Known Actively Exploited Vulnerabilities Round-up (07.03.25-13.03.25)

This article covers recent vulnerabilities found to be actively exploited. They are categorised not only by the type of exploitation, but also by their impact and the versions affected. The article also notes any official fix and remediation guidance for the listed vulnerabilities.

AppCheck presents our weekly roundup of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending 14th March 2025. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: ‘Known Exploited Vulnerabilities’ are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe within the last seven days. As such, they represent perhaps the greatest ongoing cybersecurity risk to businesses, and a very real and present threat. The vulnerabilities are often being exploited by highly organised criminal groups for direct financial gain, via techniques such as malware and ransomware installation. AppCheck summarises the details of each known ongoing exploitation below, but for full details – including impact, versions affected, and any remediation or mitigation guidance – check out AppCheck’s free ‘Detections Service’ at https://detections.appcheck-ng.com/ – you can click on the title of any of the exploitations below to see more information from this service.

Commentary and Roundup

Patch Tuesday has come and gone, and – as is tradition – Microsoft once again takes centre stage. With six newly reported flaws under active exploitation, including privilege escalation (CVE-2025-24983) and information disclosure (CVE-2025-24984), attackers have certainly been busy. But they’re not alone, as CISA’s latest additions reveal that VMware, Ivanti, and Advantive have also found themselves in the firing line.

Multiple VMware platforms are being actively exploited via a trio of vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226), allowing sandbox escapes and arbitrary code execution – bad news for virtualised environments. Meanwhile, Ivanti Endpoint Manager is seeing active exploitation of path traversal flaws (CVE-2024-13159, CVE-2024-13160, CVE-2024-13161) that could lead to credential theft, and Advantive’s VeraCore is being targeted with SQL injection and unrestricted file upload attacks (CVE-2024-57968, CVE-2025-25181). With such a broad spread of active threats, it’s a timely reminder that staying ahead of attackers means keeping a watchful eye beyond just the biggest names in software.

CISA ‘Known Exploited Vulnerabilities’

CISA (America’s Cyber Defense Agency) maintains a catalogue of ‘KEV’s (Known Exploited Vulnerabilities), publishing alerts of known exploitations on an often-daily basis. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders, and to help every organisation better manage vulnerabilities to keep pace with a volatile and shifting threat landscape.

VMware Triple Threat – Multiple Exploitations (CVE-2025-22224, CVE-2025-22225 & CVE-2025-22226)

CISA has reported the active exploitation of three vulnerabilities in VMware’s ESXi, Workstation, Cloud Foundation, Fusion and Telco cloud products. Successful exploitation has led to attackers executing arbitrary code, escaping sandboxes and disclosing information.

Ivanti Endpoint Manager (EPM) – Multiple Exploitations (CVE-2024-13159, CVE-2024-13160 & CVE-2024-13161)

CISA has reported the active exploitation of three path traversal vulnerabilities in Ivanti’s Endpoint Manager. These exploitations have allowed attackers to leverage account credentials for relay attacks and to compromise EPM clients.

Advantive VeraCore – Multiple Exploitations (CVE-2024-57968 & CVE-2025-25181)

CISA has reported the active exploitation of two vulnerabilities in VeraCore from Advantive, with attackers observed uploading unrestricted files and executing arbitrary SQL commands.

Microsoft Windows (MMC) – Improper Neutralization Exploitation (CVE-2025-26633)

CISA and Microsoft have reported active exploitation of an improper neutralization vulnerability in the Microsoft Management Console of Microsoft Windows. Successful exploitation has led to attackers bypassing security features.

Microsoft Windows (NTFS) – Heap-Based Buffer Overflow Exploitation (CVE-2025-24993)

CISA and Microsoft have reported active exploitation of a heap-based buffer overflow vulnerability in Microsoft Windows NTFS. The exploitation has allowed attackers to locally execute arbitrary commands on vulnerable systems.

Microsoft Windows (Fast FAT Driver) – Integer Overflow Exploitation (CVE-2025-24985)

CISA and Microsoft have reported active exploitation of an integer overflow vulnerability in the Microsoft Windows Fast FAT Driver. Attackers have used the exploitation to locally execute arbitrary commands on vulnerable systems.

Microsoft Windows (NTFS) – Out-Of-Bounds Read Exploitation (CVE-2025-24991)

CISA and Microsoft have reported active exploitation of an out-of-bounds read vulnerability in Microsoft Windows NTFS. The exploitation has allowed hackers to leverage the vulnerability to disclose information including the contents of memory.

Microsoft Windows (Win32k) – Use-After-Free Exploitation (CVE-2025-24983)

CISA and Microsoft have reported active exploitation of a use-after-free vulnerability in the Win32 Kernel Subsystem of Microsoft Windows. The exploitation has allowed attackers to escalate privileges to SYSTEM level.

Microsoft Windows (NTFS) – Information Disclosure Exploitation (CVE-2025-24984)

CISA and Microsoft have reported active exploitation of an information disclosure vulnerability in Microsoft Windows NTFS. Exploitation has been reported with attackers employing malicious USB drives to disclose information including the contents of memory.

Elsewhere on the Web

Although CISA provides a generally broad coverage of the highest profile exploitations, it can sometimes lag behind the curve in time to initial report for emerging exploitations. It can also sometimes deliberately not publish some exploitations if it feels that there is limited threat to US government and federal agencies, due to its operational remit. AppCheck therefore uses numerous alternate threat intelligence sources to enrich its coverage of high profile exploitations and 0-days reported elsewhere. AppCheck processes and aims to prioritise the addition of detection for known-exploited vulnerabilities highlighted in non-CISA sources, in exactly the same way as for CISA-published ones.

Microsoft Windows (Authentication) – Link Following Exploitation (CVE-2024-21447)

Active exploitation of a link-following vulnerability (or ‘symlink’ attack) in Microsoft Windows Authentication has been reported with hackers exploiting the flaw to escalate privileges to system level.

Microsoft Windows (File Explorer) – Improper Access Control Exploitation (CVE-2024-38100)

Active exploitation of an improper access control vulnerability in Microsoft Windows File Explorer has been reported with attackers successfully exploiting the flaw to gain administrative privileges.

Microsoft Office (Equation Editor) – Memory Corruption Exploitation (CVE-2018-0802)

Active exploitation of a memory corruption vulnerability in the Equation Editor used within Microsoft Office applications has been reported, with attackers exploiting the flaw to remotely execute arbitrary code.

HGS Fast Transit System – Exposed Dangerous Method or Function Exploitation (CVE-2024-12651)

Active exploitation of an exposed dangerous method or function vulnerability in the Fast Transit System mobile application from HGS has been reported, with attackers demanding that affected users pay in cryptocurrency under threat of their personal information being released.

Next Roundup

To keep up to date with future high-profile advisories for critical ongoing exploitations that may threaten your technical estate, tune in next Friday for next week’s KEV roundup.

AppCheck now offers additional coverage of critical security updates from several key vendors too, including:

  • Quarterly Roundups of Security Updates from IVANTI – next due on 17th March 2025
  • Our End-of-Month Roundups of critical patch updates for all CISCO Products – next due on 27th March 2025
  • Our monthly coverage of the ‘Patch Tuesday’ updates from MICROSOFT and several other major vendors – next due on 9th April 2025
  • Our Monthly Security Advisory Roundups for PALO ALTO NETWORKS – next due on 10th April 2025
  • Our quarterly coverage of the ‘Critical Patch Updates’ from ORACLE – next due on 15th April 2025

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network, and cloud infrastructure. AppCheck are authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
