Skip to main content
CVE-2025-66848 CRITICAL Act Now

Remote command execution in JD Cloud NAS-series routers (AX1800, AX3000, AX6600, BE6500, ER1 and ER2 firmware) allows unauthenticated network attackers to inject and run arbitrary OS commands on the device. The flaw is rated CVSS 9.8 with an unauthenticated network vector, and while no public exploit has been identified, its EPSS of 1.01% (59th percentile) reflects moderate near-term exploitation likelihood. Successful abuse yields full control of the router, making it a pivot point into the internal network.

Code Injection RCE Ax1800 Firmware Ax3000 Firmware Ax6600 Firmware +3
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2025-52835 CRITICAL Act Now

CSRF vulnerability in WING WordPress Migrator plugin through version 1.2.0 permits unauthenticated attackers to upload web shells to affected WordPress sites by tricking site administrators into visiting a malicious webpage. The vulnerability exploits missing nonce verification in file upload functionality, enabling arbitrary code execution with web server privileges. No public exploit code or active exploitation confirmed at time of analysis.

WordPress CSRF
NVD
CVSS 3.1
9.6
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy