Critical Cyber Vulnerabilities Exposed: Act Now!


Welcome to today’s cybersecurity roundup, where we cover a selection of critical vulnerabilities and noteworthy cyber incidents making waves in the industry. Grab a cuppa as we delve into the latest findings and important patches that could save you a headache later.

CVE-2025-4496: TOTOLINK CloudACMunualUpdate Buffer Overflow

A critical vulnerability has been discovered in several TOTOLINK devices (including models T10, A3100R, A950RG, A800R, N600R, A3000RU and A810R) running firmware version 4.1.8cu.5241_B20210927. This issue affects the CloudACMunualUpdate function via the /cgi-bin/cstecgi.cgi script. By manipulating the FileName parameter, an attacker can trigger a buffer overflow, potentially paving the way for remote exploits. With a severity rating of 8.8, organisations should be on high alert and update their devices without delay.

CVE-2025-47269: Code-server Proxy Pathway Token Exfiltration

In another alarming development, a vulnerability was found in code-server (the service that powers VS Code on virtually any machine via a browser), affecting versions prior to 4.99.4. A cleverly crafted URL using the proxy subpath can trick the system into proxying requests to an attacker-controlled domain, thereby exposing the session token. With a high severity score of 8.3, patching to version 4.99.4 is essential to secure access and avoid potentially disastrous consequences.

Multiple Vulnerabilities in SourceCodester Client Database Management System 1.0

The SourceCodester Client Database Management System is currently in the spotlight with several critical vulnerabilities. These include:

  • CVE-2025-46191: An arbitrary file upload vulnerability in user_payment_update.php (severity 9.8) allows unauthenticated users to upload executable PHP files, leading to remote code execution.
  • CVE-2025-46190: A SQL injection flaw in user_delivery_update.php, enabling malicious SQL commands through the order_id POST parameter (severity 9.8).
  • CVE-2025-46192: Similar SQL injection vulnerability in user_payment_update.php, again through the order_id POST parameter (severity 9.8).
  • CVE-2025-46189: Another SQL injection vector in user_order_customer_update.php via the order_id POST parameter (severity 9.8).
  • CVE-2025-46188: A final SQL injection risk found in superadmin_phpmyadmin.php (severity 9.8).

With multiple vulnerabilities scoring critically high, security-minded developers and administrators need to act swiftly to mitigate any risks posed by these flaws.
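The two defect classes in that list, SQL injection through a POST parameter and an unrestricted file upload, are among the most common findings in small PHP applications, so the following added example shows each unsafe pattern next to a hardened version. This is illustrative code written for this post, not SourceCodester's code; the `orders` table, its column names, the `$pdo` connection and the storage directories are assumptions.

```php
<?php
// Added example (not SourceCodester's code): the two defect classes from the
// roundup, each shown as an unsafe pattern next to a hardened version.
// Table/column names, $pdo and the directory paths are assumptions.

// --- 1. SQL injection via the order_id POST parameter ---

// Unsafe: the request value is concatenated straight into the query string,
// so a value such as "1 OR 1=1" is interpreted by the database as SQL.
function updateDeliveryUnsafe(PDO $pdo, array $post): void
{
    $sql = "UPDATE orders SET delivery_status = 'shipped' WHERE order_id = " . $post['order_id'];
    $pdo->exec($sql);
}

// Hardened: validate the expected type first, then bind the value as a
// parameter so it can only ever be data, never part of the statement.
function updateDeliverySafe(PDO $pdo, array $post): int
{
    $orderId = filter_var($post['order_id'] ?? null, FILTER_VALIDATE_INT);
    if ($orderId === false || $orderId < 1) {
        throw new InvalidArgumentException('order_id must be a positive integer');
    }
    $stmt = $pdo->prepare('UPDATE orders SET delivery_status = :status WHERE order_id = :id');
    $stmt->execute([':status' => 'shipped', ':id' => $orderId]);
    return $stmt->rowCount(); // number of rows actually updated
}

// --- 2. Arbitrary file upload (the user_payment_update.php class of bug) ---

// Unsafe: the client-supplied name decides both where the file lands and
// what extension it keeps, so "receipt.php" becomes a web-reachable script.
function storeReceiptUnsafe(array $file, string $uploadDir): string
{
    $dest = $uploadDir . '/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// Hardened: check the upload succeeded, cap the size, allow-list the content
// by inspecting the bytes (not the client's extension or MIME claim),
// generate the stored name ourselves, and keep the file outside the document
// root so nothing the web server can execute is ever created.
function storeReceiptSafe(array $file, string $privateDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('file too large');
    }
    // Assumed policy: receipts may only be PNG, JPEG or PDF.
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('unsupported file type');
    }
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($privateDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the app, never executable
    return $name; // record this name in the database; serve via a download handler
}
```

The returned name from `storeReceiptSafe` is meant to be stored against the order and served back through a controlled download endpoint rather than by a direct URL, because content sniffing alone does not stop a valid image with script embedded in its metadata from being executed if it ever lands in a directory the web server treats as PHP.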

CVE-2025-29509: Jan Electron Remote Code Execution

The Jan communication app, versions v0.5.14 and earlier, faces a severe security threat: a remote code execution (RCE) vulnerability is triggered when a user clicks a rendered link. Faulty handling of external URLs within the app exposes electronAPI, giving attackers an opening. The vulnerability carries a critical severity of 9.8, and users are advised to update to a patched version promptly.

Other Critical Vulnerabilities: Tenda and Victure

Devices from Tenda and Victure have also come under scrutiny:

  • CVE-2025-45513: A stack overflow vulnerability in the Tenda FH451 router (severity 9.8) relating to the P2pListFilter function.
  • CVE-2025-28203: A command injection vulnerability in the Victure RX1800 (severity 9.8) that could allow remote execution of arbitrary commands.
  • CVE-2025-28202: An authentication bypass in the Victure RX1800 permitting attackers to enable SSH and Telnet without proper authorisation (severity 9.8).

Recent Cyber Attacks and Evolving Threats

Beyond vulnerability announcements, several cyber incidents have been making headlines:

  • Co-op Cyber Attack: Islanders on Islay have experienced empty shelves following disruptions from a supermarket hack – a stark reminder that cyber threats can quickly impact daily life.
  • UK Ransomware Concerns: Experts are warning that ransomware techniques are rapidly evolving, prompting calls for the government to bolster cyber resilience across sectors.
  • South African Airways Incident: A brief cyberattack affected SAA’s website and app. While core flight operations were unaffected, the episode is a wake-up call for enhanced cyber defenses.
  • DragonForce Social Engineering: UK IT help desks have been targeted by sophisticated social engineering attacks, a tactic once seen in high-profile breaches at Co-op and Marks & Spencer.
  • Malvertising and Chinese Espionage: Cybercriminals are using Facebook ads to deploy multi-stage malware, and Chinese threat actors have been linked to attacks on SAP NetWeaver servers – both of which highlight the complex challenges facing modern cybersecurity.

Industry Developments

In more optimistic news, Resecurity has unveiled Resecurity One, a next-generation cybersecurity platform combining digital risk management, endpoint protection, and more, aimed at providing comprehensive defence against evolving threats. This development offers a promising glimpse into the future of holistic cyber protection.

Keeping track of and mitigating these vulnerabilities can feel like a full-time job, but that’s why businesses seek specialised support. Here at Synergos Consultancy, based in Huddersfield, we’re committed to helping organisations navigate these complex compliance landscapes, from ISO certifications to robust cybersecurity standards. Staying ahead in cybersecurity is not just about patching vulnerabilities—it’s about building resilient processes and smart risk management strategies.

Another day in the cyber world reminds us that while the threats evolve, so too does our ability to combat them. Stay updated, keep your systems patched, and take cybersecurity one proactive step at a time!


Adam Cooke
As the Operations and Compliance Manager, Adam oversees all aspects of the business, ensuring operational efficiency and regulatory compliance. Committed to high standards, he ensures everyone is heard and supported. With a strong background in the railway industry, Adam values rigorous standards and safety. Outside of work, he enjoys dog walking, gardening, and exploring new places and cuisines.