
Programmer’s Digest #125

03/05/2025-03/12/2025 FreeType Vulnerability, Over 400 IPs Exploiting Multiple SSRF Vulnerabilities, 3 Ivanti Flaws And More.

1. FreeType Vulnerability Actively Exploited for Arbitrary Code Execution

A critical vulnerability (CVE-2025-27363) in FreeType (versions ≤2.13.0) is being actively exploited, potentially leading to arbitrary code execution.

Vulnerability Details
The flaw occurs when parsing TrueType GX and variable fonts: a signed short is improperly assigned to an unsigned long, causing a heap buffer overflow. The resulting out-of-bounds writes can let attackers execute malicious code.

Affected Versions: FreeType 0.0.0 – 2.13.0

Recommendations

  • Update FreeType to a version above 2.13.0
  • Monitor for suspicious activity indicating exploitation
  • Enhance security with firewalls and intrusion detection systems

This vulnerability poses a serious risk to affected systems, making immediate updates and security measures essential.
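As an added illustration (not FreeType's code; the table layout, size limits and sample inputs are constructed for this example), the C snippet below shows the signed-to-unsigned widening bug class described above beside a hardened version: a range check performed on the signed short lets a negative count through, and once that count is widened to unsigned long the copy length it yields far exceeds the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed table layout for this example (not FreeType's real format):
   a big-endian signed 16-bit entry count followed by 4-byte entries. */
#define ENTRY_SIZE 4u
#define MAX_ENTRIES 64

static int16_t read_s16_be(const uint8_t *p) {
    return (int16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Vulnerable pattern: the range check runs on the signed short, which a
   negative count passes, and the value is then widened to unsigned long.
   -1 becomes ULONG_MAX, so the byte length handed to the copy loop dwarfs
   the buffer: the out-of-bounds write class the advisory describes. */
unsigned long unsafe_copy_len(const uint8_t *buf) {
    int16_t n = read_s16_be(buf);
    if (n > MAX_ENTRIES)          /* negative n slips through this check */
        return 0;
    unsigned long count = n;      /* signed short -> unsigned long */
    return count * ENTRY_SIZE;    /* huge (modular) value for negative n */
}

/* Hardened: reject negative counts before widening and bound the result
   by the bytes actually present after the header. Returns 0 on rejection. */
unsigned long safe_copy_len(const uint8_t *buf, size_t buf_len) {
    if (buf_len < 2) return 0;
    int16_t n = read_s16_be(buf);
    if (n < 0 || n > MAX_ENTRIES) return 0;
    unsigned long bytes = (unsigned long)n * ENTRY_SIZE;
    if (bytes > buf_len - 2) return 0;   /* count claims more data than exists */
    return bytes;
}

/* 1 if the length the vulnerable path computes would run past the buffer. */
int unsafe_overflows(const uint8_t *buf, size_t buf_len) {
    return buf_len >= 2 && unsafe_copy_len(buf) > buf_len - 2;
}

int main(void) {
    /* Constructed inputs: a well-formed 2-entry table, and a count of -1. */
    const uint8_t good[] = {0x00, 0x02, 1, 2, 3, 4, 5, 6, 7, 8};
    const uint8_t bad[]  = {0xFF, 0xFF, 1, 2, 3, 4};
    printf("good: unsafe=%lu safe=%lu\n", unsafe_copy_len(good),
           safe_copy_len(good, sizeof good));
    printf("bad:  unsafe=%lu safe=%lu overflow=%d\n", unsafe_copy_len(bad),
           safe_copy_len(bad, sizeof bad), unsafe_overflows(bad, sizeof bad));
    return 0;
}
```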

2. Over 400 IPs Exploiting Multiple SSRF Vulnerabilities in Coordinated Cyber Attack

Threat intelligence firm GreyNoise warns of a coordinated surge in SSRF vulnerability exploitation across multiple platforms. At least 400 IPs have been observed attacking multiple SSRF CVEs simultaneously, starting March 9, 2025.

Targeted countries include the U.S., Germany, Singapore, India, Lithuania, Japan, and Israel, which saw a spike on March 11, 2025.

Exploited SSRF vulnerabilities include:

  • Zimbra Collaboration Suite (CVE-2020-7796, 9.8 CVSS)
  • GitLab CE/EE (CVE-2021-22175, 9.8 CVSS)
  • Ivanti Connect Secure (CVE-2024-21893, 8.2 CVSS)
  • And others from VMware, DotNetNuke, and ColumbiaSoft

Attackers are targeting multiple SSRF flaws simultaneously, suggesting automation and intelligence gathering. GreyNoise suspects Grafana reconnaissance precedes the attacks.

Users should apply patches, restrict outbound connections, and monitor for suspicious traffic, as SSRF can expose internal networks and leak cloud credentials.

3. 3 Ivanti Flaws Added to CISA’s Vulnerabilities Catalogue

The Cybersecurity and Infrastructure Security Agency (CISA) has added five actively exploited vulnerabilities to its catalogue, including three Ivanti Endpoint Manager (EPM) flaws that pose a serious security risk.

Newly Listed Vulnerabilities:

  • Advantive VeraCore SQL Injection (CVE-2025-25181)
  • Advantive VeraCore Unrestricted File Upload (CVE-2024-57968)
  • Ivanti EPM Path Traversal (CVE-2024-13159, CVE-2024-13160, CVE-2024-13161)

Experts warn that the Ivanti flaws allow remote, unauthenticated attackers to fully compromise servers. Organizations delaying patches risk domain compromise, credential theft, and lateral movement by attackers.

With Ivanti’s vast market share (400,000+ companies), unpatched systems remain prime targets. CISA urges immediate patching, assuming potential compromise, and monitoring for indicators of attack.

4. This Malicious PyPI Package Stole Ethereum Private Keys via Polygon RPC Transactions

Cybersecurity researchers uncovered a malicious Python package, set-utils, on PyPI, designed to steal Ethereum private keys by impersonating popular libraries. The package, downloaded 1,077 times, has since been removed.

Set-utils mimics widely used libraries like python-utils (712M+ downloads) to trick developers, particularly those working with Ethereum wallets and blockchain applications.

The malware intercepts private keys during wallet creation functions like “from_key()” and “from_mnemonic()”, then encrypts and exfiltrates them via blockchain transactions using Polygon’s RPC endpoint to evade detection.
By running in a background thread, the attack remains stealthy, ensuring stolen keys are sent unnoticed. Socket warns that even successfully created Ethereum accounts are compromised.

Developers should verify package authenticity before installation and monitor for unexpected network activity to protect sensitive data.

5. Over 1,000 WordPress Sites Infected with JavaScript Backdoors Enabling Persistent Attacker Access

Over 1,000 WordPress websites have been infected with malicious JavaScript injecting four backdoors, allowing attackers multiple re-entry points.

The script, served via cdn.csyndication[.]com, has been detected on 908 sites. The backdoors:

  1. Fake Plugin – Installs “Ultra SEO Processor” to execute attacker commands.
  2. Code Injection – Adds malicious JavaScript to wp-config.php.
  3. SSH Access – Inserts an attacker-controlled SSH key for persistent access.
  4. Remote Commands – Executes commands and opens a reverse shell via gsocket[.]io.

To mitigate risks, users should remove unauthorized SSH keys, rotate admin credentials, and monitor logs.

Meanwhile, a separate malware campaign hijacked 35,000+ websites, redirecting users to Chinese gambling platforms via JavaScript from domains like mlbetjs[.]com.
Additionally, the ScreamedJungle group has compromised 115+ Magento e-commerce sites using Bablosoft JS for browser fingerprinting, exploiting known Magento vulnerabilities (CVE-2024-34102, CVE-2024-20720).


Programmer’s Digest #124

02/26/2025-03/05/2025 Broadcom Releases Patches; Cisco, Hitachi, Microsoft, and Progress Flaws; Paragon Partition Manager Driver Vulnerability.

1. VMware Flaws Exploited in the Wild—Broadcom Releases Patches

Broadcom released an advisory on March 4 addressing three VMware vulnerabilities, one critical, that allow attackers to access the hypervisor via a virtual machine. These flaws — CVE-2025-22224 (CVSS 9.3), CVE-2025-22225 (8.2), and CVE-2025-22226 (7.1) — are already being exploited.

Security teams using VMware ESX, vSphere, Cloud Foundation, or Telco Cloud Platform should patch immediately. The critical flaw enables a heap overflow to execute code as the host’s VMX process, while the others also allow privilege escalation. These zero-days pose a serious risk, enabling attackers to seize hypervisor control. VMware exploits show a trend of deep system breaches. The likely attackers are state-sponsored or APT groups seeking persistent access, data exfiltration, and system disruption.

2. Cisco, Hitachi, Microsoft, and Progress Flaws Actively Exploited—CISA Sounds Alarm

CISA added five security flaws to its KEV catalog due to active exploitation. These impact Cisco, Hitachi Vantara, Microsoft Windows, and Progress WhatsUp Gold.

Key vulnerabilities include:

  • CVE-2023-20118 (Cisco routers, CVSS 6.5) – Allows remote root access; unpatched due to end-of-life.
  • CVE-2022-43939 & CVE-2022-43769 (Hitachi Vantara, CVSS 8.6 & 8.8) – Enable authorization bypass and command execution; patched in August 2024.
  • CVE-2018-8639 (Windows Win32k, CVSS 7.8) – Allows privilege escalation; patched in 2018.
  • CVE-2024-4885 (WhatsUp Gold, CVSS 9.8) – Enables remote code execution; patched in June 2024.

Threat actors exploit these flaws, with CVE-2023-20118 used in the PolarEdge botnet and CVE-2024-4885 observed in attacks worldwide. A Chinese hacking group exploited CVE-2018-8639 in South Korea.

Federal agencies must apply mitigations by March 24, 2025.

3. Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks

Threat actors are exploiting a zero-day flaw (CVE-2025-0289) in Paragon Partition Manager’s BioNTdrv.sys driver for ransomware attacks, enabling privilege escalation and arbitrary code execution. Discovered by Microsoft, this flaw is one of five vulnerabilities affecting BioNTdrv.sys versions 1.3.0 and 1.5.1. These include kernel memory mapping and write flaws, a null pointer dereference, and insecure kernel resource access, according to CERT/CC. Attackers with local access can escalate privileges or trigger denial-of-service (DoS) attacks.

A Bring Your Own Vulnerable Driver (BYOVD) attack is also possible on systems where the driver isn’t installed, because an attacker who already has local access can load the signed but vulnerable driver and use it to gain elevated privileges. Paragon Software has addressed the issues in version 2.0.0, and Microsoft has added the vulnerable driver to its blocklist. This comes shortly after Check Point uncovered a malware campaign exploiting another Windows driver (truesight.sys) to deploy Gh0st RAT malware.

4. Widespread Network Edge Device Targeting Conducted by PolarEdge Botnet

Over 2,000 Cisco, QNAP, Synology, and ASUS network edge devices worldwide have been compromised by the PolarEdge botnet since late 2023. Affected regions include the U.S., Taiwan, Russia, India, Brazil, Australia, and Argentina.

French cybersecurity company Sekoia said it observed the unknown threat actors deploying a backdoor by leveraging CVE-2023-20118 (CVSS score: 6.5), a critical security flaw impacting Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers that could result in arbitrary command execution on susceptible devices. The vulnerability remains unpatched because the routers have reached end-of-life (EoL) status. As a workaround, Cisco recommended in early 2023 mitigating the flaw by disabling remote management and blocking access to ports 443 and 60443.

This follows reports from SecurityScorecard of large-scale password spraying attacks on Microsoft 365 accounts. A botnet of over 130,000 compromised devices—likely linked to a China-based threat group—was behind the campaign.


Programmer’s Digest #123

02/19/2025-02/26/2025 CMS Vulnerability, Security Fix for NetScaler Console Privilege Escalation Vulnerability, Security Flaws in Adobe and Oracle Products And More.

1. CISA Warns of Attacks Exploiting Craft CMS Vulnerability

The agency added CVE-2025-23209 to its KEV catalog, alongside a Palo Alto Networks firewall flaw. Though Craft CMS has a small market share, over 41,000 instances may be affected. Patched in mid-January (versions 5.5.8 and 4.13.8), CVE-2025-23209 is a high-severity remote code execution flaw requiring a compromised security key. CISA has instructed federal agencies to address it by March 13, though no public attack reports exist.

Meanwhile, CVE-2024-56145, another Craft CMS vulnerability allowing remote code execution, has been actively exploited. It was patched in November 2024 and developers warned users in December, but it’s not yet in CISA’s KEV catalog.
SecurityWeek contacted Craft for details on CVE-2025-23209 exploits. A representative confirmed the flaw required a compromised security key.

2. Citrix Releases Security Fix for NetScaler Console Privilege Escalation Vulnerability

Citrix has released security updates for CVE-2024-12284, a high-severity privilege escalation flaw in NetScaler Console and NetScaler Agent. Rated 8.8/10 on CVSS v4, the issue stems from improper privilege management, allowing authenticated attackers to execute commands without extra authorization.

The vulnerability affects:

  • NetScaler Console: Versions before 14.1-38.53 and 13.1-56.18
  • NetScaler Agent: Versions before 14.1-38.53 and 13.1-56.18

Fixed versions include 14.1-38.53+ and 13.1-56.18+. Citrix urges customers to update immediately, as no workarounds exist. However, users of the Citrix-managed NetScaler Console Service are not affected.

3. Microsoft Patches Actively Exploited Power Pages Privilege Escalation Vulnerability

Microsoft has released security updates for two critical flaws in Bing and Power Pages, one of which is actively exploited.

Vulnerabilities:

  • CVE-2025-21355 (CVSS 8.6): Bing Remote Code Execution due to missing authentication, requiring no customer action.
  • CVE-2025-24989 (CVSS 8.2): Power Pages Elevation of Privilege flaw allowing unauthorized access.

Microsoft credited employee Raj Kumar for discovering CVE-2025-24989 and confirmed at least one instance of exploitation. However, details on attacks and threat actors remain undisclosed. The vulnerability has been mitigated, and affected customers have been notified with review and cleanup instructions.

On February 21, 2025, CISA added CVE-2025-24989 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply fixes by March 14, 2025.

4. CISA Adds Microsoft and Zimbra Flaws to KEV Catalog Amid Active Exploitation

CISA added two security flaws impacting Microsoft Partner Center and Synacor Zimbra Collaboration Suite (ZCS) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerabilities in question are as follows:

  • CVE-2024-49035 (CVSS score: 8.7) – An improper access control vulnerability in Microsoft Partner Center that allows an attacker to escalate privileges (fixed in November 2024).
  • CVE-2023-34192 (CVSS score: 9.0) – A cross-site scripting (XSS) vulnerability in Synacor ZCS that allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function (fixed in July 2023 with version 8.8.15 Patch 40).

Last year, Microsoft acknowledged that CVE-2024-49035 had been exploited in the wild, but did not reveal any additional details on how it was weaponized in real-world attacks. There are currently no public reports about in-the-wild abuse of CVE-2023-34192.

5. Two Actively Exploited Security Flaws in Adobe and Oracle Products Flagged by CISA

CISA has added two actively exploited vulnerabilities to its KEV catalog:

  • CVE-2017-3066 (CVSS 9.8): A deserialization flaw in Adobe ColdFusion’s Apache BlazeDS library allowing arbitrary code execution (patched April 2017).
  • CVE-2024-20953 (CVSS 8.8): A deserialization flaw in Oracle Agile PLM enabling low-privileged attackers to compromise systems via HTTP (patched January 2024).

No public reports confirm their exploitation, but another Oracle Agile PLM flaw (CVE-2024-21287) was abused in late 2024. Federal agencies must apply patches by March 17, 2025.

Meanwhile, GreyNoise detected 110 malicious IPs—mostly from Bulgaria, Brazil, and Singapore—exploiting CVE-2023-20198, a patched Cisco vulnerability. Two IPs, linked to CVE-2018-0171, were active in late 2024 and early 2025, coinciding with reported Chinese state-sponsored telecom breaches.
