enabling PHP Object Injection (CWE-502).
During donation processing, the give_process_donation_form() function deserializes user input without proper checks, allowing attackers to craft payloads that instantiate arbitrary PHP objects.
A critical factor enabling RCE is the presence of exploitable POP chains in the plugin’s codebase. These chains allow attackers to string together gadget methods such as destructors or wakeup functions to escalate object injection into system command execution, according to the Wordfence report.
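As an added illustration of the CWE-502 pattern described above (not GiveWP’s code, and not the Wordfence proof of concept), the PHP below contrasts a handler that deserializes the card_address field directly with a hardened version that treats the field as plain text and rejects serialized-object markers; the function bodies and the sanitize_text() helper are assumptions.

```php
<?php
// Added example, not the plugin's code. Sketch of the vulnerable pattern:
// the request field goes straight into unserialize(), so a serialized
// object string instantiates whatever class the sender names, and that
// class's __wakeup()/__destruct() gadgets run inside the web server.
function give_process_donation_form_vulnerable(array $post): array {
    $address = unserialize($post['card_address']); // untrusted input -> objects
    return is_array($address) ? $address : ['raw' => $address];
}

// Hardened handling (assumed names). A billing address is text, so there is
// no reason to deserialize it at all. If structured data is needed, JSON with
// assoc=true yields only arrays and scalars and can never instantiate a class.
function looks_like_php_serialized_object(string $s): bool {
    // PHP object serializations start with O:<len>:"<Class>": or C:<len>:"<Class>":
    return (bool) preg_match('/^\s*[OC]:\d+:"/', $s);
}

// Assumed stand-in for WordPress's sanitize_text_field().
function sanitize_text($v): string {
    return trim(strip_tags((string) $v));
}

function process_card_address_hardened(array $post): array {
    $raw = (string) ($post['card_address'] ?? '');
    if (looks_like_php_serialized_object($raw)) {
        // A donation form never legitimately carries a PHP object: log and refuse.
        error_log('Rejected serialized object in card_address');
        return ['error' => 'invalid address'];
    }
    $decoded = json_decode($raw, true);
    if (json_last_error() === JSON_ERROR_NONE && is_array($decoded)) {
        $clean = [];
        foreach ($decoded as $k => $v) {
            if (is_scalar($v)) {               // drop nested structures
                $clean[(string) $k] = sanitize_text($v);
            }
        }
        return $clean;
    }
    return ['line1' => sanitize_text($raw)];   // plain free-text address
}

// Constructed inputs: an ordinary address and a harmless stdClass probe
// that carries the marker the check rejects.
$benign = ['card_address' => '{"line1":"1 Main St","city":"Leeds"}'];
$probe  = ['card_address' => serialize(new stdClass())];
var_dump(process_card_address_hardened($benign));
var_dump(process_card_address_hardened($probe));
```

The same prefix check is a useful WAF or log-review signal for any form field that should never contain serialized PHP.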
HiveOS Vulnerabilities Let Attackers Execute Arbitrary Commands
Security researchers have uncovered three critical vulnerabilities in Extreme Networks’ IQ Engine (HiveOS) that collectively enable authenticated attackers to escalate privileges, decrypt passwords, and execute arbitrary commands on affected systems.
The flaws—tracked as CVE-2025-27229, CVE-2025-27228, and CVE-2025-27227—were disclosed through coordinated efforts led by Lukas Schauer of Bonn-Rhein-Sieg University of Applied Sciences, prompting Extreme Networks to release patched firmware (version 10.7r5).
The most severe vulnerability, CVE-2025-27229, stems from improper sanitization of SSH tunnel configurations in HiveOS versions prior to 10.7r5.
Attackers with authenticated user access could manipulate SSH parameters to inject malicious arguments into the sshd service, bypassing privilege controls to gain root shell access.
This exploit leverages the lack of input validation in the tunnel.c module, where environment variables like PermitRootLogin and AllowTcpForwarding are dynamically configured without sandboxing.
Parallel to this, CVE-2025-27228 exposes a cryptographic weakness in HiveOS’ command-line interface (CLI).
The user-config utility stores passwords using a deterministic encryption algorithm with a static initialization vector (IV), allowing authenticated users to decrypt credentials via CLI commands.
Researchers demonstrated that hashes encrypted with AES-256-CBC could be reversed in under 90 seconds using GPU-accelerated brute-force attacks.
These vulnerabilities create a trifecta of risks for enterprises using unpatched HiveOS deployments. An attacker with low-privilege credentials could:
- Extract administrative passwords via CVE-2025-27228
- Escalate to root using CVE-2025-27229
- Deploy persistent backdoors via CVE-2025-27227
Cyber Attacks
BadBox malware disrupted on 500K infected Android devices
The BadBox Android malware botnet has been disrupted again by removing 24 malicious apps from Google Play and sinkholing communications for half a million infected devices.
The BadBox botnet is a cyber-fraud operation targeting primarily low-cost Android-based devices like TV streaming boxes, tablets, smart TVs, and smartphones.
These devices either come pre-loaded with the BadBox malware from the manufacturer or are infected by malicious apps or firmware downloads.
The malware then turns the devices into residential proxies, generates fake ad impressions on the infected devices, redirects users to low-quality domains as part of fraudulent traffic distribution operations, and uses people’s IPs to create fake accounts and perform credential stuffing attacks.
Last December, German authorities disrupted the malware for infected devices in the country. However, a few days later, BitSight reported that the malware had been found in at least 192,000 devices, showing resilience against law enforcement action.
Since then, it is estimated that the botnet has grown to over 1,000,000 infections, impacting Android devices in 222 countries, with most located in Brazil (37.6%), the United States (18.2%), Mexico (6.3%), and Argentina (5.3%).
New Eleven11bot botnet infects 86,000 devices for DDoS attacks
A new botnet malware named ‘Eleven11bot’ has infected over 86,000 IoT devices, primarily security cameras and network video recorders (NVRs), to conduct DDoS attacks.
The botnet, which is loosely linked to Iran, has already launched distributed denial of service (DDoS) attacks targeting telecommunication service providers and online gaming servers.
Eleven11bot was discovered by Nokia researchers who shared the details with the threat monitoring platform GreyNoise.
Nokia’s security researcher, Jérôme Meyer, commented that Eleven11bot is one of the largest DDoS botnets they have observed in recent years.
“Primarily composed of compromised webcams and Network Video Recorders (NVRs), this botnet has rapidly grown to exceed 30,000 devices,” stated Meyer on LinkedIn.
“Its size is exceptional among non-state actor botnets, making it one of the largest known DDoS botnet campaigns observed since the invasion of Ukraine in February 2022.”
Earlier today, threat monitoring platform The Shadowserver Foundation reported seeing 86,400 devices infected by the Eleven11bot botnet, with most in the United States, the United Kingdom, Mexico, Canada, and Australia.
BigAnt Server 0-day Vulnerability Let Attackers Execute Malicious Code Via File Uploads
A critical zero-day vulnerability in BigAntSoft’s BigAnt Server (CVE-2025-0364) allows unauthenticated attackers to execute arbitrary code on affected systems through a chain of SaaS registration abuses and PHP file uploads.
The flaw, discovered by VulnCheck researchers during an analysis of a misrated CVSS score for CVE-2024-54761, impacts all versions ≤5.6.06 of the Windows-based enterprise chat platform.
The exploit chain begins with a default-enabled SaaS registration portal at /index.php/Home/Saas/reg_email.html, which permits organizational account creation after solving a basic CAPTCHA challenge.
Attackers leverage this to create administrative accounts tied to attacker-controlled SaaS organizations.
The registration process exposes critical session variables through debug endpoints like /index.php/Addin/login/index.html, enabling UUID extraction for SaaS activation.
Post-registration, attackers manipulate session cookies to hijack the SaaS context. This forces the server to bind the session to the malicious SaaS organization, allowing access to the Cloud Drive Add-in.
The system improperly validates file uploads in the Add-in module, accepting PHP files without authentication checks.
In Other News...
New Microsoft 365 outage impacts Teams, causes call failures
Microsoft is investigating a new Microsoft 365 outage that is affecting Teams customers and causing call failures.
Since the incident started more than one hour ago, outage monitoring service Downdetector has received hundreds of reports, with affected users saying they’re also experiencing authentication problems.
“Users may not be able to receive calls placed through Microsoft Teams-provisioned auto attendants and call queues,” the company said in a new service alert (TM1022107) in the Microsoft 365 admin center.
“We’re analyzing service telemetry and call metadata to better understand the nature of impact and determine our next steps.”
Microsoft has yet to share what regions are impacted by this ongoing outage and more information on the incident’s root cause.
Despite Redmond saying the incident only affects the Teams communication platform, users report a much broader impact. They’re also experiencing issues connecting to Outlook, OneDrive, and Exchange or checking email messages.