VULNERA Pulse

VMware — ESXi

CVE-2025-22225 / Added: March 4, 2025

HIGH CVSS 8.20 EPSS Score 1.18 EPSS Percentile 85.20

VMware ESXi contains an arbitrary write vulnerability. Successful exploitation allows an attacker with privileges within the VMX process to trigger an arbitrary kernel write leading to an escape of the sandbox.

Headlines

• March 10, 2025 - ⚡ THN Weekly Recap: New Attacks, Old Tricks, Bigger Impact
• March 6, 2025 - Over 37,000 VMware ESXi servers vulnerable to ongoing attacks
• March 5, 2025 - U.S. CISA adds Linux kernel and VMware ESXi and Workstation flaws to its Known Exploited Vulnerabilities catalog
• March 4, 2025 - VMware fixed three actively exploited zero-days in ESX products
• March 4, 2025 - Unknown attackers exploit VMware hypervisor-hijack holes
• March 4, 2025 - Unknown attackers exploit VMware hypervisor-hijack holes
• March 4, 2025 - VMware Warns Customers to Patch Actively Exploited Zero-Day Flaws
• March 4, 2025 - Broadcom fixes three VMware zero-days exploited in attacks
• March 4, 2025 - CVE-2025-22224, CVE-2025-22225, CVE-2025-22226: Critical VMware Vulnerabilities Exploited

Back to top ↑

VMware — ESXi and Workstation

CVE-2025-22224 / Added: March 4, 2025

HIGH CVSS 8.20 EPSS Score 1.18 EPSS Percentile 85.20

VMware ESXi and Workstation contain a time-of-check time-of-use (TOCTOU) race condition vulnerability that leads to an out-of-bounds write. Successful exploitation enables an attacker with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host.

Headlines

• March 10, 2025 - ⚡ THN Weekly Recap: New Attacks, Old Tricks, Bigger Impact
• March 6, 2025 - Over 37,000 VMware ESXi servers vulnerable to ongoing attacks
• March 5, 2025 - U.S. CISA adds Linux kernel and VMware ESXi and Workstation flaws to its Known Exploited Vulnerabilities catalog
• March 4, 2025 - VMware fixed three actively exploited zero-days in ESX products
• March 4, 2025 - Unknown attackers exploit VMware hypervisor-hijack holes
• March 4, 2025 - Unknown attackers exploit VMware hypervisor-hijack holes
• March 4, 2025 - VMware Warns Customers to Patch Actively Exploited Zero-Day Flaws
• March 4, 2025 - Broadcom fixes three VMware zero-days exploited in attacks
• March 4, 2025 - CVE-2025-22224, CVE-2025-22225, CVE-2025-22226: Critical VMware Vulnerabilities Exploited

Back to top ↑

VMware — ESXi, Workstation, and Fusion

CVE-2025-22226 / Added: March 4, 2025

MEDIUM CVSS 6.00 EPSS Score 1.18 EPSS Percentile 85.20

VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS. Successful exploitation allows an attacker with administrative privileges to a virtual machine to leak memory from the vmx process.

Headlines

• March 10, 2025 - ⚡ THN Weekly Recap: New Attacks, Old Tricks, Bigger Impact
• March 6, 2025 - Over 37,000 VMware ESXi servers vulnerable to ongoing attacks
• March 5, 2025 - U.S. CISA adds Linux kernel and VMware ESXi and Workstation flaws to its Known Exploited Vulnerabilities catalog
• March 4, 2025 - VMware fixed three actively exploited zero-days in ESX products
• March 4, 2025 - Unknown attackers exploit VMware hypervisor-hijack holes
• March 4, 2025 - Unknown attackers exploit VMware hypervisor-hijack holes
• March 4, 2025 - VMware Warns Customers to Patch Actively Exploited Zero-Day Flaws
• March 4, 2025 - Broadcom fixes three VMware zero-days exploited in attacks
• March 4, 2025 - CVE-2025-22224, CVE-2025-22225, CVE-2025-22226: Critical VMware Vulnerabilities Exploited

Back to top ↑

Linux — Kernel

CVE-2024-50302 / Added: March 4, 2025

MEDIUM CVSS 5.50 EPSS Score 0.18 EPSS Percentile 56.78

The Linux kernel contains a use of uninitialized resource vulnerability that allows an attacker to leak kernel memory via a specially crafted HID report.

