Known Actively Exploited Vulnerabilities Round-up (02.05.25-08.05.25)

This article covers recent vulnerabilities found to be actively exploited. They are categorised not only by the type of exploitation but also by their impact and the versions affected. This article also provides any official fix and remediation guidance for the listed vulnerabilities.

AppCheck presents our weekly roundup of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending 9th May 2025. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: ‘Known Exploited Vulnerabilities’ are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe within the last seven days. As such, they represent perhaps the greatest ongoing cybersecurity risk to businesses, and a very real and present threat. The vulnerabilities are often being exploited by highly organised criminal groups for direct financial gain, via techniques such as malware and ransomware installation. AppCheck summarises the details of each known ongoing exploitation below, but for full details – including impact, versions affected, and any remediation or mitigation guidance – check out AppCheck’s free ‘Detections Service’ at https://detections.appcheck-ng.com/ – you can click on the title of any of the exploitations below to see more information from this service.

 

Commentary and Roundup

This week: CISA and other security researchers have flagged a surge in active exploitations targeting widely used platforms and frameworks, ranging from enterprise backup systems and IoT devices to CMS plugins and VPN appliances. With several flaws now weaponised via public proof-of-concept code, organisations are urged to prioritise patching and apply mitigations to defend against these escalating threats.

 

CISA ‘Known Exploited Vulnerabilities’

CISA (America’s Cyber Defense Agency) maintains a catalogue of ‘KEV’s (Known Exploited Vulnerabilities), publishing alerts of known exploitations on an often-daily basis. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders, and to help every organisation better manage vulnerabilities to keep pace with a volatile and shifting threat landscape.
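To make the "input to a prioritisation framework" idea from the introduction concrete, here is an added example (not AppCheck's code and not a real extract of the catalogue) that matches a KEV-shaped feed against a simple asset inventory and orders the patch work. The field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) are the ones the published CISA KEV JSON feed uses; the entries, dates, due dates and inventory below are constructed sample data for offline use.

```python
"""Rank patching work by matching a CISA KEV-style feed against an asset inventory.

Added example, not AppCheck's code. Feed field names follow the CISA KEV JSON
feed; the records themselves (dates, due dates, products) are constructed.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the KEV feed's "vulnerabilities" array.
# The CVE ids appear in this roundup; dateAdded/dueDate values are illustrative only.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-34028", "vendorProject": "Commvault", "product": "Command Center",
     "dateAdded": "2025-05-02", "dueDate": "2025-05-23", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-3248", "vendorProject": "Langflow", "product": "Langflow",
     "dateAdded": "2025-05-05", "dueDate": "2025-05-26", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-11120", "vendorProject": "GeoVision", "product": "Devices",
     "dateAdded": "2025-05-07", "dueDate": "2025-05-28", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed asset inventory: hostnames and exposure are invented for the example.
INVENTORY = [
    {"asset": "backup-01", "vendorProject": "Commvault", "product": "Command Center", "internet_facing": True},
    {"asset": "ml-dev-02", "vendorProject": "Langflow", "product": "Langflow", "internet_facing": False},
    {"asset": "cctv-gw-01", "vendorProject": "GeoVision", "product": "Devices", "internet_facing": True},
    {"asset": "wiki-01", "vendorProject": "Atlassian", "product": "Confluence", "internet_facing": True},
]


def load_kev(feed_json):
    """Index the feed's 'vulnerabilities' array by CVE id."""
    return {e["cveID"]: e for e in json.loads(feed_json)["vulnerabilities"]}


def _key(vendor, product):
    # Case- and whitespace-insensitive vendor/product key for matching.
    return (vendor.strip().lower(), product.strip().lower())


def match_assets(kev, inventory):
    """Pair each inventory asset with every KEV entry for the same vendor/product."""
    by_product = {}
    for entry in kev.values():
        by_product.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)
    matches = []
    for asset in inventory:
        for entry in by_product.get(_key(asset["vendorProject"], asset["product"]), []):
            matches.append({
                "asset": asset["asset"],
                "cveID": entry["cveID"],
                "dueDate": date.fromisoformat(entry["dueDate"]),
                "internet_facing": asset["internet_facing"],
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    return matches


def prioritise(matches, today):
    """Order: overdue first, then internet-facing, then known ransomware use, then soonest due date."""
    def rank(m):
        days_left = (m["dueDate"] - today).days
        # False sorts before True, so overdue / exposed / ransomware items come first.
        return (days_left >= 0, not m["internet_facing"], not m["ransomware"], days_left)

    return [{**m, "days_to_due": (m["dueDate"] - today).days} for m in sorted(matches, key=rank)]


def run_demo(today_iso="2025-05-09"):
    """Run the matching and ranking over the constructed data for a given 'today'."""
    kev = load_kev(KEV_SAMPLE)
    return prioritise(match_assets(kev, INVENTORY), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for row in run_demo():
        print(f'{row["asset"]:<12} {row["cveID"]:<16} due in {row["days_to_due"]:>3} days '
              f'exposed={row["internet_facing"]}')
```

In practice the feed would be fetched from CISA and the inventory from a CMDB or scanner export; the ranking policy is the part to adapt, since it encodes which factors (exposure, due date, ransomware linkage) an organisation weights most.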

 

Commvault Command Center – Path Traversal Exploitation (CVE-2025-34028)

CISA has confirmed the active exploitation of a critical path traversal vulnerability in Commvault’s Command Center, shortly after its public disclosure by watchTowr Labs. Threat actors have been observed uploading ZIP files that, once decompressed, resulted in arbitrary code execution on vulnerable servers.
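Archive uploads that write outside their intended directory when unpacked are the general pattern behind this class of path traversal. As an added, generic example (not Commvault's code and not the vendor's fix), the routine below extracts a ZIP file only after confirming that every entry resolves inside the destination directory, and refuses the whole archive otherwise so the event can be logged. The sample archives are constructed in memory; nothing here comes from the original page.

```python
"""Fail-closed ZIP extraction that rejects entries escaping the destination directory.

Added example, not Commvault's code or patch. The archives built below are
constructed test fixtures.
"""
import io
import os
import stat
import tempfile
import zipfile


def build_sample_zip(entries):
    """Constructed test archive: entries is a dict of {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def safe_extract(zip_bytes, dest):
    """Extract into dest only if every entry stays inside dest; otherwise write nothing.

    Returns {"extracted": [names], "rejected": [names]} so the caller can log rejections.
    """
    dest_real = os.path.realpath(dest)
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Absolute names would ignore dest entirely when joined.
            if os.path.isabs(name) or name.startswith(("/", "\\")):
                rejected.append(name)
                continue
            target = os.path.realpath(os.path.join(dest_real, name))
            # realpath resolves "..", so anything outside dest (or dest itself) is rejected.
            if target == dest_real or os.path.commonpath([dest_real, target]) != dest_real:
                rejected.append(name)
                continue
            # Symlink entries could redirect later writes; refuse them too.
            if stat.S_ISLNK(info.external_attr >> 16):
                rejected.append(name)
                continue
            accepted.append((info, target))
        if rejected:
            return {"extracted": [], "rejected": rejected}
        for info, target in accepted:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
    return {"extracted": [i.filename for i, _ in accepted], "rejected": []}


def run_demo():
    """Constructed archives: one benign, one carrying a traversal entry."""
    benign = build_sample_zip({"docs/readme.txt": b"hello", "index.html": b"<html></html>"})
    hostile = build_sample_zip({"index.html": b"<html></html>", "../../outside.txt": b"escaped"})
    good = safe_extract(benign, tempfile.mkdtemp())
    bad = safe_extract(hostile, tempfile.mkdtemp())
    return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("benign archive:", good)
    print("hostile archive:", bad)
```

Python's own `ZipFile.extract` silently rewrites traversal components rather than failing; checking the resolved path up front and refusing the whole archive turns a quiet rewrite into a detectable, auditable event, which is what a file-upload handler should want.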

 

Yiiframework Yii – Improper Protection of Alternate Path Exploitation (CVE-2024-58136)

CISA has also reported exploitation of a flaw in the Yii PHP framework, which is used by Craft CMS. This improper path protection vulnerability allows attackers to bypass restrictions and access unauthorized functions and resources.

 

Langflow – Missing Authentication Exploitation (CVE-2025-3248)

A missing authentication vulnerability in Langflow is being actively exploited. The flaw, described as “easily exploitable”, has enabled attackers to take over unpatched servers. The SANS Technology Institute confirmed exploit activity via honeypot detections.

 

FreeType – Out-of-Bounds Write Exploitation (CVE-2025-27363)

First disclosed by Facebook in March 2025, an out-of-bounds write vulnerability in the FreeType font rendering library is now under active exploitation. The flaw enables code execution, and Google has issued patches as part of its May 2025 Android security updates.

 

GeoVision – Multiple Exploitations (CVE-2024-11120 and CVE-2024-6047)

CISA reports ongoing exploitation of two command injection vulnerabilities in GeoVision IoT devices, originally flagged by Akamai in April. As the devices are now end-of-life and unpatched, compromised devices are being leveraged in Mirai botnet-driven DDoS attacks.

 

Elsewhere on the Web

Although CISA provides generally broad coverage of the highest-profile exploitations, its initial reports on emerging exploitations can sometimes lag behind other sources. It may also deliberately omit some exploitations if it judges the threat to US government and federal agencies to be limited, given its operational remit. AppCheck therefore uses numerous alternative threat intelligence sources to enrich its coverage of high-profile exploitations and 0-days reported elsewhere. AppCheck processes these sources and aims to prioritise adding detections for known-exploited vulnerabilities highlighted in non-CISA sources in exactly the same way as for CISA-published ones.

 

OttoKit – Privilege Escalation Exploitation (CVE-2025-27007)

Wordfence has identified a second actively exploited vulnerability in the OttoKit WordPress plugin, which has over 100,000 active installations. Threat actors are using the flaw to gain unauthorized access and create admin accounts on affected sites.

 

Samsung MagicINFO – Restricted Directory Exploitation (CVE-2024-7399)

Arctic Wolf has observed active exploitation of a high-severity directory traversal flaw in Samsung’s MagicINFO CMS. Public PoC exploit code has enabled unauthenticated attackers to write arbitrary files and achieve remote code execution with system privileges.

 

SonicWall SMA100 – Multiple Exploitations (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821)

Rapid7 reports that three vulnerabilities in SonicWall’s SMA100 VPN appliances are being actively chained together to achieve root-level remote code execution.

 


 

Next Roundup

To keep up to date with future high-profile advisories for critical ongoing exploitations that may threaten your technical estate, tune in next Friday for next week’s KEV roundup.

 

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations' websites, applications, network, and cloud infrastructure. AppCheck are authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
