Known Actively Exploited Vulnerabilities Round-up (21.03.25-27.03.25)

This article covers recent vulnerabilities found to be actively exploited. They are categorised not only by the type of exploitation, but also by their impact and the versions affected. This article also informs on any official fix and remediation guidance for the listed vulnerabilities.

AppCheck presents our weekly roundup of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending 28th March 2025. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: ‘Known Exploited Vulnerabilities’ are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe within the last seven days. As such, they represent perhaps the greatest ongoing cybersecurity risk to businesses, and a very real and present threat. The vulnerabilities are often being exploited by highly organised criminal groups for direct financial gain, via techniques such as malware and ransomware installation. AppCheck summarises the details of each known ongoing exploitation below, but for full details – including impact, versions affected, and any remediation or mitigation guidance – check out AppCheck’s free ‘Detections Service’ at https://detections.appcheck-ng.com/ – you can click on the title of any of the exploitations below to see more information from this service.

 

Commentary and Roundup

This week: CISA has reported active exploitation of several critical vulnerabilities, including a sandbox escape flaw in Google Chrome, a second case of attackers injecting malicious code into a GitHub repository, and multiple deserialization flaws found in Sitecore products. In addition, third-party sources have indicated several more critical vulnerabilities being actively exploited, including flaws in Next.JS, Draytek Vigor Series routers (again) and multiple WordPress plugins.

CISA ‘Known Exploited Vulnerabilities’

CISA (America’s Cyber Defense Agency) maintains a catalogue of ‘KEV’s (Known Exploited Vulnerabilities), publishing alerts of known exploitations on an often-daily basis. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders, and to help every organisation better manage vulnerabilities to keep pace with a volatile and shifting threat landscape.

 

Google Chrome – Sandbox Escape Exploitation (CVE-2025-2783)

CISA have reported on the active exploitation of a sandbox escape found in Google Chrome. Reports have indicated that a professional hacking operation has launched drive-by download exploits and successfully chained this flaw with a second, as-yet-unknown exploit to achieve remote code execution. Microsoft Edge (which is based on Chromium) has also been patched, and Mozilla has reportedly patched a ‘similar’ flaw in Firefox.

Reviewdog Action-Setup – GitHub Action Embedded Malicious Code Exploitation (CVE-2025-30154)

Threat actors have exploited a vulnerability in the Reviewdog Action-Setup GitHub Action to dump exposed secrets to GitHub Actions workflow logs. This compromise is reported to have been the root cause that enabled the compromise of Tj-Actions Changed-Files (CVE-2025-30066) reported last week.

Sitecore CMS and Experience Platform (XP) – Multiple Deserialization Exploitations (CVE-2019-9874 and CVE-2019-9875)

CISA have reported on the active exploitation of multiple vulnerabilities in Sitecore products. Whilst there are currently no details on how the flaws are being weaponised in the wild, or by whom, successful exploitation is believed to have allowed attackers to execute arbitrary code.

Elsewhere on the Web

Although CISA provides generally broad coverage of the highest-profile exploitations, it can sometimes lag in the time taken to initially report emerging exploitations. It can also, due to its operational remit, deliberately choose not to publish some exploitations if it feels there is limited threat to US government and federal agencies. AppCheck therefore uses numerous alternative threat intelligence sources to enrich its coverage of high-profile exploitations and 0-days reported elsewhere. AppCheck processes known-exploited vulnerabilities highlighted in non-CISA sources, and aims to prioritise adding detections for them, in exactly the same way as for CISA-published ones.

Next.JS – Middleware Bypass Exploitation (CVE-2025-29927)

Akamai have reported on the active exploitation of an improper authentication vulnerability in Next.JS, with attackers bypassing security checks and gaining unauthorised access to sensitive application resources on affected systems.

Draytek Vigor Series – Multiple Exploitations (CVE-2020-8515, CVE-2021-20123 and CVE-2021-20124)

GreyNoise have reported on the active exploitation of three vulnerabilities in Draytek Vigor Series routers. The exploitations have allowed attackers to execute arbitrary code, download arbitrary files and reboot affected routers on a global scale.

 

WordPress Plugins – Multiple Exploitations (CVE-2024-27956, CVE-2024-4345, CVE-2024-25600 and CVE-2024-8353)

Patchstack have published a list of the most targeted WordPress plugins in Q1 2025, with the top four (‘Automatic’, ‘Startklar Elementor Addons’, ‘Bricks Builder Theme’ and ‘Give’) being responsible for attackers running arbitrary SQL, uploading malicious files and completely taking over sites running the vulnerable plugins.

Next Roundup

To keep up to date with future high-profile advisories for critical ongoing exploitations that may threaten your technical estate, tune in next Friday for next week’s KEV roundup.

AppCheck now offers additional coverage of critical security updates from several key vendors too, including:

  • Our monthly coverage of the ‘Patch Tuesday’ updates from MICROSOFT and several other major vendors – next due on 9th April 2025
  • Our Monthly Security Advisory Roundups for PALO ALTO NETWORKS – next due on 10th April 2025
  • Our quarterly coverage of the ‘Critical Patch Updates’ from ORACLE – next due on 15th April 2025
  • Our End-of-Month Roundups of critical patch updates for all CISCO Products – next due on 24th April 2025
  • Quarterly Roundups of Security Updates from IVANTI – next due on 16th June 2025

 

 

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network, and cloud infrastructure. AppCheck are authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).

 
