Programmer’s Digest #123
02/19/2025-02/26/2025 CMS Vulnerability, Security Fix for NetScaler Console Privilege Escalation Vulnerability, Security Flaws in Adobe and Oracle Products And More.
1. CISA Warns of Attacks Exploiting Craft CMS Vulnerability
The agency added CVE-2025-23209 to its KEV catalog, alongside a Palo Alto Networks firewall flaw. Though Craft CMS has a small market share, over 41,000 instances may be affected. Patched in mid-January (versions 5.5.8 and 4.13.8), CVE-2025-23209 is a high-severity remote code execution flaw requiring a compromised security key. CISA has instructed federal agencies to address it by March 13, though no public attack reports exist.
Meanwhile, CVE-2024-56145, another Craft CMS vulnerability allowing remote code execution, has been actively exploited. It was patched in November 2024 and developers warned users in December, but it is not yet in CISA’s KEV catalog.
SecurityWeek contacted Craft for details on CVE-2025-23209 exploits. A representative confirmed the flaw required a compromised security key.
2. Citrix Releases Security Fix for NetScaler Console Privilege Escalation Vulnerability
Citrix has released security updates for CVE-2024-12284, a high-severity privilege escalation flaw in NetScaler Console and NetScaler Agent. Rated 8.8/10 on CVSS v4, the issue stems from improper privilege management, allowing authenticated attackers to execute commands without extra authorization.
The vulnerability affects:
- NetScaler Console: Versions before 14.1-38.53 and 13.1-56.18
- NetScaler Agent: Versions before 14.1-38.53 and 13.1-56.18
Fixed versions include 14.1-38.53+ and 13.1-56.18+. Citrix urges customers to update immediately, as no workarounds exist. However, users of the Citrix-managed NetScaler Console Service are not affected.
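Both the Craft CMS item above (fixed in 5.5.8 and 4.13.8) and this NetScaler advisory (fixed in 14.1-38.53 and 13.1-56.18) state their fix as "this build or later, on each supported branch", so checking exposure means comparing an installed version against the fixed build of its own branch, not against a single number. The following Python is an added example written for this digest; it is not code from the newsletter, Craft, or Citrix. It assumes version strings in the forms the advisories print ("5.5.7", "14.1-38.52"), treats the leading components as the branch identifier, and uses a constructed inventory for illustration.

```python
import re
from typing import Optional

def parse_version(version: str) -> tuple:
    """Split a version such as '14.1-38.53' or '5.5.8' into a tuple of ints.

    Only numeric components matter for ordering, so separators ('.' or '-')
    are ignored; '14.1-38.53' becomes (14, 1, 38, 53).
    """
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"no numeric components in version {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed_versions: list, branch_len: int) -> Optional[bool]:
    """Compare an installed version against the fixed build of its branch.

    Returns True if the installed build predates the fix for its branch,
    False if it is at or past the fix, and None if the advisory lists no
    fix for that branch (an unsupported or unlisted branch needs manual
    review rather than a silent 'not affected').
    """
    inst = parse_version(installed)
    branch = inst[:branch_len]
    for fixed in fixed_versions:
        fx = parse_version(fixed)
        if fx[:branch_len] == branch:
            return inst < fx  # tuple comparison is lexicographic, like semver ordering
    return None


# Fixed versions as stated in the two advisories summarised in the digest.
# branch_len says how many leading components identify a release branch:
# Craft ships 5.x and 4.x (one component), NetScaler 14.1 and 13.1 (two).
ADVISORIES = {
    "CVE-2025-23209 (Craft CMS)": {"fixed": ["5.5.8", "4.13.8"], "branch_len": 1},
    "CVE-2024-12284 (NetScaler Console/Agent)": {"fixed": ["14.1-38.53", "13.1-56.18"], "branch_len": 2},
}

# Constructed sample inventory: host -> (advisory, installed version).
SAMPLE_INVENTORY = {
    "web-01": ("CVE-2025-23209 (Craft CMS)", "5.5.7"),            # one build short of the fix
    "web-02": ("CVE-2025-23209 (Craft CMS)", "4.13.8"),           # exactly the fixed build
    "web-03": ("CVE-2025-23209 (Craft CMS)", "3.9.0"),            # branch not covered by the advisory
    "adc-console-01": ("CVE-2024-12284 (NetScaler Console/Agent)", "14.1-38.52"),
    "adc-agent-01": ("CVE-2024-12284 (NetScaler Console/Agent)", "13.1-56.18"),
}


def assess(inventory: dict) -> dict:
    """Return host -> True (vulnerable) / False (fixed) / None (needs manual review)."""
    results = {}
    for host, (advisory, version) in inventory.items():
        adv = ADVISORIES[advisory]
        results[host] = is_vulnerable(version, adv["fixed"], adv["branch_len"])
    return results


if __name__ == "__main__":
    for host, state in assess(SAMPLE_INVENTORY).items():
        label = {True: "VULNERABLE", False: "fixed", None: "unlisted branch - review"}[state]
        print(f"{host}: {label}")
```

The three-way result is deliberate: a host on a branch the advisory does not mention (web-03 above) is reported as needing review instead of being counted as patched, which is the usual mistake when a script only asks "is installed >= fixed".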
3. Microsoft Patches Actively Exploited Power Pages Privilege Escalation Vulnerability
Microsoft has released security updates for two critical flaws in Bing and Power Pages, one of which is actively exploited.
Vulnerabilities:
- CVE-2025-21355 (CVSS 8.6): Bing Remote Code Execution due to missing authentication, requiring no customer action.
- CVE-2025-24989 (CVSS 8.2): Power Pages Elevation of Privilege flaw allowing unauthorized access.
Microsoft credited employee Raj Kumar for discovering CVE-2025-24989 and confirmed at least one instance of exploitation. However, details on attacks and threat actors remain undisclosed. The vulnerability has been mitigated, and affected customers have been notified with review and cleanup instructions.
On February 21, 2025, CISA added CVE-2025-24989 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply fixes by March 14, 2025.
4. CISA Adds Microsoft and Zimbra Flaws to KEV Catalog Amid Active Exploitation
CISA added two security flaws impacting Microsoft Partner Center and Synacor Zimbra Collaboration Suite (ZCS) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerabilities in question are as follows:
- CVE-2024-49035 (CVSS score: 8.7) – An improper access control vulnerability in Microsoft Partner Center that allows an attacker to escalate privileges. (Fixed in November 2024);
- CVE-2023-34192 (CVSS score: 9.0) – A cross-site scripting (XSS) vulnerability in Synacor ZCS that allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function. (Fixed in July 2023 with version 8.8.15 Patch 40)
Last year, Microsoft acknowledged that CVE-2024-49035 had been exploited in the wild, but did not reveal any additional details on how it was weaponized in real-world attacks. There are currently no public reports about in-the-wild abuse of CVE-2023-34192.
5. Two Actively Exploited Security Flaws in Adobe and Oracle Products Flagged by CISA
CISA has added two actively exploited vulnerabilities to its KEV catalog:
- CVE-2017-3066 (CVSS 9.8): A deserialization flaw in Adobe ColdFusion’s Apache BlazeDS library allowing arbitrary code execution (patched April 2017).
- CVE-2024-20953 (CVSS 8.8): A deserialization flaw in Oracle Agile PLM enabling low-privileged attackers to compromise systems via HTTP (patched January 2024).
No public reports confirm their exploitation, but another Oracle Agile PLM flaw (CVE-2024-21287) was abused in late 2024. Federal agencies must apply patches by March 17, 2025.
Meanwhile, GreyNoise detected 110 malicious IPs—mostly from Bulgaria, Brazil, and Singapore—exploiting CVE-2023-20198, a patched Cisco vulnerability. Two IPs, linked to CVE-2018-0171, were active in late 2024 and early 2025, coinciding with reported Chinese state-sponsored telecom breaches.