Headlines

• March 10, 2025 - ⚡ THN Weekly Recap: New Attacks, Old Tricks, Bigger Impact
• March 5, 2025 - U.S. CISA adds Linux kernel and VMware ESXi and Workstation flaws to its Known Exploited Vulnerabilities catalog
• March 4, 2025 - Google fixed two actively exploited Android flaws
• March 4, 2025 - Google fixes Android zero-day exploited by Serbian authorities
• March 4, 2025 - Google's March 2025 Android Security Update Fixes Two Actively Exploited Vulnerabilities
• March 4, 2025 - Android Alert: Critical Flaws CVE-2024-43093 & CVE-2024-50302 Exploited, Update Now!
• March 3, 2025 - ⚡ THN Weekly Recap: Alerts on Zero-Day Exploits, AI Breaches, and Crypto Heists
• March 3, 2025 - Serbian student activist’s phone hacked using Cellebrite zero-day exploit
• March 3, 2025 - US Cyber Command reportedly pauses attacks on Russia
• March 2, 2025 - Cellebrite Spyware Bypasses Android Lock Screens with Zero-Day Flaws
• Feb. 28, 2025 - Amnesty Finds Cellebrite’s Zero-Day Used to Unlock Serbian Activist’s Android Phone
• Feb. 28, 2025 - Serbian police used Cellebrite zero-day hack to unlock Android phones

Back to top ↑

Progress — WhatsUp Gold

CVE-2024-4885 / Added: March 3, 2025

CRITICAL CVSS 9.80 EPSS Score 83.60 EPSS Percentile 98.74

Progress WhatsUp Gold contains a path traversal vulnerability that allows an unauthenticated attacker to achieve remote code execution.

Headlines

• March 4, 2025 - Cisco, Hitachi, Microsoft, and Progress Flaws Actively Exploited—CISA Sounds Alarm
• March 4, 2025 - Critical Flaws Exploited: Cisco, Windows, Hitachi, WhatsUp Gold at Risk
• March 3, 2025 - U.S. CISA adds Multiple Cisco Small Business RV Series Routers, Hitachi Vantara Pentaho BA Server, Microsoft Windows Win32k, and Progress WhatsUp Gold flaws to its Known Exploited Vulnerabilities catalog
• Sept. 27, 2024 - Progress Software Releases Patches for 6 Flaws in WhatsUp Gold – Patch Now
• Sept. 27, 2024 - Progress urges admins to patch critical WhatsUp Gold bugs ASAP
• Sept. 27, 2024 - Critical WhatsUp Gold Vulnerabilities Demand Immediate Action
• Sept. 13, 2024 - Progress WhatsUp Gold Exploited Just Hours After PoC Release for Critical Flaw
• Sept. 12, 2024 - Hackers targeting WhatsUp Gold with public exploit since August
• Aug. 23, 2024 - Critical Vulnerabilities Uncovered in Progress WhatsUp Gold (CVE-2024-6670 & CVE-2024-6671)
• Aug. 8, 2024 - Critical Security Flaw in WhatsUp Gold Under Active Attack - Patch Now
• Aug. 7, 2024 - Critical Progress WhatsUp RCE flaw now under active exploitation
• June 27, 2024 - Critical Vulnerabilities in Progress WhatsUp Gold Demand Immediate Action

Back to top ↑

Hitachi Vantara — Pentaho Business Analytics (BA) Server

CVE-2022-43939 / Added: March 3, 2025

CRITICAL CVSS 9.80 EPSS Score 1.69 EPSS Percentile 87.78

Hitachi Vantara Pentaho BA Server contains a use of non-canonical URL paths for authorization decisions vulnerability that enables an attacker to bypass authorization.

