Known Actively Exploited Vulnerabilities Round-up (14.02.25-20.02.25)

This article covers recent vulnerabilities found to be actively exploited. Each entry is categorised not only by the type of exploitation but also by its impact and the versions affected, and notes any official fix and remediation guidance for the listed vulnerabilities.

AppCheck presents our weekly roundup of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending 21st February 2025. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: ‘Known Exploited Vulnerabilities’ are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe within the last seven days. As such, they represent perhaps the greatest ongoing cybersecurity risk to businesses, and a very real and present threat. The vulnerabilities are often being exploited by highly organised criminal groups for direct financial gain, via techniques such as malware and ransomware installation. AppCheck summarises the details of each known ongoing exploitation below, but for full details – including impact, versions affected, and any remediation or mitigation guidance – check out AppCheck’s free ‘Detections Service’ at https://detections.appcheck-ng.com/ – you can click on the title of any of the exploitations below to see more information from this service.

 

Commentary and Roundup

This week: a surge of critical vulnerabilities across major platforms leaves many organisations exposed to significant risk. Cisco devices face renewed exploitation, Palo Alto’s PAN-OS is actively targeted by a pair of chained flaws and, despite patches, Adobe’s ColdFusion (CVE-2023-29300) remains under attack by ransomware groups. Meanwhile PostgreSQL, SonicWall and Microsoft are also under the spotlight. Rounding things off, several popular web application platforms and frameworks have also been targeted, including CraftCMS and ThinkPHP. This new wave of exploitation continues to highlight the need for a proactive approach to countering daily, ongoing threats to both software and infrastructure targets.


CISA ‘Known Exploited Vulnerabilities’

CISA (America’s Cyber Defense Agency) maintains a catalogue of ‘KEV’s (Known Exploited Vulnerabilities), publishing alerts of known exploitations on an often-daily basis. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders, and to help every organisation better manage vulnerabilities to keep pace with a volatile and shifting threat landscape.
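The practical use of the catalogue is as a prioritisation input, so here is an added example (not AppCheck’s or CISA’s code) of how that looks in practice: scan findings are ranked by KEV membership first, ransomware-linked entries on top, then by EPSS score, and any KEV entry whose remediation due date has already passed is flagged. The KEV feed, EPSS scores and scan findings embedded below are constructed samples in the shape of the real feeds so the script runs offline; the field values are illustrative and not copied from the live catalogue.

```python
"""Rank scan findings against the CISA KEV catalogue and EPSS scores.

Added example (not AppCheck code). The KEV feed, EPSS scores and scan
findings below are constructed samples in the shape of the real data so that
the script runs offline; the values are illustrative and are not copied from
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
"""
import json
from datetime import date

KEV_FEED_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2025.02.20",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-20198",
            "vendorProject": "Cisco",
            "product": "IOS XE Web UI",
            "vulnerabilityName": "Cisco IOS XE Web UI Privilege Escalation Vulnerability",
            "dateAdded": "2023-10-16",
            "shortDescription": "Web UI flaw allowing creation of privileged local accounts.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2023-10-20",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
        {
            "cveID": "CVE-2023-29300",
            "vendorProject": "Adobe",
            "product": "ColdFusion",
            "vulnerabilityName": "Adobe ColdFusion Deserialization of Untrusted Data Vulnerability",
            "dateAdded": "2024-01-08",
            "shortDescription": "Deserialization flaw leading to arbitrary code execution.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2024-01-29",
            "knownRansomwareCampaignUse": "Known",
            "notes": "",
        },
    ],
})

# Constructed EPSS scores (probability of exploitation within 30 days), keyed
# by CVE. Live values come from https://api.first.org/data/v1/epss?cve=...
EPSS_SAMPLE = {
    "CVE-2023-20198": 0.96,
    "CVE-2023-29300": 0.97,
    "CVE-2022-47945": 0.91,  # high EPSS but, as the roundup notes, not in KEV
    "CVE-2024-53704": 0.12,
}

# Constructed scanner output: which CVE was found on which asset.
FINDINGS_SAMPLE = [
    {"cve": "CVE-2024-53704", "asset": "fw-edge-01"},
    {"cve": "CVE-2022-47945", "asset": "web-legacy-03"},
    {"cve": "CVE-2023-20198", "asset": "sw-core-02"},
    {"cve": "CVE-2023-29300", "asset": "cf-app-01"},
]


def load_kev(feed_json: str) -> dict:
    """Index the KEV feed by CVE ID for direct lookups."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def tier_for(cve: str, kev: dict, epss: dict, epss_threshold: float = 0.5) -> int:
    """1: in KEV with known ransomware use; 2: in KEV; 3: EPSS at or above the
    threshold; 4: everything else. KEV membership always outranks EPSS because
    it records exploitation that has actually happened."""
    entry = kev.get(cve)
    if entry is not None:
        return 1 if entry.get("knownRansomwareCampaignUse") == "Known" else 2
    if epss.get(cve, 0.0) >= epss_threshold:
        return 3
    return 4


def prioritise(findings: list, kev: dict, epss: dict, today=None) -> list:
    """Sort findings by tier, then EPSS (descending), then CVE ID, and flag
    KEV entries whose remediation due date has already passed."""
    today = today or date.today()
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        rows.append({
            "cve": f["cve"],
            "asset": f["asset"],
            "tier": tier_for(f["cve"], kev, epss),
            "epss": epss.get(f["cve"], 0.0),
            "kev_due": entry["dueDate"] if entry else None,
            "overdue": entry is not None and date.fromisoformat(entry["dueDate"]) < today,
        })
    rows.sort(key=lambda r: (r["tier"], -r["epss"], r["cve"]))
    return rows


if __name__ == "__main__":
    for r in prioritise(FINDINGS_SAMPLE, load_kev(KEV_FEED_SAMPLE), EPSS_SAMPLE):
        flag = "OVERDUE" if r["overdue"] else ""
        print(f"T{r['tier']} {r['cve']:<16} {r['asset']:<14} EPSS={r['epss']:.2f} {flag}")
```

Against the sample data the ColdFusion finding lands on top (KEV plus known ransomware use), the Cisco finding second, the high-EPSS but non-KEV ThinkPHP flaw third and the low-EPSS SonicWall finding last. The point of keeping EPSS as a separate, lower tier is exactly the ThinkPHP case later in this roundup: a flaw can be heavily exploited without yet appearing in KEV, so a ranking driven by KEV alone would miss it.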

 

“YOU Get An Account, YOU Get an Account, Everyone gets an Account!” – Attackers Hack Cisco Devices by Creating Arbitrary Admin Accounts On-Demand (CVE-2023-20198)

A critical flaw in the web admin UI of Cisco devices running the firm’s IOS XE software, including Catalyst switches and routers, is undergoing renewed exploitation this week according to new data released by Recorded Future’s Insikt Group. The flaw allows an unauthenticated remote attacker to create a local account with full (privilege-15) administrative rights on the device. Already exploited at scale as a ‘0-day’ back in 2023, the vulnerability is being exploited all over again. At time of publication there is some uncertainty as to whether fully patched instances remain vulnerable via some new workaround of the original fix. In the meantime, Cisco’s long-standing advice still applies: disable the HTTP server feature on internet-facing devices, or restrict it to trusted hosts, and audit the local user list for privileged accounts that nobody recognises.

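An audit along those lines is easy to script. The following is an added example (not Cisco’s or AppCheck’s tooling) that parses a running-config excerpt and reports two things: privilege-15 local users that are not on an approved list, and a web UI that is enabled without an ‘ip http access-class’ restriction. The configuration excerpt, hostname and account names are constructed for illustration.

```python
"""Audit an IOS XE running-config for the two things that matter most for
CVE-2023-20198: unexpected privilege-15 local users, and a web UI that is
enabled without an access-class restricting who can reach it.

Added example (not Cisco's or AppCheck's tooling). The configuration excerpt
and the approved-admin list are constructed for illustration.
"""
import re

RUNNING_CONFIG = """\
version 17.6
hostname sw-core-02
!
username netadmin privilege 15 secret 9 $9$REDACTED
username helpdesk2 privilege 15 secret 9 $9$REDACTED
username ro-monitor privilege 1 secret 9 $9$REDACTED
username legacy-ops secret 9 $9$REDACTED
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Accounts that change control says should exist with privilege 15.
APPROVED_ADMINS = {"netadmin"}

# 'username NAME privilege N ...'; IOS defaults to privilege 1 when omitted.
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")


def parse_local_users(config: str) -> dict:
    """Map each local username to its privilege level."""
    users = {}
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m:
            users[m.group(1)] = int(m.group(2)) if m.group(2) else 1
    return users


def audit_ios_xe(config: str, approved_admins: set) -> list:
    """Return human-readable findings; an empty list means nothing to chase."""
    findings = []
    for name, priv in sorted(parse_local_users(config).items()):
        if priv == 15 and name not in approved_admins:
            findings.append(f"unexpected privilege-15 local user: {name}")

    lines = {line.strip() for line in config.splitlines()}
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    restricted = any(line.startswith("ip http access-class") for line in lines)
    if (http_on or https_on) and not restricted:
        enabled = ", ".join(n for n, on in (("http", http_on), ("https", https_on)) if on)
        findings.append(f"web UI enabled ({enabled}) with no 'ip http access-class' restriction")
    return findings


if __name__ == "__main__":
    for finding in audit_ios_xe(RUNNING_CONFIG, APPROVED_ADMINS) or ["no findings"]:
        print(finding)
```

Run it across saved configs from a backup job rather than on one box at a time, and treat any unknown privilege-15 account as a compromise indicator rather than a hygiene issue: in the 2023 campaign the attacker-created account persisted in the configuration even where the implant itself did not survive a reboot, so the account is often the only durable artefact left to find.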

PAN-Demonium – Attackers Compromise Palo Alto Firewalls (CVE-2025-0108)

CISA has reported ongoing active exploitation of a critical authentication bypass in the management web interface of Palo Alto’s PAN-OS. The vendor, along with security groups including GreyNoise and the Shadowserver Foundation, has confirmed that this is active with a capital “A”. Exploit code is publicly available and, with over 3,500 vulnerable instances reportedly exposed to the internet, the potential for further attacks remains high. Palo Alto has released patches as part of its regular monthly update cycle, shutting the door on this particular exploit; as with every PAN-OS management-interface flaw, the standing mitigation is to make sure that interface is reachable only from trusted internal addresses and never from the internet.


Somebody’s Heating Up Adobe’s ColdFusion Again – Attacks Target Critical Deserialization Vulnerability (CVE-2023-29300)

Originally listed by CISA as a KEV back in early 2024, a deserialization flaw in Adobe’s ColdFusion application server has, Microsoft reports, been exploited by a threat actor tracked as ‘Storm-0501’, thought to be responsible for targeting vulnerable servers as part of a ransomware campaign. The Exploit Prediction Scoring System (EPSS) currently rates this flaw’s likelihood of exploitation at an eye-watering 97%. Patches are available and Adobe has also provided additional guidance for locking down public-facing servers.


SimplyHacked – Attackers Having a Ball with Critical Flaw in SimpleHelp Remote Access Solution (CVE-2024-57727)

A critical flaw in the ‘SimpleHelp’ remote access solution is the stuff of a hacker’s dreams, and attackers are not being shy about exploiting it at scale. The underlying vulnerability is an unauthenticated path-traversal bug that lets an attacker download arbitrary files from the SimpleHelp server: a trivial exploit that delivers a mouth-watering payload in the form of configuration files containing credentials for the managed server and client systems. With exploitation in the wild observed shortly after the flaw’s disclosure, SimpleHelp has produced extensive indicators of compromise as well as guidance for customers whose systems have already been compromised.


CraftCMS Instances Hacked via Code Injection Flaw (CVE-2025-23209)

Just weeks after confirming the exploitation of multiple customer instances via an earlier vulnerability (CVE-2024-56145) from December 2024 onwards, CraftCMS is again in the spotlight. A second critical RCE flaw is similarly being exploited in the wild, CISA reports. Although there is no public statement from Craft at time of publication, the two exploitations are highly likely to be related and may be undergoing exploitation from the same threat actors as in that prior instance.

 

Elsewhere on the Web

Although CISA provides broad coverage of the highest-profile exploitations, it can lag behind the curve in time to initial report for emerging ones. It may also deliberately omit some exploitations if it judges there to be limited threat to US government and federal agencies, given its operational remit. AppCheck therefore uses numerous alternative threat intelligence sources to enrich its coverage of high-profile exploitations and 0-days reported elsewhere, and prioritises adding detection for known-exploited vulnerabilities highlighted in non-CISA sources in exactly the same way as for CISA-published ones.


PostgreSQL – Arbitrary Code Execution (ACE) via SQL Injection Vulnerability (CVE-2025-1094)

PostgreSQL has a relatively solid security track record historically, but reports emerged this week of the exploitation, possibly stretching as far back as December 2024, of a critical SQL injection vulnerability. SQL injection comes in a number of ‘flavours’ of impact, but this one is about as bad as it gets, with attackers achieving arbitrary shell command execution and hence total compromise of targeted hosts. The bug lies in how PostgreSQL’s libpq quoting functions neutralise quotes when the input contains invalid multi-byte characters, and the jump from SQL to a shell is made through psql’s own meta-commands, so the fix has to reach client libraries and the psql tool, not just database servers. Patches are available for all in-support release branches from 13.x up.


“Think PHP, Think Hacked” – Attackers Exploit LFI Flaw in Popular WebApp Framework (CVE-2022-47945)

A 2022 vulnerability in the popular ‘ThinkPHP’ web application framework is seeing a sudden uplift in exploitation attempts over the last fortnight, according to threat intelligence firm GreyNoise. The vulnerability allows attackers to perform ‘local file inclusion’ attacks via parameter manipulation, offering the holy grail of a trivial exploit combined with the critical impact of remote code execution. Patches are available but, in a rare shot across the bows, GreyNoise notes that the flaw has gone unaddressed in many installations due to a lack of publicity to date, CISA having yet to list it in its KEV catalogue.

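Because LFI probes look much the same whichever framework or parameter is being abused, they are a good candidate for a simple log-based detection. The following is an added example (not GreyNoise’s or AppCheck’s detection logic) that runs over web server access logs, repeatedly URL-decodes each request target so double-encoded payloads are seen for what they are, and flags traversal sequences, stream wrappers, well-known sensitive files and null bytes. The log lines are constructed in Apache/Nginx combined format; the IPs, hosts and query parameter names (lang, file, tpl) are illustrative and the detector does not depend on them.

```python
"""Flag local-file-inclusion attempts in web access logs.

Added example (not GreyNoise's or AppCheck's detection logic). The log lines
are constructed in Apache/Nginx combined format; the IPs, paths and parameter
names are illustrative. The detector is parameter-agnostic: it decodes the
whole request target and looks for the shapes LFI probes share.
"""
import re
from urllib.parse import unquote

ACCESS_LOG = """\
192.0.2.10 - - [18/Feb/2025:10:01:02 +0000] "GET /index.php?lang=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Feb/2025:10:01:05 +0000] "GET /index.php?lang=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.4.0"
203.0.113.7 - - [18/Feb/2025:10:01:06 +0000] "GET /index.php?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1843 "-" "curl/8.4.0"
198.51.100.23 - - [18/Feb/2025:10:02:11 +0000] "GET /index.php?tpl=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 2210 "-" "python-requests/2.31"
192.0.2.10 - - [18/Feb/2025:10:02:30 +0000] "GET /static/app.css HTTP/1.1" 200 3090 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Feb/2025:10:03:44 +0000] "GET /index.php?lang=..%5c..%5cwindows%5cwin.ini%00 HTTP/1.1" 404 162 "-" "curl/8.4.0"
"""

# Combined log format: ip ident user [time] "method target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

LFI_PATTERNS = [
    ("path traversal", re.compile(r"\.\./|\.\.\\")),
    ("php stream wrapper", re.compile(r"\b(php|phar|data|expect|file|glob|zip)://", re.I)),
    ("sensitive file", re.compile(r"/etc/(passwd|shadow)|/proc/self/|boot\.ini|win\.ini", re.I)),
    ("null byte", re.compile(r"\x00")),
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo URL encoding until it stops changing, so a double-encoded
    payload such as %252e%252e%252f is seen as '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def detect_lfi(log_text: str) -> list:
    """Return one record per suspicious request, with the reasons it matched."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = fully_decode(m["target"])
        reasons = sorted(label for label, rx in LFI_PATTERNS if rx.search(target))
        if reasons:
            hits.append({
                "ip": m["ip"],
                "target": target,
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return hits


def summarise_by_ip(hits: list) -> dict:
    """Count suspicious requests per source; a burst from one IP is a scan."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = detect_lfi(ACCESS_LOG)
    for h in found:
        print(f"{h['ip']:<14} {h['status']} {', '.join(h['reasons']):<40} {h['target']}")
    print(summarise_by_ip(found))
```

A match on its own only tells you that somebody tried; a 200 response with a body size that fits the requested file is the stronger signal that the inclusion worked, while a 404 (as on the last sample line) is a failed probe that is still worth attributing to its source and blocking.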

“Nice VPN You Have There, Gimme Gimme” – VPN SSL Session Hijack Exploitation in SonicWall Firewalls (CVE-2024-53704)

A familiar story unfolds as reports emerge of active exploitation targeting an SSL VPN authentication bypass flaw in SonicWall’s ‘Gen7’ firewall range. Shortly after the researchers behind the original vulnerability report publicly released their proof-of-concept (PoC), Arctic Wolf almost immediately observed real-world exploitation occurring. Attackers are leveraging session hijacking to gain unauthorized network access without requiring login credentials, making this vulnerability particularly dangerous. In response, SonicWall has released patches for affected devices, along with mitigation options for those unable to update immediately.

 

Power Pages Hacked – Attackers Achieve “Network-Level Access” on Microsoft’s Low-Code Cloud Platform (CVE-2025-24989)

This week Microsoft confirmed that attackers had exploited a flaw in the vendor’s ‘Power Pages’ solution, making it the second reported exploitation of the vendor’s cloud-based Power Platform. It follows earlier reports from Microsoft of the successful exploitation of its low-code ‘Power Apps’ offering in November last year (CVE-2024-49035). Announced alongside a critical vulnerability in the vendor’s ‘Bing’ service, it appears to indicate either growing targeting of the company’s cloud-based offerings by attackers, or an increased willingness by Microsoft to publicly release advisories of such exploitations.


‘Nobody’ Said This Would Be Easy – The Compromise of Palo Alto Firewalls Continues (CVE-2025-0111)

Palo Alto has reported that attackers are actively exploiting an arbitrary file read vulnerability in the web management interface of firewalls running PAN-OS. An authenticated attacker can read any file that the low-privilege “nobody” user can read; whilst that privilege separation keeps the most sensitive files out of reach, attackers can still extract valuable data such as configuration files, tokens and keys from vulnerable devices. Attacks to date are reported to have chained this flaw with other vulnerabilities, including CVE-2024-9474 and CVE-2025-0108, the latter supplying the authentication bypass needed to reach it in the first place.


Next Roundup

To keep up to date with future high-profile advisories for critical ongoing exploitations that may threaten your technical estate, tune in next Friday for next week’s KEV roundup.

AppCheck now offers additional coverage of critical security updates from several key vendors too, including:

  • Our End-of-Month Roundups of critical patch updates for all CISCO Products – next due on 27th February 2025
  • Quarterly Roundups of Security Updates from IVANTI – next due on 3rd March 2025
  • Our monthly coverage of the ‘Patch Tuesday’ updates from MICROSOFT and several other major vendors – next due on 11th March 2025
  • Our Monthly Security Advisory Roundups for PALO ALTO NETWORKS – next due on 13th March 2025
  • Our quarterly coverage of the ‘Critical Patch Updates’ from ORACLE – next due on 15th April 2025

 

 

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).