vFeed Newsletter February 2025
Welcome to the vFeed February 2025 edition of the Cybersecurity and Vulnerability newsletter.
February presented a mixed security landscape. Fewer vulnerabilities were published overall (1,562, down from 1,859 in January), yet the number of critical vulnerabilities, those with a CVSS score of 9.0 or higher, rose sharply to 129. In other words, a smaller set of vulnerabilities is carrying a larger share of the impact. We kept a close eye on WordPress plugins, Microsoft Windows, Palo Alto Networks PAN-OS, and the Wazuh server, all of which were affected. Notably, Microsoft released patches for 63 vulnerabilities, 10 of which were already being exploited, particularly in Windows LDAP, the kernel, and Office. Stay updated!
Intriguingly, a medium-severity OpenSSH vulnerability (CVE-2025-26465) was disclosed: when the client option VerifyHostKeyDNS is enabled, a machine-in-the-middle attacker impersonating a server can defeat host key verification. The option is off by default in upstream OpenSSH, though FreeBSD shipped it enabled for roughly a decade, so check client configurations rather than assuming the default. The fix shipped in OpenSSH 9.9p2, and the issue affects numerous Linux distributions, including Red Hat, Ubuntu, and SUSE. Additionally, a high-severity Linux kernel vulnerability (CVE-2025-21703, CVSS 7.8) was found in the NetEm packet scheduler (sch_netem): a use-after-free in how netem accounts for queued packets when it has a child qdisc, reported as triggerable by crafted traffic. In February, several Ubuntu vulnerabilities were disclosed affecting 24.10, 24.04 LTS, 22.04 LTS, 20.04 LTS, and older LTS releases.
WordPress plugins continue to carry high security risk, with several plugin vulnerabilities in the high to critical range and moderate exploit probabilities. Affected plugins include Jupiter X Core, Everest Forms, IP2Location Country Blocker, and others.
Language ecosystems including Rust, Python, and Go also contributed critical vulnerabilities in February. Among them, CVE-2025-24016 in Wazuh, the open-source XDR/SIEM platform (versions 4.4.0 through 4.9.0, fixed in 4.9.1), is an unsafe deserialization flaw in the DistributedAPI that lets a caller with API access have arbitrary Python code executed on the Wazuh server.
The most prevalent weakness in February was Cross-site Scripting (XSS), CWE-79, with 348 instances recorded. Among these were two critical vulnerabilities stemming from the MDC Markdown tooling (CVE-2025-24981) and the Wattsense Bridge device firmware (CVE-2025-26410). Additional high-severity XSS vulnerabilities were identified in Adobe Commerce / Magento Open Source (CVE-2025-24438) and CtrlPanel, an open-source billing application for hosting providers (CVE-2025-25203).
February 2025 also saw a sharp rise in Out-of-bounds Write (CWE-787), with 49 cases. Nine of those were critical, spanning D-Link firmware, MediaTek modem UE firmware, memory safety bugs in Firefox 134 and Thunderbird 134, and Vyper, the Pythonic smart contract language for the EVM.
In this February newsletter we explore further key trends and insights in the vulnerability landscape. This edition dives into critical vulnerability trends, answers your security questions in our “Curiosity Questionnaire of the Month,” and gives an update on the EPSS tracker for 2025 so far. In addition, this month’s newsletter covers the following:
- Discover how MITRE CALDERA™ automates adversary emulation to strengthen your security defenses
- Learn about the PASTA Threat Modeling Tool and its risk-centric approach to identifying and mitigating potential threats
- Explore the implications of AI automation in threat hunting, as discussed in IBM Technology’s recent video cast
- Understand the latest research on Vulnerability Prioritization from the National University of Singapore, enabling more effective security resource allocation
Critical Vulnerabilities – February 2025
Pay attention to these top critical vulnerabilities this month.
CVE | Description | CVSS 3 Base | EPSS Percentile | Date Published | Weakness | Versions Affected | References |
CVE-2025-0108 | Authentication bypass in Palo Alto Networks PAN-OS: an unauthenticated attacker with network access to the management web interface can bypass authentication and invoke certain PHP scripts. | 9.1 | 0.99566 | 2025-02-12 | CWE-306 | PAN-OS 10.1.x < 10.1.14-h9, 10.2.x < 10.2.7-h24, 11.1.x < 11.1.6-h1, 11.2.x < 11.2.4-h4 | https://security.paloaltonetworks.com/CVE-2025-0108 |
CVE-2025-0943 | itsourcecode Tailoring Management System 1.0: manipulation of the id argument leads to SQL injection. | 9.8 | 0.54294 | 2025-02-01 | CWE-89, CWE-74 | 1.0 | https://github.com/magic2353112890/cve/issues/7 |
CVE-2025-1355 | needyamin Library Card System 1.0: unrestricted file upload via /signup.php. | 9.8 | 0.70166 | 2025-02-16 | CWE-284, CWE-434 | 1.0 | https://www.websecurityinsights.my.id/2025/02/library-card-system-shell-by-maloyroyorko.html |
CVE-2025-24989 | Improper access control in Microsoft Power Pages allows an unauthorized attacker to elevate privileges over a network. | 9.8 | 0.85106 | 2025-02-19 | CWE-284 | N/A (cloud service, mitigated by Microsoft) | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24989 |
CVE-2025-0994 | Trimble Cityworks deserialization vulnerability allowing an authenticated user to execute code remotely on the customer’s Microsoft IIS web server. | 8.8 | 0.93152 | 2025-02-06 | CWE-502 | < 15.8.9 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-04 |
CVE-2025-1538 | D-Link DAP-1320: manipulation in function set_ws_action leads to a heap-based buffer overflow. | 8.8 | 0.71612 | 2025-02-21 | CWE-119, CWE-122, CWE-787 | DAP-1320 1.00 | https://legacy.us.dlink.com/pages/product.aspx?id=4b2bbe2e3f1d440ea65bc56c7e3dcc5c |
CVE-2025-1189 | 1000 Projects Attendance Tracking System: SQL injection in /admin/chart1.php. | 8.8 | 0.5521 | 2025-02-12 | CWE-74, CWE-89 | 1.0 | https://github.com/takakie/CVE/blob/main/cve_2.md |
CVE-2025-26465 | OpenSSH client with the VerifyHostKeyDNS option enabled: a machine-in-the-middle attacker impersonating a legitimate server can defeat host key verification. | 6.8 | N/A | 2025-02-18 | CWE-390 | 6.8p1 through 9.9p1 (fixed in 9.9p2) | https://seclists.org/oss-sec/2025/q1/144 |
February 2025 Vulnerability Trends
Curiosity Questionnaire of the Month
We were asked a number of curious questions during the month and thought we should share the insights here.
Are there indicators of exploitations in the wild that security engineers can use to scope?
This is a hard research problem. Scores such as CVSS and EPSS help estimate overall vulnerability risk, but they are not sufficient on their own. What is needed is a prediction model that correctly identifies the vulnerabilities that are exploited (true positives) while keeping both misses (false negatives) and false alarms (false positives) low.
In the Cyentia article “A Visual Exploration of Exploitation in the Wild”, the authors discuss ways to make such exploitation predictions more reliable.
https://www.cyentia.com/wp-content/uploads/2024/07/EPSS-Exploration-Of-Exploits.pdf (PDF)
Alongside CVSS and EPSS, the authors bring in weakness attributes (CWE), CIA impact metrics, and per-vendor exploitation rates to build a model of exploitation in the wild. Exploit tools and databases such as Metasploit and Exploit-DB, together with their risk categorization and severity, offer a further window into which vulnerabilities are actually being weaponized.
Are there indicators of exploitations in the wild that security engineers can use to scope?
There are several indicators that point to exploitation in the wild with high confidence: public exploit code in Exploit-DB, Metasploit modules, GitHub proof-of-concept repositories, Zero Day Initiative advisories, and, above all, correlation with CISA’s Known Exploited Vulnerabilities (KEV) catalog.
Beyond those, weakness attributes such as CWEs add credibility when judging how likely active exploitation is. For instance, CWE-119 (memory bounds errors and buffer corruption), CWE-94 (code injection), and CWE-89 (SQL injection) are core weaknesses to monitor in your environment.
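One way to turn these indicators into a triage order, as an added example that is not vFeed’s own code: confirmed exploitation (KEV) dominates, public exploit code and EPSS rank come next, a high-risk CWE adds a nudge, and CVSS only separates entries with comparable exploitation evidence. The sample rows reuse CVSS and EPSS figures quoted in this newsletter; the EPSS probabilities marked as constructed and the KEV/PoC flags are assumptions for the sample, not claims about the real catalog. The percentile helper computes the EPSS percentile from probabilities exactly as the EPSS Tracker section defines it.

```python
"""Triage by exploitation evidence rather than CVSS alone.

Added example, not vFeed's own code. Sample rows reuse CVSS and EPSS
figures quoted in this newsletter; probabilities marked 'constructed' and
the KEV/PoC flags are assumptions for illustration only.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable

# Weakness classes the Q&A above treats as strong exploitation indicators.
HIGH_RISK_CWES = {"CWE-119", "CWE-787", "CWE-94", "CWE-89", "CWE-502", "CWE-434"}


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float                  # CVSS v3 base score, 0..10
    epss_prob: float             # EPSS probability of exploitation within 30 days
    cwes: tuple[str, ...] = ()
    in_kev: bool = False         # listed in CISA KEV (assumed for the sample)
    public_poc: bool = False     # Exploit-DB / Metasploit / GitHub PoC seen


def epss_percentile(prob: float, population: Iterable[float]) -> float:
    """EPSS 'percentile': share of the dataset whose probability is <= prob."""
    pop = list(population)
    return sum(1 for p in pop if p <= prob) / len(pop)


def triage_score(v: Vuln, population: Iterable[float]) -> float:
    """Higher means look at it first.

    KEV membership dominates, public exploit code and EPSS rank come next,
    a high-risk CWE adds a nudge, and CVSS only breaks ties among entries
    with comparable exploitation evidence.
    """
    score = 0.0
    if v.in_kev:
        score += 100.0
    if v.public_poc:
        score += 20.0
    score += 50.0 * epss_percentile(v.epss_prob, population)
    if any(c in HIGH_RISK_CWES for c in v.cwes):
        score += 10.0
    score += v.cvss
    return score


def rank(vulns: list[Vuln]) -> list[tuple[str, float]]:
    """Return (cve, score) pairs, most urgent first."""
    pop = [v.epss_prob for v in vulns]
    scored = [(v.cve, round(triage_score(v, pop), 2)) for v in vulns]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample: CVSS/EPSS from this newsletter where quoted, otherwise
# assumed small probabilities; KEV and PoC flags are assumptions.
SAMPLE = [
    Vuln("CVE-2025-0108", 9.1, 0.95537, ("CWE-306",), in_kev=True, public_poc=True),
    Vuln("CVE-2025-0994", 8.8, 0.05395, ("CWE-502",), in_kev=True),
    Vuln("CVE-2025-24989", 9.8, 0.01179, ("CWE-284",), in_kev=True),
    Vuln("CVE-2025-0943", 9.8, 0.003, ("CWE-89", "CWE-74")),     # prob constructed
    Vuln("CVE-2025-1538", 8.8, 0.005, ("CWE-119", "CWE-787")),   # prob constructed
    Vuln("CVE-2025-26465", 6.8, 0.001, ("CWE-390",)),            # prob constructed
]

if __name__ == "__main__":
    for cve, score in rank(SAMPLE):
        print(f"{cve:<16} {score:>7.2f}")
```

Note how the two 9.8 entries without exploitation evidence drop below the 8.8 Cityworks bug that is known to be exploited; that inversion relative to a pure CVSS sort is the point of bringing KEV and EPSS into the ranking.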
What are some techniques used to scan vulnerabilities in containerized environments such as Docker?
Containerized environments such as Docker and Kubernetes are popular because they simplify deployment. Securing them combines image scanning, runtime security and monitoring, configuration checks, and network filtering.
In the pre-deployment stage, scanners extract OS packages, libraries, and application dependencies from the image, match them against known vulnerability databases, and attach risk-based scoring. Tools such as Aqua Security (Trivy), Snyk, and Docker Scout provide this functionality.
Scanning a Docker image therefore means extracting the software components from its layers (OS packages, plus language dependencies detected for Python, Node.js and so on) and querying for CVEs that affect those components. The results must reconcile multiple sources: the NVD, OS and package-manager advisories, and vendor security bulletins. A practical caveat is that distribution packages often carry backported fixes under an unchanged upstream version number, so a match on an upstream version range is a lead to confirm against the distribution’s own advisories, not a finding in itself. Scanners should also flag actively exploited vulnerabilities using CISA KEV and map findings to MITRE ATT&CK techniques where possible.
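The matching step described above, as an added example that is not the code of Trivy, Snyk or any other scanner. The image inventory and the advisory records are constructed inline with placeholder CVE identifiers; they stand in for what a scanner reads out of image layers and what a feed such as vFeed supplies. The version ordering is deliberately simplified and the Debian row shows why an upstream-range hit on a distro package needs confirmation.

```python
"""Match an image's component inventory against vulnerability records.

Added example, not the code of any scanner. The inventory and the advisory
records are constructed inline (placeholder CVE IDs) to stand in for what a
scanner reads out of image layers and what a vulnerability feed supplies.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed inventory in the shape a scanner derives from dpkg status,
# Python dist-info and package.json files found inside the image.
IMAGE_INVENTORY = """\
deb   openssh-client   1:9.2p1-2+deb12u3
deb   libssl3          3.0.15-1~deb12u1
pypi  jinja2           3.1.3
pypi  requests         2.32.3
npm   lodash           4.17.21
"""


@dataclass(frozen=True)
class Advisory:
    cve: str
    ecosystem: str
    package: str
    introduced: str        # first affected version
    fixed: str | None      # first fixed version, None if unfixed
    cvss: float
    in_kev: bool = False   # assumed KEV flag, illustration only


# Constructed records; the IDs are placeholders, not real CVEs.
ADVISORIES = [
    Advisory("CVE-EXAMPLE-0001", "deb", "openssh-client", "6.8", "9.9p2", 6.8),
    Advisory("CVE-EXAMPLE-0002", "pypi", "jinja2", "0", "3.1.4", 5.4),
    Advisory("CVE-EXAMPLE-0003", "npm", "lodash", "0", "4.17.21", 7.4),
    Advisory("CVE-EXAMPLE-0004", "pypi", "requests", "0", "2.32.0", 5.6, in_kev=True),
]


def upstream_version(ecosystem: str, raw: str) -> str:
    """Reduce a package-manager version to the upstream version.

    Debian: drop the epoch ('1:') and the packaging revision ('-2+deb12u3').
    """
    if ecosystem == "deb":
        raw = re.sub(r"^\d+:", "", raw)
        raw = raw.split("-", 1)[0]
    return raw


def version_key(v: str) -> tuple[int, ...]:
    """Simplified ordering key: the numeric runs of the version string.

    Handles dotted versions and OpenSSH-style '9.9p2'; a real scanner uses
    each ecosystem's own comparison rules (dpkg, PEP 440, semver).
    """
    return tuple(int(x) for x in re.findall(r"\d+", v))


def is_affected(adv: Advisory, version: str) -> bool:
    """True if version lies in the half-open range [introduced, fixed)."""
    k = version_key(version)
    if k < version_key(adv.introduced):
        return False
    return adv.fixed is None or k < version_key(adv.fixed)


def parse_inventory(text: str) -> list[tuple[str, str, str]]:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rows.append((parts[0], parts[1], parts[2]))
    return rows


def scan(inventory: str, advisories: list[Advisory]) -> list[dict]:
    """Return findings, KEV entries first, then by CVSS."""
    findings = []
    for eco, pkg, raw in parse_inventory(inventory):
        ver = upstream_version(eco, raw)
        for adv in advisories:
            if adv.ecosystem == eco and adv.package == pkg and is_affected(adv, ver):
                findings.append({
                    "cve": adv.cve, "package": pkg, "version": raw,
                    "cvss": adv.cvss, "in_kev": adv.in_kev,
                    # Distros backport fixes without bumping the upstream
                    # version, so an upstream-range hit on a distro package
                    # is a lead to confirm against the distro's tracker.
                    "note": "confirm against distro security tracker" if eco == "deb" else "",
                })
    findings.sort(key=lambda f: (f["in_kev"], f["cvss"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in scan(IMAGE_INVENTORY, ADVISORIES):
        print(f)
```

Two things the run shows: the requests row is in the (assumed) KEV list but the installed version is past the fix, so it produces no finding, and the openssh-client row matches on its upstream version even though the Debian package may already carry the backported fix, which is why it is tagged for confirmation.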
How does vulnerability feed intelligence like vFeed find relevance in the AI/ML world?
LLM responses are probabilistic, and their quality depends heavily on the datasets used to train and ground them; otherwise security teams end up chasing false positives. Accurate, deterministic intelligence is essential in threat intel work to avoid pursuing wrong leads, which is where high-confidence data sources like vFeed can help. More importantly, dataset provenance, compliance, and data integrity remain open risks for enterprise security teams that rely on LLM models and their training data.
At what stages of incident management workflow are vulnerabilities put into effective use?
It is often assumed that traditional vulnerabilities only matter for initial access. While CVEs are particularly useful for gaining a foothold, they are also leveraged for persistence, privilege escalation, lateral movement, and impact.
Vulnerabilities are used at different stages of the attack lifecycle depending on their characteristics. Later MITRE ATT&CK tactics such as lateral movement matter just as much: for example, discovering over-permissive access or exposed TCP/RDP ports that eventually lead to exfiltration.
Initial Access: gaining entry through public-facing servers and applications, via misconfigurations or via phishing that delivers exploits for client-side CVEs.
Privilege Escalation: elevating rights through kernel vulnerabilities and exploitable misconfigured services.
Persistence: maintaining access, for example by abusing weak credentials, which can extend the period of exploitation considerably.
Lateral Movement: abusing RDP, VPN, or SMB vulnerabilities to spread from one compromised host to others across the network.
Impact: leveraging the vulnerabilities favoured by ransomware operators to cause destruction or exfiltrate data.
EPSS Tracker in February 2025
EPSS provides two key values for each CVE. The EPSS “probability” is the estimated likelihood that a given CVE will be exploited in the next 30 days (a number between 0 and 1). The EPSS “percentile” is the ranking of a CVE’s probability relative to all other CVEs in the dataset (also between 0 and 1). Note that a high percentile does not imply a high probability: most CVEs have very small probabilities, so a probability of a few percent already ranks above the large majority. We looked for these metrics among CVEs published in February 2025 and found the following three, which are the most likely to be exploited in the near future.
CVE-2025-0108
An authentication bypass in the Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts.
https://security.paloaltonetworks.com/CVE-2025-0108
https://github.com/becrevex/CVE-2025-0108
EPSS percentile 0.99566, probability: 0.95537
CVE-2025-0994
Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server.
https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-04
EPSS percentile 0.93152, probability: 0.05395
CVE-2025-24989
An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control. This vulnerability has already been mitigated in the service and all affected customers have been notified. This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24989
EPSS percentile 0.85106, probability: 0.01179
Kubernetes Services Vulnerabilities
CVE-2025-26492 (CVSS3 Base 7.7, EPSS Percentile 0.11721)
In JetBrains TeamCity, improper Kubernetes connection settings could expose sensitive resources, applicable to versions before 2024.12.2.
https://www.tenable.com/plugins/index.php?view=single&id=216236
CVE-2025-0426 (CVSS3 Base 6.2, EPSS Percentile 0.11721)
A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node’s disk. Clusters that run the kubelet with the read-only port disabled (readOnlyPort: 0 in the kubelet configuration) or without the ContainerCheckpoint feature are not exposed.
https://github.com/kubernetes/kubernetes/issues/130016
CVE-2025-1146 (CVSS3 Base 6.2, EPSS Percentile 0.11721)
CrowdStrike uses industry-standard TLS to secure communications from the Falcon sensor to the CrowdStrike cloud. CrowdStrike has identified a validation logic error in the Falcon sensor for Linux, Falcon Kubernetes Admission Controller, and Falcon Container Sensor where our TLS connection routine to the CrowdStrike cloud can incorrectly process server certificate validation. This could allow an attacker with the ability to control network traffic to potentially conduct a man-in-the-middle (MiTM) attack.
https://www.crowdstrike.com/security-advisories/cve-2025-1146
The MITRE CALDERA™ Automated Testing Framework
MITRE CALDERA is an open-source automated adversary emulation platform designed to help security teams test, assess, and improve their defenses by simulating real-world cyber threats.
Caldera helps cybersecurity professionals reduce the amount of time and resources needed for routine cybersecurity testing.
By leveraging MITRE ATT&CK tactics and techniques, CALDERA automates realistic attack simulations, helping organizations evaluate their detection and response capabilities with far less manual effort. It integrates with SOC workflows, SIEMs, and EDRs, allowing blue teams to fine-tune detection rules while red teams execute automated adversary operations. With modular plugins for adversary simulation, threat hunting, and incident response validation, CALDERA provides a cost-effective and scalable way to continuously validate defenses.
Caldera specifically empowers security teams to perform:
- Autonomous Adversary Emulation
- Evaluation of Detection, Analytic and Response Platforms
- Automated Red Teaming
- Continuous Security Validation such as validating SOC detections and response capabilities
- Threat Hunting & Detection Engineering such as fine-tuned detection rules to observe adversary behavior
For more details, see https://caldera.mitre.org
PASTA Threat Modeling Tool
PASTA stands for Process for Attack Simulation and Threat Analysis. It is a risk-centric threat modeling method, meaning that risk plays a central role and the focus is on the highest and most relevant risks that can affect your business. Unlike traditional threat modeling, which focuses only on vulnerabilities, PASTA integrates business risks, attack simulation, and security controls to prioritize the most critical threats.
PASTA is typically used by Security Architects, threat hunters, risk analysts, DevSecOps & Application Security Teams to effectively identify critical risks, and prioritize security inspections.
PASTA is structured into 7 stages for threat modeling and attack simulation:
- Define the Objectives – identify business objectives, risk assessment and compliance requirements, applications, assets, etc.
- Define the Technical Scope – identify data flows, specific services, APIs, cloud, containers, architecture, etc.
- Decompose the Application – analyze authentication and authorization, privilege escalation paths, trust boundaries, attack surfaces, etc.
- Analyze the Threats – use MITRE ATT&CK and threat intelligence feeds, identify relevant threat actors, etc.
- Vulnerability Analysis – use vulnerability databases together with SAST and DAST results to identify security weaknesses and CVEs
- Attack Analysis – use adversary emulation tools such as MITRE CALDERA and Metasploit to simulate attack scenarios
- Risk and Impact Analysis – identify security investments and focus areas for enterprise security controls
For more details, see https://threat-modeling.com/pasta-threat-modeling
Is AI Saving or Taking Jobs? Cybersecurity & Automation Impact by IBM Technology
In a recent video by IBM Technology, “Is AI Saving or Taking Jobs? Cybersecurity & Automation Impact”, the presenter discusses the key impacts AI could have on cybersecurity: the automation of many security tasks and whether that displaces jobs. In particular, the presenter discusses AI-enabled automated threat hunting and an AI “cyber SME” that systematically answers the question “Am I affected?” for a given environment.
On AI-assisted threat hunting, the presenter raises the possibility of generating hypotheses about where attackers who have broken in might have left tools behind, and which Indicators of Compromise (IoC) would serve as clues to the path they took. This is where the creativity of generative AI could be leveraged to hunt for scenarios that security engineers may not have thought of.
On the cyber SME that understands security language well enough to answer “Am I affected?”, the presenter describes a workflow where generative AI can help. Security teams are inundated daily with reports, advisories, and exploits, while executives and the team itself want one answer: “Am I affected?”
Answering that involves gathering advisories and exploits, feeding them to the GenAI model to distil the key findings, extracting the relevant Indicators of Compromise (IoC), and running a federated search across the environment. As the presenter observes, this is a very powerful use case for GenAI.
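The two deterministic halves of that workflow, IoC extraction and the federated search, as an added example that is neither IBM’s nor vFeed’s code. The advisory excerpt and the log lines are constructed, the “federated search” runs over in-memory strings in place of SIEM, EDR and proxy queries, and the model-summarisation step from the talk is replaced by plain regex extraction. The internal address ranges are assumed to be the organisation’s own.

```python
"""'Am I affected?' pipeline: pull IoCs out of advisory text, then search
local telemetry for them.

Added example, not IBM's or vFeed's code. The advisory excerpt and the log
lines are constructed; the 'federated search' runs over in-memory strings
in place of queries against a SIEM, EDR and proxy.
"""
from __future__ import annotations
import ipaddress
import re

ADVISORY_TEXT = """\
Constructed excerpt: the actor staged payloads on 203.0.113.45 and
updates[.]example-cdn[.]test and dropped loader.dll with SHA256
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08.
Our internal resolver at 10.0.0.1 is mentioned only for context.
"""

# Constructed telemetry, one source per entry.
TELEMETRY = {
    "proxy": """\
2025-02-20T10:14:01Z host=ws-17 dst=updates.example-cdn.test:443 action=allow
2025-02-20T10:14:05Z host=ws-17 dst=203.0.113.45:8443 action=allow
2025-02-20T11:02:10Z host=ws-03 dst=10.0.0.1:53 action=allow
""",
    "edr": r"""2025-02-20T10:14:09Z host=ws-17 event=file_write path=C:\Users\a\loader.dll sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
2025-02-20T10:20:00Z host=ws-22 event=file_write path=C:\Temp\notes.txt sha256=0000000000000000000000000000000000000000000000000000000000000000
""",
}

# Internal ranges to ignore; assumed to be the organisation's own space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256 = re.compile(r"\b[0-9a-fA-F]{64}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
FILE_EXTS = {"dll", "exe", "ps1", "bat", "vbs", "zip", "txt"}


def refang(text: str) -> str:
    """Undo the defanging advisories use ('[.]', 'hxxp')."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def extract_iocs(text: str) -> dict[str, set[str]]:
    text = refang(text)
    iocs: dict[str, set[str]] = {"ip": set(), "domain": set(), "sha256": set(), "file": set()}
    for ip in IPV4.findall(text):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in INTERNAL_NETS):
            iocs["ip"].add(ip)
    for h in SHA256.findall(text):
        iocs["sha256"].add(h.lower())
    for name in DOMAIN.findall(text):
        # 'loader.dll' matches the domain pattern; route it by extension.
        kind = "file" if name.rsplit(".", 1)[-1].lower() in FILE_EXTS else "domain"
        iocs[kind].add(name.lower())
    return iocs


def federated_search(iocs: dict[str, set[str]], sources: dict[str, str]) -> dict:
    """Look for every IoC in every source; report hits and affected hosts."""
    hits = []
    for source, text in sources.items():
        for line in text.splitlines():
            low = line.lower()
            host = re.search(r"host=(\S+)", line)
            for kind, values in iocs.items():
                for value in values:
                    if value in low:
                        hits.append({"source": source, "kind": kind, "ioc": value,
                                     "host": host.group(1) if host else "?"})
    return {"affected": bool(hits),
            "hosts": sorted({h["host"] for h in hits}),
            "hits": hits}


def am_i_affected() -> dict:
    return federated_search(extract_iocs(ADVISORY_TEXT), TELEMETRY)


if __name__ == "__main__":
    result = am_i_affected()
    print("affected:", result["affected"], "hosts:", result["hosts"])
    for hit in result["hits"]:
        print(hit)
```

The internal-range filter and the file-extension routing are what keep this from flagging ws-03 for talking to its own resolver or treating every filename in an advisory as a domain; those two filters are where most of the false positives in naive IoC sweeps come from.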
You can view more details at: https://www.youtube.com/watch?v=3sSDQ_wLSzM
A Survey on Vulnerability Prioritization: Taxonomy, Metrics, and Research Challenges, Jiang et al., Feb. 2025
A team of cybersecurity researchers at the National University of Singapore has released a survey paper reviewing 82 studies and introducing a taxonomy that categorizes prioritization metrics into severity, exploitability, contextual factors, predictive indicators, and aggregation methods. The study covers the commonly used metrics for vulnerability prioritization, the predominant methodologies, and the key challenges and emerging trends.
The paper, “A Survey on Vulnerability Prioritization: Taxonomy, Metrics, and Research Challenges”, Jiang et al., Feb. 2025, can be found here: https://arxiv.org/pdf/2502.11070
One of the more striking results highlighted in this research is that a team of LLM agents can be deployed to autonomously exploit real-world zero-day vulnerabilities with a success rate above 50% in five phases. The article lists some of the arbitrary code execution (ACE) and remote code execution (RCE) vulnerabilities exploited, along with the CVEs tackled, such as CVE-2024-25635.
Some of their findings included the following:
- Severity metrics, particularly those based on the Common Vulnerability Scoring System (CVSS), are most prevalent, as expected
- Current approaches often rely on static models, struggling to integrate real-time threat intelligence
- There has been a growing trend towards scalable, automated solutions driven by AI and machine learning
May you live in interesting times!

Click here to schedule your demo with vFeed Threat Intel today!