Headlines

• March 4, 2025 - Critical Flaws Exploited: Cisco, Windows, Hitachi, WhatsUp Gold at Risk
• March 3, 2025 - U.S. CISA adds Multiple Cisco Small Business RV Series Routers, Hitachi Vantara Pentaho BA Server, Microsoft Windows Win32k, and Progress WhatsUp Gold flaws to its Known Exploited Vulnerabilities catalog

Back to top ↑

Microsoft — Windows

CVE-2018-8639 / Added: March 3, 2025

HIGH CVSS 7.80 EPSS Score 0.57 EPSS Percentile 78.23

Microsoft Windows Win32k contains an improper resource shutdown or release vulnerability that allows for local, authenticated privilege escalation. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

Headlines

• March 4, 2025 - CISA Urges Government to Patch Exploited Cisco, Microsoft Flaws
• March 4, 2025 - Critical Flaws Exploited: Cisco, Windows, Hitachi, WhatsUp Gold at Risk
• March 3, 2025 - U.S. CISA adds Multiple Cisco Small Business RV Series Routers, Hitachi Vantara Pentaho BA Server, Microsoft Windows Win32k, and Progress WhatsUp Gold flaws to its Known Exploited Vulnerabilities catalog
• March 3, 2025 - CISA tags Windows, Cisco vulnerabilities as actively exploited
• June 21, 2023 - Why you should review the security of your MSSQL servers

Back to top ↑

Hitachi Vantara — Pentaho Business Analytics (BA) Server

CVE-2022-43769 / Added: March 3, 2025

HIGH CVSS 7.20 EPSS Score 95.59 EPSS Percentile 99.58

Hitachi Vantara Pentaho BA Server contains a special element injection vulnerability that allows an attacker to inject Spring templates into properties files, allowing for arbitrary command execution.

Headlines

• March 4, 2025 - Critical Flaws Exploited: Cisco, Windows, Hitachi, WhatsUp Gold at Risk
• March 3, 2025 - U.S. CISA adds Multiple Cisco Small Business RV Series Routers, Hitachi Vantara Pentaho BA Server, Microsoft Windows Win32k, and Progress WhatsUp Gold flaws to its Known Exploited Vulnerabilities catalog

Back to top ↑

Cisco — Small Business RV Series Routers

CVE-2023-20118 / Added: March 3, 2025

HIGH CVSS 7.20 EPSS Score 0.14 EPSS Percentile 50.85

Multiple Cisco Small Business RV Series Routers contains a command injection vulnerability in the web-based management interface. Successful exploitation could allow an authenticated, remote attacker to gain root-level privileges and access unauthorized data.

Headlines

• March 10, 2025 - Malicious GitHub repositories linked to nearly 1M infections
• March 4, 2025 - Cisco warns of Webex for BroadWorks flaw exposing credentials
• March 4, 2025 - CISA Urges Government to Patch Exploited Cisco, Microsoft Flaws
• March 4, 2025 - Cisco, Hitachi, Microsoft, and Progress Flaws Actively Exploited—CISA Sounds Alarm
• March 3, 2025 - U.S. CISA adds Multiple Cisco Small Business RV Series Routers, Hitachi Vantara Pentaho BA Server, Microsoft Windows Win32k, and Progress WhatsUp Gold flaws to its Known Exploited Vulnerabilities catalog
• March 3, 2025 - CISA tags Windows, Cisco vulnerabilities as actively exploited
• Feb. 27, 2025 - PolarEdge Botnet Exploits Cisco and Other Flaws to Hijack ASUS, QNAP, and Synology Devices
• Feb. 26, 2025 - PolarEdge Botnet: 2,000+ IoT Devices Infected

Back to top ↑

CVE-2025-0282

CRITICAL CVSS 9.00 EPSS Score 15.32 EPSS Percentile 95.97

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Jan. 8, 2025

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.

Vendor Impacted: Ivanti

Products Impacted: Connect Secure, Policy Secure, And Zta Gateways, Neurons For Zero-Trust Access, Connect Secure, Policy Secure

Quotes

• Since late 2024, Microsoft Threat Intelligence has conducted thorough research and tracked ongoing attacks performed by Silk Typhoon
• Silk Typhoon was observed utilizing a covert network that is comprised of compromised Cyberoam appliances, Zyxel routers, and QNAP devices
• They [Silk Typhoon] exploit unpatched applications that allow them to elevate their access in targeted organizations and conduct further malicious activities
• Silk Typhoon has shown proficiency in understanding how cloud environments are deployed and configured, allowing them to successfully move laterally, maintain persistence, and exfiltrate data quickly within victim environments
• After successfully compromising a victim, Silk Typhoon uses the stolen keys and credentials to infiltrate customer networks where they can then abuse a variety of deployed applications, including Microsoft services and others, to achieve their espionage objectives
• What distinguishes Silk Typhoon from other espionage groups is their technical proficiency in rapidly exploiting recently disclosed zero-day vulnerabilities and efficiently employing covert networks — comprised of compromised or leased infrastructure — to conceal their operational footprint. These techniques complicate detection and attribution, emphasizing the need for defenders to continuously monitor and secure high-risk assets

