AppCheck presents our weekly roundup of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending 14th February 2025. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: ‘Known Exploited Vulnerabilities’ are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe within the last seven days. As such, they represent perhaps the greatest ongoing cybersecurity risk to businesses, and a very real and present threat. The vulnerabilities are often being exploited by highly organised criminal groups for direct financial gain, via techniques such as malware and ransomware installation. AppCheck summarises the details of each known ongoing exploitation below, but for full details – including impact, versions affected, and any remediation or mitigation guidance – check out AppCheck’s free ‘Detections Service’ at https://detections.appcheck-ng.com/ – you can click on the title of any of the exploitations below to see more information from this service.
This week: With a large number of major vendors disclosing details of vulnerabilities alongside a bumper crop of security updates on this month’s ‘Patch Tuesday’, we’ve seen a whole lot of dirty laundry being aired. CISA have reported on ongoing and active exploitations of various platforms and services, including the Linux Kernel as well as solutions from Microsoft, Apple, Sophos, Trimble, Mitel, Zyxel, Paessler, and 7-Zip.
Independent researchers and other independent security organizations have added to this eclectic mix of reported exploitations with reports of attackers targeting further vulnerabilities in a plethora of products from the likes of Veeam, Afterlogic, CyberPower, Lansweeper and Lenovo.
CISA (America’s Cyber Defense Agency) maintains a catalogue of ‘KEV’s (Known Exploited Vulnerabilities), publishing alerts of known exploitations on an often-daily basis. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders, and to help every organisation better manage vulnerabilities to keep pace with a volatile and shifting threat landscape.
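As an added illustration of using the KEV catalogue as a prioritisation input (this is example code, not AppCheck's or CISA's own tooling): the field names below follow the public KEV JSON feed schema, but the records, the asset inventory, the vendor names and the CVE identifiers are all constructed placeholders.

```python
"""Triage constructed KEV-style records against an asset inventory.

Added example, not AppCheck's or CISA's code. Field names (cveID,
vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse)
follow the public KEV JSON feed; all values below are constructed samples.
"""
from datetime import date, timedelta
import json

# Constructed feed excerpt: vendor/product names and CVE IDs are placeholders.
KEV_FEED = json.loads("""
{"vulnerabilities": [
 {"cveID": "CVE-0000-00001", "vendorProject": "VendorA", "product": "MonitorSuite",
  "dateAdded": "2025-02-12", "dueDate": "2025-03-05", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-00002", "vendorProject": "VendorB", "product": "DesktopOS",
  "dateAdded": "2025-02-11", "dueDate": "2025-03-04", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-00003", "vendorProject": "VendorC", "product": "EdgeRouter",
  "dateAdded": "2024-12-01", "dueDate": "2024-12-22", "knownRansomwareCampaignUse": "Unknown"}
]}
""")

# Constructed inventory: the vendor/product pairs this estate actually runs.
INVENTORY = {("VendorA", "MonitorSuite"), ("VendorB", "DesktopOS")}
ROUNDUP_DATE = date(2025, 2, 14)  # week ending 14th February 2025


def kev_triage(feed, inventory, today, window_days=7):
    """Return KEV entries that affect the inventory, most urgent first.

    Entries flagged for ransomware use sort first, then entries added within
    the last `window_days` (this week's roundup), then earliest due date.
    """
    cutoff = today - timedelta(days=window_days)
    hits = []
    for v in feed["vulnerabilities"]:
        if (v["vendorProject"], v["product"]) not in inventory:
            continue  # not in our estate, no action needed
        hits.append({
            "cveID": v["cveID"],
            "product": v["product"],
            "new_this_week": date.fromisoformat(v["dateAdded"]) >= cutoff,
            "ransomware": v["knownRansomwareCampaignUse"] == "Known",
            "dueDate": v["dueDate"],
            "overdue": date.fromisoformat(v["dueDate"]) < today,
        })
    hits.sort(key=lambda h: (not h["ransomware"], not h["new_this_week"], h["dueDate"]))
    return hits


if __name__ == "__main__":
    for hit in kev_triage(KEV_FEED, INVENTORY, ROUNDUP_DATE):
        print(hit)
```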
An out-of-bounds write to critical memory segments is confirmed by CISA to be undergoing exploitation in the wild. The near-ubiquitous presence of the Linux kernel in everything from desktop and server operating systems through to mobile phones and networking hardware means that a huge array of devices could be at risk of targeted attack in coming days if running a vulnerable kernel version.
Dubbed ‘MonikerLink’ by the security researchers responsible for its discovery, a code injection flaw in Microsoft’s Outlook (part of the Microsoft Office ecosystem) has been noted by CISA as being actively exploited in the wild. This flaw allows attackers to obtain password hashes and execute arbitrary remote code on a victim’s machine by exploiting specially crafted hyperlinks within an email (bypassing Outlook’s Protected View).
A memory management flaw in products from another ‘big name’ vendor has been reported by CISA, and in this case, Apple has itself confirmed that the flaw is being actively exploited in the wild. A memory issue present in almost all of the vendor’s proprietary operating systems has been identified as being exploited by attackers for malicious privilege escalation.
A SQL injection flaw in the ‘Cyberoam’ OS used in some legacy Sophos firewall appliances was revealed by the vendor themselves to have undergone active exploitation by state-sponsored attackers attributed to China. The activity is notable for being linked to highly skilled adversaries who reputedly conducted a multi-year campaign and leveraged a number of vulnerabilities in different hardware, software and services in pervasive APT exploit chains.
A deserialization vulnerability in Trimble’s ‘Cityworks’ solution has been reported to be exploited by attackers this week. Attackers have been observed leveraging the flaw to drop a Rust-based script that installs a remote access trojan (RAT) for access persistence and further compromise.
CISA has reported on the active exploitation of a buffer overflow vulnerability in the HTTP/S Bookmarks feature of Sophos XG Firewalls. Successful exploitation has seen attackers performing remote code execution and completely compromising targeted devices.
CISA has reported active exploitation of an argument injection vulnerability in Mitel SIP Phones. Attackers have been exploiting this flaw to, again, execute arbitrary commands, leading to complete compromise.
CISA has reported active exploitation of an OS command injection vulnerability in Paessler PRTG Network Monitor. Successful exploitation has led to remote code execution on the devices of victims.
CISA has also reported active exploitation of a local file inclusion vulnerability in Paessler PRTG Network Monitor. Attackers have been observed leveraging this vulnerability to create administrative user accounts.
CISA has reported active exploitation of two OS command injection vulnerabilities in Zyxel DSL legacy routers. Successful exploitation has led to attackers executing arbitrary commands on the targeted devices.
CISA has reported active exploitation of an information disclosure vulnerability in Microsoft’s .NET Framework. The exploitation has allowed hackers to leverage the vulnerability to execute remote code.
CISA has reported active exploitation of a Mark-of-the-Web bypass vulnerability in 7-Zip. This vulnerability has been leveraged to download malware to the targeted devices, and allowed attackers to execute arbitrary code.
CISA has reported active exploitation of a process control vulnerability in Dante Discovery, with attackers observed to execute arbitrary code in DLL side-loading attacks.
CISA has reported active exploitation of an OS command injection vulnerability in Zyxel ZyWALL/USG Series devices. The vulnerability has permitted attackers in reported attack instances to remotely execute OS commands.
CISA and Microsoft have reported active exploitation of a buffer overflow vulnerability in the Ancillary Function Driver for WinSock in Microsoft Windows. The exploitation has allowed attackers to escalate privileges to system level.
CISA and Microsoft have reported active exploitation of a link-following vulnerability (or ‘symlink’ attack) in Microsoft Windows. Exploitation has been used by attackers to delete critical system files, causing denial of service via loss of system integrity.
Although CISA provides generally broad coverage of the highest profile exploitations, it can sometimes lag behind the curve in the time taken to first report emerging exploitations. It can also sometimes deliberately not publish some exploitations if it feels that there is limited threat to US government and federal agencies, due to its operational remit. AppCheck therefore uses numerous alternate threat intelligence sources to enrich its coverage of high profile exploitations and 0-days reported elsewhere. AppCheck processes, and aims to prioritise, the addition of detections for known-exploited vulnerabilities highlighted in non-CISA sources in exactly the same way as for CISA-published ones.
Veeam’s Service Provider Console (VSPC) has been confirmed to have been the target of a successful ransomware campaign running since at least early December 2024. A code injection flaw in the backup management software is being exploited for remote code execution, with attackers taking advantage to encrypt organisation data and hold it to ransom for financial payout. The vulnerability is believed to potentially have existed in all versions of the software since day zero. With Veeam solutions often being used to protect vast archives of corporate data, successful exploitation of the vulnerability leaves victims in a highly exposed position. A patch has now been released, and customers are advised to upgrade as soon as possible.
Apple’s second zero-day reportedly undergoing exploitation this year is targeting devices running vulnerable versions of the vendor’s iOS and iPadOS mobile operating systems. Technical details are sparse (as is typical from Apple) but exploitation appears to allow physical access to ‘locked’ devices via USB. Apple released an emergency update to fix the flaw. Apple reports that the exploitation was “targeted”, and the organisation that discovered and reported the flaw is known to offer security services to journalists and other potentially politically-targeted individuals. Claimed exploit code is openly for sale via bitcoin at time of publication to any would-be ‘copycat’ attackers.
Active exploitation of a path traversal vulnerability in Afterlogic products has been reported, with hackers exploiting the flaw to retrieve credentials and gain administrative access.
Active exploitation of a SQL injection vulnerability in Lansweeper has been reported although no further details are currently available at time of publication.
Active exploitation of a buffer overflow vulnerability in Lenovo’s HardwareScanPlugin has been reported. The instances of successful exploitation have seen attackers able to execute arbitrary (malicious) code on customer systems with elevated privileges.
Active exploitation of an unprotected API endpoint vulnerability in CyberPower PowerPanel Enterprise has been reported. Attackers have been able to retrieve credentials for managed devices, which has led to further unauthorized access to downstream managed systems in a cascade of compromised systems.
To keep up to date with future high-profile advisories for critical ongoing exploitations that may threaten your technical estate, tune in next Friday for next week’s KEV roundup.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).