Blog

Overview
The Kiwire Captive Portal, provided by SynchroWeb, is an internet access gateway intended for providing guests internet access where many users will want to connect. Three vulnerabilities were discovered within the product, including SQL injection, open redirection, and cross site scripting (XSS), allowing an attacker multiple vectors to compromise the device. All three of the vulnerabilities have been addressed by the vendor. Customers using the Kiwire Captive Portal are recommended to update to the latest version of the product to remediate the vulnerabilities.
Description
The Kiwire Captive Portal is a guest wifi solution that provides users with internet access through a login system. The product is used in various different capacities across different enterprises, including hotels, office systems, and other companies. Three vulnerabilities have been discovered within the product that allow an attacker to compromise the Kiwire Captive Portal database, redirect users to a malicious website, and trigger JavaScript upon visiting the captive portal with the malicious payload appended in the URL.
The following is a list of the CVE assignments and their respective vulnerability details:
CVE-2025-11188
The Kiwire Captive Portal contains a blind SQL injection in the nas-id parameter, allowing for SQL commands to be issued and to compromise the corresponding database.
CVE-2025-11190
The Kiwire Captive Portal contains an open redirection issue via the login-url parameter, allowing an attacker to redirect users to an attacker-controlled website.
CVE-2025-11189
The Kiwire Captive Portal contains a reflected cross-site scripting (XSS) vulnerability within the login-url parameter, allowing for JavaScript execution.
Impact
The vulnerabilities allow an attacker to exfiltrate sensitive data from the Kiwire Captive Portal database (CVE-2025-11188), redirect a user attempting to login to the captive portal to a malicious website (CVE-2025-11190), and execute JavaScript on the device that is attempting to login to the captive portal (CVE-2025-11189). It should be noted that in regards to CVE-2025-11189 and CVE-2025-11190, the domain is automatically trusted on most devices, due to it being a local address that users must access prior to being granted internet access.
Solution
A security advisory is available on the Kiwire website: https://www.synchroweb.com/release-notes/kiwire/security
SynchroWeb will be contacting individuals who use affected version to assist in their patching process.
Acknowledgements
Thanks to the reporters, Joshua Chan (josh.chan@lrqa.com) and Ari Apridana (ari.apridana@lrqa.com) of LRQA. This document was written by Christopher Cullen.

Overview
A remote code execution (RCE) vulnerability was discovered through the EasyVPN and LAN web administration interface of Vigor routers by Drayteck. A script in the LAN web administration interface uses an unitialized variable, allowing an attacker to inject arbitrary commands through memory corruption with specially crafted HTTP requests.
Description
Vigor routers are business-grade routers, designed for small to medium-sized businesses, made by Draytek. These routers provide routing, firewall, VPN, content-filtering, bandwidth management, LAN (local area network), and multi-WAN (wide area network) features. Draytek uses proprietary firmware, DrayOS, on the Vigor router line. The DrayOS features EasyVPN and LAN Web Administrator facilitate easy setup for administrators. EasyVPN simplifies the setup of secure VPN connections. LAN Web Administrator provides a browser-based user interface for router management.
When a user interacts with the LAN Web Administration interface, the user interface elements trigger actions that generate HTTP requests to interact with the local server. This process contains an uninitialized variable. Due to the uninitialized variable, an unauthenticated attacker could perform memory corruption on the router via specially crafted HTTP requests to hijack execution or inject malicious payloads.
If EasyVPN is enabled, the flaw could be remotely exploited through the VPN interface.
Impact
A remote, unathenticated attacker can exploit this vulnerability through accessing the LAN interface – or potentially the WAN interface- if EasyVPN is enabled or remote administration over the internet is activated. If a remote, unauthenticated attacker leverages this vulnerability, they can execute arbitrary code on the router (RCE) and gain full control of the device. A successful attack could result in a attacker gaining root access to a Vigor router, installing backdoors, reconfiguring network settings, and blocking traffic. An attacker may also pivot for lateral movement through intercepting internal communications and bypassing VPNs.
Solution
The DrayTek Security team has developed a series of patches to remediate the vulnerability, and all users of Vigor routers should upgrade to the latest version ASAP. The patches can be found on the resources page of the DrayTek webpage, and the security advisory can be found within the about section of the DrayTek webpage. Consult either the CVE listing or the advisory page for a full list of affected products.
Acknowledgements
Thanks to the reporter, Pierre-Yves (maes.challenge@gmail.com).This document was written by Ayushi Kriplani.

