What is CVE-2025-10035? A new critical vulnerability, CVE-2025-10035, has been disclosed in Fortra’s GoAnywhere MFT, a widely used managed file transfer solution. The flaw lies in the License Servlet and allows unauthenticated attackers to achieve remote code execution (RCE) through crafted license responses. The vendor has rated this vulnerability as Critical (CVSS 10.0) due to... The post CVE-2025-10035 Critical Remote Code Execution in Fortra GoAnywhere MFT appeared first on IONIX.| IONIX
IONIX uncovers blind spots of AI risk - experimental AI projects are being deployed without governance, bypassing the usual security reviews. These assets often remain connected to critical infrastructure, meaning what starts as a “temporary” experiment can quickly escalate into a major breach risk.| IONIX
Overview The IONIX research team is tracking CVE-2025-42944, an insecure deserialization vulnerability affecting SAP NetWeaver AS Java’s RMI-P4 module—a critical issue warranting immediate attention. What’s at Risk? Context & Why It Matters Current State of Exploitation IONIX Recommendations Who Might Be Affected? Final Take CVE-2025-42944 is a textbook example of how insecure deserialization can escalate... The post CVE-2025-42944 — Insecure Deserialization in SAP NetWeaver appeared ...| IONIX
Summary A critical Server-Side Request Forgery (SSRF) vulnerability—CVE-2025-8085—has been discovered in the popular WordPress plugin “Ditty (News Ticker & Display Items)” for versions prior to 3.1.58. The issue resides in the displayItems REST API endpoint (wp-json/dittyeditor/v1/displayItems), which lacks authentication and authorization, allowing unauthenticated attackers to force the server to fetch arbitrary URLs—internal or external—via crafted... The post Unauthenticated SS...| IONIX
In today’s digital landscape, web application security is more critical than ever. Most organizations rely on Cloud-Based Security Providers offering integrated Web Application Firewalls (WAFs) and Content Delivery Networks (CDNs), for shielding their assets from direct exposure and attacks such as SQL injection, XSS, and DDoS. One of the most insidious threats is the origin... The post No More Blind Spots: Detecting WAF / CDN Control Bypass in IONIX Exposure Management appeared first on IO...| IONIX
Validating external reachability is not just a good practice, it is the bedrock of exposure management. Without proving what is actually reachable, you cannot know your true attack surface or prioritize what needs to be fixed first.| IONIX
Overview A new critical vulnerability has been identified in FreePBX, the widely adopted open-source, web-based graphical user interface for managing Asterisk PBX systems. Tracked as CVE-2025-57819, this flaw affects FreePBX versions 15, 16, and 17 and enables unauthenticated attackers to bypass administrator login controls. Once inside, threat actors can perform SQL Injection attacks that lead... The post FreePBX Authentication Bypass Leading to SQL Injection and RCE (CVE-2025-57819) appeare...| IONIX
zero-day vulnerability, CVE-2025-7775, has been disclosed in Citrix NetScaler ADC and Gateway appliances. This flaw is classified as a memory overflow vulnerability| IONIX
A critical remote code execution vulnerability, CVE-2025-54309, has been disclosed in CrushFTP, a popular managed file transfer (MFT) solution. This flaw allows unauthenticated remote attackers to gain full administrative access to vulnerable systems over HTTPS – without triggering authentication controls.| IONIX