Headlines

• March 7, 2025 - A Chinese espionage group is targeting the IT supply chain
• March 7, 2025 - Zero-Day Attacks & Stolen Keys: Silk Typhoon Breaches Networks
• March 5, 2025 - China-linked APT Silk Typhoon targets IT Supply Chain
• March 5, 2025 - Silk Typhoon hackers now target IT supply chains to breach networks
• March 5, 2025 - China's Silk Typhoon blamed for ongoing IT, govt break-ins
• March 5, 2025 - Silk Typhoon Shifts Tactics to Exploit Common IT Solutions
• March 5, 2025 - China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains for Initial Access
• March 5, 2025 - Silk Typhoon targeting IT supply chain |

CVE-2025-22225

HIGH CVSS 8.20 EPSS Score 1.18 EPSS Percentile 85.20

CISA Known Exploited

Published: March 4, 2025

VMware ESXi contains an arbitrary write vulnerability. A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the sandbox.

Vendor Impacted: Vmware

Products Impacted: Telco Cloud Platform, Cloud Foundation, Esxi, Telco Cloud Infrastructure

Quotes

• This is a situation where an attacker who has already compromised a virtual machine's guest OS and gained privileged access (administrator or root) could move into the hypervisor itself
• On March 4, 2025 Broadcom released a critical VMware Security Advisory (VMSA), VMSA-2025-0004, addressing security vulnerabilities found and resolved in VMware ESX regarding a mechanism where threat actors could access the hypervisor through a running virtual machine

Headlines

• March 6, 2025 - Over 37,000 VMware ESXi servers vulnerable to ongoing attacks
• March 5, 2025 - U.S. CISA adds Linux kernel and VMware ESXi and Workstation flaws to its Known Exploited Vulnerabilities catalog
• March 4, 2025 - VMware fixed three actively exploited zero-days in ESX products
• March 4, 2025 - Unknown attackers exploit VMware hypervisor-hijack holes
• March 4, 2025 - VMware Warns Customers to Patch Actively Exploited Zero-Day Flaws
• March 4, 2025 - Broadcom fixes three VMware zero-days exploited in attacks
• March 4, 2025 - CVE-2025-22224, CVE-2025-22225, CVE-2025-22226: Critical VMware Vulnerabilities Exploited

CVE-2025-22224

HIGH CVSS 8.20 EPSS Score 1.18 EPSS Percentile 85.20

CISA Known Exploited

Published: March 4, 2025

VMware ESXi, and Workstation contain a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

Vendor Impacted: Vmware

Products Impacted: Workstation, Telco Cloud Infrastructure, Cloud Foundation, Esxi, Esxi And Workstation, Telco Cloud Platform

Quotes

• This is a situation where an attacker who has already compromised a virtual machine's guest OS and gained privileged access (administrator or root) could move into the hypervisor itself
• On March 4, 2025 Broadcom released a critical VMware Security Advisory (VMSA), VMSA-2025-0004, addressing security vulnerabilities found and resolved in VMware ESX regarding a mechanism where threat actors could access the hypervisor through a running virtual machine

Headlines

• March 6, 2025 - Over 37,000 VMware ESXi servers vulnerable to ongoing attacks
• March 5, 2025 - U.S. CISA adds Linux kernel and VMware ESXi and Workstation flaws to its Known Exploited Vulnerabilities catalog
• March 4, 2025 - VMware fixed three actively exploited zero-days in ESX products
• March 4, 2025 - Unknown attackers exploit VMware hypervisor-hijack holes
• March 4, 2025 - VMware Warns Customers to Patch Actively Exploited Zero-Day Flaws
• March 4, 2025 - Broadcom fixes three VMware zero-days exploited in attacks
• March 4, 2025 - CVE-2025-22224, CVE-2025-22225, CVE-2025-22226: Critical VMware Vulnerabilities Exploited

CVE-2024-53104

HIGH CVSS 7.80 EPSS Score 0.14 EPSS Percentile 50.23

CISA Known Exploited Actively Exploited

Published: Dec. 2, 2024

In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format This can lead to out of bounds writes since frames of this type were not taken into account when calculating the size of the frames buffer in uvc_parse_streaming.

