

Ethical Hacking News

A Critical Examination of the Exploitation of Sneeit WordPress RCE Vulnerability and the ICTBroadcast Flaw Fuels Frost Botnet Attacks



A critical Sneeit WordPress RCE vulnerability has been actively exploited in the wild, while a critical ICTBroadcast bug has fueled Frost Botnet attacks. The exploitation of these vulnerabilities underscores the importance of vigilance and proactive measures in maintaining cybersecurity.

  • The Sneeit WordPress RCE vulnerability (CVE-2025-6389) has a high CVSS score of 9.8 and affects all versions of the Sneeit Framework plugin up to and including 8.3.
  • The vulnerability allows attackers to execute code on the server, potentially injecting backdoors or creating new administrative user accounts.
  • Wordfence blocked over 131,000 attempts targeting this flaw, with 15,381 attacks recorded in the past 24 hours alone.
  • The ICTBroadcast bug (CVE-2025-2611) has also been exploited in attacks attributed to the Frost Botnet; attempts observed against honeypot systems downloaded a shell script stager.
  • The Frost Botnet is considered a relatively small player compared to other DDoS botnets, though its full capabilities are not immediately visible.



The cybersecurity landscape continues to be a dynamic and rapidly evolving entity, with new vulnerabilities and exploits emerging on a daily basis. In this latest development, we find ourselves at the mercy of two critical security flaws that have been actively exploited in the wild, leaving countless websites and applications vulnerable to malicious attacks.

Firstly, let us delve into the Sneeit WordPress RCE vulnerability (CVE-2025-6389), which has garnered significant attention due to its high CVSS score of 9.8. This remote code execution vulnerability affects all versions of the Sneeit Framework plugin up to and including 8.3 and has been patched in version 8.4, released on August 5, 2025. Despite this patch, the plugin still has over 1,700 active installations, leaving a significant number of users exposed to potential attacks.

According to Wordfence, the Sneeit Articles pagination callback function accepts user input and passes it through call_user_func(), which lets unauthenticated attackers execute code on the server. This can be leveraged to inject backdoors or create new administrative user accounts, allowing attackers to seize control of sites and inject code that redirects visitors to scam sites, malware, or spam.
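To make the bug class concrete, here is an added illustration (not the Sneeit Framework's own code) of the pattern Wordfence describes, next to a hardened form. Every function and parameter name below is hypothetical; the only thing taken from the write-up is that a client-supplied value reaches call_user_func().

```php
<?php
// Added illustration (not the Sneeit Framework's own code): a pagination
// callback that dispatches on a client-supplied function name, beside an
// allowlisted version. All names here are hypothetical.

// ---- Unsafe: the client chooses which function gets called ------------
function unsafe_pagination_callback(array $request): string
{
    $fn   = $request['callback'] ?? 'render_page';
    $args = $request['args'] ?? [];
    // call_user_func() with a client-controlled name lets any request invoke
    // any function visible to the PHP process; this is the RCE primitive.
    return (string) call_user_func($fn, $args);
}

// ---- Hardened: fixed keys map to the only renderers we intend to expose --
const PAGINATION_RENDERERS = [
    'page' => 'render_page',
    'grid' => 'render_grid',
];

function render_page(array $args): string
{
    return 'page:' . max(1, (int) ($args['n'] ?? 1));
}

function render_grid(array $args): string
{
    return 'grid:' . max(1, (int) ($args['n'] ?? 1));
}

function safe_pagination_callback(array $request): string
{
    $key = (string) ($request['callback'] ?? 'page');
    if (!array_key_exists($key, PAGINATION_RENDERERS)) {
        // Unknown key: fail closed instead of falling through to a dynamic call.
        http_response_code(400);
        return 'unknown renderer';
    }
    // Arguments are validated inside each renderer; only the shape is checked here.
    $args = is_array($request['args'] ?? null) ? $request['args'] : [];
    $renderer = PAGINATION_RENDERERS[$key];
    return $renderer($args);
}

// Demo on constructed input (not a real observed request):
$benign  = ['callback' => 'page', 'args' => ['n' => 3]];
$hostile = ['callback' => 'phpinfo', 'args' => []];

echo safe_pagination_callback($benign), "\n";   // page:3
echo safe_pagination_callback($hostile), "\n";  // unknown renderer (HTTP 400)
```

In a real plugin the callback is typically registered with add_action('wp_ajax_nopriv_…'), which is what makes it reachable without a session; the allowlist above removes the dynamic call, and a capability check (current_user_can()) plus a nonce check (check_ajax_referer()) should guard any action that is not meant to be public.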

The exploitation of this vulnerability commenced on November 24, 2025, with Wordfence blocking over 131,000 attempts targeting the flaw. Out of these, 15,381 attack attempts were recorded over the past 24 hours alone. The malicious HTTP requests sent by attackers are designed to create a malicious admin user account and upload a malicious PHP file called "tijtewmg.php" that likely grants backdoor access.

The attacks originated from several IP addresses, including 185.125.50[.]59, 182.8.226[.]51, 89.187.175[.]80, 194.104.147[.]192, 196.251.100[.]39, 114.10.116[.]226, and 116.234.108[.]143.

Furthermore, Wordfence also observed malicious PHP files with capabilities to scan directories, read, edit, or delete files and their permissions, and extract ZIP files. These PHP files go by the names "xL.php," "Canonical.php," ".a.php," and "simple.php." The Wordfence researchers noted that one of these PHP files, called "up_sf.php," downloads an ".htaccess" file from an external server ("racoonlab[.]top") onto the compromised host.
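For site owners who want to check their own logs against the indicators above, the following is an added example (not from Wordfence or the article) that triages a combined-format web access log. The source IPs and file names are the ones listed in the report; the log lines at the bottom are constructed, and the rule about PHP under wp-content/uploads is a general hardening assumption, not something the report states about where the dropped files landed.

```php
<?php
// Added example, not from Wordfence or the article: triage an Apache/nginx
// "combined" access log for the indicators the report names. Requires PHP 8.

// Source IPs and dropped file names from the report (brackets removed).
const IOC_IPS = [
    '185.125.50.59', '182.8.226.51', '89.187.175.80', '194.104.147.192',
    '196.251.100.39', '114.10.116.226', '116.234.108.143',
];
const IOC_FILES = [
    'tijtewmg.php', 'xL.php', 'Canonical.php', '.a.php', 'simple.php', 'up_sf.php',
];

// Parse one combined-format line into request fields, or null if it does not match.
function parse_combined(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => $m[4], 'status' => (int) $m[5]];
}

// Reasons a parsed request deserves a second look (empty array = nothing found).
function suspicious_reasons(array $r): array
{
    $reasons = [];
    if (in_array($r['ip'], IOC_IPS, true)) {
        $reasons[] = 'source IP listed in report';
    }
    $p    = parse_url($r['path'], PHP_URL_PATH);
    $path = is_string($p) ? $p : $r['path'];
    $base = basename($path);
    if (in_array($base, IOC_FILES, true)) {
        $reasons[] = "request for dropped file $base";
    }
    // Assumption (not stated in the report): PHP should never execute from
    // wp-content/uploads, so a non-error hit on a .php there is a generic signal.
    if ($r['status'] < 400
        && str_starts_with($path, '/wp-content/uploads/')
        && str_ends_with($base, '.php')) {
        $reasons[] = 'PHP served from uploads directory';
    }
    return $reasons;
}

function triage(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        $r = parse_combined($line);
        if ($r === null) {
            continue;           // unparseable line: skip, do not crash the sweep
        }
        $why = suspicious_reasons($r);
        if ($why) {
            $hits[] = ['line' => $i + 1, 'ip' => $r['ip'], 'path' => $r['path'], 'reasons' => $why];
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic; 203.0.113.0/24 is a documentation range):
$sample = [
    '203.0.113.7 - - [25/Nov/2025:10:00:01 +0000] "GET /?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '185.125.50.59 - - [25/Nov/2025:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 41 "-" "curl/8.0"',
    '203.0.113.9 - - [25/Nov/2025:10:00:03 +0000] "GET /wp-content/uploads/2025/11/tijtewmg.php?c=1 HTTP/1.1" 200 12 "-" "python-requests/2.31"',
    'garbage line that should be skipped',
];

foreach (triage($sample) as $h) {
    printf("line %d  %-16s %-45s %s\n", $h['line'], $h['ip'], $h['path'], implode('; ', $h['reasons']));
}
```

Run it against a real log with `php triage.php < /dev/null` after replacing `$sample` with `file('/var/log/apache2/access.log')`; a hit on the second rule (a dropped file name) or the third (PHP under uploads) is worth treating as a confirmed compromise rather than a scan, since both mean a request reached a file that should not exist.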

In a separate development, the ICTBroadcast bug (CVE-2025-2611) has also been exploited in attacks attributed to the Frost Botnet. Exploitation attempts observed against honeypot systems download a shell script stager, which in turn fetches multiple architecture-specific builds of a binary called "frost." Each downloaded build is executed, after which the payloads and the stager itself are deleted to cover traces of the activity.

The "frost" binary combines DDoS tooling with spreader logic that includes fourteen exploits for fifteen CVEs. Notably, it checks the target first and only proceeds with exploitation when it sees the specific indicators it expects. The attacks are launched from the IP address 87.121.84[.]52.

While numerous vulnerabilities have been exploited in recent times, the evidence suggests that this particular ICTBroadcast activity may be a targeted operation: fewer than 10,000 internet-exposed systems are susceptible to the CVEs involved.

The Frost Botnet is considered a relatively small player compared to other DDoS botnets, though its full capabilities are not immediately visible. It is clear, however, that the operator behind this activity has additional capabilities not yet observable here.

In conclusion, this latest report serves as a stark reminder of the importance of vigilance and proactive measures in maintaining cybersecurity. The exploitation of these two critical vulnerabilities underscores the need for constant monitoring and swift action to address emerging threats.

As the threat landscape continues to evolve at an unprecedented rate, it is crucial that users remain vigilant and adapt their security strategies accordingly.



Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Critical-Examination-of-the-Exploitation-of-Sneeit-WordPress-RCE-Vulnerability-and-the-ICTBroadcast-Flaw-Fuels-Frost-Botnet-Attacks-ehn.shtml
  • https://thehackernews.com/2025/12/sneeit-wordpress-rce-exploited-in-wild.html
  • https://nvd.nist.gov/vuln/detail/CVE-2025-6389
  • https://www.cvedetails.com/cve/CVE-2025-6389/
  • https://nvd.nist.gov/vuln/detail/CVE-2025-2611
  • https://www.cvedetails.com/cve/CVE-2025-2611/


Published: Mon Dec 8 04:02:47 2025 by llama3.2 3B Q4_K_M












