Vulnerability Management, Patch/Configuration Management

Exploitation of Sneeit WordPress RCE, ICTBroadcast flaw ongoing

(Credit: Bilal Ulker – stock.adobe.com)

Threat actors have been actively exploiting a critical remote code execution vulnerability in the Sneeit Framework plugin for WordPress, tracked as CVE-2025-6389, and a critical ICTBroadcast flaw, tracked as CVE-2025-2611, in separate attacks, according to The Hacker News.

Wordfence reported that more than 131,000 attempted intrusions targeting the Sneeit Framework bug, which could be harnessed to insert illicit admin users and eventually take over sites, have been averted since Nov. 24. The attacks, which mostly originated from seven different IP addresses, involved malicious PHP files with capabilities for directory scanning; file reading, editing, and deletion; and ZIP file extraction.

A separate report from VulnCheck noted attacks leveraging the ICTBroadcast weakness to deliver the Frost distributed denial-of-service botnet to its honeypot systems. "The operator is not carpet bombing the internet with exploits. 'Frost' checks the target first and only proceeds with exploitation when it sees the specific indicators it expects," said VulnCheck's Jacob Baines.
