We are excited to launch our latest series, the CrowdSec VulnTracking Reports. In these monthly reports, we will be exploring key insights on emerging vulnerabilities and CVE exploitation trends, as spotted by the CrowdSec Network.
In March 2025, we added detection for 34 vulnerabilities and/or exploits to our database — translating into scenarios for the CrowdSec Security Engine, appsec rules for the CrowdSec WAF, and updated entries in our CTI.
Accelerating adoption allows us to be increasingly efficient at identifying and surfacing vulnerabilities that are being exploited in the wild.
While much of this has been happening under the radar, the CrowdSec team values transparency above all else, so we decided to share our findings with the rest of the world.
Without further ado, let’s jump into the key insights for the March 2025 CrowdSec VulnTracking Report.
Expectation vs. reality
One of the things that struck us while working on this month’s report was the discrepancy between the press coverage a vulnerability receives and the actual interest malicious actors show in it.
For example, two vulnerabilities that have been getting much coverage recently are CVE-2024-55591 and CVE-2024-13159. The fact that FortiOS, Ivanti (or other firewall and VPN vendors) have been getting a lot of heat and attention recently might not be unrelated, but the results are here:
- CVE-2024-55591: FortiOS authentication bypass. While more than 500 IPs are actively scanning for this vulnerability, over 90% of the IPs are legitimate and belong to organizations such as ShadowServer.
- CVE-2024-13159: Ivanti information leak. We are currently seeing very little real-life attention, with fewer than a hundred IPs actively scanning.
On the other hand, some significantly older vulnerabilities can get a second wind and gather a surprising amount of attention from malicious actors.
- CVE-2021-43798, a path traversal vulnerability in Grafana, has over ten thousand distinct IPs scanning for it this week alone. As VulnCheck reported, that vulnerability was disclosed just before the Log4Shell hysteria, and three years later, nearly 10% of exposed systems are still unpatched.
- CVE-2019-17538, a path traversal in Jiangnan Online Judge, while significantly less popular (around 130 IPs were scanning for it this week), has regained popularity over the last month.
Vulnerability signatures added to the CrowdSec database in March 2025
- CVE-2021-41773: Apache Software Foundation Apache HTTP Server vulnerability.
- CVE-2021-43798: Grafana vulnerability.
- CVE-2024-55591: Fortinet FortiOS vulnerability.
- CVE-2021-44529: Ivanti EPM vulnerability.
- CVE-2024-48248: NAKIVO Backup & Replication vulnerability.
- CVE-2023-30625: rudderlabs rudder-server vulnerability.
- CVE-2024-46507: Yeti vulnerability.
- CVE-2024-57727: SimpleHelp path traversal.
- CVE-2012-3153: Oracle Fusion path traversal.
- CVE-2019-17538: Directory traversal vulnerability in jnoj.
- CVE-2013-3827: Local File Inclusion (LFI) vulnerabilities in Oracle Fusion.
- CVE-2024-7097: WSO2 User signup.
- CVE-2023-4220: Chamilo vulnerability.
- CVE-2024-5082: Sonatype Nexus Repository vulnerability.
- CVE-2024-13159: Ivanti Endpoint Manager vulnerability.
- CVE-2024-32737: CyberPower PowerPanel Enterprise vulnerability.
- CVE-2025-24893: xwiki-platform vulnerability.
- CVE-2022-43939: Hitachi Vantara Pentaho Business Analytics vulnerability.
- CVE-2019-10232: GLPI SQL Injection.
- CVE-2022-25488: Atom CMS SQL Injection.
- CVE-2022-41412: PerfSONAR SSRF.
- CVE-2023-48728: WWBN AVideo vulnerability.
- CVE-2024-8877: Riello Netman 204 vulnerability.
- CVE-2020-22208: 74CMS SQL Injection.
- CVE-2017-12637: SAP NetWeaver Directory Traversal.
- CVE-2022-0434: Page View Count SQL injection.
- CVE-2024-46982: Vercel Next.js vulnerability.
- CVE-2023-24489: Citrix ShareFile Storage vulnerability.
- CVE-2025-29927: Vercel Next.js vulnerability.
- CVE-2025-24813: Apache Software Foundation Apache Tomcat vulnerability.
- CVE-2024-12105: Progress Software Corporation WhatsUp Gold vulnerability.
- CVE-2024-9047: nickboss WordPress File Upload vulnerability.
- CVE-2024-56064: Azzaroco WP SuperBackup vulnerability.
- CVE-2023-25826: OpenTSDB vulnerability.