Vendor Impacted: Linux

Products Impacted: Linux Kernel, Kernel

Quotes

• To defend the nation and, if necessary, engage our enemies in the cyber domain
• We found it appropriate to stop the use of our products by the relevant customers at this time
• We were aware of these vulnerabilities and exploitation risk prior to these reports and promptly developed fixes for Android. Fixes were shared with OEM partners in a partner advisory on January 18
• On March 4, 2025 Broadcom released a critical VMware Security Advisory (VMSA), VMSA-2025-0004, addressing security vulnerabilities found and resolved in VMware ESX regarding a mechanism where threat actors could access the hypervisor through a running virtual machine
• The Android phone of one student protester was exploited and unlocked by a sophisticated zero-day exploit chain targeting Android USB drivers, developed by Cellebrite. Amnesty International first found traces of this Cellebrite USB exploit used in a separate case in mid-2024
• There are indications that the following may be under limited, targeted exploitation. CVE-2024-43093 (CVSS score of 7.8) is a Privilege Escalation Vulnerability in Android Framework. A flaw in ExternalStorageProvider.java allows bypassing a file path filter meant to block access to sensitive directories due to improper Unicode normalization. Successful exploitation of this issue could lead to local escalation of privilege with no additional execution privileges needed. The advisory pointed out that user interaction is needed for exploitation. CVE-2024-50302 (CVSS score of 5.5) is a Linux kernel vulnerability that was fixed by zero-initializing the HID report buffer during allocation to prevent potential kernel memory leaks. Google did now share details about the attacks exploiting the above vulnerabilities, however, in 2024, the Security Lab provided evidence of a Cellebrite zero-day exploit chain to industry partners, leading Google to identify three vulnerabilities. CVE-2024-53104 was patched in Android’s February 2025 update, while CVE-2024-53197 and CVE-2024-50302 (CVSS score of 5.5) were patched in the Linux kernel but not yet in Android. Amnesty International revealed that the vulnerability CVE-2024-50302 was likely used by Cellebrite’s mobile forensic tools to unlock the Android phone of a Serbian student activist. Android’s March 2025 security update addressed ten critical vulnerabilities in System the System component that could lead to remote code execution

Headlines

• March 5, 2025 - U.S. CISA adds Linux kernel and VMware ESXi and Workstation flaws to its Known Exploited Vulnerabilities catalog
• March 4, 2025 - Google fixed two actively exploited Android flaws
• March 4, 2025 - Google fixes Android zero-day exploited by Serbian authorities
• March 4, 2025 - Google's March 2025 Android Security Update Fixes Two Actively Exploited Vulnerabilities
• March 3, 2025 - ⚡ THN Weekly Recap: Alerts on Zero-Day Exploits, AI Breaches, and Crypto Heists
• March 3, 2025 - Serbian student activist’s phone hacked using Cellebrite zero-day exploit
• March 3, 2025 - US Cyber Command reportedly pauses attacks on Russia
• March 2, 2025 - Cellebrite Spyware Bypasses Android Lock Screens with Zero-Day Flaws

CVE-2025-0289

HIGH CVSS 7.80 EPSS Score 0.04 EPSS Percentile 18.34

Actively Exploited Remote Code Execution Used In Ransomware

Published: March 3, 2025

Paragon Partition Manager version 17, both community and Business versions, contain an insecure kernel resource access vulnerability facilitated by the driver not validating the MappedSystemVa pointer before passing it to HalReturnToFirmware, which can allows an attacker the ability to compromise the service.

