Sneeit WordPress RCE Exploited in Active Attacks
Summary
A critical remote code execution (RCE) vulnerability (CVE-2025-6389) in the Sneeit Framework plugin for WordPress is being actively exploited in the wild. The flaw, affecting versions up to 8.3, allows unauthenticated attackers to execute arbitrary PHP functions, including creating malicious administrator accounts and injecting backdoors. Exploitation began on November 24, 2025, with over 131,000 attack attempts blocked by Wordfence. Additionally, a critical flaw in ICTBroadcast (CVE-2025-2611) is being exploited to deliver the Frost DDoS botnet. The botnet uses multiple exploits to spread and conduct targeted DDoS attacks, with evidence pointing to a small, targeted operation.
Timeline
- 08.12.2025 11:15: Sneeit WordPress RCE Exploited in Active Attacks
  Source: Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks — thehackernews.com — 08.12.2025 11:15
Information Snippets
- The Sneeit Framework plugin vulnerability (CVE-2025-6389) affects versions up to and including 8.3 and has a CVSS score of 9.8.
- The vulnerability is due to the sneeit_articles_pagination_callback() function accepting user input and passing it through call_user_func().
- Attackers can execute arbitrary PHP functions, such as wp_insert_user(), to create malicious administrator accounts.
- Exploitation began on November 24, 2025, with over 131,000 attack attempts blocked by Wordfence.
- Attackers have used IP addresses 185.125.50[.]59, 182.8.226[.]51, 89.187.175[.]80, 194.104.147[.]192, 196.251.100[.]39, 114.10.116[.]226, and 116.234.108[.]143.
- Malicious PHP files such as 'xL.php', 'Canonical.php', '.a.php', and 'simple.php' have been observed, capable of scanning directories and reading, editing, or deleting files.
- The 'xL.php' shell is downloaded by 'up_sf.php', and an '.htaccess' file from 'racoonlab[.]top' is used to grant access to files on Apache servers.
- The ICTBroadcast flaw (CVE-2025-2611) has a CVSS score of 9.3 and is being exploited to deliver the Frost DDoS botnet.
- The Frost binary combines DDoS tooling with spreader logic that includes fourteen exploits for fifteen CVEs.
- The Frost binary checks targets for specific indicators before proceeding with exploitation.
- Attacks are launched from the IP address 87.121.84[.]52.
- The operation is small and targeted, with fewer than 10,000 internet-exposed systems susceptible to the exploits.
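
A triage check for site owners built from the Sneeit indicators listed above, added here as an example and not taken from the cited article or from Wordfence: it reads the plugin's header version, compares it with the affected range (up to and including 8.3), and lists files whose names match those reported, noting whether an '.htaccess' sits beside each. The path to the plugin's main file is supplied by the caller because the page does not give it, and a file-name match is a lead to review rather than proof of compromise.

```python
import os
import re

# File names this page reports on compromised sites (names only, so hits are leads).
IOC_NAMES = {"xL.php", "Canonical.php", ".a.php", "simple.php", "up_sf.php"}
LAST_AFFECTED = (8, 3)  # page: versions up to and including 8.3 are affected

def parse_version(header_text):
    """Read 'Version:' from a WordPress plugin header comment; None if absent."""
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*(\d+(?:\.\d+)*)", header_text, re.M | re.I)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_affected(version):
    """True for versions <= 8.3; an unreadable version is treated as affected."""
    if version is None:
        return True
    width = max(len(version), len(LAST_AFFECTED))
    pad = lambda v: v + (0,) * (width - len(v))  # so 8.3 and 8.3.0 compare equal
    return pad(version) <= pad(LAST_AFFECTED)

def find_ioc_files(wp_root):
    """Return sorted (relative_path, htaccess_in_same_dir) pairs for name matches."""
    hits = []
    for dirpath, _dirs, files in os.walk(wp_root):
        for name in files:
            if name in IOC_NAMES:
                rel = os.path.relpath(os.path.join(dirpath, name), wp_root)
                hits.append((rel, ".htaccess" in files))
    return sorted(hits)

def triage(wp_root, plugin_main_file):
    """plugin_main_file: caller-supplied path to the plugin's main PHP file (assumption)."""
    try:
        with open(plugin_main_file, encoding="utf-8", errors="replace") as fh:
            version = parse_version(fh.read(8192))  # header sits at the top of the file
    except OSError:
        version = None
    return {"version": version, "affected": is_affected(version),
            "ioc_files": find_ioc_files(wp_root)}

if __name__ == "__main__":  # constructed demo tree, not real site data
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        main = os.path.join(root, "plugin.php")
        with open(main, "w") as fh: fh.write("<?php\n/*\n * Version: 8.3\n */\n")
        open(os.path.join(root, "xL.php"), "w").close()
        print(triage(root, main))
```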