A new wave of cyberattacks is hitting WordPress websites and ICTBroadcast servers after two major security flaws were publicly exposed. According to fresh data from Wordfence and VulnCheck, attackers are already exploiting these vulnerabilities to gain full control of systems, plant backdoors, and launch DDoS attacks using a fast-spreading botnet called Frost.
These incidents highlight once again how quickly threat actors move when critical vulnerabilities are disclosed, often within hours. Website owners and IT teams are urged to update immediately, before attackers get in.
Wordfence has confirmed active exploitation of a severe remote code execution (RCE) flaw in the Sneeit Framework WordPress plugin. The vulnerability, tracked as CVE-2025-6389, carries a CVSS score of 9.8, marking it as highly critical.
The flaw impacts all versions up to 8.3, which includes more than 1,700 active installations. A security patch was released on August 5, 2025, as part of version 8.4. Any website still running older versions remains exposed.
The RCE flaw stems from insecure handling of user input in the function sneeit_articles_pagination_callback(). This function passes user input directly into call_user_func(), which allows anyone — even unauthenticated visitors — to trigger any PHP function on the server.
In simple terms, this weakness lets attackers run dangerous functions such as:
- wp_insert_user() → to create a new admin account
- file-write functions → to upload malicious PHP backdoors
- system commands → to take over the server
Once attackers obtain admin access, they can modify the website, inject malware, redirect visitors to malicious sites, or steal data.
Wordfence reports that attackers began targeting this vulnerability on November 24, 2025, immediately after its disclosure. Since then, more than 131,000 attack attempts have been blocked. In the last 24 hours alone, 15,381 attack attempts were recorded — a sharp rise that signals automated exploitation.
Cybercriminals are sending crafted HTTP requests to /wp-admin/admin-ajax.php. These requests attempt to create admin accounts with names such as “arudikadis” and upload malicious PHP files like tijtewmg.php, which may grant persistent backdoor access.
Attacks have been traced to multiple IP addresses.
Wordfence analysts also discovered dangerous PHP files uploaded during the attacks. Filenames include:
- xL.php
- Canonical.php
- .a.php
- simple.php
These malicious files include functions to:
scan directories
read, modify, or delete files
extract ZIP archives
bypass file restrictions
One particular shell, xL.php, is downloaded through a file named up_sf.php, which exploits the plugin flaw. It also downloads an .htaccess file from racoonlab[.]top to override Apache security rules and allow execution of dangerous file types.
This extra step helps attackers run scripts even in directories where WordPress normally blocks them.
While WordPress site owners are dealing with RCE attacks, another threat is emerging on ICTBroadcast servers. Security researchers at VulnCheck have observed targeted exploitation of CVE-2025-2611, a critical flaw with a CVSS score of 9.3.
This vulnerability is being used to deliver a new botnet malware named Frost.
Attackers begin by exploiting the ICTBroadcast flaw to deliver a shell script stager, which downloads several versions of a malware binary named frost — each compiled for different architectures.
After downloading, the malware:
- Executes each architecture-specific binary
- Deletes all downloaded files
- Deletes the initial script to erase forensic evidence
The primary purpose of Frost is to launch distributed denial-of-service (DDoS) attacks. However, it also contains spreader logic that includes 14 exploits for 15 different CVEs, allowing it to move across vulnerable servers with precision.
Unlike older botnets that blindly scan the whole internet, Frost is more intelligent. It only launches exploitation when specific indicators appear in server responses.
For example, it exploits CVE-2025-1610 only if a server first sends:
Set-Cookie: user=(null)
and later:
Set-Cookie: user=admin
If these signs are missing, Frost stays silent, reducing noise and avoiding detection.
The attacks originate from 87.121.84[.]52, and researchers believe this is a small, targeted operation rather than a massive botnet campaign. Fewer than 10,000 exposed systems are believed to be vulnerable.
Interestingly, the ICTBroadcast exploit used to deliver Frost is not included inside the Frost binary, which suggests the operators may have additional, undisclosed tools.
For WordPress sites
- Update Sneeit Framework to version 8.4 or later
- Remove unknown admin accounts
- Scan for unknown PHP files
- Check .htaccess files for suspicious rules
- Enable a WordPress firewall such as Wordfence
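One way to run the file-system checks in this list, as an added example that is not Wordfence's or the plugin's own code: a POSIX shell sweep that reports the filenames named in this article, any PHP file under wp-content/uploads, and .htaccess files that re-enable PHP execution. It assumes a standard WordPress docroot layout; the directive list is an assumption about what "suspicious rules" look like, and the demo tree it builds is constructed, not a real site.

```shell
#!/bin/sh
# Added example, not Wordfence's or the plugin's code: a read-only sweep of a WordPress
# document root for the artefacts described above. Prints one "TAG<TAB>path" line per
# finding and changes nothing on disk.

# Filenames Wordfence observed in this campaign (webshells, dropper, uploaded backdoor).
KNOWN_RE='^(xL\.php|Canonical\.php|\.a\.php|simple\.php|up_sf\.php|tijtewmg\.php)$'
# Assumed set of Apache directives a planted .htaccess would use to turn PHP execution
# back on in an uploads directory; extend to taste.
HTACCESS_RE='^[[:space:]]*(AddHandler|AddType|SetHandler|php_flag|php_value|php_admin_(flag|value))'

# sweep_wp_root DOCROOT
sweep_wp_root() {
    root="$1"
    # 1. Known malicious filenames anywhere under the docroot.
    find "$root" -type f -name '*.php' 2>/dev/null | while IFS= read -r f; do
        if basename "$f" | grep -Eq "$KNOWN_RE"; then
            printf 'KNOWN_NAME\t%s\n' "$f"
        fi
    done
    # 2. Any PHP file under wp-content/uploads: WordPress never stores code there itself.
    find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null |
        while IFS= read -r f; do printf 'PHP_IN_UPLOADS\t%s\n' "$f"; done
    # 3. .htaccess files carrying handler/engine directives (the racoonlab[.]top trick).
    find "$root" -type f -name '.htaccess' 2>/dev/null | while IFS= read -r f; do
        if grep -Eq "$HTACCESS_RE" "$f"; then
            printf 'HTACCESS_RULE\t%s\n' "$f"
        fi
    done
}

# count_findings DOCROOT -> number of findings, for scripted checks.
count_findings() {
    sweep_wp_root "$1" | wc -l | tr -d ' '
}

# build_demo_tree -> path of a constructed (not real) site: clean install plus two planted artefacts.
build_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2025/11" "$d/wp-content/plugins/sneeit-framework"
    echo '<?php echo "ok";' > "$d/wp-content/plugins/sneeit-framework/index.php"   # benign
    echo '<?php /* planted */' > "$d/wp-content/uploads/2025/11/xL.php"               # known name
    echo 'AddHandler application/x-httpd-php .jpg' > "$d/wp-content/uploads/.htaccess"
    printf '%s\n' "$d"
}

demo=$(build_demo_tree)
sweep_wp_root "$demo"   # expect KNOWN_NAME, PHP_IN_UPLOADS and HTACCESS_RULE lines
rm -rf "$demo"
```

Run it against a live site as `sweep_wp_root /var/www/html` and treat every line as something to inspect by hand; a planted file that uses a different name will only surface through the uploads and .htaccess checks.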
For ICTBroadcast systems
- Patch CVE-2025-2611 immediately
- Check servers for unknown binaries named “frost”
- Review logs for suspicious shell scripts
- Isolate infected systems before reimaging