Zetafence vFeed Wishes everyone a Happy New Year 2025

Welcome to the vFeed January 2025 Cybersecurity and Vulnerability newsletter. The cybersecurity landscape heated up in January 2025!


January 2025 proved to be a challenging month for security professionals and the global cybersecurity community, with a surge in newly discovered vulnerabilities exposing weaknesses across a wide range of products. January saw a record number of published vulnerabilities, 1788, eclipsing the 1134 reported in January 2024 and the 732 in January 2023. This is the highest monthly count of active vulnerabilities tracked by vFeed IO in recent years.

Among these, 106 are classified as critical (CVSS base score of 9.0 or above), with many scoring a perfect 10.0. A significant portion of these critical vulnerabilities involve SQL injection, buffer overflows and unrestricted file uploads, frequently in PHP applications. This elevated activity underscores the need for heightened vigilance and proactive security measures in the coming months.

Microsoft patched a flurry of vulnerabilities in January. A substantial batch of security updates was released by Microsoft this January, addressing approximately 165 CVEs (https://msrc.microsoft.com/update-guide/releaseNote/2025-Jan). Among these, four are rated critical and affect core components such as Azure, NTLM and OLE. Additionally, around 100 high-severity CVEs were resolved across a range of Microsoft products and services, including potential Remote Code Execution (RCE) flaws in Windows Telephony, Microsoft Purview, Azure, .NET and Visual Studio, Office, Remote Desktop and SharePoint, as well as Edge privilege escalation vulnerabilities. Users are strongly encouraged to apply these patches promptly to mitigate the risk.

Among language ecosystems, PHP leads with about 171 reported CVEs, some of them critical, followed by Perl and Python.

WordPress plugin vulnerabilities remain a major concern this month. WordPress and its ecosystem of plugins continue to be a significant source of critical vulnerabilities.  January saw numerous reported flaws in popular plugins like User Files, WP Backup, JetEngine, and Royal Elementor, including Cross-Site Request Forgery (CSRF) and SQL Injection vulnerabilities.  A concerning 38 new critical vulnerabilities affecting WordPress components were published in January 2025 alone.  This highlights the critical importance of regular and systematic vulnerability assessments for all organizations, especially those relying on WordPress, to ensure their environments remain secure.

Join us in this newsletter to explore the key cybersecurity trends and insights of January. This edition dives into critical vulnerability trends, answers your burning security questions in our “Curiosity Questionnaire of the Month,” and provides an update on the EPSS tracker for 2025 so far. We also examine vulnerabilities affecting Kubernetes services, including the Envoy and Cilium engines. Next, we briefly list some of the challenges organizations face in vulnerability analysis in 2025. We then introduce MITRE EMB3D™, a new threat framework standard for embedded devices. Finally, we explore recent research on the autonomous exploitation of zero-day vulnerabilities using a fleet of LLM agents. It’s a jam-packed newsletter full of actionable information you won’t want to miss!

The Zetafence-vFeed team worked actively and diligently through a particularly busy January. The increased volume of active feed maintenance, coupled with accelerated vFeed IO SRE operations, database sanitization and performance enhancements to our feed correlation engines, kept the team on its toes. As always, our focus remains on delivering the highest quality threat intelligence feed updates, optimizing update performance and ensuring our feed sources remain informative and comprehensive. We are committed to maintaining the highest levels of data integrity and system stability, and to providing timely, actionable alerts that keep our customers informed and protected.

Critical Vulnerabilities – January 2025

Pay attention to these top critical vulnerabilities this month.

Each entry lists: description, CVSS 3 base score, EPSS percentile, date published, weakness, versions affected, references.

CVE-2025-0282
  Description: A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
  CVSS 3 Base: 9.0
  EPSS Percentile: 0.95883
  Date Published: 2025-01-08
  Weakness: CWE-121 (Stack-based Buffer Overflow), CWE-787 (Out-of-bounds Write)
  Versions Affected: < 22.7R2.5
  References: https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day

CVE-2025-23006
  Description: A pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could enable a remote unauthenticated attacker to execute arbitrary OS commands.
  CVSS 3 Base: 9.8
  EPSS Percentile: 0.86143
  Date Published: 2025-01-23
  Weakness: CWE-502 (Deserialization of Untrusted Data)
  Versions Affected: Up to (excluding) 12.4.3-02854
  References: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0002

CVE-2025-0230
  Description: A vulnerability classified as critical was found in code-projects Responsive Hotel Site 1.0. Affected is an unknown function of the file /admin/print.php. Manipulation of the argument pid leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
  CVSS 3 Base: 9.8
  EPSS Percentile: 0.54049
  Date Published: 2025-01-05
  Weakness: CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), CWE-89 (SQL Injection)
  Versions Affected: 1.0
  References: https://github.com/Huandtx/cve/blob/main/cve/Responsive%20Hotel%20Site/sql1.md

CVE-2025-21311
  Description: Windows NTLM V1 Elevation of Privilege Vulnerability.
  CVSS 3 Base: 9.8
  EPSS Percentile: 0.5106
  Date Published: 2025-01-14
  Weakness: CWE-303 (Incorrect Implementation of Authentication Algorithm)
  Versions Affected: Up to (excluding) 10.0.26100.2894
  References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21311

CVE-2025-0357
  Description: The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the ‘WPB_Profile_controller::handle_image_upload’ function in versions up to, and including, 1.6.9. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site’s server, which may make remote code execution possible.
  CVSS 3 Base: 9.8
  EPSS Percentile: 0.40669
  Date Published: 2025-01-25
  Weakness: CWE-434 (Unrestricted Upload of File with Dangerous Type)
  Versions Affected: up to, and including, 1.6.9
  References: https://www.wordfence.com/threat-intel/vulnerabilities/id/19bf7a68-e76d-4740-9f35-b6084094f59b

CVE-2025-23912
  Description: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Typomedia Foundation WordPress Custom Sidebar allows blind SQL injection.
  CVSS 3 Base: 9.8
  EPSS Percentile: 0.11404
  Date Published: 2025-01-16
  Weakness: CWE-89 (SQL Injection)
  Versions Affected: <= 2.3
  References: https://patchstack.com/database/wordpress/plugin/wordpress-custom-sidebar/vulnerability/wordpress-wordpress-custom-sidebar-plugin-2-3-sql-injection-vulnerability

CVE-2025-22275
  Description: iTerm2 sometimes allows remote attackers to obtain sensitive information from terminal commands by reading the /tmp/framer.txt file. This can occur for certain it2ssh and SSH Integration configurations, during remote logins to hosts that have a common Python installation.
  CVSS 3 Base: 9.3
  EPSS Percentile: 0.17746
  Date Published: 2025-01-03
  Weakness: CWE-532 (Insertion of Sensitive Information into Log File)
  Versions Affected: iTerm2 3.5.6 through 3.5.10 (fixed in 3.5.11)
  References: https://gitlab.com/gnachman/iterm2/-/wikis/SSH-Integration-Information-Leak

CVE-2025-20156
  Description: A vulnerability in the REST API of Cisco Meeting Management could allow a remote, authenticated attacker with low privileges to elevate privileges to administrator on an affected device. This vulnerability exists because proper authorization is not enforced for REST API users. An attacker could exploit it by sending API requests to a specific endpoint. A successful exploit could allow the attacker to gain administrator-level control over edge nodes managed by Cisco Meeting Management.
  CVSS 3 Base: 9.9
  EPSS Percentile: 0.178
  Date Published: 2025-01-22
  Weakness: CWE-274 (Improper Handling of Insufficient Privileges)
  Versions Affected: N/A
  References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmm-privesc-uy2Vf8pc

January 2025 Vulnerability Trends

Curiosity Questionnaire of the Month

What are some of the challenges in maintaining unpublished vulnerabilities as part of the feed database?

Traditionally, threat intel feeds rely on actively maintained, published vulnerability sources such as the NIST NVD. Standards bodies review and evaluate vulnerabilities over a period of time, and until that review completes a vulnerability remains unpublished. Some pre-NVD CVEs are published in the NVD within a few days of their initial disclosure; others take several days or even weeks to be published.

Managing and maintaining unpublished vulnerabilities, those not yet disclosed in public databases such as NVD, MITRE CVE or CISA KEV, within a feed database introduces several challenges: acquisition, maintaining and operating on data whose correctness is not yet established, and security risks.

  • Discovering and gathering unpublished vulnerabilities has to be done through a myriad of means such as advisories prior to disclosure, bug bounty reports and security research
  • Risk of false positives: without widespread validation, some vulnerabilities turn out to be non-exploitable or duplicates of known ones
  • Inaccurate or incomplete metadata and scores, as many unpublished feeds lack full CVSS scoring details, affected product details or confirmed exploitability
  • Increased risk that attackers gain access to a feed containing unpublished vulnerabilities and exploit them before patches are available
  • Difficulty in predicting or maintaining CVSS and EPSS data, which makes prioritization and impact assessment hard
  • Operationally, all of this causes continuous and larger churn in the feed database, as metadata and relationships change significantly more often

Are there any alternatives to gathering and maintaining unpublished vulnerabilities?

Several alternative approaches to gathering and analyzing vulnerabilities are possible if security analysts stop thinking of unpublished vulnerabilities only as undisclosed CVEs. Instead, analysts should seek ways to identify hints of weaknesses, zero-days, exploitable artifacts and the like; in other words, detect exploitation activity without CVE information.

  • Ask threat intel feed vendors for various advisories such as GitHub, Microsoft MSRC advisories, Linux distribution security updates, Cisco/VMware security bulletins, etc.
  • Look for intel from social platforms such as Twitter/X, OSINT, Project Zero, crowdsourced intel such as the bug bounty programs run by HackerOne / Bugcrowd, and private infosec groups on Slack, Discord or Telegram where researchers share insight
  • Collaboration with university cybersecurity research groups working on vulnerability discovery programs could help uncover exploitable vulnerabilities
  • Automated AI-based vulnerability discovery through deeper code analysis, code fuzzing techniques, and AI-based exploit prediction such as Deep Exploit, etc.

Explain software code fuzzing, and some of the techniques used for code fuzzing for vulnerability analysis in code?

Software fuzzing (or fuzz testing) is an automated testing technique in which a harness program feeds the program under test random, unexpected or malformed inputs in order to surface security vulnerabilities, crashes or other undesired behavior. It is widely used in vulnerability research to detect weaknesses such as memory corruption, buffer and stack overflows, null pointer dereferences, injection flaws such as SQL injection, and other exploitable issues in code.

Several fuzzing techniques exist. Black-box fuzzing generates random or mutated inputs with no knowledge of the program. Smart or grey-box fuzzing uses program structure, input syntax or execution feedback to generate better inputs; coverage-guided fuzzing, which uses code-coverage feedback to steer input generation, is its most common form. Symbolic (or concolic) execution treats inputs as symbolic values, collects the constraints along each execution path and solves them to generate inputs that systematically explore new paths.

Use of software fuzzing can be a powerful vulnerability detection technique that could lead to identifying weakness before being exploited. It is widely used in security research, malware analysis, and software hardening.
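As an added illustration of the black-box, mutation-based fuzzing described above (example code written for this newsletter, not part of any fuzzing tool), the block below fuzzes a deliberately buggy tag-length-value parser constructed for the example: the parser trusts a declared length without a bounds check, so the fuzzer's mutations quickly turn it into an out-of-bounds read. The hardened parser beside it validates the length first and survives the same budget. The parser, the seed input and the mutation strategy are all assumptions made for the example.

```python
import random

# Target under test, constructed for this example: a tiny tag-length-value record
# parser. The bug: the declared length is trusted without a bounds check.
def parse_record(data: bytes) -> dict:
    if len(data) < 2:
        raise ValueError("short header")          # expected, graceful rejection
    tag, length = data[0], data[1]
    payload = data[2:2 + length]
    checksum = 0
    for i in range(length):                       # IndexError once length > len(payload)
        checksum ^= payload[i]
    return {"tag": tag, "len": length, "checksum": checksum}

# Hardened form of the same parser: validate the declared length before using it.
def parse_record_fixed(data: bytes) -> dict:
    if len(data) < 2:
        raise ValueError("short header")
    tag, length = data[0], data[1]
    if len(data) - 2 < length:
        raise ValueError("declared length exceeds payload")
    checksum = 0
    for b in data[2:2 + length]:
        checksum ^= b
    return {"tag": tag, "len": length, "checksum": checksum}

def mutate(rng: random.Random, data: bytes) -> bytes:
    """One black-box mutation: bit flip, interesting byte, insert, or delete."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:
        i = rng.randrange(len(buf))
        buf[i] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif choice == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)

def fuzz(target, seeds, iterations=2000, rng_seed=1):
    """Mutation-based fuzzing loop. ValueError is the parser's documented rejection
    path; any other exception is treated as a crash and reported with its input."""
    rng = random.Random(rng_seed)                 # fixed seed so a run is reproducible
    corpus = list(seeds)
    for n in range(1, iterations + 1):
        candidate = rng.choice(corpus)
        for _ in range(rng.randint(1, 4)):        # stack a few mutations per test case
            candidate = mutate(rng, candidate)
        try:
            target(candidate)
        except ValueError:
            continue
        except Exception as exc:                  # crash found: return a minimal report
            return {"iterations": n, "input": candidate, "error": type(exc).__name__}
    return None

if __name__ == "__main__":
    seeds = [b"\x01\x03abc"]                      # constructed seed: tag 1, length 3, "abc"
    print(fuzz(parse_record, seeds))              # reports an IndexError crash
    print(fuzz(parse_record_fixed, seeds))        # None: no crash within the budget
```

A real campaign would replace the exception check with a sanitizer-instrumented binary and add coverage feedback so that inputs reaching new code are kept in the corpus; the loop structure stays the same.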

How can I effectively use EPSS scores? Are there any techniques that I can use to calculate those scores in-house?

The Exploit Prediction Scoring System (EPSS) is a valuable metric for prioritizing vulnerabilities by their real-world probability of exploitation. A CVSS score indicates the severity of a vulnerability once it has been analyzed, whereas EPSS focuses on whether it is being, or is likely to be, exploited. For instance, if a CVE has a high CVSS score such as 9.0 but an EPSS probability of 0.01 (a 1% chance of exploitation in the next 30 days), it is unlikely to be exploited soon, so analysts may defer patching it in favor of more urgent vulnerabilities, provided no other exploitation signal exists. On the other hand, threshold-based filtering can focus on vulnerabilities with an EPSS probability above 0.7 (or a percentile above 90%) and combine those with the CISA KEV catalog to pick the ones that must be patched immediately.
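The threshold logic above, written out as an added example for this newsletter (not FIRST's or any vendor's code): KEV membership is confirmed exploitation and outranks any prediction, the EPSS thresholds come next, and severity alone is the weakest signal. The CVSS scores and EPSS values come from this page's tables; the EPSS probabilities for the last two sample entries, the KEV flags and the thresholds are assumptions for illustration and should be replaced by live catalog data.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str
    cvss: float        # CVSS v3 base score
    epss: float        # EPSS probability of exploitation in the next 30 days (0..1)
    percentile: float  # EPSS percentile rank against all scored CVEs (0..1)
    in_kev: bool       # listed in the CISA Known Exploited Vulnerabilities catalog

TIERS = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}   # lower number = more urgent

def tier(f: Finding, epss_threshold: float = 0.7, percentile_threshold: float = 0.90) -> str:
    """Threshold-based triage: KEV overrides everything (exploitation is confirmed,
    not predicted); then the EPSS thresholds; severity alone comes last."""
    if f.in_kev:
        return "P1"   # patch immediately
    if f.epss > epss_threshold or f.percentile > percentile_threshold:
        return "P2"   # likely to be exploited soon; patch this cycle
    if f.cvss >= 9.0:
        return "P3"   # severe but no exploitation signal yet; schedule
    return "P4"       # backlog

def prioritize(findings):
    """Return (tier, finding) pairs, most urgent first; ties broken by EPSS, then CVSS."""
    ranked = [(tier(f), f) for f in findings]
    ranked.sort(key=lambda tf: (TIERS[tf[0]], -tf[1].epss, -tf[1].cvss))
    return ranked

# Sample input constructed for this example. CVSS scores and EPSS percentiles are the
# values listed in this newsletter; the probabilities of the last two entries and the
# KEV flags are assumptions, not looked-up facts.
SAMPLE = [
    Finding("CVE-2025-0282", 9.0, 0.15325, 0.95883, True),
    Finding("CVE-2025-23006", 9.8, 0.01369, 0.86143, True),
    Finding("CVE-2025-23912", 9.8, 0.001, 0.11404, False),
    Finding("CVE-2025-22275", 9.3, 0.002, 0.17746, False),
]

if __name__ == "__main__":
    for t, f in prioritize(SAMPLE):
        print(t, f.cve, f.cvss, f.epss, f.percentile, f.in_kev)
```

Note what the ordering shows: CVE-2025-23006 has an EPSS probability of only 0.014 and sits below the 90th percentile, so on EPSS alone it would be scheduled rather than rushed; the KEV flag is what moves it to the top. Deferral decisions should always be re-run as EPSS and KEV are refreshed, since both change daily.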

EPSS scores are typically calculated externally and distributed by FIRST.org, with the model developed together with the Cyentia Institute. To calculate them, these organizations use a feature-rich vulnerability dataset consisting of CVE metadata, CVSS vectors, exploit databases, threat intel feeds, patch status, evidence of exploitation in the wild, and so on.

It is possible to perform such calculations in-house with modern machine learning, training predictive models such as logistic regression, random forests or neural networks. To do so, the organization needs a detailed dataset with the context of each vulnerability to feed the training process, so that the model's predictions are specific to the underlying environment. Continuous retraining with updated information is necessary to keep the scores relevant.

Tell me a list of ways I could identify open source vulnerabilities, and identify the top impacted packages.

Identifying vulnerabilities in open-source software (OSS) is crucial for ensuring early risk mitigations, dependency management, and addressing supply chain security risks. Here’s a list of techniques and data sources to track open-source vulnerabilities that organizations must embrace in their assessment workflows.

  • Open source security feeds such as OSV.dev that covers OSS vulnerabilities from NPM, PyPI, RubyGems, and more.
  • GitHub Security Advisories that are reported directly by OSS maintainers
  • Monitoring individual package managers for new and existing security issues, for instance NPM (https://security.snyk.io), Go modules (https://pkg.go.dev/vuln), Ruby (https://www.ruby-lang.org/en/security), and so on
  • Finding exploits and PoCs using Exploit Database, Metasploit Framework, and Nuclei Templates
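One way to turn these sources into a list of impacted packages, as an added example written for this newsletter (not OSV's own client): OSV records describe each affected package with ranges of events, where "introduced" opens an interval and "fixed" (exclusive) or "last_affected" (inclusive) closes it, and "introduced": "0" means every version from the start. The block evaluates those ranges against a pinned lockfile and counts distinct vulnerabilities per package. The lockfile, package names and EXAMPLE-* identifiers are constructed placeholders, not real advisories; real records come from https://osv.dev (for instance the querybatch API), and the dotted-numeric version comparison is a simplification that real ecosystems (PEP 440, semver pre-release tags) need replaced.

```python
from collections import Counter

def parse_version(v: str) -> tuple:
    # Simplification for the example: numeric dotted versions only.
    return tuple(int(p) for p in v.split("."))

def is_affected(version: str, affected: dict) -> bool:
    """Evaluate one OSV 'affected' entry: the explicit version list first, then the
    SEMVER/ECOSYSTEM ranges. GIT ranges need commit history and are skipped here."""
    if version in affected.get("versions", []):
        return True
    v = parse_version(version)
    for rng in affected.get("ranges", []):
        if rng.get("type") not in ("SEMVER", "ECOSYSTEM"):
            continue
        lower = None
        for event in rng.get("events", []):
            if "introduced" in event:
                lower = parse_version(event["introduced"])   # "0" parses to (0,)
            elif "fixed" in event and lower is not None:
                if lower <= v < parse_version(event["fixed"]):
                    return True
                lower = None
            elif "last_affected" in event and lower is not None:
                if lower <= v <= parse_version(event["last_affected"]):
                    return True
                lower = None
        if lower is not None and v >= lower:      # interval never closed: still affected
            return True
    return False

def match_lockfile(lockfile: dict, vulns: list) -> list:
    """lockfile maps (ecosystem, name) -> pinned version; vulns are OSV-shaped records.
    Returns (vuln id, package key, pinned version) for every match."""
    hits = []
    for vuln in vulns:
        for affected in vuln.get("affected", []):
            pkg = affected["package"]
            key = (pkg["ecosystem"], pkg["name"])
            if key in lockfile and is_affected(lockfile[key], affected):
                hits.append((vuln["id"], key, lockfile[key]))
    return hits

def top_impacted(hits: list, n: int = 3) -> list:
    """Rank packages by the number of distinct vulnerabilities matching them."""
    return Counter(key for _, key, _ in hits).most_common(n)

# Constructed lockfile and OSV-shaped records for this example; the package names
# and EXAMPLE-* ids are placeholders, not real packages or advisories.
LOCKFILE = {
    ("PyPI", "examplelib"): "1.4.2",
    ("npm", "demo-parser"): "2.0.0",
    ("PyPI", "otherpkg"): "3.1.0",
}
VULNS = [
    {"id": "EXAMPLE-2025-0001", "affected": [{"package": {"ecosystem": "PyPI", "name": "examplelib"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "1.0.0"}, {"fixed": "1.5.0"}]}]}]},
    {"id": "EXAMPLE-2025-0002", "affected": [{"package": {"ecosystem": "PyPI", "name": "examplelib"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.4.3"}]}]}]},
    {"id": "EXAMPLE-2025-0003", "affected": [{"package": {"ecosystem": "npm", "name": "demo-parser"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "2.0.0"}, {"last_affected": "2.0.1"}]}]}]},
    {"id": "EXAMPLE-2025-0004", "affected": [{"package": {"ecosystem": "PyPI", "name": "otherpkg"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "3.0.0"}]}]}]},
]

if __name__ == "__main__":
    hits = match_lockfile(LOCKFILE, VULNS)
    print(hits)
    print(top_impacted(hits))   # examplelib is hit twice, demo-parser once, otherpkg is patched
```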

EPSS Tracker in January 2025

EPSS provides two key values for each CVE. The EPSS “probability” is the likelihood that a given CVE will be exploited in the next 30 days (a number between 0 and 1). The EPSS “percentile” is the rank of a CVE’s probability relative to all other scored CVEs (also a number between 0 and 1). We looked at these metrics for the CVEs published in January 2025 and found the following two that are likely to be exploited in the near future.

CVE-2025-0282 (Ivanti Connect)

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.

EPSS percentile 0.95883, probability: 0.15325

https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day

https://github.com/securexploit1/CVE-2025-0282

Proof-of-concept exploit for the remote unauthenticated stack-based buffer overflow affecting Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA gateways

https://github.com/sfewer-r7/CVE-2025-0282

CVE-2025-23006 (SonicWall SMA AMC)

Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands.

EPSS percentile 0.86143, probability 0.01369

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0002

Kubernetes Services Vulnerabilities

CVE-2025-24030 (Envoy)

Envoy Gateway prior to version 1.2.6 exposes the Envoy admin interface in a way that lets a user with access to the Kubernetes cluster use a path traversal attack to execute Envoy admin interface commands on the managed proxies. The admin interface can be used to terminate the Envoy process and to extract the Envoy configuration. CVSS 3 base 7.1, impact 4.2, adjacent attack vector.

https://github.com/envoyproxy/gateway/security/advisories/GHSA-j777-63hf-hx76

CVE-2025-23028 (Cilium)

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. A denial of service vulnerability affects versions 1.14.0 through 1.14.7, 1.15.0 through 1.15.11, and 1.16.0 through 1.16.4. In a Kubernetes cluster where Cilium is configured to proxy DNS traffic, an attacker can crash Cilium agents by sending a crafted DNS response to workloads from outside the cluster. For traffic that is allowed but without using DNS-based policy, the dataplane will continue to pass traffic as configured at the time of the DoS. For workloads that have DNS-based policy configured, existing connections may continue to operate, and new connections made without relying on DNS resolution may continue to be established, but new connections which rely on DNS resolution may be disrupted. No known workarounds are available at this time. CVSS3 base 5.3, Impact 1.4, Network attack vector.

https://github.com/cilium/cilium/security/advisories/GHSA-9m5p-c77c

CVE-2025-23047 (Cilium)

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An insecure default `Access-Control-Allow-Origin` header value could lead to sensitive data exposure for users of Cilium versions 1.14.0 through 1.14.7, 1.15.0 through 1.15.11, and 1.16.0 through 1.16.4 who deploy Hubble UI using either Cilium CLI or the Cilium Helm chart. A user with access to a Hubble UI instance affected by this issue could leak configuration details about the Kubernetes cluster which Hubble UI is monitoring, including node names, IP addresses, and other metadata about workloads and the cluster networking configuration. In order for this vulnerability to be exploited, a victim would have to first visit a malicious page. This issue is fixed in Cilium v1.14.18, v1.15.12, and v1.16.5. As a workaround, users who deploy Hubble UI using the Cilium Helm chart directly can remove the CORS headers from the Helm template. CVSS3 base 6.5, Impact 3.6, Network attack vector.

https://github.com/cilium/cilium/security/advisories/GHSA-h78m-j95m-5356
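To make the CORS failure mode behind CVE-2025-23047 concrete, here is an added example written for this newsletter (not Cilium's or Hubble's code) that models both sides of the exchange: the server chooses an `Access-Control-Allow-Origin` value under a policy, and a browser applies the CORS read rules to decide whether a script on the attacker's page may read the JSON. The advisory only says the default was insecure; the two permissive policies (a `*` wildcard and an echoed Origin) and the allowlisted origin are assumptions for illustration. The attack also presumes the victim's browser can reach the Hubble UI API, for example over an internal network or a local port-forward.

```python
def cors_headers(policy: dict, request_origin: str) -> dict:
    """Server side: the CORS response headers produced under a given policy.
    'wildcard' and 'reflect' are the permissive defaults to avoid on a UI that
    returns sensitive cluster metadata; 'allowlist' is the hardened form."""
    mode = policy["mode"]
    if mode == "wildcard":
        return {"Access-Control-Allow-Origin": "*"}
    if mode == "reflect":                     # echoes any Origin back, plus credentials
        return {"Access-Control-Allow-Origin": request_origin,
                "Access-Control-Allow-Credentials": "true"}
    if mode == "allowlist":
        if request_origin in policy["origins"]:
            return {"Access-Control-Allow-Origin": request_origin,
                    "Access-Control-Allow-Credentials": "true"}
        return {}                             # no CORS headers: browser blocks the read
    raise ValueError(f"unknown policy mode {mode!r}")

def browser_permits_read(request_origin: str, headers: dict, credentials: bool) -> bool:
    """Browser side: may a script running at request_origin read the cross-origin
    response body? These are the standard CORS rules a browser applies."""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        return not credentials                # '*' is never accepted for credentialed requests
    if acao != request_origin:
        return False
    if credentials:
        return headers.get("Access-Control-Allow-Credentials") == "true"
    return True

def leaks_to(policy: dict, attacker_origin: str, credentials: bool) -> bool:
    """Simulate the advisory's scenario: the victim's browser, steered to a page at
    attacker_origin, fetches the UI's API; True means the page can read the data."""
    return browser_permits_read(attacker_origin, cors_headers(policy, attacker_origin), credentials)

# Assumed policies for illustration (the advisory does not state the exact default value).
INSECURE_WILDCARD = {"mode": "wildcard"}
INSECURE_REFLECT = {"mode": "reflect"}
HARDENED = {"mode": "allowlist", "origins": ["https://hubble.internal.example"]}

if __name__ == "__main__":
    for name, policy in [("wildcard", INSECURE_WILDCARD), ("reflect", INSECURE_REFLECT), ("allowlist", HARDENED)]:
        print(name, "leaks to https://evil.example:", leaks_to(policy, "https://evil.example", False))
```

The wildcard policy leaks to any page as long as the API needs no cookies; the reflecting policy leaks even when cookies are required, since the echoed origin plus `Access-Control-Allow-Credentials: true` satisfies the browser; only the allowlist refuses the attacker's origin. Removing the CORS headers altogether, as the advisory's workaround does, is equivalent to the allowlist returning nothing.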

Challenges in Vulnerability Analysis in 2025

The primary objective of vulnerability analysis is to study the underlying environment, systems, libraries, packages and tools deeply enough to identify security flaws before they can be exploited. This goes well beyond initial scanning for secrets and keys or broad-level surveys. The expected outcome is the identification of the technical, configuration and code-level risks in the environment and their priorities for remediation, and hence the security context of each finding, including its potential severity and impact.

The challenges facing vulnerability assessment in 2025 are vastly different from, and more complex than, those of the past, as several historical trends in maintaining vulnerability data show. Below are some of them.

  • Coping with the number of published vulnerabilities, and with the frequent changes to them as exploits, PoCs and the like appear
  • Dealing with vulnerabilities before they are published, using internal research, code fuzzing, advisories, detection engines, etc.
  • Ability of the platform to adapt to frequently changing CVSS and EPSS scores in disclosed and undisclosed advisories
  • Ability to identify the context of a given vulnerability: which environment (e.g. Kubernetes), libraries and CPEs are affected
  • Dealing with fast-paced AI-based attacks

The MITRE EMB3D™ Threat Model

MITRE EMB3D™ provides a curated knowledge base of threats to embedded devices, a common understanding of those threats, and the security mechanisms that mitigate them. It is a threat model for the embedded devices found in industries such as critical infrastructure, Internet of Things, automotive, healthcare and manufacturing.

The framework was officially released to the public in May 2024, following a period of peer review and refinement with input from industry stakeholders.

The MITRE EMB3D™ framework is built around three main components:

1) Device Properties, which identify the hardware, firmware and software components that could expose a device to specific threats; cataloging these components is what lets the model enumerate potential vulnerabilities

2) Threat Identification, which maps device properties to known threats using a knowledge base that includes observed adversary behaviors and theoretical vulnerabilities

3) Mitigation Strategies, which provide countermeasures to those threats, categorized into foundational, intermediate and leading tiers by difficulty and effectiveness

As of 2025, MITRE EMB3D™ is an active and evolving framework for modeling threats to embedded devices. MITRE continues to update it with new threats and mitigations, reflecting the dynamic nature of cybersecurity. The framework is publicly accessible, and contributions from the security community are encouraged to keep it relevant and comprehensive.

For more details, see https://emb3d.mitre.org

Autonomous Exploitation of Zero-Day Vulnerabilities Using LLM Agents

A team of researchers at the University of Illinois Urbana-Champaign (UIUC) has published an interesting study on using LLM agents to exploit zero-day vulnerabilities.

The paper, “Teams of LLM Agents can Exploit Zero-Day Vulnerabilities” (Fang et al., June 2024), is available at https://arxiv.org/abs/2406.01637

The key takeaway is that a team of LLM agents can be deployed to autonomously exploit real-world zero-day vulnerabilities with a success rate above 50% when each vulnerability is given five attempts (the paper's pass@5 metric). The paper lists the ACE and RCE vulnerabilities it exploited, including CVE-2024-25635.

The research team designs “task-specific” expert agents to improve the performance of teams of agents acting as web-hacking agents. The expert agents cover XSS, SQLi, CSRF, SSTI, ZAP-driven scanning and “generic” web hacking. They are provisioned with tools such as Playwright (a browser automation framework used to drive the target websites), ZAP, a terminal and file management. Together with a hierarchical planner and a team manager, the agents execute a sequence of tasks; the implementation uses LangChain and LangGraph to build a graph of agents and pass messages between them to carry out the exploitation.

Remediations

  • Maintain up-to-date vulnerability assessments using correlated feeds, advisories and exploitation engines
  • Automated continuous assessments
  • Review infrastructure controls, access control policies, misconfigurations, etc.
  • Adopt good DevSecOps practices
  • Utilize AI-based tools to triage and prioritize vulnerabilities

May you live in interesting times! 🙂




Click here to schedule your demo with vFeed Threat Intel today!