AppCheck presents our weekly roundup of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending 11th April 2025. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: ‘Known Exploited Vulnerabilities’ are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe within the last seven days. As such, they represent perhaps the greatest ongoing cybersecurity risk to businesses, and a very real and present threat. The vulnerabilities are often being exploited by highly organised criminal groups for direct financial gain, via techniques such as malware and ransomware installation. AppCheck summarises the details of each known ongoing exploitation below, but for full details – including impact, versions affected, and any remediation or mitigation guidance – check out AppCheck’s free ‘Detections Service’ at https://detections.appcheck-ng.com/ – you can click on the title of any of the exploitations below to see more information from this service.
This week: CISA, Microsoft, Patchstack, and Kaspersky have confirmed the active exploitation of multiple critical vulnerabilities across widely used platforms, including Microsoft Windows, Gladinet CentreStack, the Linux Kernel (and, by extension, Google Android), ESET products, and a popular WordPress plugin. These attacks have enabled threat actors to escalate privileges, bypass authentication, execute remote code, deploy ransomware, and install malware. CISA has also added to its catalogue the CrushFTP and Ivanti vulnerabilities whose active exploitation we reported on last week.
CISA (America’s Cyber Defense Agency) maintains a catalogue of KEVs (Known Exploited Vulnerabilities), publishing alerts of known exploitations on an often-daily basis. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders, and to help every organisation better manage vulnerabilities to keep pace with a volatile and shifting threat landscape.
CISA and Microsoft have confirmed active exploitation of a ‘use-after-free’ vulnerability in the Common Log File System (CLFS) driver of Microsoft Windows. CLFS is a core Windows component, so the flaw is reachable by any attacker who has already gained a local foothold on a host. Threat actors have leveraged it to escalate privileges from an ordinary user to SYSTEM, and have deployed ransomware in observed attacks.
CISA has reported the active exploitation of a vulnerability arising from hard-coded cryptographic keys in Gladinet’s CentreStack software. Because a hard-coded key is identical in every installation, anyone with a copy of the software can recover it and produce payloads that a vulnerable server treats as trusted. Attackers have used this to forge malicious payloads, enabling remote execution of arbitrary code on vulnerable servers.
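The page does not describe CentreStack’s internals, so the following is an added, generic illustration (not Gladinet’s code, and not the actual exploit) of why a hard-coded key is equivalent to no key at all. It models a server that accepts a payload only if its HMAC tag verifies: with a key that ships inside every copy of the product, an attacker who has read that key signs whatever they like and the server accepts it; with a per-install key generated at setup time, the same forgery is rejected. The key value and payload fields are constructed for the example. How a forged-but-trusted payload then becomes code execution depends on what the server does with it (deserialisation, command dispatch, and so on), which this example does not model.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed example value: the kind of key that, in a vulnerable product,
# is baked into every shipped installation rather than generated per site.
HARDCODED_KEY = b"example-shared-key-present-in-every-install"

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256


def sign_payload(payload: dict, key: bytes) -> str:
    """Serialise `payload` and append an HMAC-SHA256 tag computed under `key`."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def verify_payload(token: str, key: bytes):
    """Return the payload dict if the tag verifies under `key`, otherwise None."""
    raw = base64.urlsafe_b64decode(token.encode())
    if len(raw) < TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison so the check itself does not leak the tag.
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def attacker_forges(known_key: bytes) -> str:
    """An attacker who has recovered `known_key` (e.g. from shipped config
    files) signs a payload of their own choosing. Fields are constructed."""
    return sign_payload({"user": "admin", "action": "run"}, known_key)


def server_accepts(token: str, server_key: bytes) -> bool:
    """The server's trust decision: accept the payload only if its tag verifies."""
    return verify_payload(token, server_key) is not None


def generate_install_key() -> bytes:
    """Hardened alternative: a random secret generated once per installation
    at setup time and never embedded in distributed files."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    # Vulnerable configuration: server key == the key inside every install.
    forged = attacker_forges(HARDCODED_KEY)
    print("hard-coded key, forged payload accepted:", server_accepts(forged, HARDCODED_KEY))

    # Hardened configuration: per-install key the attacker has never seen.
    install_key = generate_install_key()
    print("per-install key, forged payload accepted:", server_accepts(forged, install_key))
```

The same reasoning applies to any signing or encryption key found in a product’s default configuration files: if the key is not unique to the deployment, verification provides no authentication, and the remediation is to generate a fresh secret per install (and rotate any that was shipped).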
Two vulnerabilities in the Linux Kernel are under active exploitation, according to CISA. Because Android is built on the Linux Kernel, the flaws also affect Google’s Android OS. They have been used to exfiltrate sensitive information, escalate privileges, and execute remote code in targeted attacks.
Although CISA provides generally broad coverage of the highest-profile exploitations, it can lag behind in time to initial report for emerging exploitations. Given its operational remit, it may also deliberately omit exploitations that it judges to pose limited threat to US government and federal agencies. AppCheck therefore uses numerous alternative threat intelligence sources to enrich its coverage of high-profile exploitations and 0-days reported elsewhere, and prioritises adding detection for known-exploited vulnerabilities highlighted in non-CISA sources in exactly the same way as for CISA-published ones.
Security researchers at Kaspersky have observed the active exploitation of a DLL search order hijacking vulnerability affecting multiple ESET products. The advanced persistent threat (APT) group ToddyCat has been identified as the actor behind these attacks, using the flaw to silently load malware under the cover of the legitimate ESET process on compromised devices since at least early 2024. Note that this class of flaw requires the attacker to already be able to write a DLL into a directory that is searched before the legitimate library’s location, so it serves as a stealthy execution and persistence technique after initial access rather than as an initial entry vector.
An authentication bypass vulnerability in the OttoKit plugin (formerly SureTriggers) for WordPress is being actively exploited following its public disclosure. Attackers have been observed creating administrative accounts and taking control of vulnerable websites.
To keep up to date with future high-profile advisories for critical ongoing exploitations that may threaten your technical estate, tune in next Friday for next week’s KEV roundup.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network, and cloud infrastructure. AppCheck is authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).