Programmer’s Digest #124
02/26/2025-03/05/2025 Broadcom Releases Patches; Cisco, Hitachi, Microsoft, and Progress Flaws; Paragon Partition Manager Driver Vulnerability.
1. VMware Flaws Exploited in the Wild—Broadcom Releases Patches
Broadcom released an advisory on March 4 addressing three VMware vulnerabilities, one of them critical, that together allow an attacker who already holds local administrative privileges inside a guest virtual machine to break out to the hypervisor. The flaws, CVE-2025-22224 (CVSS 9.3), CVE-2025-22225 (8.2), and CVE-2025-22226 (7.1), were already being exploited when the patches shipped.
Security teams running VMware ESXi, vSphere, Workstation, Fusion, Cloud Foundation, or Telco Cloud Platform should patch immediately. The critical flaw, CVE-2025-22224, is a time-of-check/time-of-use race that leads to an out-of-bounds heap write, letting a guest administrator execute code as the host's VMX process. CVE-2025-22225 is an arbitrary kernel write in ESXi that turns that VMX foothold into a full sandbox escape, and CVE-2025-22226 is an out-of-bounds read that leaks VMX process memory (useful for defeating mitigations in the chain). Chained, these zero-days let whoever controls one VM take control of the hypervisor and, through it, every other VM on the host, at a layer the guests' own security tooling cannot see. Exploitation at this depth is typically associated with state-sponsored or APT groups seeking persistent access, data exfiltration, and system disruption.
2. Cisco, Hitachi, Microsoft, and Progress Flaws Actively Exploited—CISA Sounds Alarm
CISA added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog on the basis of evidence of active exploitation. They affect Cisco Small Business routers, Hitachi Vantara Pentaho BA Server, Microsoft Windows, and Progress WhatsUp Gold.
Key vulnerabilities include:
- CVE-2023-20118 (Cisco RV-series routers, CVSS 6.5) – Command injection in the web management interface; an authenticated remote attacker can run arbitrary commands as root. No patch will be issued because the affected routers are end-of-life.
- CVE-2022-43939 & CVE-2022-43769 (Hitachi Vantara Pentaho BA Server, CVSS 8.6 & 8.8) – Authorization bypass and template injection leading to command execution, respectively; patched in August 2024.
- CVE-2018-8639 (Windows Win32k, CVSS 7.8) – Local privilege escalation; patched in December 2018, so any host still exposed is years behind on updates.
- CVE-2024-4885 (WhatsUp Gold, CVSS 9.8) – Path traversal leading to unauthenticated remote code execution; patched in June 2024.
Exploitation of each is already documented: CVE-2023-20118 is used by the PolarEdge botnet (see item 4), CVE-2024-4885 has been observed in attacks worldwide, and a Chinese hacking group exploited CVE-2018-8639 against targets in South Korea.
Federal Civilian Executive Branch agencies must apply the vendor fixes or mitigations by March 24, 2025; for the end-of-life Cisco routers that means replacing the device or cutting off remote management.
3. Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks
Threat actors are exploiting a zero-day flaw (CVE-2025-0289) in Paragon Partition Manager's BioNTdrv.sys driver in ransomware attacks, using it to escalate privileges and execute arbitrary code in the kernel. Reported by Microsoft, it is one of five vulnerabilities affecting BioNTdrv.sys versions 1.3.0 and 1.5.1: flaws that map or write arbitrary kernel memory, a null pointer dereference, and insecure kernel resource access, according to CERT/CC. An attacker with local access can use them to gain SYSTEM privileges or crash the machine (denial of service).
Because the driver is Microsoft-signed, it loads on any Windows host, so a Bring Your Own Vulnerable Driver (BYOVD) attack works even on systems where Paragon software was never installed: an attacker who already has administrative rights drops the vulnerable 1.x driver, loads it, and uses its kernel primitives to, for example, disable endpoint security before deploying ransomware. Paragon Software has fixed the issues in driver version 2.0.0, and Microsoft has added the vulnerable versions to its Vulnerable Driver Blocklist. That blocklist only helps on hosts where it is actually enforced (via HVCI or the blocklist toggle in Windows Security), so defenders should verify the setting rather than assume it. This comes shortly after Check Point uncovered a malware campaign abusing another Windows driver (truesight.sys) to deploy Gh0st RAT malware.
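As an added example (not code from Paragon, Microsoft, or CERT/CC), the PowerShell audit below checks a single Windows host for the three things the item above turns on: whether BioNTdrv.sys is registered or lying on disk and at what version, and whether the controls that block a BYOVD load of it are enforced. It assumes the fixed version is 2.0.0 as stated in the advisory, that the driver service and file both carry the BioNTdrv name, and that the DWORD VulnerableDriverBlocklistEnable under HKLM\SYSTEM\CurrentControlSet\Control\CI\Config mirrors the "Microsoft Vulnerable Driver Blocklist" toggle (the registry location is an assumption on my part, labelled as such in the code).

```powershell
# Added example, not Paragon's, Microsoft's or CERT/CC's code. Run from an elevated
# PowerShell prompt on the host being audited.
# Assumptions: fixed driver version is 2.0.0 (advisory); the registry value
# CI\Config\VulnerableDriverBlocklistEnable reflects the blocklist toggle (assumed).

$FixedVersion = [version]'2.0.0'
$findings = @()

function Get-FileVersionObject([string]$Path) {
    # Build a comparable [version] from the numeric fields so that version strings
    # such as "1.5.1.0" or "1.3.0.0 (build 42)" never break the comparison.
    $vi = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

# 1. Registered driver services: installed by Paragon, or created by an attacker who
#    registered a dropped copy so the kernel would load it.
$services = Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -like '*BioNTdrv*' }
if (-not $services) {
    $findings += [pscustomobject]@{ Check = 'driver service'; Detail = 'no BioNTdrv service registered'; Status = 'absent' }
}
foreach ($svc in $services) {
    # PathName may carry the \??\ NT prefix or surrounding quotes; strip both.
    $path = ($svc.PathName -replace '^\\\?\?\\', '') -replace '"', ''
    try {
        $ver = Get-FileVersionObject $path
        $status = if ($ver -lt $FixedVersion) { 'VULNERABLE' } else { 'patched' }
    } catch {
        $ver = $null; $status = 'file missing or unreadable'
    }
    $findings += [pscustomobject]@{
        Check  = "service $($svc.Name)"
        Detail = "$path version $ver state $($svc.State)"
        Status = $status
    }
}

# 2. Loose copies on disk. A vulnerable driver file staged outside the driver store
#    is the usual precursor to a BYOVD load (searched locations are a starting point).
$searchRoots = @("$env:SystemRoot\System32\drivers", $env:TEMP, $env:ProgramData)
$onDisk = Get-ChildItem -Path $searchRoots -Filter 'BioNTdrv*.sys' -Recurse -ErrorAction SilentlyContinue
foreach ($f in $onDisk) {
    try {
        $ver = Get-FileVersionObject $f.FullName
        $status = if ($ver -lt $FixedVersion) { 'VULNERABLE copy' } else { 'patched copy' }
    } catch {
        $ver = $null; $status = 'unreadable'
    }
    $findings += [pscustomobject]@{ Check = 'file on disk'; Detail = "$($f.FullName) version $ver"; Status = $status }
}

# 3. Is the Microsoft Vulnerable Driver Blocklist enforced? Without it (or HVCI) the
#    signed 1.x driver still loads on a host that never had Paragon installed.
#    Registry location assumed; confirm against your Windows build.
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
$blocklist = if ($ci -and $ci.VulnerableDriverBlocklistEnable -eq 1) { 'enabled' } else { 'NOT enabled (or value absent)' }
$findings += [pscustomobject]@{ Check = 'vulnerable driver blocklist'; Detail = 'CI\Config\VulnerableDriverBlocklistEnable'; Status = $blocklist }

# 4. HVCI (memory integrity): Win32_DeviceGuard reports 2 in SecurityServicesRunning
#    when it is active, which also applies the blocklist.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$hvci = if ($dg -and ($dg.SecurityServicesRunning -contains 2)) { 'running' } else { 'NOT running' }
$findings += [pscustomobject]@{ Check = 'HVCI'; Detail = 'Win32_DeviceGuard.SecurityServicesRunning'; Status = $hvci }

$findings | Format-Table -AutoSize
```

A host with no BioNTdrv service, no loose copies, and both the blocklist and HVCI on is in the best position; a host with neither control on is exposed to BYOVD regardless of whether Paragon was ever installed, which is the point of the item above. The on-disk search is deliberately narrow to keep the run short; widen the roots for a forensic sweep.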
4. Widespread Network Edge Device Targeting Conducted by PolarEdge Botnet
More than 2,000 Cisco, QNAP, Synology, and ASUS network edge devices worldwide have been compromised by the PolarEdge botnet since late 2023. Affected regions include the U.S., Taiwan, Russia, India, Brazil, Australia, and Argentina.
French cybersecurity company Sekoia said it observed the still-unidentified operators deploying a backdoor by exploiting CVE-2023-20118 (CVSS score: 6.5), a medium-severity command injection flaw in the web management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 routers that lets an authenticated attacker run arbitrary commands as root. The vulnerability will not be patched because the routers have reached end-of-life (EoL). Cisco's early-2023 workaround is to disable remote management and block access to TCP ports 443 and 60443 from the WAN; that removes the exposed attack surface but does not fix the bug, so the durable answer is to retire these devices.
Separately, SecurityScorecard reported large-scale password-spraying attacks against Microsoft 365 accounts, driven by a botnet of more than 130,000 compromised devices that is likely linked to a China-based threat group. Both campaigns show how compromised edge and IoT devices become the infrastructure for the next attack.