CrowdSec VulnTracking Report: March 2025

We are excited to launch our latest series, the CrowdSec VulnTracking Reports. In these monthly reports, we will be exploring key insights on emerging vulnerabilities and CVE exploitation trends, as spotted by the CrowdSec Network.


In March 2025, we added detection for 34 vulnerabilities and/or exploits to our database, translating into scenarios for the CrowdSec Security Engine, AppSec rules for the CrowdSec WAF, and updated entries in our CTI.

The acceleration of the adoption allows us to be increasingly efficient at identifying and surfacing vulnerabilities being exploited in the wild. 

While much of this has been happening under the radar, the CrowdSec team values transparency above all else and we decided to communicate our findings with the rest of the world. 

Without further ado, let’s jump into the key insights for the March 2025 CrowdSec VulnTracking Report.

Expectation vs. reality

One of the things that struck us while working on this month’s report was the discrepancy between the press coverage a vulnerability receives and the actual interest malicious actors show in it.

For example, two vulnerabilities that have been getting a lot of coverage recently are CVE-2024-55591 and CVE-2024-13159. The fact that FortiOS, Ivanti, and other firewall and VPN vendors have been getting a lot of heat and attention recently might not be unrelated, but the results are here:

  • CVE-2024-55591: FortiOS authentication bypass. While more than 500 IPs are actively scanning for this vulnerability, over 90% of the IPs are legitimate and belong to organizations such as ShadowServer.
  • CVE-2024-13159: Ivanti information leak. Currently seeing very little real-life attention, with fewer than a hundred IPs actively scanning.

On the other hand, some significantly older vulnerabilities can get a second wind and attract a surprising amount of attention from malicious actors.

  • CVE-2021-43798, a path traversal vulnerability in Grafana, has over ten thousand distinct IPs scanning for it this week alone. As VulnCheck reported, that vulnerability was disclosed just before the Log4Shell hysteria, and three years later, nearly 10% of exposed systems are still unpatched.
  • CVE-2019-17538, a path traversal in Jiangnan Online Judge, while significantly less popular (around 130 IPs were scanning for it this week), has regained popularity over the last month.

Vulnerability signatures added to the CrowdSec database in March 2025

  1. CVE-2021-41773: Apache Software Foundation Apache HTTP Server vulnerability.
  2. CVE-2021-43798: Grafana vulnerability.
  3. CVE-2024-55591: Fortinet FortiOS vulnerability.
  4. CVE-2021-44529: Ivanti EPM vulnerability.
  5. CVE-2024-48248: NAKIVO Backup & Replication vulnerability.
  6. CVE-2023-30625: rudderlabs rudder-server vulnerability.
  7. CVE-2024-46507: Yeti vulnerability.
  8. CVE-2024-57727: SimpleHelp path traversal.
  9. CVE-2012-3153: Oracle Fusion path traversal.
  10. CVE-2019-17538: Directory traversal vulnerability in jnoj.
  11. CVE-2013-3827: Local File Inclusion (LFI) vulnerabilities in Oracle Fusion.
  12. CVE-2024-7097: WSO2 User signup.
  13. CVE-2023-4220: Chamilo vulnerability.
  14. CVE-2024-5082: Sonatype Nexus Repository vulnerability.
  15. CVE-2024-13159: Ivanti Endpoint Manager vulnerability.
  16. CVE-2024-32737: CyberPower PowerPanel Enterprise vulnerability.
  17. CVE-2025-24893: xwiki-platform vulnerability.
  18. CVE-2022-43939: Hitachi Vantara Pentaho Business Analytics vulnerability.
  19. CVE-2019-10232: GLPI SQL Injection.
  20. CVE-2022-25488: Atom CMS SQL Injection.
  21. CVE-2022-41412: PerfSONAR SSRF.
  22. CVE-2023-48728: WWBN AVideo vulnerability.
  23. CVE-2024-8877: Riello Netman 204 vulnerability.
  24. CVE-2020-22208: 74CMS SQL Injection.
  25. CVE-2017-12637: SAP NetWeaver Directory Traversal.
  26. CVE-2022-0434: Page View Count SQL injection.
  27. CVE-2024-46982: Vercel Next.js vulnerability.
  28. CVE-2023-24489: Citrix ShareFile Storage vulnerability.
  29. CVE-2025-29927: Vercel Next.js vulnerability.
  30. CVE-2025-24813: Apache Software Foundation Apache Tomcat vulnerability.
  31. CVE-2024-12105: Progress Software Corporation WhatsUp Gold vulnerability.
  32. CVE-2024-9047: nickboss WordPress File Upload vulnerability.
  33. CVE-2024-56064: Azzaroco WP SuperBackup vulnerability.
  34. CVE-2023-25826: OpenTSDB vulnerability.