Quotes

• Bring Your Own Vulnerable Driver
• Failure to validate the MappedSystemVa pointer before passing it to HalReturnToFirmware
• An attacker with local access to a device can exploit these vulnerabilities to escalate privileges or cause a denial-of-service (DoS) scenario on the victim's machine
• These include arbitrary kernel memory mapping and write vulnerabilities, a null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability
• Microsoft researchers have identified four vulnerabilities in Paragon Partition Manager version 7.9.1 and a fifth specific vulnerability (CVE-2025-0289) affecting version 17. These vulnerabilities, particularly in BioNTdrv.sys versions 1.3.0 and 1.5.1, allow attackers to achieve SYSTEM-level privilege escalation, which surpasses typical administrator permissions. The vulnerabilities also enable attackers to manipulate the driver via device-specific Input/Output Control (IOCTL) calls, potentially resulting in privilege escalation or system crashes (e.g., a Blue Screen of Death, or BSOD)

Headlines

• March 3, 2025 - CVE-2025-0289: Paragon Partition Manager Flaw Exploited in BYOVD Ransomware Attacks
• March 3, 2025 - Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks
• March 3, 2025 - BYOVD Attacks Exploit Zero-Day in Paragon Partition Manager
• March 1, 2025 - Ransomware gangs exploit a Paragon Partition Manager BioNTdrv.sys driver zero-day
• March 1, 2025 - Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks

CVE-2018-8639

HIGH CVSS 7.80 EPSS Score 0.57 EPSS Percentile 78.23

CISA Known Exploited Public Exploits Available

Published: Dec. 12, 2018

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8641.

Vendor Impacted: Microsoft

Products Impacted: Windows 10, Windows Server 2008, Windows 8.1, Windows Rt 8.1, Windows 7, Windows Server 2016, Windows, Windows Server 2019, Windows Server 2012

Quotes

• Successful exploitation could allow an authenticated, remote attacker to gain root-level privileges and access unauthorized data
• These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise
• Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow a remote attacker to bypass authentication or execute arbitrary commands on the underlying operating system of an affected device

Headlines

• March 4, 2025 - CISA Urges Government to Patch Exploited Cisco, Microsoft Flaws
• March 4, 2025 - Critical Flaws Exploited: Cisco, Windows, Hitachi, WhatsUp Gold at Risk
• March 3, 2025 - U.S. CISA adds Multiple Cisco Small Business RV Series Routers, Hitachi Vantara Pentaho BA Server, Microsoft Windows Win32k, and Progress WhatsUp Gold flaws to its Known Exploited Vulnerabilities catalog
• March 3, 2025 - CISA tags Windows, Cisco vulnerabilities as actively exploited

CVE-2023-20118

HIGH CVSS 7.20 EPSS Score 0.14 EPSS Percentile 50.85

CISA Known Exploited Actively Exploited Remote Code Execution

Published: April 13, 2023

A vulnerability in the web-based management interface of Cisco Small Business Routers RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary commands on an affected device. This vulnerability is due to improper validation of user input within incoming HTTP packets. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface. A successful exploit could allow the attacker to gain root-level privileges and access unauthorized data. To exploit this vulnerability, an attacker would need to have valid administrative credentials on the affected device. Cisco has not and will not release software updates that address this vulnerability.

Vendor Impacted: Cisco

Products Impacted: Rv016 Firmware, Rv042 Firmware, Rv042g Firmware, Rv082 Firmware, Rv042g, Rv082, Rv320 Firmware, Rv325 Firmware, Rv042, Rv325, Small Business Rv Series Routers, Rv320, Rv016

Quotes

• Successful exploitation could allow an authenticated, remote attacker to gain root-level privileges and access unauthorized data
• These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise
• A low-severity vulnerability in Cisco Webex for BroadWorks Release 45.2 could allow an unauthenticated, remote attacker to access data and credentials if unsecure transport is configured for the SIP communication
• Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow a remote attacker to bypass authentication or execute arbitrary commands on the underlying operating system of an affected device

Headlines

• March 4, 2025 - Cisco warns of Webex for BroadWorks flaw exposing credentials
• March 4, 2025 - CISA Urges Government to Patch Exploited Cisco, Microsoft Flaws
• March 4, 2025 - Cisco, Hitachi, Microsoft, and Progress Flaws Actively Exploited—CISA Sounds Alarm
• March 3, 2025 - U.S. CISA adds Multiple Cisco Small Business RV Series Routers, Hitachi Vantara Pentaho BA Server, Microsoft Windows Win32k, and Progress WhatsUp Gold flaws to its Known Exploited Vulnerabilities catalog
• March 3, 2025 - CISA tags Windows, Cisco vulnerabilities as actively exploited

CVE-2025-22226

MEDIUM CVSS 6.00 EPSS Score 1.18 EPSS Percentile 85.20

CISA Known Exploited

Published: March 4, 2025

VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS. A malicious actor with administrative privileges to a virtual machine may be able to exploit this issue to leak memory from the vmx process.

