Welcome to the vFeed March 2025 edition of the Cybersecurity and Vulnerability Newsletter.

March presented a greater challenge to security professionals. We saw a significant increase in the number of published vulnerabilities (2,620) compared to February (1,593). We also observed several older vulnerabilities being exploited, especially in privilege escalation attacks. The number of critical vulnerabilities, those with a CVSS base score of 9.0 or higher, rose even more sharply to 187 in March compared to 129 in February, several of them with a 10.0 score. Starting in March, vFeed threat intel has incorporated CVSS4 risk scoring metrics into our feed. In March, the number of CVEs reporting a CVSS4 risk score jumped to 141, the largest we have seen so far.

In March 2025, critical vulnerabilities across major operating systems, platforms and languages highlighted the evolving security landscape and the importance of proactive defense in enterprises. Microsoft addressed 57 vulnerabilities, including 6 critical remote code execution flaws and 7 zero-days, with exploitation often targeting privilege escalation and malicious file execution. WordPress plugins continued to be a major attack vector, with vulnerabilities ranging from SQL injection to remote code execution and authentication bypass, threatening overall website security. Kubernetes clusters faced severe risks, including cluster-wide compromise through flaws like unauthenticated access in the Ingress NGINX Controller. Apple iOS and Darwin Go were also impacted by sandbox bypass and privilege escalation vulnerabilities, respectively, underscoring risks in mobile and runtime environments. These trends emphasize the need for timely patching, strict access controls, and enhanced monitoring to mitigate emerging threats.

Several critical vulnerabilities in WordPress plugins were identified, exposing websites to significant security risks. In CVE-2025-0177, the Javo Core plugin allowed unauthenticated attackers to escalate privileges by creating accounts with administrator roles, potentially leading to full site takeover. In CVE-2025-0180, the WP Foodbakery plugin exposed multiple functions to unauthorized access, enabling attackers to delete files, modify settings, and perform other malicious actions. In CVE-2025-0308, the Ultimate Member plugin revealed flaws in user registration and profile management, which could be exploited for privilege escalation or unauthorized access. Lastly, CVE-2025-0316 in the WP Directorybox Manager plugin enabled authentication bypass, allowing attackers to gain access without proper credentials. Threat actors leveraged mu-plugins to inject malware and hijack site images, exploiting vulnerabilities like CVE-2024-27956 (SQL injection in WordPress Automatic Plugin) and CVE-2024-4345 (unauthenticated file upload in Startklar Elementor Addons). Other notable issues included CVE-2025-1232 (stored XSS in Site Reviews plugin), CVE-2025-1770 (local file inclusion in Eventin plugin), and flaws in plugins like WP Contact Form III and WP Featured Entries, which remain unpatched. As always, web administrators are urged to update these plugins immediately, monitor for suspicious activity, and implement strict access controls to mitigate these risks.

As part of its monthly updates, Microsoft addressed 57 vulnerabilities, including seven zero-days and six critical flaws, emphasizing the ongoing challenging threat landscape on Microsoft platforms. The vulnerabilities spanned multiple categories, with 23 elevation of privilege (EoP) and 23 remote code execution (RCE) flaws being the most prevalent. Notable zero-days included CVE-2025-24983 (Win32 Kernel Subsystem EoP), CVE-2025-24993 (NTFS heap-based buffer overflow), and CVE-2025-26633 (Microsoft Management Console security bypass). Critical RCE vulnerabilities like CVE-2025-24035 and CVE-2025-24045 in Windows Remote Desktop Services were also patched. In these attacks, exploitation relied on social engineering or malicious files, underscoring the importance of user awareness and timely patching.

A critical vulnerability in Apache Tomcat (CVE-2025-24813) was discovered affecting versions 9.0.0-M1 to 9.0.98, 10.1.0-M1 to 10.1.34, and 11.0.0-M1 to 11.0.2. It combines a previously unknown path equivalence flaw with deserialization of untrusted data, potentially enabling remote code execution (RCE). Attackers upload malicious files via HTTP PUT requests and trigger deserialization to execute payloads. Exploitation requires specific configurations, such as enabled file-based session storage and writable directories.

In popular programming language packages such as Python and PHP, several critical vulnerabilities were discovered during the month. In Python, CVE-2025-0938 affected the python-min package, causing improper URL parsing that could lead to security issues in applications relying on these functions. Additionally, CVE-2025-27607 in the Python JSON Logger package allowed remote code execution through a missing dependency (CWE-829, Inclusion of Functionality from Untrusted Control Sphere). For PHP, multiple vulnerabilities were reported, including CVE-2024-55417, CVE-2024-55416, and CVE-2024-55415 in the Voyager package, enabling remote code execution, XSS attacks, and file manipulation.

CWE weaknesses were observed across platforms but clustered around a few specific weaknesses in March. CWE-79 (Cross-Site Scripting) remained the most common, particularly in web applications like WordPress plugins and email systems. Other significant weaknesses included CWE-707 (Improper Neutralization), which affected Microsoft Management Console vulnerabilities, leading to privilege escalation and bypassing of security features. CWE-20 (Improper Input Validation) was widely exploited in various software, including the NTFS and FAT file systems and Python libraries, causing issues like heap-based buffer overflows and integer overflows. Additionally, CWE-94 (Code Injection) and CWE-502 (Deserialization of Untrusted Data) were noted in PHP packages and other web technologies. These weaknesses highlight the need for robust input validation, timely patching, and secure coding practices to mitigate risks effectively.

In our March newsletter, we explore several key trends and insights in the cybersecurity vulnerability landscape. This edition dives into critical vulnerability trends, answers your burning security questions in our “Curiosity Questionnaire of the Month,” and gives an update on the EPSS tracker for 2025 so far. In addition, gain valuable insights into cutting-edge cybersecurity practices in this month’s newsletter through the following:

  • Discover and learn about the MITRE Engage™ Adversary Engagement Framework for adversary engagement
  • Understand how AI is strengthening security and zero trust systems, from IBM security professionals
  • Learn and apply techniques for identifying and calculating risks using the NIST 800-30 Framework
  • Understand the latest research on AI-based vulnerability management, and the gaps between industry and academia, from cybersecurity researchers

Critical Vulnerabilities – March 2025

Pay attention to these top critical vulnerabilities this month.

CVE | Description | CVSS 3 Base | EPSS Percentile | Date Published | Weakness | Versions Affected | References
CVE-2025-0912 | Donations Widget plugin for WordPress is vulnerable to PHP Object Injection | 9.8 | 79.55% | 2025-03-04 | CWE-502 (Deserialization of Untrusted Data) | <= 3.19.4 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8a8ae1b0-e9a0-4179-970b-dbcb0642547c
CVE-2025-22954 | GetLateOrMissingIssues in C4/Serials.pm in Koha before 24.11.02 allows SQL Injection | 10.0 | 42.38% | 2025-03-12 | CWE-89 (SQL Injection) | < 24.11.02 | https://koha-community.org/koha-24-11-02-released
CVE-2025-0177 | Javo Core plugin for WordPress is vulnerable to privilege escalation | 9.8 | 17.02% | 2025-03-08 | CWE-269 (Improper Privilege Management) | <= 3.0.0.080 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7d636768-37b4-4343-9028-30e7b1f997f2
CVE-2025-1770 | Eventin plugin for WordPress is vulnerable to Local File Inclusion, used to bypass access controls, obtain sensitive data, or achieve code execution | 8.8 | 38.43% | 2025-03-20 | CWE-22 (Path Traversal) | <= 4.0.24 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5f24baee-7003-449b-9072-d95fa1e26c8f
CVE-2025-0316 | WP Directorybox Manager plugin for WordPress is vulnerable to authentication bypass | 9.8 | 23.84% | 2025-02-08 | CWE-288 (Authentication Bypass Using an Alternate Path or Channel) | <= 2.5 | https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-directorybox-manager/wp-directorybox-manager-25-authentication-bypass
CVE-2025-27607 | Python JSON Logger is vulnerable to RCE through a missing dependency | 8.8 | 67.19% | 2025-03-07 | CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) | >= 3.2.0, <= 3.2.1 | https://github.com/nhairs/python-json-logger/security/advisories/GHSA-wmxh-pxcx-9w24
CVE-2025-24035 | Sensitive data storage in improperly locked memory in Windows Remote Desktop Services allows an unauthorized attacker to execute code over a network | 8.1 | 39.45% | 2025-03-11 | CWE-591 (Sensitive Data Storage in Improperly Locked Memory) | Windows 11, Server, 2008 R2, etc. | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24035

March 2025 Vulnerability Trends

Curiosity Questionnaire of the Month

We were asked a number of curious questions during the month, and thought we should share those insights here.

What are some typical elements in an enterprise vulnerability management workflow?

1) Discovery

  • Asset discovery: map hardware, software, network, and storage elements
  • Identify vulnerabilities through scanning tools, vendor advisories, and threat intelligence feeds

2) Assessment and Categorization

  • Analyze vulnerabilities based on severity, exploitability, the underlying environment, and potential business impacts such as financial loss or exposure
  • Enrich vulnerability data with external third-party sources such as CISA advisories, public exploit repositories on GitHub, and threat analysis engines
  • Keep track of the asset inventory along with the versions in use

3) Prioritization

  • Identify the risk-based elements that drive enterprise prioritization
  • Evaluate factors including scores, asset criticality, exploitability, versioning, etc.
  • Revisit and readjust priorities based on evolving threat intel and exploit trends

4) Remediation

  • Define a remediation workflow that streamlines patching and configuration management changes, e.g. a GitOps workflow
  • Apply, automate, and verify patching on the relevant software, assets, etc.
  • Address critical vulnerabilities and zero-days first
  • Automate and verify the effectiveness of remediation efforts through follow-up scans or tests
  • Improve processes and detect any new vulnerabilities introduced during remediation

5) Reporting and Compliance

  • Document all vulnerability management activities in detailed reports for internal stakeholders and compliance purposes
  • Use reporting to analyze trends, measure effectiveness (e.g., MTTR), and forecast potential future risks

Are there open exploitability datasets for scanning and understanding exploitability?

OpenVEX is an implementation of VEX within the OpenSSF. It provides tooling for software projects to create and manage VEX documents. The project focuses on solving the challenges that hinder VEX adoption, such as document handling, identifier matching, and integration with scanners.

Vulnerability Exploitability eXchange (VEX) is a framework designed to communicate information about vulnerabilities and their exploitability. VEX helps organizations prioritize vulnerabilities more effectively. A VEX document is machine-readable and tells operators whether a particular vulnerability actually affects a specific product in the context of an implementation.

VEX is designed to work together with existing software bills of materials (SBOMs) to be most effective. SBOMs typically list the components and services of a software product along with their versions. By integrating SBOMs with vulnerability status information, operators can identify the affected products and versions and remediate them.

Using the information in VEX, along with SBOMs, one may ask questions such as “Is any specific CVE actually present in the product?”, or “Given this product and version, is it exploitable in this configuration?”, etc.

How can security service providers act quickly to identify and alert on vulnerabilities?

Security service providers must streamline their vulnerability alerting workflows in advance in order to react swiftly to emerging threats and zero-days. Services can start by automating real-time ingestion of feeds from NVD, CISA KEV, vendor advisories, and exploit databases, and by syncing threat intel feeds frequently. Providers can further enhance relevance by integrating VEX documents to filter out non-exploitable vulnerabilities.

Prioritize alerts using CVSS, EPSS, and exploit status to focus on actionable risks. Build automated pipelines that trigger immediate notifications via email, Slack, or the customer's SIEM when critical CVEs with confirmed exposure are detected. Implement a fast, indexed matching engine (e.g., SQLite or Elastic) and build lightweight rule engines to define alert thresholds and delivery logic. Maintain asset- or service-level graphs for each customer to support impact-scoped notifications. Consider enabling customer subscriptions to specific risk categories for more targeted alerts. By automating this end-to-end process, from feed ingestion to scoped notification, security providers can cut alerting time from days to minutes, improve customer response, and strengthen overall threat posture.
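The pieces described in the two answers above (a VEX filter over SBOM-style product identifiers, a threshold rule engine over CVSS/EPSS/KEV, and per-customer asset scoping) fit together in the small pipeline below. This is an added example written for this newsletter, not vFeed or OpenVEX project code; the OpenVEX statements, feed records, product purls and customer inventories are constructed for the demo (the EPSS probabilities for CVE-2025-24813 and CVE-2025-29927 are the ones quoted on this page, everything else is invented).

```python
"""Feed records -> VEX filter -> rule thresholds -> per-customer scoped alerts."""
import json
from dataclasses import dataclass

# Constructed OpenVEX document. Field names follow the OpenVEX specification
# (context, statements, status, justification); ids and content are invented.
OPENVEX_DOC = json.loads("""{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/2025-03-demo",
  "author": "Example PSIRT (constructed)",
  "timestamp": "2025-03-20T00:00:00Z",
  "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-2025-24813"},
     "products": [{"@id": "pkg:maven/org.apache.tomcat/tomcat@9.0.98"}],
     "status": "affected"},
    {"vulnerability": {"name": "CVE-2025-27607"},
     "products": [{"@id": "pkg:pypi/python-json-logger@3.2.1"}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"}
  ]}""")

# Constructed feed records as they would look after merging NVD, KEV and EPSS.
# KEV flags, the 27607 EPSS value and the product lists are invented.
FEED = {
    "CVE-2025-24813": {"cvss": 9.8, "epss": 0.88451, "kev": True,
                       "products": ["pkg:maven/org.apache.tomcat/tomcat@9.0.98"]},
    "CVE-2025-29927": {"cvss": 9.1, "epss": 0.83133, "kev": False,
                       "products": ["pkg:npm/next@15.2.2"]},
    "CVE-2025-27607": {"cvss": 8.8, "epss": 0.55, "kev": False,
                       "products": ["pkg:pypi/python-json-logger@3.2.1"]},
}

# Constructed per-customer asset inventory (the "service-level graph").
INVENTORY = {
    "acme": ["pkg:maven/org.apache.tomcat/tomcat@9.0.98",
             "pkg:pypi/python-json-logger@3.2.1"],
    "globex": ["pkg:npm/next@15.2.2", "pkg:npm/next@14.2.25"],
}

NON_EXPLOITABLE = {"not_affected", "fixed"}   # VEX statuses that suppress an alert


@dataclass(frozen=True)
class Alert:
    customer: str
    cve: str
    product: str
    severity: str


def vex_status(doc, cve, product):
    """Return the VEX status for (cve, product), or 'unknown' if no statement matches."""
    for stmt in doc.get("statements", []):
        if stmt["vulnerability"]["name"] != cve:
            continue
        if any(p["@id"] == product for p in stmt.get("products", [])):
            return stmt["status"]
    return "unknown"


def severity(rec, cvss_critical=9.0, epss_high=0.5):
    """Rule engine: KEV-listed or CVSS >= 9.0 is critical, EPSS >= 0.5 is high, else no alert."""
    if rec["kev"] or rec["cvss"] >= cvss_critical:
        return "critical"
    if rec["epss"] >= epss_high:
        return "high"
    return None


def scoped_alerts(feed, vex_doc, inventory):
    """Join feed records to each customer's inventory, drop pairs a VEX statement marks
    non-exploitable, and emit one alert per (customer, cve, product) over threshold."""
    alerts = []
    for customer, assets in inventory.items():
        owned = set(assets)
        for cve, rec in feed.items():
            sev = severity(rec)
            if sev is None:
                continue
            for product in rec["products"]:
                if product not in owned:
                    continue                      # not in this customer's graph
                if vex_status(vex_doc, cve, product) in NON_EXPLOITABLE:
                    continue                      # vendor says not exploitable here
                alerts.append(Alert(customer, cve, product, sev))
    return alerts


if __name__ == "__main__":
    for a in scoped_alerts(FEED, OPENVEX_DOC, INVENTORY):
        print(f"[{a.severity}] notify {a.customer}: {a.cve} in {a.product}")
```

With the sample data, acme gets a critical alert for Tomcat only (its python-json-logger finding is suppressed by the not_affected VEX statement) and globex gets one for Next.js 15.2.2.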

What are “silently patched vulnerabilities”?

Silently patched vulnerabilities are vulnerabilities fixed by vendors without a prior CVE assignment. They can pose a serious risk because they fly under the radar of most traditional vulnerability management systems.

Here are some ways to identify silently patched vulnerabilities:

  • Monitor vendor software changelogs and release notes
  • Study recent exploit/PoC repositories
  • Follow social and community feeds (crowdsourced and community intel)
  • Use threat intel feeds that reference patch coverage, such as zero-days
  • Profile vendors by tracking which ones habitually fix issues silently

How can enterprises use AI/ML to reduce false positives in vulnerability scanners?

Enterprises can significantly reduce false positives in vulnerability scanners by integrating AI/ML into their security workflows. The key is context-aware filtering combined with feedback loops that retrain the ML vulnerability models on triage outcomes.

First, apply context-aware filtering using AI to assess whether a vulnerability is exploitable in your specific environment by combining data from asset inventories, network exposure, and exploitability metrics like EPSS or CISA KEV. Next, use supervised learning models trained on historical triage decisions to suppress recurring false positives and adapt prioritization to your environment over time. Incorporate code and binary analysis to detect whether vulnerable code paths are actually reachable or used in runtime, which helps differentiate between theoretical and real risks. Leverage NLP to analyze vendor advisories, changelogs, and VEX documents to determine if vulnerabilities are applicable or already mitigated. One could build graph-based risk models to map vulnerabilities in the context of critical assets, user access, and attack paths. Finally, correlate scanner alerts with behavioral data from runtime tools like EDR or RASP to validate whether an alert indicates real-world exploitability. These steps not only reduce alert fatigue but also improve focus, remediation speed, and trust in the vulnerability management process. By continuously learning from data and adapting to operational context, AI-driven systems can turn noisy scanner outputs into accurate, actionable insights.

EPSS Tracker in March 2025

EPSS provides two key values for each CVE. The EPSS “probability” is the estimated likelihood that a given CVE will be exploited in the next 30 days (a number between 0 and 1). The EPSS “percentile” is the ranking of a CVE’s probability relative to all other CVEs in the dataset (a number between 0 and 1). We looked at these metrics for CVEs in March 2025, and found the following ones that may be exploited in the near future.

CVE-2025-24813

A critical vulnerability in Apache Tomcat (CVE-2025-24813) was discovered affecting versions 9.0.0-M1 to 9.0.98, 10.1.0-M1 to 10.1.34, and 11.0.0-M1 to 11.0.2. It combines a previously unknown path equivalence flaw with deserialization of untrusted data, potentially enabling remote code execution (RCE). Attackers upload malicious files via HTTP PUT requests and trigger deserialization to execute payloads. Exploitation requires specific configurations, such as enabled file-based session storage and writable directories.

https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq

EPSS percentile 0.99472, probability: 0.88451

CVE-2025-29927

Next.js is a React framework for building full-stack web applications. Prior to 14.2.25 and 15.2.3, it is possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 14.2.25 and 15.2.3.

https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw

EPSS percentile 0.99206, probability: 0.83133

CVE-2025-1661

The HUSKY Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.6.5 via the ‘template’ parameter of the woof_text_search AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other file types can be uploaded and included.

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woocommerce-products-filter/husky-products-filter-professional-for-woocommerce-1365-unauthenticated-local-file-inclusion

EPSS percentile 0.99206, probability: 0.83133

Kubernetes Services Vulnerabilities

CVE-2025-29922 (CVSS3 Base 9.6, EPSS Percentile 4.22%)

kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.26.3, the identified vulnerability allows creating or deleting an object via the APIExport VirtualWorkspace in any arbitrary target workspace for pre-existing resources. By design, this should only be allowed when the workspace owner decides to give access to an API provider by creating an APIBinding. With this vulnerability, it is possible for an attacker to create and delete objects even if none of these requirements are satisfied, i.e. even if there is no APIBinding in that workspace at all or the workspace owner has created an APIBinding, but rejected a permission claim. A fix for this issue has been identified and has been published with kcp 0.26.3 and 0.27.0.

https://github.com/kcp-dev/kcp/security/advisories/GHSA-w2rr-38wv-8rrp

CVE-2025-2241 (CVSS3 Base 8.2, EPSS Percentile 5.61%)

A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes VCenter credentials to be exposed in the ClusterProvision object after provisioning a VSphere cluster. Users with read access to ClusterProvision objects can extract sensitive credentials even if they do not have direct access to Kubernetes Secrets. This issue can lead to unauthorized VCenter access, cluster management, and privilege escalation.

https://access.redhat.com/security/cve/CVE-2025-2241

CVE-2025-29781 (CVSS3 Base 6.2, EPSS Percentile 11.72%)

The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. Baremetal Operator enables users to load Secrets from arbitrary namespaces upon deployment of the namespace-scoped Custom Resource `BMCEventSubscription`. Prior to versions 0.8.1 and 0.9.1, an adversary Kubernetes account with only namespace-level roles (e.g. a tenant controlling a namespace) may create a `BMCEventSubscription` in their authorized namespace and then load Secrets from namespaces they are not authorized for into their authorized namespace via the Baremetal Operator, causing Secret leakage.

https://github.com/metal3-io/baremetal-operator/security/advisories/GHSA-c98h-7hp9-v9hq

The MITRE Engage™ Adversary Engagement Framework

MITRE Engage™ emerged as an evolution of MITRE’s work in cyber deception and adversary engagement, building on nearly a decade of internal research and collaboration with the defense and intelligence communities. It was publicly launched by MITRE in 2021 as a complementary framework to MITRE ATT&CK, but with a different goal: rather than just mapping adversary behavior, Engage helps organizations proactively influence, delay, or collect intelligence on attackers.

Originally known as the MITRE Shield project, Engage consolidates practical knowledge about using deception technologies, honeypots, and strategic engagement tactics into a structured matrix similar to ATT&CK.

MITRE Engage is designed for:

  • Blue teams and threat hunters building active defense playbooks
  • Red teams and adversary emulation teams planning realistic attack scenarios
  • Threat intelligence analysts studying attacker behavior via engagement telemetry
  • CISOs and architects looking to incorporate cyber deception into risk mitigation

It is especially valuable for sectors with high-value assets (e.g., government, critical infrastructure, financial services) that want to go beyond detection and take control of adversary interactions.

For more details, see https://engage.mitre.org/

How is AI Strengthening Zero Trust?

The article was authored by Aparna Achanta, Principal Security Architect, IBM, and published in 2025.

The article presents some powerful key findings on applying AI to zero trust. The author argues that security tools struggle to keep up with AI-powered cyberattacks, making Zero Trust architectures increasingly important. AI and automation strengthen Zero Trust by automating threat response, adapting access controls in real time, and analyzing behavior to detect anomalies. Organizations therefore need to adopt AI-powered solutions within their Zero Trust frameworks for continuous analysis, authentication, and access management to effectively combat modern cyber threats. Regular retraining of the AI models is also essential.

Because attackers use AI and generative AI to produce exploits, integrating AI into Zero Trust is crucial to detect and neutralize sophisticated threats like AI-powered phishing. Furthermore, dynamically adjusting user access based on risk assessments that incorporate factors like location, device security, and behavior is now common practice; this calls for frequently reassessing risks and priorities and for applying Just-in-Time (JIT) and Just-Enough-Access (JEA) principles.

For more details, see https://cloudsecurityalliance.org/blog/2025/02/27/how-is-ai-strengthening-zero-trust 

Calculating Risks using the NIST 800-30 Framework

The NIST 800-30 framework provides a structured approach to assessing security risks by focusing on the interplay among threats, vulnerabilities, impacts, and likelihood. One of the key elements is evaluating the likelihood of threat events, which refers to the probability that a given vulnerability will be exploited, resulting in an adverse impact. In Section 2.3.1 of the guide, this is described as the “Threat Event Likelihood”, a combination of adversary intent, capability, and the effectiveness of existing controls. Importantly, this is not a purely statistical probability but a qualitative judgment based on observable indicators and informed assumptions.

NIST recommends assigning likelihood scores on a qualitative scale from 0 to 100, which can then be grouped into tiers such as: Low (0–30), Moderate (31–70), and High (71–100). This scoring reflects how plausible a threat event is, considering both known adversary behavior and the exposure of the asset in question.

Risk is calculated by combining this likelihood score with the potential impact of a successful exploitation. Impact itself can also be quantified using organizational values (financial loss, operational disruption, legal penalties, etc.), allowing a risk matrix or risk score to be generated for prioritization. This method helps decision-makers focus on the most critical threats by balancing evidence, adversary posture, and consequence. The NIST 800-30 framework is particularly useful because it supports both qualitative and semi-quantitative models, enabling organizations of all maturity levels to implement practical, defensible risk assessments aligned with federal and industry best practices.

NIST SP 800-30 Rev. 1 Guide for Conducting Risk Assessments

https://csrc.nist.gov/pubs/sp/800/30/r1/final

Bridging the Gap: A Study of AI-based Vulnerability Management between Industry and Academia, Wan et al., May 2024

In this research manuscript titled “Bridging the Gap: A Study of AI-based Vulnerability Management between Industry and Academia”, cybersecurity researchers investigate the disconnect between academic research and industry adoption of AI in software vulnerability management. The article was published in the IEEE/IFIP International Conference on Dependable Systems and Networks, Industry Track, in May 2024. The authors specifically discuss the challenges faced in Vulnerability Assessment, Vulnerability Repair and Security Training. They identify AI opportunities for each of these areas, and show that although AI models show promise in outperforming traditional static analysis tools, the industry remains hesitant. Through discussions and observations, the authors identify three main barriers: complicated requirements for scalability and prioritization, limited customization flexibility, and unclear financial implications. The study also notes that research is hindered by a lack of real-world security data and expertise. The authors propose future directions to better align research with industry needs, improve the usability of AI-based security vulnerability research, and foster collaboration between industry and academia.

This article titled “Bridging the Gap: A Study of AI-based Vulnerability Management between Industry and Academia”, Wan et al., Mar. 2024 can be found here: https://arxiv.org/pdf/2405.02435 

Some of their findings included the following:

  • Challenges in research limitations: academic research in vulnerability management is significantly hindered by the lack of extensive real-world security data and expertise, which limits the practical applicability of the models. Real-time feed data that is kept up to date and correlated across sources is harder to find.
  • Barriers in industry adoption: limited customization of vulnerability management data and models, unclear financial implications, and complex scaling and prioritization requirements act as significant industry barriers.
  • Minding the gaps between research and practice: despite AI-based models showing promising results in outperforming traditional static analysis tools for vulnerability management, the industry remains cautious about integrating these techniques into its security workflows.

May you live in interesting times! 🙂

Click here to schedule your demo with vFeed Threat Intel today!