
Human Factor Blog

how human behavior affects security

Programmer’s Digest #124

02/26/2025-03/05/2025 Broadcom Releases Patches; Cisco, Hitachi, Microsoft, and Progress Flaws; Paragon Partition Manager Driver Vulnerability.

1. VMware Flaws Exploited in the Wild—Broadcom Releases Patches

Broadcom released an advisory on March 4 addressing three VMware vulnerabilities, one critical, that allow attackers to access the hypervisor via a virtual machine. These flaws — CVE-2025-22224 (CVSS 9.3), CVE-2025-22225 (8.2), and CVE-2025-22226 (7.1) — are already being exploited.

Security teams using VMware ESX, vSphere, Cloud Foundation, or Telco Cloud Platform should patch immediately. The critical flaw enables a heap overflow to execute code as the host’s VMX process, while the others also allow privilege escalation. These zero-days pose a serious risk, enabling attackers to seize hypervisor control. VMware exploits show a trend of deep system breaches. The likely attackers are state-sponsored or APT groups seeking persistent access, data exfiltration, and system disruption.

2. Cisco, Hitachi, Microsoft, and Progress Flaws Actively Exploited—CISA Sounds Alarm

CISA added five security flaws to its KEV catalog due to active exploitation. These impact Cisco, Hitachi Vantara, Microsoft Windows, and Progress WhatsUp Gold.

Key vulnerabilities include:

  • CVE-2023-20118 (Cisco routers, CVSS 6.5) – Allows remote root access; unpatched due to end-of-life.
  • CVE-2022-43939 & CVE-2022-43769 (Hitachi Vantara, CVSS 8.6 & 8.8) – Enable authorization bypass and command execution; patched in August 2024.
  • CVE-2018-8639 (Windows Win32k, CVSS 7.8) – Allows privilege escalation; patched in 2018.
  • CVE-2024-4885 (WhatsUp Gold, CVSS 9.8) – Enables remote code execution; patched in June 2024.

Threat actors exploit these flaws, with CVE-2023-20118 used in the PolarEdge botnet and CVE-2024-4885 observed in attacks worldwide. A Chinese hacking group exploited CVE-2018-8639 in South Korea.

Federal agencies must apply mitigations by March 24, 2025.

3. Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks

Threat actors are exploiting a zero-day flaw (CVE-2025-0289) in Paragon Partition Manager’s BioNTdrv.sys driver for ransomware attacks, enabling privilege escalation and arbitrary code execution. Discovered by Microsoft, this flaw is part of five vulnerabilities affecting BioNTdrv.sys versions 1.3.0 and 1.5.1. These include kernel memory mapping and write flaws, a null pointer dereference, and insecure kernel resource access, according to CERT/CC. Attackers with local access can escalate privileges or trigger denial-of-service (DoS) attacks.

A Bring Your Own Vulnerable Driver (BYOVD) attack is possible on systems where the driver isn’t installed, granting elevated privileges. Paragon Software has addressed the issues in version 2.0.0, and Microsoft has added the vulnerable driver to its blocklist. This comes shortly after Check Point uncovered a malware campaign exploiting another Windows driver (truesight.sys) to deploy Gh0st RAT malware.

4. Widespread Network Edge Device Targeting Conducted by PolarEdge Botnet

Over 2,000 Cisco, QNAP, Synology, and ASUS network edge devices worldwide have been compromised by the PolarEdge botnet since late 2023. Affected regions include the U.S., Taiwan, Russia, India, Brazil, Australia, and Argentina.

French cybersecurity company Sekoia said it observed the unknown threat actors deploying a backdoor by leveraging CVE-2023-20118 (CVSS score: 6.5), a critical security flaw impacting Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers that could result in arbitrary command execution on susceptible devices. The vulnerability remains unpatched due to the routers reaching end-of-life (EoL) status. As workarounds, Cisco recommended in early 2023 that the flaw can be mitigated by disabling remote management and blocking access to ports 443 and 60443.

This follows reports from SecurityScorecard of large-scale password spraying attacks on Microsoft 365 accounts. A botnet of over 130,000 compromised devices—likely linked to a China-based threat group—was behind the campaign.


Programmer’s Digest #123

02/19/2025-02/26/2025 CMS Vulnerability, Security Fix for NetScaler Console Privilege Escalation Vulnerability, Security Flaws in Adobe and Oracle Products And More.

1. CISA Warns of Attacks Exploiting Craft CMS Vulnerability

The agency added CVE-2025-23209 to its KEV catalog, alongside a Palo Alto Networks firewall flaw. Though Craft CMS has a small market share, over 41,000 instances may be affected. Patched in mid-January (versions 5.5.8 and 4.13.8), CVE-2025-23209 is a high-severity remote code execution flaw requiring a compromised security key. CISA has instructed federal agencies to address it by March 13, though no public attack reports exist.

Meanwhile, CVE-2024-56145, another Craft CMS vulnerability allowing remote code execution, has been actively exploited. The flaw was patched in November 2024 and the developers warned users in December, but it is not yet in CISA’s KEV catalog.

SecurityWeek contacted Craft for details on CVE-2025-23209 exploits. A representative confirmed the flaw required a compromised security key.

2. Citrix Releases Security Fix for NetScaler Console Privilege Escalation Vulnerability

Citrix has released security updates for CVE-2024-12284, a high-severity privilege escalation flaw in NetScaler Console and NetScaler Agent. Rated 8.8/10 on CVSS v4, the issue stems from improper privilege management, allowing authenticated attackers to execute commands without extra authorization.

The vulnerability affects:

  • NetScaler Console: Versions before 14.1-38.53 and 13.1-56.18
  • NetScaler Agent: Versions before 14.1-38.53 and 13.1-56.18

Fixed versions include 14.1-38.53+ and 13.1-56.18+. Citrix urges customers to update immediately, as no workarounds exist. However, users of the Citrix-managed NetScaler Console Service are not affected.

3. Microsoft Patches Actively Exploited Power Pages Privilege Escalation Vulnerability

Microsoft has released security updates for two critical flaws in Bing and Power Pages, one of which is actively exploited.

Vulnerabilities:

  • CVE-2025-21355 (CVSS 8.6): Bing Remote Code Execution due to missing authentication, requiring no customer action.
  • CVE-2025-24989 (CVSS 8.2): Power Pages Elevation of Privilege flaw allowing unauthorized access.

Microsoft credited employee Raj Kumar for discovering CVE-2025-24989 and confirmed at least one instance of exploitation. However, details on attacks and threat actors remain undisclosed. The vulnerability has been mitigated, and affected customers have been notified with review and cleanup instructions.

On February 21, 2025, CISA added CVE-2025-24989 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply fixes by March 14, 2025.

4. CISA Adds Microsoft and Zimbra Flaws to KEV Catalog Amid Active Exploitation

CISA added two security flaws impacting Microsoft Partner Center and Synacor Zimbra Collaboration Suite (ZCS) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerabilities in question are as follows:

  • CVE-2024-49035 (CVSS score: 8.7) – An improper access control vulnerability in Microsoft Partner Center that allows an attacker to escalate privileges. (Fixed in November 2024)
  • CVE-2023-34192 (CVSS score: 9.0) – A cross-site scripting (XSS) vulnerability in Synacor ZCS that allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function. (Fixed in July 2023 with version 8.8.15 Patch 40)

Last year, Microsoft acknowledged that CVE-2024-49035 had been exploited in the wild, but did not reveal any additional details on how it was weaponized in real-world attacks. There are currently no public reports about in-the-wild abuse of CVE-2023-34192.

5. Two Actively Exploited Security Flaws in Adobe and Oracle Products Flagged by CISA

CISA has added two actively exploited vulnerabilities to its KEV catalog:

  • CVE-2017-3066 (CVSS 9.8): A deserialization flaw in Adobe ColdFusion’s Apache BlazeDS library allowing arbitrary code execution (patched April 2017).
  • CVE-2024-20953 (CVSS 8.8): A deserialization flaw in Oracle Agile PLM enabling low-privileged attackers to compromise systems via HTTP (patched January 2024).

No public reports confirm their exploitation, but another Oracle Agile PLM flaw (CVE-2024-21287) was abused in late 2024. Federal agencies must apply patches by March 17, 2025.

Meanwhile, GreyNoise detected 110 malicious IPs—mostly from Bulgaria, Brazil, and Singapore—exploiting CVE-2023-20198, a patched Cisco vulnerability. Two IPs, linked to CVE-2018-0171, were active in late 2024 and early 2025, coinciding with reported Chinese state-sponsored telecom breaches.


Programmer’s Digest #122

02/12/2025-02/19/2025 PostgreSQL Vulnerability, New OpenSSH Flaws, Marstech1 JavaScript Implant And More.

1. PostgreSQL Vulnerability Exploited Alongside BeyondTrust Zero-Day in Targeted Attacks

Threat actors behind the December 2024 zero-day exploitation of BeyondTrust PRA and RS products likely also leveraged a newly discovered SQL injection flaw in PostgreSQL. Tracked as CVE-2025-1094 (CVSS 8.1), the vulnerability affects PostgreSQL’s interactive tool psql. Attackers can exploit it to achieve arbitrary code execution via meta-commands. Rapid7 discovered this issue while investigating CVE-2024-12356, a BeyondTrust flaw enabling unauthenticated remote code execution.

Successful exploitation of CVE-2024-12356 required CVE-2025-1094. PostgreSQL maintainers have patched the issue in versions 13.19, 14.16, 15.11, 16.7, and 17.3. The flaw stems from improper handling of invalid UTF-8 characters, allowing attackers to execute shell commands using the shortcut “!”. Meanwhile, CISA has added CVE-2024-57727, affecting SimpleHelp remote support software (CVSS 7.5), to its KEV catalog, mandating fixes by March 6, 2025.

2. New OpenSSH Flaws Expose SSH Servers to MitM And DoS Attacks

OpenSSH has released security updates for two vulnerabilities: a man-in-the-middle (MitM) flaw (CVE-2025-26465) and a denial-of-service (DoS) issue (CVE-2025-26466). CVE-2025-26465, present since OpenSSH 6.8p1 (2014), affects clients with VerifyHostKeyDNS enabled, allowing attackers to hijack SSH sessions by forcing an out-of-memory error. Though disabled by default, it was enabled in FreeBSD from 2013–2023. CVE-2025-26466, introduced in OpenSSH 9.5p1 (2023), exploits unrestricted memory allocation during key exchange. Attackers can overload system resources by repeatedly sending small ping messages. Disabling VerifyHostKeyDNS and manually verifying SSH fingerprints are advised for security. To mitigate DoS risks, admins should enforce connection rate limits and monitor SSH traffic.
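The mitigation above hinges on a single client option, so a quick way to act on it is to audit ssh_config files for blocks where VerifyHostKeyDNS is not explicitly off. The script below is an added example, not code from the digest or from the OpenSSH project; it parses the Host/Match structure of a constructed sample config and flags both "yes" and "ask", on the assumption that ssh still performs the SSHFP lookup in "ask" mode.

```python
"""Audit an OpenSSH client config for VerifyHostKeyDNS (added example)."""
import re

# Constructed sample ssh_config; the hosts and addresses are made up.
SAMPLE_SSH_CONFIG = """\
# global defaults applied before any Host block
VerifyHostKeyDNS yes

Host bastion.example.com
    HostName 203.0.113.10
    VerifyHostKeyDNS ask

Host build-*
    User ci
    verifyhostkeydns=no

Host *
    StrictHostKeyChecking ask
"""

# ssh_config accepts "Keyword value" or "Keyword=value", keywords case-insensitive.
_KV = re.compile(r"^\s*([A-Za-z]+)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_ssh_config(text):
    """Return {block: {keyword_lower: value}} in file order.
    Directives before the first Host/Match line go under '*global*'.
    Within a block the first occurrence of a keyword wins, as in ssh(1)."""
    blocks = {"*global*": {}}
    current = "*global*"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KV.match(line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2)
        if key in ("host", "match"):
            current = f"{key} {val}"
            blocks.setdefault(current, {})
        else:
            blocks[current].setdefault(key, val)
    return blocks


def find_verify_hostkey_dns(text):
    """Return [(block, value)] for every block that sets VerifyHostKeyDNS
    to anything other than 'no' ('ask' is flagged as well, see lead-in)."""
    findings = []
    for block, opts in parse_ssh_config(text).items():
        val = opts.get("verifyhostkeydns")
        if val is not None and val.lower() != "no":
            findings.append((block, val.lower()))
    return findings


if __name__ == "__main__":
    for block, val in find_verify_hostkey_dns(SAMPLE_SSH_CONFIG):
        print(f"VerifyHostKeyDNS {val} in block: {block}")
```

Run it against `/etc/ssh/ssh_config` and each user's `~/.ssh/config`; a global "yes" is inherited by every Host block that does not override it, which is what the first finding on the sample shows.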

3. Lazarus Group Deploys Marstech1 JavaScript Implant in Targeted Developer Attacks

The Lazarus Group has been linked to Marstech1, a new JavaScript implant used in targeted attacks against developers. Dubbed Marstech Mayhem by SecurityScorecard, the malware was distributed via a now-deleted GitHub profile, SuccessFriend. It collects system data and can be embedded in websites and NPM packages, posing a supply chain risk.

Active since December 2024, the attack has impacted 233 victims across the U.S., Europe, and Asia. Marstech1 targets Chromium-based browser directories, altering settings for wallets like MetaMask, Exodus, and Atomic. It can also download additional payloads and exfiltrate stolen data. The implant uses advanced obfuscation techniques to evade detection. Meanwhile, Recorded Future uncovered a related North Korean operation, PurpleBravo, targeting cryptocurrency firms through fraudulent IT hires. These workers act as insider threats, stealing data and facilitating cyberattacks. Organizations hiring North Korean IT workers risk violating sanctions and facing security threats.

4. Palo Alto Networks Patches Authentication Bypass Exploit in PAN-OS Software

Palo Alto Networks has patched a high-severity authentication bypass flaw in PAN-OS, tracked as CVE-2025-0108 (CVSS 7.8). The flaw allows unauthenticated attackers with network access to invoke PHP scripts via the management interface, impacting system integrity and confidentiality.

The issue stems from discrepancies in how Nginx and Apache handle requests, enabling directory traversal attacks. It affects multiple PAN-OS versions, with fixes available in 11.2.4-h4, 11.1.6-h1, 10.2.13-h3, and 10.1.14-h9. GreyNoise has detected active exploitation attempts from IPs in the U.S., China, and Israel. Palo Alto Networks confirmed ongoing attacks, warning that CVE-2025-0108 can be chained with CVE-2024-9474 for unauthorized access. Users should immediately apply patches and restrict access to the management interface. Those not using OpenConfig should disable or uninstall the plugin to mitigate risk.