Vendor Impacted: Vmware

Products Impacted: Esxi, Workstation, And Fusion, Workstation, Telco Cloud Infrastructure, Cloud Foundation, Esxi, Telco Cloud Platform, Fusion

Quotes

• This is a situation where an attacker who has already compromised a virtual machine's guest OS and gained privileged access (administrator or root) could move into the hypervisor itself
• On March 4, 2025 Broadcom released a critical VMware Security Advisory (VMSA), VMSA-2025-0004, addressing security vulnerabilities found and resolved in VMware ESX regarding a mechanism where threat actors could access the hypervisor through a running virtual machine

Headlines

• March 6, 2025 - Over 37,000 VMware ESXi servers vulnerable to ongoing attacks
• March 5, 2025 - U.S. CISA adds Linux kernel and VMware ESXi and Workstation flaws to its Known Exploited Vulnerabilities catalog
• March 4, 2025 - VMware fixed three actively exploited zero-days in ESX products
• March 4, 2025 - Unknown attackers exploit VMware hypervisor-hijack holes
• March 4, 2025 - VMware Warns Customers to Patch Actively Exploited Zero-Day Flaws
• March 4, 2025 - Broadcom fixes three VMware zero-days exploited in attacks
• March 4, 2025 - CVE-2025-22224, CVE-2025-22225, CVE-2025-22226: Critical VMware Vulnerabilities Exploited

CVE-2024-50302

MEDIUM CVSS 5.50 EPSS Score 0.18 EPSS Percentile 56.78

CISA Known Exploited

Published: Nov. 19, 2024

In the Linux kernel, the following vulnerability has been resolved: HID: core: zero-initialize the report buffer Since the report buffer is used by all kinds of drivers in various ways, let's zero-initialize it during allocation to make sure that it can't be ever used to leak kernel memory via specially-crafted report.

Vendors Impacted: Google, Linux

Products Impacted: Linux Kernel, Android, Kernel

Quotes

• To defend the nation and, if necessary, engage our enemies in the cyber domain
• We found it appropriate to stop the use of our products by the relevant customers at this time
• We were aware of these vulnerabilities and exploitation risk prior to these reports and promptly developed fixes for Android. Fixes were shared with OEM partners in a partner advisory on January 18
• On March 4, 2025 Broadcom released a critical VMware Security Advisory (VMSA), VMSA-2025-0004, addressing security vulnerabilities found and resolved in VMware ESX regarding a mechanism where threat actors could access the hypervisor through a running virtual machine
• The Android phone of one student protester was exploited and unlocked by a sophisticated zero-day exploit chain targeting Android USB drivers, developed by Cellebrite. Amnesty International first found traces of this Cellebrite USB exploit used in a separate case in mid-2024
• There are indications that the following may be under limited, targeted exploitation. CVE-2024-43093 (CVSS score of 7.8) is a Privilege Escalation Vulnerability in Android Framework. A flaw in ExternalStorageProvider.java allows bypassing a file path filter meant to block access to sensitive directories due to improper Unicode normalization. Successful exploitation of this issue could lead to local escalation of privilege with no additional execution privileges needed. The advisory pointed out that user interaction is needed for exploitation. CVE-2024-50302 (CVSS score of 5.5) is a Linux kernel vulnerability that was fixed by zero-initializing the HID report buffer during allocation to prevent potential kernel memory leaks. Google did now share details about the attacks exploiting the above vulnerabilities, however, in 2024, the Security Lab provided evidence of a Cellebrite zero-day exploit chain to industry partners, leading Google to identify three vulnerabilities. CVE-2024-53104 was patched in Android’s February 2025 update, while CVE-2024-53197 and CVE-2024-50302 (CVSS score of 5.5) were patched in the Linux kernel but not yet in Android. Amnesty International revealed that the vulnerability CVE-2024-50302 was likely used by Cellebrite’s mobile forensic tools to unlock the Android phone of a Serbian student activist. Android’s March 2025 security update addressed ten critical vulnerabilities in System the System component that could lead to remote code execution

