Known Actively Exploited Vulnerabilities Round-up (28.02.25-06.03.25)

This article covers recent vulnerabilities found to be actively exploited. They are categorised based not only on the category of exploitation, but their impact, and versions affected. This article also informs on any official fix and remediation guidance for the listed vulnerabilities.

AppCheck presents our weekly roundup of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending 7th March 2025. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: ‘Known Exploited Vulnerabilities’ are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe within the last seven days. As such, they represent perhaps the greatest ongoing cybersecurity risk to businesses, and a very real and present threat. The vulnerabilities are often being exploited by highly organised criminal groups for direct financial gain, via techniques such as malware and ransomware installation. AppCheck summarises the details of each known ongoing exploitation below, but for full details – including impact, versions affected, and any remediation or mitigation guidance – check out AppCheck’s free ‘Detections Service’ at https://detections.appcheck-ng.com/ – you can click on the title of any of the exploitations below to see more information from this service.

 

Commentary and Roundup

More mischief and mayhem this week, where we start off with CISA issuing fresh warnings of the active exploitation of products from multiple vendors, including an unusual case where law enforcement agencies have reportedly leveraged vulnerabilities to hack the smartphones of political activists. Hitachi Vantara’s Pentaho BI solution is also under attack, while a 2018-era flaw in Windows has seen renewed targeting by suspected APT groups. Meanwhile, yet another Cisco router exploit is fueling botnet recruitment of unpatched and end-of-life network edge devices.

But there’s more! Linux kernel memory flaws continue to rank among the most targeted exploits, while Check Point vulnerabilities are reportedly being leveraged for ransomware deployment. The Aquabot botnet is hijacking LB-LINK routers, and VMware Spring Cloud is seeing a surge in SSRF attacks. Meanwhile, attackers are stealing credentials through weaknesses in both the Laravel framework and WordPress’ ‘Litespeed Cache’ plugin. Also in the news – Barracuda’s line of Email Security Gateways are seeing instances being compromised via SMTP payloads. In a somewhat ironic twist, a driver originally distributed as part of the ‘RogueKiller’ anti-malware solution is being redistributed and leveraged to bypass malware protection mechanisms. Finally, Fortinet’s FortiSIEM appliances are being actively targeted via weaknesses that have been weaponized by the ‘Black Basta’ ransomware gang.

Once again, these incidents help to underscore the persistent dangers of unpatched software and targeted vendor exploits.

 

CISA ‘Known Exploited Vulnerabilities’

CISA (America’s Cyber Defense Agency) maintains a catalogue of ‘KEV’s (Known Exploited Vulnerabilities), publishing alerts of known exploitations on an often-daily basis. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders, and to help every organisation better manage vulnerabilities to keep pace with a volatile and shifting threat landscape.
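The paragraph above describes the KEV catalogue as an input to vulnerability management prioritisation. The following is an added example (not AppCheck’s or CISA’s code) of the kind of triage a defender can automate from a KEV export: filter the catalogue to entries added in the last seven days, then rank them by whether the affected product is in your estate, whether CISA flags known ransomware use, and the CISA due date. It assumes the field names of the public KEV JSON feed (`vulnerabilities`, `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`); the feed excerpt and inventory are constructed for illustration, and the dates and ransomware flags in it are placeholders rather than catalogue values.

```python
"""Triage a CISA KEV catalogue export against a local asset inventory.

Added example, not AppCheck's or CISA's code. It assumes the JSON layout of
the public KEV feed (a top-level "vulnerabilities" list whose entries carry
cveID, vendorProject, product, dateAdded, dueDate and
knownRansomwareCampaignUse); the feed excerpt and the inventory below are
constructed for illustration and are not taken from the live catalogue.
"""
from __future__ import annotations

import json
from datetime import date, timedelta

# Constructed feed excerpt in the shape of the KEV JSON. The CVE ids are the
# ones discussed in this roundup; dates and ransomware flags are placeholders.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-50302", "vendorProject": "Linux", "product": "Kernel",
         "dateAdded": "2025-03-04", "dueDate": "2025-03-25",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2022-43769", "vendorProject": "Hitachi Vantara", "product": "Pentaho",
         "dateAdded": "2025-03-03", "dueDate": "2025-03-24",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-20118", "vendorProject": "Cisco", "product": "RV Series Routers",
         "dateAdded": "2025-03-03", "dueDate": "2025-03-24",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2018-8639", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2025-03-03", "dueDate": "2025-03-24",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-24919", "vendorProject": "Check Point", "product": "Security Gateways",
         "dateAdded": "2024-05-30", "dueDate": "2024-06-20",
         "knownRansomwareCampaignUse": "Known"},
    ]
})

# Constructed inventory: vendorProject -> product names deployed in the estate.
SAMPLE_INVENTORY: dict[str, set[str]] = {
    "Microsoft": {"Windows"},
    "Cisco": {"RV Series Routers"},
}


def recent_kev(feed_json: str, today: date, window_days: int = 7) -> list[dict]:
    """Return catalogue entries whose dateAdded lies within the last window_days."""
    cutoff = today - timedelta(days=window_days)
    entries = json.loads(feed_json)["vulnerabilities"]
    return [e for e in entries if date.fromisoformat(e["dateAdded"]) >= cutoff]


def prioritise(entries: list[dict], inventory: dict[str, set[str]]) -> list[dict]:
    """Rank entries for remediation: products present in the estate first, then
    entries with known ransomware use, then the earliest CISA due date."""
    def in_estate(e: dict) -> bool:
        return e["product"] in inventory.get(e["vendorProject"], set())

    def sort_key(e: dict):
        # False sorts before True, so in-estate and ransomware-linked come first;
        # the CVE id is a deterministic tie-breaker.
        return (not in_estate(e), e["knownRansomwareCampaignUse"] != "Known",
                e["dueDate"], e["cveID"])

    return [{**e, "inEstate": in_estate(e)} for e in sorted(entries, key=sort_key)]


def triage(feed_json: str, today_iso: str, inventory: dict[str, set[str]],
           window_days: int = 7) -> list[str]:
    """Convenience wrapper: prioritised CVE ids for entries added in the window."""
    ranked = prioritise(recent_kev(feed_json, date.fromisoformat(today_iso), window_days),
                        inventory)
    return [e["cveID"] for e in ranked]


if __name__ == "__main__":
    for e in prioritise(recent_kev(KEV_SAMPLE, date(2025, 3, 7)), SAMPLE_INVENTORY):
        flag = "ESTATE" if e["inEstate"] else "      "
        print(f"{flag} {e['cveID']:<15} {e['vendorProject']}/{e['product']} due {e['dueDate']}")
```

In production the inventory would come from your CMDB or scanner export, and the feed from the live catalogue; the ranking key is the part worth adapting, since it encodes the prioritisation policy (estate exposure before ransomware linkage before due date) that the text recommends feeding from the KEV list.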

 

Bad Cop, Bad Cop – Linux Kernel Flaw Exploited By… The Police (CVE-2024-50302)

A somewhat unusual advisory from CISA follows the disclosure of a Linux kernel vulnerability being leveraged by law enforcement agencies during investigations using tools produced by Cellebrite, an Israeli digital forensics firm known for developing zero-day exploits used by intelligence agencies and law enforcement worldwide. Amnesty International have published a report claiming that law enforcement agencies have leveraged CVE-2024-50302 as one of three vulnerabilities that were chained into a zero-day exploit in order to break into the smartphones of political activists. The exploit chain used CVE-2024-53104, CVE-2024-53197, and CVE-2024-50302 to gain elevated privileges.

 

Exploit Ho! Pentaho PBA Instances Under Sustained Assault (CVE-2022-43769, CVE-2022-43939)

A critical pair of URI validation flaws in Hitachi Vantara’s PBA business intelligence platform are the latest set of flaws being exploited in the wild according to an advisory published by CISA this week. The two flaws – a URI canonicalization failure and a template injection vulnerability – are being chained together to deliver that holy grail of hacker compromise, unauthenticated remote code execution (RCE). Multiple version streams are vulnerable, and patches have been published for the latest in-support branches.

 

Microsoft Windows Instances Compromised via Exploitation of Memory Management Flaw (CVE-2018-8639)

Whilst a patch for this vulnerability has been available since 2018, legacy systems running outdated Windows versions still exist and are being actively exploited as of this month, according to a new advisory issued by CISA. No direct connections to ransomware campaigns have been confirmed at time of writing, but the kernel-level access provided by this flaw mirrors tactics historically used by advanced persistent threat (APT) actors such as APT29 and the Lazarus Group. The continued existence of unpatched systems vulnerable to a 2018-era flaw has been attributed to inconsistent patch management within organisations, and fear of outage from failed upgrades – for these reasons, legacy versions of software are sometimes left unpatched for years, particularly in industrial control systems (ICS) and healthcare infrastructure, and hence remain susceptible.

 

Is It Me Or Is It Getting Cold In Here? – Cisco Routers Recruited by ‘PolarEdge’ Botnet (CVE-2023-20118)

In January 2025, Sekoia’s Threat Detection & Research team observed active exploitation of a vulnerability in Cisco’s RV series routers. Attackers executed remote commands and deployed web shells on target devices. Further attacks were detected in February 2025, leading to an analysis of the payloads, which uncovered a botnet of over 2,000 infected devices. Believed to have been active since late 2023, this botnet, dubbed ‘PolarEdge’, has now been added to CISA’s catalogue. Since all affected routers are end-of-life with no available fixes, the only solution is to replace them with supported devices.

 

Elsewhere on the Web

Although CISA provides a generally broad coverage of the highest profile exploitations, it can sometimes lag behind the curve in time to initial report for emerging exploitations. It can also sometimes deliberately not publish some exploitations if it feels that there is limited threat to US government and federal agencies, due to its operational remit. AppCheck therefore uses numerous alternate threat intelligence sources to enrich its coverage of high profile exploitations and 0-days reported elsewhere. AppCheck processes and aims to prioritise the addition of detection for known-exploited vulnerabilities highlighted in non-CISA sources, in exactly the same way as for CISA-published ones.

 

Ah Nuts! Linux Kernel Cracked As Attackers Exploit Memory Bugs (CVE-2024-0582, CVE-2022-34918)

Earlier this week, researchers at Kaspersky reported that a pair of buffer overflow and ‘use after free’ memory bugs in the Linux kernel were among the top 10 exploits detected by Kaspersky solutions in the last quarter of 2024, making them some of the most commonly observed exploits in the company’s telemetry data throughout Q4 2024. Despite the vulnerabilities being patched in the stable kernel in December 2023, the fixes weren’t ported to Ubuntu kernels for over two months, making them an easy 0-day vector in Ubuntu during that time.

 

CheckMate for Check Point – Check Point Security Gateways Out-Played By Attacks (CVE-2024-24919)

A newly identified threat activity cluster leveraged Check Point vulnerability CVE-2024-24919 (patches released in May 2024) to deploy ShadowPad ransomware, according to the vendor. Attackers initially gained access by exploiting this path traversal vulnerability, which allowed them to steal user credentials and log into the VPN with a valid account. From there, attackers have moved laterally to compromise further systems. Acting now is critical if customers still have unpatched and vulnerable systems.

 

LB-LINK Routers Latest Victims of ‘AquaBot’ (CVE-2023-26801)

Akamai Security Intelligence and Response Team (SIRT) this week released a report that identified a new variant of the Mirai-based malware, ‘Aquabot 3’, that is actively attempting to exploit various IoT devices and edge network equipment. The latest victims of the Aquabot malware (a botnet built off the well-known ‘Mirai’ framework) are routers from LB-LINK. The attackers have compromised the routers at scale and recruited them into botnet ‘armies’ for performing distributed denial of service (DDoS) attacks against onward targets.

 

VMware Spring Cloud Netflix Hits ‘Most Exploited’ Status (CVE-2020-5412)

SonicWall this week published their report of the ‘most exploited’ vulnerabilities observed for 2024 Q4. As with Kaspersky’s similar report recently published and covered in this blog, the report contains many of the usual ‘regulars’, but also reports the widespread exploitation of a previously-disclosed SSRF flaw in VMware Spring Cloud. Server-Side Request Forgery (SSRF) attacks have long been a favored tool in cybercriminals’ arsenals. Exploitation has allowed attackers to gain access to sensitive internal services within organizations, and interestingly SonicWall reports that the 2020 flaw has been ‘reinvigorated’ by the recent application of AI-powered tools used to assist attackers both in locating unpatched systems, and in chaining exploits.
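The passage above notes that SSRF exploitation yields access to internal services. As an added illustration of the server-side control that blunts this (example code, not VMware’s, Spring Cloud’s or SonicWall’s), the validator below checks a user-supplied URL before the application fetches it: only http/https, no embedded credentials, an optional hostname allow-list, and, crucially, every address the host resolves to must be globally routable, so loopback, RFC 1918 and link-local ranges are rejected even when reached via a hostname or an IPv4-mapped IPv6 literal. The `FAKE_DNS` table and `fake_resolver` are constructed so the block runs offline; the default resolver uses `socket.getaddrinfo`.

```python
"""Validate a user-supplied URL before a server makes an outbound request.

Added example, not VMware's, Spring Cloud's or SonicWall's code. It assumes
the caller fetches only http/https URLs and can supply a hostname allow-list.
The DNS table in FAKE_DNS is constructed for offline demonstration.
"""
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host: str) -> set[str]:
    """Resolve a hostname to every address it maps to (IPv4 and IPv6)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_public(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def is_safe_outbound_url(url: str, allowed_hosts: set[str] | None = None,
                         resolver=_resolve) -> tuple[bool, str]:
    """Return (ok, reason). Rejects non-http(s) schemes, embedded credentials,
    hosts off the allow-list, and any host that resolves to a loopback, private,
    link-local or otherwise non-public address."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host not on allow-list: {host}"
    try:
        ipaddress.ip_address(host)
        candidates = {host}              # literal IP: check it directly
    except ValueError:
        try:
            candidates = resolver(host)  # hostname: check every resolved address
        except OSError:
            return False, f"could not resolve {host}"
    for addr in candidates:
        if not _is_public(addr):
            return False, f"{host} maps to non-public address {addr}"
    return True, "ok"


# Constructed DNS table standing in for real resolution during demonstration.
FAKE_DNS = {
    "api.example.com": {"8.8.8.8"},                  # public address (placeholder)
    "metadata.internal": {"169.254.169.254"},        # link-local address
    "rebind.example.net": {"8.8.8.8", "10.0.0.5"},   # one public, one private record
}


def fake_resolver(host: str) -> set[str]:
    if host not in FAKE_DNS:
        raise OSError(f"no such host: {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ("https://api.example.com/v1", "http://metadata.internal/",
              "http://[::ffff:10.0.0.1]/", "file:///etc/hosts"):
        print(u, "->", is_safe_outbound_url(u, resolver=fake_resolver))
```

Two design points: checking resolved addresses rather than the literal string is what catches alternate encodings that the resolver maps to a local address, and a host that returns both a public and a private record is rejected outright. The validation and the actual connection are still two separate resolutions, so an HTTP client that connects to the vetted IP (with the hostname kept for SNI and the Host header) and refuses to follow redirects without re-validating closes the remaining gap.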

 

Laravel Framework Flaw Exploited to Access Credentials (CVE-2024-29291)

Greynoise this week released their “Mass Internet Exploitation Report 2025”, a similar report to those recently published by Kaspersky and SonicWall covering exploitation most seen occurring ‘in the wild’ against organisations. As with those other vendors, the report draws heavily on telemetry from observed traffic containing attack patterns. In this case, the vendor observed widespread exploitation of a weakness in the popular Laravel framework that is widely used to build PHP web applications.

 

WordPress ‘Litespeed Cache’ Plugin Won’t Be Outdone – Credentials On Offer Here Too (CVE-2024-44000)

In something of an echo or repeating pattern, the same Greynoise threat report that highlighted the unauthorised access to credentials in the Laravel Framework flaw above (CVE-2024-29291) also highlighted a strikingly similar flaw in WordPress’ ‘Litespeed Cache’ plugin being exploited by attackers. In both cases, the software essentially logs credentials in plaintext on login, exposing them for retrieval by attackers and leading to total system compromise. With WordPress enjoying an extremely wide installation base as a popular CMS platform, it’s no surprise that the CVE has made GreyNoise’s “Mass Internet Exploitation” report for 2025.

 

Barracuda Email Security Gateway – Remember ‘Zip Slip’? (CVE-2023-2868)

Those working in the security field for a little while may remember the ‘zip slip’ exploitation run in which maliciously crafted ZIP archive files were used to compromise hosts at scale on systems from multiple vendors that failed to safely extract ZIP file contents. An extremely similar exploitation was highlighted this week that has been leveraging a flaw in the handling of ‘TAR’ file archives in email security gateways from Barracuda. Reports of exploitation have trickled in since 2023, but the latest round of exploitation looks to have upped the stakes, with attacks breaching security services of European nation-states, allegedly by China-linked threat actors.
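The passage above attributes both ‘zip slip’ and the Barracuda case to software that fails to safely extract archive contents. As an added example of the check that prevents this class of bug (example code, not Barracuda’s and not a description of CVE-2023-2868’s internals), the block below inspects every member of a TAR archive before anything is written: entries whose path leaves the destination directory, symlinks or hard links that point outside it, absolute paths and device nodes are all rejected, and extraction proceeds only when the whole archive is clean. The sample archives are constructed in memory; `build_sample_archive` and `demo` are illustration helpers, not part of any product.

```python
"""Check archive members for path traversal before extracting them.

Added example, not Barracuda's code. It assumes extraction is done with
Python's tarfile module into a destination directory chosen by the
application; the archives built by build_sample_archive() are constructed
for demonstration.
"""
from __future__ import annotations

import io
import os
import tarfile
import tempfile


def _within(base: str, target: str) -> bool:
    """True if target, after resolving '..' and symlinks, stays under base."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list[tuple[str, str]]:
    """Return (member name, reason) for every entry that must not be extracted."""
    findings = []
    for m in tar.getmembers():
        if os.path.isabs(m.name):
            findings.append((m.name, "absolute path"))
            continue
        target = os.path.join(dest, m.name)
        if not _within(dest, target):
            findings.append((m.name, "path escapes destination"))
            continue
        if m.issym():
            # Symlink targets are relative to the member's own directory.
            link = os.path.join(os.path.dirname(target), m.linkname)
            if not _within(dest, link):
                findings.append((m.name, f"symlink points outside destination: {m.linkname}"))
        elif m.islnk():
            # Hard link targets are relative to the archive root.
            if not _within(dest, os.path.join(dest, m.linkname)):
                findings.append((m.name, f"hard link points outside destination: {m.linkname}"))
        elif m.isdev():
            findings.append((m.name, "device node"))
    return findings


def safe_extract(archive: bytes, dest: str) -> list[str]:
    """Extract only if every member passes; otherwise raise without writing."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            raise ValueError("refusing to extract: " + "; ".join(f"{n} ({r})" for n, r in bad))
        # Python 3.12+ ships a built-in 'data' filter; use it as a second layer when present.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)
        return [m.name for m in tar.getmembers()]


def build_sample_archive(include_malicious: bool = True) -> bytes:
    """Constructed archive: one benign file, plus (optionally) a traversal
    entry and a symlink that escapes the destination."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        payload = b"hello\n"
        names = ["report/readme.txt"] + (["../outside.txt"] if include_malicious else [])
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        if include_malicious:
            link = tarfile.TarInfo("report/link")
            link.type = tarfile.SYMTYPE
            link.linkname = "../../secrets.txt"
            tar.addfile(link)
    return buf.getvalue()


def demo() -> dict:
    """Run the check in a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=io.BytesIO(build_sample_archive())) as tar:
            flagged = [name for name, _ in unsafe_members(tar, dest)]
        try:
            safe_extract(build_sample_archive(), dest)
            rejected = False
        except ValueError:
            rejected = True
        clean = safe_extract(build_sample_archive(include_malicious=False), dest)
        written = os.path.isfile(os.path.join(dest, "report", "readme.txt"))
    return {"flagged": flagged, "rejected": rejected,
            "clean_extracted": clean, "file_written": written}


if __name__ == "__main__":
    print(demo())
```

The important property is that the decision is made over the whole archive before the first byte is written, so a symlink entry cannot be created and then traversed by a later member. Where the runtime offers a hardened extraction mode (Python 3.12’s `filter="data"`, used above when available), it should be the default rather than a replacement for the pre-check.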

 

When Hunter Becomes The Hunted – Anti-Malware Driver Exploited To… Install Malware (NO CVE ID)

A driver extracted from the ‘RogueKiller’ anti-malware solution from Adlice Software has been weaponised by attackers to bypass malware protection mechanisms, according to new research from Check Point. On investigating compromised hosts, Check Point found that the legitimately-signed driver was being repackaged by attackers and redistributed in order to leverage its ability to bypass a Windows policy loophole (Exception in Driver Signing Policy) in order to disable anti-malware protection mechanisms on systems. Attackers have reportedly been exploiting the vulnerability for months before Microsoft updated the policy in question to close the loophole, slamming the gate shut on this particular exploitation long after the horse has bolted.

 

Fortinet’s Chart Toppers For Ransomware Gang Exploitation (CVE-2024-23108 and CVE-2024-23108)

In February 2025, Qualys published a report revealing a list of CVEs actively exploited by the ransomware gang ‘Black Basta’. Among the Top 20 were a pair of closely related OS Command Injection vulnerabilities in Fortinet’s FortiSIEM solution. Something of a hacker’s dream team thanks to their unauthenticated attack vector, the pair provided cybercriminals with direct pathways to compromising high-value enterprise targets, and led to the deployment of ransomware.


Next Roundup

To keep up to date with future high-profile advisories for critical ongoing exploitations that may threaten your technical estate, tune in next Friday for next week’s KEV roundup.

AppCheck now offers additional coverage of critical security updates from several key vendors too, including:

  • Our monthly coverage of the ‘Patch Tuesday’ updates from MICROSOFT and several other major vendors – next due on 11th March 2025
  • Our Monthly Security Advisory Roundups for PALO ALTO NETWORKS – next due on 13th March 2025
  • Our End-of-Month Roundups of critical patch updates for all CISCO Products – next due on 27th March 2025
  • Our quarterly coverage of the ‘Critical Patch Updates’ from ORACLE – next due on 15th April 2025


About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).

 

Get started with Appcheck

No software to download or install.

Contact us or call us 0113 887 8380
