The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two critical security flaws impacting Erlang/Open Telecom Platform (OTP) SSH and Roundcube to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerabilities in question are listed below –
- CVE-2025-32433 (CVSS score: 10.0) – A missing authentication for a critical function vulnerability in the Erlang/OTP SSH server that could allow an attacker to execute arbitrary commands without valid credentials, potentially leading to unauthenticated remote code execution. (Fixed in April 2025 in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20)
- CVE-2024-42009 (CVSS score: 9.3) – A cross-site scripting (XSS) vulnerability in RoundCube Webmail that could allow a remote attacker to steal and send emails of a victim via a crafted email message by taking advantage of a desanitization issue in program/actions/mail/show.php. (Fixed in August 2024 in versions 1.6.8 and 1.5.8)
There are currently no details on how the two vulnerabilities are exploited in the wild, and by whom. Last month, ESET revealed that the Russia-linked threat actor known as APT28 exploited several XSS flaws in Roundcube, Horde, MDaemon, and Zimbra to target governmental entities and defense companies in Eastern Europe. It’s not clear if the abuse of CVE-2024-42009 is related to this activity or something else.
According to data from Censys, there are 340 exposed Erlang servers, although it bears noting that not all instances are necessarily susceptible to the flaw. The public disclosure of CVE-2025-32433 has been quickly followed by the release of several proof-of-concept (PoC) exploits for it.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by June 30, 2025, for optimal protection.
The development comes as Patchstack flagged an unpatched account takeover vulnerability in the PayU CommercePro plugin for WordPress (CVE-2025-31022, CVSS score: 9.8) that enables an attacker to seize control of any user of a site without any authentication.
This can have serious consequences when the attacker is able to hijack an administrator account, permitting them to take over the site and perform malicious actions. The vulnerability affects versions 3.8.5 and before. The plugin has over 5,000 active installations.
The problem has to do with a function called “update_cart_data(),” which, in turn, is invoked from an endpoint named “/payu/v1/get-shipping-cost” that checks if a provided email address exists, and if so, processes the e-commerce order for checkout.
But because the endpoint checks for a valid token linked to a hard-coded email address (“commerce.pro@payu[.]in”) and there exists another REST API to generate an authentication token for a given email (“/payu/v1/generate-user-token”), an attacker could exploit this behavior to obtain the token corresponding to “commerce.pro@payu[.]in” and send a request to “/payu/v1/get-shipping-cost” and hijack any account.
Users are advised to deactivate and delete the plugin until a patch for the vulnerability is made available.
“It is necessary to ensure that the unauthenticated REST API endpoints are not overly permissive and provide more access to the users,” Patchstack said. “Also, hard-coding sensitive or dynamic information such as email addresses to use it for other cases inside the codebase is not recommended.”