Headlines

• March 5, 2025 - U.S. CISA adds Linux kernel and VMware ESXi and Workstation flaws to its Known Exploited Vulnerabilities catalog
• March 4, 2025 - Google fixed two actively exploited Android flaws
• March 4, 2025 - Google fixes Android zero-day exploited by Serbian authorities
• March 4, 2025 - Google's March 2025 Android Security Update Fixes Two Actively Exploited Vulnerabilities
• March 4, 2025 - Android Alert: Critical Flaws CVE-2024-43093 & CVE-2024-50302 Exploited, Update Now!
• March 3, 2025 - ⚡ THN Weekly Recap: Alerts on Zero-Day Exploits, AI Breaches, and Crypto Heists
• March 3, 2025 - Serbian student activist’s phone hacked using Cellebrite zero-day exploit
• March 3, 2025 - US Cyber Command reportedly pauses attacks on Russia
• March 2, 2025 - Cellebrite Spyware Bypasses Android Lock Screens with Zero-Day Flaws

CVE-2024-53197

CVSS Not Assigned EPSS Score 0.04 EPSS Percentile 15.73

Risk Context N/A

Published: Dec. 27, 2024

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices A bogus device can provide a bNumConfigurations value that exceeds the initial value used in usb_get_configuration for allocating dev->config. This can lead to out-of-bounds accesses later, e.g. in usb_destroy_configuration.

Quotes

• To defend the nation and, if necessary, engage our enemies in the cyber domain
• We found it appropriate to stop the use of our products by the relevant customers at this time
• On March 4, 2025 Broadcom released a critical VMware Security Advisory (VMSA), VMSA-2025-0004, addressing security vulnerabilities found and resolved in VMware ESX regarding a mechanism where threat actors could access the hypervisor through a running virtual machine
• The Android phone of one student protester was exploited and unlocked by a sophisticated zero-day exploit chain targeting Android USB drivers, developed by Cellebrite. Amnesty International first found traces of this Cellebrite USB exploit used in a separate case in mid-2024
• There are indications that the following may be under limited, targeted exploitation. CVE-2024-43093 (CVSS score of 7.8) is a Privilege Escalation Vulnerability in Android Framework. A flaw in ExternalStorageProvider.java allows bypassing a file path filter meant to block access to sensitive directories due to improper Unicode normalization. Successful exploitation of this issue could lead to local escalation of privilege with no additional execution privileges needed. The advisory pointed out that user interaction is needed for exploitation. CVE-2024-50302 (CVSS score of 5.5) is a Linux kernel vulnerability that was fixed by zero-initializing the HID report buffer during allocation to prevent potential kernel memory leaks. Google did now share details about the attacks exploiting the above vulnerabilities, however, in 2024, the Security Lab provided evidence of a Cellebrite zero-day exploit chain to industry partners, leading Google to identify three vulnerabilities. CVE-2024-53104 was patched in Android’s February 2025 update, while CVE-2024-53197 and CVE-2024-50302 (CVSS score of 5.5) were patched in the Linux kernel but not yet in Android. Amnesty International revealed that the vulnerability CVE-2024-50302 was likely used by Cellebrite’s mobile forensic tools to unlock the Android phone of a Serbian student activist. Android’s March 2025 security update addressed ten critical vulnerabilities in System the System component that could lead to remote code execution

Headlines

• March 5, 2025 - U.S. CISA adds Linux kernel and VMware ESXi and Workstation flaws to its Known Exploited Vulnerabilities catalog
• March 4, 2025 - Google fixed two actively exploited Android flaws
• March 4, 2025 - Google's March 2025 Android Security Update Fixes Two Actively Exploited Vulnerabilities
• March 3, 2025 - ⚡ THN Weekly Recap: Alerts on Zero-Day Exploits, AI Breaches, and Crypto Heists
• March 3, 2025 - Serbian student activist’s phone hacked using Cellebrite zero-day exploit
• March 3, 2025 - US Cyber Command reportedly pauses attacks on Russia
• March 2, 2025 - Cellebrite Spyware Bypasses Android Lock Screens with Zero-Day Flaws