Critical WordPress and ICTBroadcast Vulnerabilities Fueling Cyberattacks

Cybersecurity researchers are warning of active exploitation of a critical remote code execution vulnerability in the Sneeit Framework WordPress plugin, alongside a separate flaw in ICTBroadcast that is being used to deploy the Frost DDoS botnet. These vulnerabilities pose significant risks to websites and online infrastructure.

Key Takeaways

  • A severe RCE vulnerability (CVE-2025-6389) in the Sneeit Framework WordPress plugin is being actively exploited.

  • This flaw allows unauthenticated attackers to execute arbitrary code, potentially leading to backdoor installation or the creation of malicious admin accounts.

  • A separate critical vulnerability (CVE-2025-2611) in ICTBroadcast is being leveraged to distribute the Frost DDoS botnet.

  • The Frost botnet combines DDoS capabilities with selective spreading logic that checks a target for specific indicators before attempting exploitation.

Sneeit WordPress Plugin Under Attack

A critical security flaw, identified as CVE-2025-6389 with a CVSS score of 9.8, has been discovered in the Sneeit Framework plugin for WordPress. This vulnerability affects all versions prior to 8.4, which was released on August 5, 2025, to patch the issue. The plugin, with over 1,700 active installations, is susceptible due to a function that improperly handles user input, allowing unauthenticated attackers to execute arbitrary PHP functions on the server. This can be exploited to inject backdoors or create new administrative user accounts, effectively giving attackers full control of a compromised website. Attackers can then redirect visitors to malicious sites, distribute malware, or engage in spam activities.

Exploitation of this vulnerability began on November 24, 2025, the same day it was publicly disclosed. Security firm Wordfence reported blocking over 131,000 attack attempts, with a significant surge in the past 24 hours. Attackers are sending specially crafted HTTP requests to the "/wp-admin/admin-ajax.php" endpoint to create malicious admin accounts and upload PHP files, such as "tijtewmg.php," which likely provide backdoor access. The attacks have been traced to several IP addresses, including 185.125.50[.]59 and 182.8.226[.]51. The compromised systems have also been found to host malicious PHP files like "xL.php" and ".a.php," which possess capabilities to scan directories, manipulate files, and extract ZIP archives. The "xL.php" shell is downloaded by another PHP file, "up_sf.php," which also fetches an ".htaccess" file from an external server to grant access to files on Apache servers, even when other ".htaccess" files might prohibit it.

ICTBroadcast Flaw Fuels Frost Botnet

In parallel, a critical vulnerability in ICTBroadcast, tracked as CVE-2025-2611 with a CVSS score of 9.3, is being exploited to deploy the Frost DDoS botnet. Researchers observed attacks targeting honeypot systems, which downloaded a shell script stager. This stager then downloads multiple architecture-specific versions of a binary named "frost." After execution, the payloads and the stager are deleted to erase traces of the activity. The ultimate goal of these attacks is to conduct distributed denial-of-service (DDoS) operations against targeted entities.

The "frost" binary is equipped with DDoS tools and spreader logic, incorporating fourteen exploits for fifteen CVEs. Notably, its spreading mechanism is selective; it checks targets for specific indicators before attempting exploitation. For instance, it only exploits CVE-2025-1610 after receiving a particular HTTP response pattern. Attacks are originating from the IP address 87.121.84[.]52. While various DDoS botnets have exploited similar vulnerabilities, the current Frost botnet activity appears to be a small, targeted operation, with fewer than 10,000 susceptible internet-exposed systems. This limited scope suggests the operator is a relatively minor player, and the absence of the ICTBroadcast exploit within the "frost" binary itself indicates the operator possesses additional, undisclosed capabilities.
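The indicators quoted in the two sections above (the Sneeit attacker IPs, the dropped PHP file names, the abused admin-ajax.php endpoint, the Frost source IP, and the 8.4 fix version) can be turned into a small triage script for a site owner who wants to check their own Apache access log and plugin version. The following is an added example written for this summary, not code from Wordfence, The Hacker News, or either vendor; the log lines are constructed, the combined-log regex assumes the default Apache format, and the defanged IPs from the article are re-assembled so they can be compared against real log fields.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# Indicators quoted in the article; the defanged IPs (x.x.x[.]y) are
# re-assembled here so they can be matched against real log fields.
SNEEIT_ATTACKER_IPS = {"185.125.50.59", "182.8.226.51"}
FROST_SOURCE_IPS = {"87.121.84.52"}
# PHP file names the article associates with the Sneeit campaign.
SNEEIT_DROPPED_FILES = {"tijtewmg.php", "xL.php", ".a.php", "up_sf.php"}
# First fixed Sneeit Framework release per the article.
SNEEIT_PATCHED_VERSION = (8, 4)

# Apache common/combined log prefix: client IP, ident, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log (assumption: default Apache format, RFC 5737 test addresses
# for the benign clients).
SAMPLE_LOG = [
    '203.0.113.10 - - [24/Nov/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '185.125.50.59 - - [24/Nov/2025:10:02:15 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312',
    '203.0.113.22 - - [24/Nov/2025:10:05:40 +0000] "GET /wp-content/uploads/tijtewmg.php HTTP/1.1" 200 88',
    '198.51.100.7 - - [24/Nov/2025:10:06:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44',
    '87.121.84.52 - - [24/Nov/2025:11:00:00 +0000] "GET / HTTP/1.1" 200 1024',
]


def parse_line(line: str):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> list:
    """Reasons this request matches an indicator from the article (empty if none)."""
    reasons = []
    ip = entry["ip"]
    path = urlsplit(entry["target"]).path
    name = PurePosixPath(path).name
    if ip in SNEEIT_ATTACKER_IPS:
        reasons.append("source IP reported in Sneeit exploitation")
    if ip in FROST_SOURCE_IPS:
        reasons.append("source IP reported for Frost botnet activity")
    if name in SNEEIT_DROPPED_FILES:
        reasons.append(f"request for campaign-associated file {name}")
    # A POST to admin-ajax.php is normal WordPress traffic, so it is only noted
    # alongside another indicator, never flagged on its own.
    if path.endswith("/wp-admin/admin-ajax.php") and entry["method"] == "POST" and reasons:
        reasons.append("admin-ajax.php POST, the endpoint abused in the exploit")
    return reasons


def hunt(lines) -> list:
    """Scan access-log lines and return the entries that match at least one indicator."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        entry = parse_line(line)
        if not entry:
            continue  # unparseable line (rotated, truncated, or a different format)
        reasons = classify(entry)
        if reasons:
            findings.append({"line": lineno, "ip": entry["ip"],
                             "target": entry["target"], "reasons": reasons})
    return findings


def parse_version(version: str) -> tuple:
    """Turn '8.3.1' into (8, 3, 1); stops at the first non-numeric component."""
    nums = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def sneeit_is_vulnerable(version: str) -> bool:
    """True when the installed Sneeit Framework version predates 8.4.

    An unreadable version string compares as empty and is treated as vulnerable,
    which is the safe default for a triage check."""
    return parse_version(version)[:2] < SNEEIT_PATCHED_VERSION


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} {f['target']} -> {'; '.join(f['reasons'])}")
    for v in ("8.3.1", "8.4"):
        print(f"Sneeit Framework {v}: {'vulnerable' if sneeit_is_vulnerable(v) else 'patched'}")
```

Run it against a real log with `hunt(open("/var/log/apache2/access.log"))` and read the plugin version from the header of the installed plugin's main file. A hit on a file name or a listed IP is reason to check the uploads directory and the user table for the accounts and shells the article describes; an admin-ajax.php POST by itself is not, which is why the script refuses to flag it alone.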

Sources

  • Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks, The Hacker News.
