Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks

Dec. 21, 2025, 6:50 p.m.

Description

A critical remote code execution vulnerability (CVE-2025-6389) in the Sneeit Framework WordPress plugin is being actively exploited. The flaw allows unauthenticated attackers to execute code on the server, potentially creating malicious admin accounts or injecting backdoors. Wordfence has blocked over 131,000 attack attempts since November 24, 2025. Concurrently, a separate attack exploiting an ICTBroadcast vulnerability (CVE-2025-2611) is being used to spread the 'Frost' DDoS botnet. This botnet combines DDoS capabilities with spreader logic, including exploits for fifteen CVEs. The attacks appear to be part of a small, targeted operation, given the limited number of vulnerable internet-exposed systems.

Date

  • Created: Dec. 9, 2025, 12:50 p.m.
  • Published: Dec. 9, 2025, 12:50 p.m.
  • Modified: Dec. 21, 2025, 6:50 p.m.

Indicators

Attack Patterns

Additional Information

  • racoonlab.top

Linked vulnerabilities