Overview
A major npm supply chain compromise was disclosed by the software supply chain security company Socket on September 15, 2025. At the time of writing, over 500 packages have been affected, and the number continues to grow. The attack involves a self-propagating malware variant dubbed Shai-Hulud, which spreads via credential theft and automated package publishing. The campaign escalated rapidly, including compromise of packages published by CrowdStrike.
This notice aims to raise awareness about growing risks in software development and packaging practices within the npm ecosystem that can lead to large-scale compromises. The incident highlights ongoing exploitation of known attack vectors, including credential theft, package impersonation, and automated propagation, all of which undermine the integrity of widely used package ecosystems like npm.
Description
npm is the default package manager for Node.js. It provides a global registry and command-line interface that helps developers install, manage, and share JavaScript packages and dependencies. It simplifies the integration of third-party code through the use of the package.json and package-lock.json files, which ensure dependency consistency and reproducibility.
The compromise likely began with a credential harvesting campaign, where a postinstall script led to the execution of a malicious bundle.js file. postinstall scripts are an npm feature that allow code execution following package installation. The bundle.js script scanned the target environment for exposed secrets in code and configuration files. The bundle.js file downloaded and used TruffleHog, typically used for legitimate secret scanning, to harvest credentials stored as environment variables or secrets used by continuous integration and continuous delivery (CI/CD) platforms such as GitHub Actions, GitLab CI, Jenkins, and others. The malware self-propagated using the stolen credentials to publish itself to other repositories and package registries, effectively turning compromised environments into new infection vectors.
A key mechanism of propagation was the automatic “trojanization” of CI/CD tools, a known attack vector with wide-reaching implications across ecosystems. GitHub Actions was one such capability that was abused, previously seen in attacks like the Nx package compromise in August of 2025. Another known contributor to the attack was the abuse of the postinstall script capability in npm. This technique has been exploited in previous incidents, such as the event-stream attack in 2018. These vulnerable software development and design methods in npm have been duly abused in this combined attack.
Impact
At the time of publication, over 500 packages have been confirmed to be compromised by the Shai-Hulud malware. Socket is maintaining a live list of affected packages on their website. Organizations using CrowdStrike products should also inspect their npm package dependencies, as the npm account used to manage and publish packages for CrowdStrike was allegedly compromised.
Solution
GitHub has released a public advisory detailing additional security changes being made to their package systems. CISA has also released a security advisory.
For npm Users

Audit and replace compromised packages: Remove any affected package versions and replace them with known safe versions.
Lock dependencies: Use package-lock.json or npm i –package-lock-only to lock resolved dependency versions without executing install scripts, allowing safe auditing. For packages that will be redistributed, locally or otherwise, use npm shrinkwrap to lock all direct and transitive dependency versions for reproducible installs.
Use internal mirrors: Set up an internal npm registry using tools like Verdaccio or Artifactory, and centrally approve packages before allowing internal use.
Disable postinstall scripts: Use npm install –ignore-scripts where feasible to prevent malicious code execution during package installation.

For npm Developers

Rotate all exposed credentials: Immediately revoke and rotate any CI/CD-related tokens or secrets (GitHub, GitLab, Jenkins, etc.) that may have been exposed.
Enforce least privilege: Use scoped tokens with minimal permissions, and isolate build environments to ensure untrusted code never has access to publishing credentials, especially when using GitHub Actions or similar CI/CD platforms.

Acknowledgements
This document was written by Christopher Cullen.

Overview
Lectora Desktop versions 21.0–21.3 and Lectora Online versions 7.1.6 and older contained a cross-site scripting (XSS) vulnerability in courses published with Seamless Play Publish (SPP) enabled and Web Accessibility disabled. The vulnerability was initially patched in Lectora Desktop version 21.4 (October 25, 2022), but users must republish existing courses to apply the patch. This important republishing instruction was missing from the Desktop edition release notes, but it was included in the release notes for the recently patched Lectora Online (July 20, 2025). The CERT® Coordination Center is publishing this vulnerability note to amplify awareness as the Lectora software user base includes high-profile clients such as government agencies and large enterprises.
Description
The Lectora platform is used to create and publish interactive e-learning courses by ELB Learning. Lectora Inspire and Lectora Publisher are Desktop versions of the e-learning software, and Lectora Online is a cloud-based version.
Affected Versions

Lectora Inspire and Lectora Publisher desktop editions versions 21.0–21.3
Lectora Online versions 7.1.6 and older

Impact
Content published with Seamless Play Publish (SPP) enabled and Web Accessibility settings disabled in the affected versions can allow JavaScript injection via crafted URL parameters. Exploitation under this scenario could result in client-side script execution (e.g., alert or redirect), which poses a risk of session hijacking or user redirection.
Solution
The vulnerability is patched in Lectora Desktop (Publisher and Inspire version 21.4, released October 25, 2022) and Lectora Online (version 7.1.7, deployed July 20, 2025). To fully implement the solution:

For Lectora Desktop customers: Please download the version 21.4 patch or a later update from portal.elblearning.com. You must then republish any courses that were created using older software versions.
For Lectora Online customers: The update to version 7.1.7 was automatically applied on July 20, 2025. You must republish any courses that were created using older software versions.

Acknowledgements
Thanks to the reporter Mohammad Jassim for reporting this vulnerability. This document was written by Laurie Tyzenhaus.