AppCheck presents our weekly roundup of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending 28th February 2025. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: ‘Known Exploited Vulnerabilities’ are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe within the last seven days. As such, they represent perhaps the greatest ongoing cybersecurity risk to businesses, and a very real and present threat. The vulnerabilities are often being exploited by highly organised criminal groups for direct financial gain, via techniques such as malware and ransomware installation. AppCheck summarises the details of each known ongoing exploitation below, but for full details – including impact, versions affected, and any remediation or mitigation guidance – check out AppCheck’s free ‘Detections Service’ at https://detections.appcheck-ng.com/ – you can click on the title of any of the exploitations below to see more information from this service.
It’s been a lively week for anyone attempting to stay on top of new reports of known-exploited vulnerabilities. That is thanks in no small part to the simultaneous release of a quarterly update on the most-seen exploitations in telemetry data from security vendor Kaspersky, alongside the publication of a new joint advisory from the FBI and CISA warning about the activities of the Ghost (Cring) ransomware group. That latter group may not previously have been on the radar of many in the cybersecurity space compared to some of the more common ‘household’ names. However, the activities reported include the ongoing compromise of systems from major vendors including Fortinet, Microsoft and Adobe. Alongside Kaspersky’s recently published telemetry data indicating exploitation of solutions including Ivanti, Apache, Palo Alto and Linux, the reports demonstrate the breadth and flexibility of the exploit arsenals being deployed by organised threat actors.
The increased volume of known exploitation reports seems to reflect continued growth in the sophistication of threat groups operating as APTs (advanced persistent threats): groups willing to exercise patience and restraint, chaining together multiple unrelated vulnerabilities undetected over time through gradual infiltration of organisations’ networks, in order to deliver a more crippling ultimate payload or attack.
CISA (America’s Cyber Defense Agency) maintains a catalogue of KEVs (Known Exploited Vulnerabilities), publishing alerts of known exploitations on an often-daily basis. Although intended primarily as advisories for US government and federal agencies, the catalogue is openly published, in both human-readable and machine-readable (JSON and CSV) form, for the benefit of the wider cybersecurity community and network defenders, and to help every organisation better manage vulnerabilities to keep pace with a volatile and shifting threat landscape.
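Because the catalogue is published as a JSON feed, the weekly triage described above can be automated rather than read by hand. The script below is an added example written for this article, not AppCheck’s or CISA’s own code: it parses a feed in the shape of CISA’s published schema (fields such as cveID, dateAdded, dueDate and knownRansomwareCampaignUse), keeps only entries added within the last seven days relative to a chosen reference date, and ranks those with known ransomware use first. The embedded feed is a constructed sample; its CVE IDs, vendors and products are placeholders and do not correspond to real catalogue entries.

```python
import json
from datetime import date, timedelta

# Reference date for the weekly roundup (the week ending 28th February 2025).
AS_OF = date(2025, 2, 28)

# Constructed sample in the shape of the CISA KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The CVE IDs, vendors and products below are placeholders, not real catalogue entries.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2025.02.28",
    "dateReleased": "2025-02-28T12:00:00.0000Z",
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-2000-90001", "vendorProject": "ExampleVendor", "product": "Example Gateway",
         "vulnerabilityName": "Example Gateway Deserialization Vulnerability",
         "dateAdded": "2025-02-25", "shortDescription": "placeholder",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "dueDate": "2025-03-18", "knownRansomwareCampaignUse": "Known", "notes": "", "cwes": ["CWE-502"]},
        {"cveID": "CVE-2000-90002", "vendorProject": "ExampleVendor", "product": "Example Router",
         "vulnerabilityName": "Example Router Missing Authentication Vulnerability",
         "dateAdded": "2025-02-27", "shortDescription": "placeholder",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "dueDate": "2025-03-20", "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": ["CWE-306"]},
        {"cveID": "CVE-2000-90003", "vendorProject": "ExampleVendor", "product": "Example Viewer",
         "vulnerabilityName": "Example Viewer Cross-Site Scripting Vulnerability",
         "dateAdded": "2025-02-21", "shortDescription": "placeholder (exactly seven days old: excluded)",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "dueDate": "2025-03-14", "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": ["CWE-79"]},
        {"cveID": "CVE-2000-90004", "vendorProject": "ExampleVendor", "product": "Example CMS",
         "vulnerabilityName": "Example CMS Path Traversal Vulnerability",
         "dateAdded": "2025-01-15", "shortDescription": "placeholder (older entry: excluded)",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "dueDate": "2025-02-05", "knownRansomwareCampaignUse": "Known", "notes": "", "cwes": ["CWE-22"]},
    ],
})


def recent_kevs(feed_json, as_of, window_days=7):
    """Return catalogue entries whose dateAdded falls within the last window_days
    up to and including as_of (an entry exactly window_days old is excluded)."""
    feed = json.loads(feed_json)
    cutoff = as_of - timedelta(days=window_days)
    hits = []
    for entry in feed["vulnerabilities"]:
        added = date.fromisoformat(entry["dateAdded"])
        if cutoff < added <= as_of:
            hits.append(entry)
    # Ransomware-linked entries first, then newest first.
    hits.sort(key=lambda e: (e.get("knownRansomwareCampaignUse") != "Known",
                             -date.fromisoformat(e["dateAdded"]).toordinal()))
    return hits


def prioritise(feed_json, as_of, window_days=7):
    """Reduce the recent entries to the fields a prioritisation workflow needs:
    the CVE ID, affected product, ransomware flag and days remaining until CISA's
    remediation due date (negative once the due date has passed)."""
    rows = []
    for e in recent_kevs(feed_json, as_of, window_days):
        due = date.fromisoformat(e["dueDate"])
        rows.append({
            "cveID": e["cveID"],
            "product": "{} {}".format(e["vendorProject"], e["product"]),
            "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
            "days_to_due": (due - as_of).days,
        })
    return rows


if __name__ == "__main__":
    for row in prioritise(SAMPLE_FEED, AS_OF):
        flag = "RANSOMWARE" if row["ransomware"] else "          "
        print("{cveID:15} {product:30} {flag} due in {days_to_due:3d} days".format(flag=flag, **row))
```

Pointing the script at the live feed simply means replacing SAMPLE_FEED with the downloaded JSON; the date window and the ransomware-first ordering are the two parameters most organisations will want to tune to their own remediation SLAs.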
Earlier this week, security researchers at AhnLab Security Intelligence Center (ASEC) reported that a weakness in Microsoft Windows first reported last year has recently seen a 300% uptick in associated exploitation activity. The researchers attribute this renewed wave of attacks to a campaign distributing the ‘Rhadamanthys’ infostealer malware, with the vulnerability being targeted as part of a credential theft campaign against Windows environments.
An SSRF vulnerability originally reported by CISA to be undergoing exploitation in the wild as of 2021-11-03 by Ghost/Cring ransomware operators is back in the spotlight again this week. In a joint advisory with the FBI, CISA warned that old, unpatched systems remain targets and are continuing to undergo exploitation, demonstrating that vulnerabilities remain viable attack vectors for as long as threat actors have a use for them.
Already the subject of two widely-publicised waves of exploitation, a critical RCE flaw is back in the headlines again this week, reportedly undergoing a third wave of exploitation activity. The latest exploitations have culminated in the installation of ‘LockBit Black’ ransomware across enterprise networks. LockBit Black operates a Ransomware-as-a-Service (RaaS) model, with a cybercrime group selling the malicious software to criminal affiliates for a cut of the profits from successful attacks.
The ‘Threat Campaigns Team’ at F5 reported this week that a JSON deserialization flaw in Spring Cloud Gateway – already the subject of a CISA advisory – is now the third most-common vulnerability that they have seen attempted exploitations of within the past month. The F5 threat intelligence is produced via analysis of data from Efflux, who maintain a distributed network of sensors from which they derive attack telemetry on ongoing exploitations across the globe.
A critical RCE flaw in optical network routers from Dasan was originally reported by CISA to be under widespread exploitation back in 2022: at that time, it was confirmed to be used in ransomware campaigns and targeted by five of the largest botnets (Hajime, Mettle, Mirai, Muhstik and Satori). However, according to security researchers at Akamai, the last month has seen a resurgence in targeted exploitation, this time by the ‘Aquabot 3’ botnet, a new variant built on the Mirai framework whose ultimate goal is distributed denial-of-service (DDoS) attacks.
It scarcely seems credible that a high-profile vulnerability from over a decade ago is *still* being exploited in the wild. But that seems to be the case with a venerable path traversal vulnerability in Adobe’s ColdFusion. Long in the tooth it may be, but somehow some unpatched instances remain, perhaps only recently exposed to public networks. Ghost/Cring ransomware operators are reported to be the latest threat actors in a long chain, taking advantage of the vulnerability to perform hostile takeovers of Windows servers.
A deserialization vulnerability in Oracle’s Agile PLM, first disclosed in Oracle’s January 2024 Critical Patch Update, has now been flagged by CISA as undergoing active exploitation in the wild. In typical Oracle fashion, details on the scale or nature of the exploitation remain scarce. What is clear, however, is that attackers have been able to exploit the vulnerability to execute arbitrary code, a worst-case scenario that has allowed them to totally compromise targeted vulnerable systems in attacks.
CISA has reported that cyber attackers have been actively exploiting a cross-site scripting (XSS) vulnerability in the Zimbra Collaboration Suite from Synacor. The flaw was leveraged by attackers to execute malicious scripts within the browsers of victim clients, in order to hijack user sessions and steal sensitive data. Little extra detail so far from Synacor, but it follows a familiar exploitation disclosed back in July 2023. A patch is available to fix the issue on vulnerable instances.
Although CISA provides generally broad coverage of the highest-profile exploitations, it can sometimes lag behind the curve in its time to initial report for emerging exploitations. It may also deliberately omit some exploitations if it judges there to be limited threat to US government and federal agencies, in line with its operational remit. AppCheck therefore uses numerous alternative threat intelligence sources to enrich its coverage of high-profile exploitations and 0-days reported elsewhere, and prioritises the addition of detection for known-exploited vulnerabilities highlighted in non-CISA sources in exactly the same way as for CISA-published ones.
Despite its initial disclosure by CISA in November 2021, this missing authentication check in Cisco’s RV series of routers remains actively exploited, having been most recently spotlighted as part of NST Cyber’s “Top 10 Most Exploited CVEs Against Enterprise Applications” for February 12–18, 2025. Of particular note is that the sophisticated threat group ‘Volt Typhoon’ has leveraged this flaw in real-world attacks, underscoring the ongoing risks posed by unpatched systems.
A Cisco IOS vulnerability, initially reported by CISA in August 2021, has seen a renewed wave of targeted attacks beginning in August 2024 and continuing into the present month. With no sign of this activity slowing down, Cisco researchers have attributed the majority of these attacks to the threat actor known as ‘Salt Typhoon’, which has used the flaw to deploy the ‘JumbledPath’ malware, primarily against government and telecommunications targets. Cisco’s Talos group revealed that the attackers have developed a specialised tool explicitly designed to exploit the ‘Smart Install’ feature in devices running Cisco’s IOS or IOS XE software. As well as using the tool themselves, the attackers have made it readily available to others, significantly lowering the barrier to widespread exploitation by copycat attackers. Cisco’s long-standing guidance for this feature still applies: disable Smart Install wherever it is not actively in use (the ‘no vstack’ configuration command, with ‘show vstack config’ to confirm the client is disabled) and restrict access to its TCP port 4786 at the network edge.
A flaw in the third-party Apache BlazeDS library used for Java object serialisation/deserialisation in ColdFusion is undergoing active exploitation according to CISA, a number of years after its initial discovery. The vulnerability exists across several release streams of Adobe’s web application development platform, but thankfully patches are available for all affected versions. Adobe has also produced ‘lockdown guides’ for each release stream, encouraging customers to perform system and service hardening in addition to simply patching the vulnerability.
According to multiple third-party sources, an XSS flaw in the “KRpano” panoramic viewer has been weaponized by malicious actors to inject malicious scripts across hundreds of websites with the goal of manipulating search results and fuelling a spam ads campaign at scale. The campaign – dubbed 360XSS – affected over 350 websites, including government portals, universities, major hotel chains, news outlets, car dealerships, and several Fortune 500 companies. At time of publication, it is not yet known who is behind the massive operation.
To keep up to date with future high-profile advisories for critical ongoing exploitations that may threaten your technical estate, tune in next Friday for next week’s KEV roundup.
AppCheck now offers additional coverage of critical security updates from several key vendors too, including:
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).