Weekly Security News – 2nd June 2025


ASUS routers compromised, Adidas victim of data breach, OneDrive flaw grants full cloud access, WordPress sites at risk...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all in one place. If you have any queries or concerns about anything in this week’s news, please get in touch with our team, who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

Critical security flaw could leave over 100,000 WordPress sites at risk

Cybersecurity researchers have disclosed a critical unpatched security flaw impacting the TI WooCommerce Wishlist plugin for WordPress that could be exploited by unauthenticated attackers to upload arbitrary files.

TI WooCommerce Wishlist, which has over 100,000 active installations, is a tool to allow e-commerce site customers to save their favourite products for later and share the lists on social media platforms. “The plugin is vulnerable to an arbitrary file upload vulnerability which allows attackers to upload malicious files to the server without authentication,” Patchstack researcher John Castro said. Tracked as CVE-2025-47577, the vulnerability carries a CVSS score of 10.0. It affects all versions of the plugin below and including 2.9.2 released on November 29, 2024. There is currently no patch available.

The website security company said the issue lies in a function named “tinvwl_upload_file_wc_fields_factory,” which in turn calls the native WordPress function “wp_handle_upload” to perform validation, but sets the override parameters “test_form” and “test_type” to false. The “test_type” override controls whether the file’s Multipurpose Internet Mail Extension (MIME) type is checked against the expected types, while “test_form” controls whether the $_POST['action'] parameter is verified. Setting “test_type” to false effectively bypasses file type validation, allowing any file type to be uploaded.

That said, the vulnerable function is only reachable via tinvwl_meta_wc_fields_factory or tinvwl_cart_meta_wc_fields_factory, which are available only when the WC Fields Factory plugin is active. Successful exploitation therefore requires that the WC Fields Factory plugin is installed and activated on the WordPress site and that the integration is enabled in the TI WooCommerce Wishlist plugin. In a hypothetical attack scenario, a threat actor could upload a malicious PHP file and achieve remote code execution (RCE) by directly accessing the uploaded file.

Plugin developers are advised to remove or avoid setting 'test_type' => false when calling wp_handle_upload(). In the absence of a patch, users of the plugin are urged to deactivate and delete it from their sites.
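The artefact this class of bug leaves behind is a script file sitting in the uploads directory. The following hunt script is an added example, not code from the article, Patchstack or the plugin; it walks a directory tree (a constructed sample tree, here) and flags both script extensions and PHP code hidden behind an image extension, which is exactly what a skipped MIME check lets through.

```python
"""Hunt a WordPress uploads tree for files an arbitrary upload bug leaves behind.

Added example, not code from the article, Patchstack or the TI WooCommerce
Wishlist plugin: it flags PHP files under wp-content/uploads and PHP code
hiding behind an image extension. The sample tree below is constructed.
"""
import os
import re
import tempfile

SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def scan_uploads(root):
    """Return [{'path', 'reason'}] for each suspicious file below root.

    'script-extension': a name that should never exist under uploads;
    'php-in-payload': a benign name whose first 4 KiB holds a PHP open tag.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTENSIONS:
                findings.append({"path": path, "reason": "script-extension"})
                continue
            with open(path, "rb") as fh:
                head = fh.read(4096)
            if PHP_OPEN_TAG.search(head):
                findings.append({"path": path, "reason": "php-in-payload"})
    return findings


def build_sample_tree():
    """Create a constructed uploads directory: one clean image, two planted files."""
    root = tempfile.mkdtemp(prefix="uploads-")
    month = os.path.join(root, "2025", "06")
    os.makedirs(month)
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,         # genuine JPEG header
        "dropped.php": b"<?php echo 'constructed sample'; ?>",  # script extension
        "image.jpg": b"GIF89a<?php echo 'constructed'; ?>",     # PHP behind an image header
    }
    for name, content in samples.items():
        with open(os.path.join(month, name), "wb") as fh:
            fh.write(content)
    return root
```

Point it at a real wp-content/uploads tree after pulling a copy off the server; a hit of either kind warrants checking the web-server logs for direct requests to that path.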

Microsoft OneDrive File Picker Flaw Grants Apps Full Cloud Access — Even When Uploading Just One File

Cybersecurity researchers have discovered a security flaw in Microsoft’s OneDrive File Picker that, if successfully exploited, could allow websites to access a user’s entire cloud storage content, as opposed to just the files selected for upload via the tool. “This stems from overly broad OAuth scopes and misleading consent screens that fail to clearly explain the extent of access being granted,” the Oasis Research Team said in a report. “This flaw could have severe consequences, including customer data leakage and violation of compliance regulations”.

It’s assessed that several apps are affected, such as ChatGPT, Slack, Trello, and ClickUp, given their integration with Microsoft’s cloud service. The problem, Oasis said, is the result of excessive permissions requested by the OneDrive File Picker, which seeks read access to the entire drive even when only a single file is uploaded, because OneDrive offers no fine-grained OAuth scopes.

Compounding matters further, the consent prompt users are presented with prior to a file upload is vague and does not adequately convey the level of access being granted, thereby exposing users to unexpected security risks. “The lack of fine-grained scopes makes it impossible for users to distinguish between malicious apps that target all files and legitimate apps that ask for excessive permissions simply because there is no other secure option,” Oasis noted.

The New York-based security company further pointed out that the OAuth tokens used to authorize access are often stored insecurely, adding that they are saved in the browser’s session storage in plaintext. Another potential pitfall is that the authorization workflow may also issue a refresh token, granting the application ongoing access to user data by letting it obtain new access tokens without asking the user to log in again when the current token expires. Following responsible disclosure, Microsoft has acknowledged the problem, although there is no fix yet. In the interim, it’s worth considering temporarily removing the option to upload files using OneDrive through OAuth until a secure alternative is in place. Alternatively, it’s advised to avoid using refresh tokens, store access tokens securely, and discard them when no longer needed.

Cyber Attacks

Adidas warns of data breach after customer service provider hack

German sportswear giant Adidas disclosed a data breach after attackers hacked a customer service provider and stole some customers’ data.

“Adidas recently became aware that an unauthorized external party obtained certain consumer data through a third-party customer service provider,” the company said on Friday. “We immediately took steps to contain the incident and launched a comprehensive investigation, collaborating with leading information security experts”. Adidas added that the stolen information did not include the affected customers’ payment-related information or passwords, as the threat actors behind the breach only gained access to contact information.

The company has also notified the relevant authorities regarding this security incident and will alert those affected by the data breach. “Adidas is in the process of informing potentially affected consumers as well as appropriate data protection and law enforcement authorities consistent with applicable law,” it added. “We remain fully committed to protecting the privacy and security of our consumers, and sincerely regret any inconvenience or concern caused by this incident”.

Adidas has yet to reveal further details regarding this incident, including the name of the impacted service provider, when the incident was detected, how many individuals were affected, and if its own network was compromised during the attack. Earlier this month, Adidas disclosed data breaches impacting customers in Turkey and South Korea who contacted the company’s customer service center in 2024 or earlier. The stolen information in these breaches includes names, email addresses, phone numbers, birthdates, and addresses.

In June 2018, Adidas disclosed another breach after unknown attackers stole contact information, usernames, and encrypted passwords of “a few million” shoppers who used the sportswear company’s U.S. website.

Botnet hacks 9,000+ ASUS routers to add persistent SSH backdoor

Over 9,000 ASUS routers have been compromised by a novel botnet dubbed “AyySSHush” that was also observed targeting SOHO routers from Cisco, D-Link, and Linksys. The campaign was discovered by GreyNoise security researchers in mid-March 2025, who report that it carries the hallmarks of a nation-state threat actor, though no concrete attribution was made.

The threat monitoring firm reports that the attacks combine brute-forcing login credentials, bypassing authentication, and exploiting older vulnerabilities to compromise ASUS routers, including the RT-AC3100, RT-AC3200, and RT-AX55 models. Specifically, the attackers exploit an old command injection flaw tracked as CVE-2023-39780 to add their own SSH public key and enable the SSH daemon to listen on the non-standard TCP port 53282.

These modifications allow the threat actors to retain backdoor access to the device even across reboots and firmware updates. “Because this key is added using the official ASUS features, this config change persisted across firmware upgrades,” explains another related report by GreyNoise. “If you’ve been exploited previously, upgrading your firmware will NOT remove the SSH backdoor”. The attack is particularly stealthy, involving no malware, while the attackers also turn off logging and Trend Micro’s AiProtection to evade detection. Characteristically, GreyNoise reports logging just 30 malicious requests associated with this campaign over the past three months, even though 9,000 ASUS routers have been infected.

ASUS has released security updates that address CVE-2023-39780 for the impacted routers, though the exact time of availability varies per model. Users are recommended to upgrade their firmware as soon as possible and look for suspicious files and for the attacker’s SSH key in the authorized_keys file. GreyNoise also lists four IP addresses associated with this activity, which should be added to a block list.

  • 101.99.91.151
  • 101.99.94.173
  • 79.141.163.179
  • 111.90.146.237

If a compromise is suspected, a factory reset is recommended to clean the router beyond doubt and then reconfigure it from scratch using a strong password.
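The two persistence artefacts above (an added SSH key and a daemon on TCP 53282) can be checked offline once the authorized_keys contents and `netstat -tln` output have been pulled from the router. This is an added example, not GreyNoise’s or ASUS’s code; the key blobs and netstat listing below are constructed samples, and the allow-list is whatever keys the administrator knows they installed.

```python
"""Check an ASUS router's SSH state for the persistence described above.

Added example, not GreyNoise's or ASUS's code. It takes the router's
authorized_keys contents and the output of `netstat -tln` pulled from the
device (both samples below are constructed) and flags public keys outside
the administrator's allow-list plus any listener on TCP 53282.
"""
import re

LISTEN_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN", re.M)


def unexpected_keys(authorized_keys, allowed_blobs):
    """Return 'type comment' for each key whose base64 blob is not allow-listed."""
    # Compare the blob (second field): a friendly comment cannot disguise a key.
    found = []
    for line in authorized_keys.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if parts[1] not in allowed_blobs:
            comment = parts[2] if len(parts) > 2 else "<no comment>"
            found.append(f"{parts[0]} {comment}")
    return found


def unexpected_listeners(netstat_output, expected_ports):
    """Return sorted listening TCP ports not in expected_ports; 53282 lands here."""
    ports = {int(p) for p in LISTEN_RE.findall(netstat_output)}
    return sorted(ports - set(expected_ports))


# Constructed samples: one legitimate admin key plus one the operator never added.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKeyBlob0000 admin@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQConstructedUnknownKeyBlob0 root@localhost
"""
ALLOWED_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKeyBlob0000"}
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53282           0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
"""
EXPECTED_PORTS = {22, 80}
```

A hit from either function on a real device means the firmware upgrade alone did not clean it, which is the point GreyNoise makes; follow the factory-reset advice above.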

In Other News...

Microsoft Authenticator now warns to export passwords before July cutoff

The Microsoft Authenticator app is now issuing notifications warning that the password autofill feature is being deprecated in July, suggesting users move to Microsoft Edge instead.

Microsoft Authenticator is a free mobile authenticator app that provides secure sign-in for mobile accounts using multi-factor authentication (MFA) methods like time-based one-time passwords (TOTPs), push notifications, biometrics-based confirmations, and password-less logins to Microsoft accounts.

The Microsoft Authenticator app began issuing notifications about the upcoming changes, showing a fullscreen banner warning to export saved passwords before July 1 or switch to Microsoft Edge. “Autofill via Authenticator ends in July 2025,” reads the Microsoft Authenticator notification. “You can export your saved info (passwords only) from Authenticator until Autofill ends. Access your passwords and addresses via Microsoft Edge at any time. To keep autofilling your info, turn on Edge or another provider”. At the bottom of the notification is a button labelled “Turn on Edge,” which, when tapped on iOS, brings you to the AutoFill & Passwords settings screen, where you can enable Edge as a password autofill provider.

The notification also links to a Microsoft support page explaining that saved passwords are synced with your Microsoft Account, making them accessible to Microsoft Edge once the feature is deprecated. “Your saved passwords (but not your generated password history) and addresses are securely synced to your Microsoft account, and you can continue to access them and enjoy seamless autofill functionality with Microsoft Edge, a secure and user-friendly AI-powered web browser that offers features such as Microsoft Defender SmartScreen, Password Monitor, and InPrivate search,” reads the support bulletin. “To continue to use generated passwords, save them from Generator history (accessed via or from the Password tab) into your saved passwords”. The support page also offers a timeline of how the deprecation will proceed:

  • Starting June 2025, you will no longer be able to save new passwords in Authenticator.
  • During July 2025, you will not be able to use autofill with Authenticator.
  • From August 2025, your saved passwords will no longer be accessible in Authenticator.

For users who do not wish to use Microsoft Edge, you can go into the Microsoft Authenticator settings and export the passwords into a CSV file so they can be imported into a different program.

251 Amazon-Hosted IPs Used in Exploit Scan Targeting ColdFusion, Struts, and Elasticsearch

Cybersecurity researchers have disclosed details of a coordinated cloud-based scanning activity that targeted 75 distinct “exposure points” earlier this month. The activity, observed by GreyNoise on May 8, 2025, involved as many as 251 malicious IP addresses, all geolocated to Japan and hosted by Amazon. “These IPs triggered 75 distinct behaviors, including CVE exploits, misconfiguration probes, and recon activity,” the threat intelligence firm said. “All IPs were silent before and after the surge, indicating temporary infrastructure rental for a single operation”. The scanning efforts targeted a wide array of technologies, including Adobe ColdFusion, Apache Struts, Apache Tomcat, Drupal, Elasticsearch, and Oracle WebLogic. The opportunistic operation ranged from exploitation attempts for known CVEs to probes for misconfigurations and other weak points in web infrastructure, indicating that the threat actors were looking indiscriminately for any susceptible system:

  • Adobe ColdFusion — CVE-2018-15961 (Remote code execution)
  • Apache Struts — CVE-2017-5638 (OGNL injection)
  • Atlassian Confluence — CVE-2022-26134 (OGNL Injection)
  • Bash — CVE-2014-6271 (Shellshock)
  • Elasticsearch — CVE-2015-1427 (Groovy sandbox bypass and remote code execution)
  • CGI script scanning
  • Environment variable exposure
  • Git config crawlers
  • Shell upload checks
  • WordPress author checks
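The defining shape of this activity, many distinct probe signatures from one source in a short burst, is easy to pick out of ordinary web-server logs. The detector below is an added example, not GreyNoise’s code: it carries detection patterns for several of the behaviours listed above (Shellshock, Struts OGNL, .git/config, .env and WordPress author probes) over constructed combined-format log lines using RFC 5737 documentation addresses, and reports any client that triggers several distinct behaviours inside one window.

```python
"""Flag a burst of multi-signature probing in web-server access logs.

Added example, not GreyNoise's code: signatures for the probe types listed
above are run over constructed combined-format log lines, and any client IP
triggering several distinct behaviours inside a short window is reported.
"""
import re
from collections import defaultdict
from datetime import datetime

SIGNATURES = {  # behaviour -> pattern checked against request line and User-Agent
    "shellshock": re.compile(r"\(\)\s*\{"),      # CVE-2014-6271 header payload
    "struts-ognl": re.compile(r"%\{|\$\{"),      # CVE-2017-5638 style OGNL
    "git-config": re.compile(r"/\.git/config"),
    "env-exposure": re.compile(r"/\.env(\s|$)"),
    "wp-author": re.compile(r"[?&]author=\d+"),
}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" \d+ \d+ "[^"]*" "([^"]*)"')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def burst_probers(log_lines, min_behaviours=3, window_seconds=300):
    """Return {ip: sorted behaviour names} for IPs over the threshold in one window."""
    events = defaultdict(list)  # ip -> [(timestamp, behaviour)]
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, stamp, request, agent = m.groups()
        when = datetime.strptime(stamp, TIME_FMT)
        for name, pattern in SIGNATURES.items():
            if pattern.search(request) or pattern.search(agent):
                events[ip].append((when, name))
    hits = {}
    for ip, seen in events.items():
        times = [t for t, _name in seen]
        names = sorted({name for _t, name in seen})
        span = (max(times) - min(times)).total_seconds()
        if len(names) >= min_behaviours and span <= window_seconds:
            hits[ip] = names
    return hits


# Constructed sample (RFC 5737 addresses): one prober, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [08/May/2025:10:00:01 +0000] "GET /.git/config HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.10 - - [08/May/2025:10:00:03 +0000] "GET /.env HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.10 - - [08/May/2025:10:00:05 +0000] "GET /?author=1 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.10 - - [08/May/2025:10:00:07 +0000] "GET /cgi-bin/status HTTP/1.1" 404 0 "-" "() { :; };"
198.51.100.7 - - [08/May/2025:10:00:09 +0000] "GET /?author=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""
```

Because the rule keys on a burst, a slow scanner that spreads its probes over hours falls outside the window and needs a separate, longer-horizon rule; grouping flagged IPs by hosting provider or /24 would then surface the rented-infrastructure pattern GreyNoise describes.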