šŸŽ“ Protect learning with a 30% blocklist bundle discount for Educational Institutions.

Learn more

CrowdSec

VulnTracking Reports
vulntracking report september 2025

CrowdSec VulnTracking Report: September 2025

Welcome to the CrowdSec VulnTracking Report. In these monthly reports, we explore key insights on emerging vulnerabilities and CVE exploitation trends, as spotted by the CrowdSec Network.

In September 2025, we added detection for 55 vulnerabilities and/or exploits to our database, translating them into scenarios for the CrowdSec Security Engine, AppSec rules for the CrowdSec WAF, and updated entries in our CTI.

DataCenter IPs are seven times more likely to be used to exploit known vulnerabilities than residential IPs. 

Out of the tens of millions of IPs that we track every other month, a significant number are residential. According to various sources, more than 90% of all IPs fall into this category, which aligns with expectations.

What We Mean by ā€œResidentialā€

In our case, weā€™re defining residential IPs as IPs attributed to a household via an ISPā€™s broadband/fibre /mobile network, as opposed to IP addresses assigned to a hosting provider, cloud provider, or colocation facility. 

The Numbers Tell the Story

However, while more than 7% of tracked DataCenter IPs are actively (ie, last 15 days) exploiting known vulnerabilities, this number drops to below 1% for residential IPs. Yes, DataCenter IPs are seven times more likely to be used to exploit known vulnerabilities than residential IPs.

Why is that?

First of all, itā€™s much (really a lot) more expensive to use residential IPs, most of which are rented via ā€œresidential proxyā€ providers. 

How much? 

Well, Bright Data (the ā€œbiggestā€ and ā€œmost legitimateā€ Residential Proxy Providersā€”notice the quotes) charges around $4 per GB.Ā 

Secondly, some of those providers perform KYC. Yes, while it might come as a surprise, the biggest names out there (such as Bright Data) are legitimate businesses with a ā€œKnow Your Customerā€ process. They will clearly track potential abuse of their service and revoke customers’ accounts. On the other hand, a vast majority of DataCenter IPs ā€“ especially those on the low-cost end ā€“ completely ignore rampant abuse or even abuse reports.

Vulnerability signatures added to the CrowdSec database in September 2025

  1. WooCommerce Ultimate Gift Card – Arbitrary File Upload (CVE-2024-8425)Ā 
  2. HP OfficeConnect Network Switches – Authentication Bypass (CVE-2022-37932)Ā 
  3. XWiki-Platform – SQLi (CVE-2025-32969)Ā 
  4. FreePBX – SQLi (CVE-2025-57819)Ā 
  5. Cellinx NVT – Path Traversal (CVE-2023-23063)Ā 
  6. GoAnywhere MFT – RCE (CVE-2023-0669)Ā 
  7. MasaCMS – SQLi (CVE-2024-32640)Ā 
  8. Jan – Arbitrary File Read (CVE-2024-36857)Ā 
  9. Memos – XSS (CVE-2024-29029)Ā 
  10. WP Fastest Cache – Arbitrary File Deletion (CVE-2020-36836)Ā 
  11. jQuery File Upload Plugin – RCE (CVE-2014-8739)Ā 
  12. Memos – SSRF (CVE-2024-29028)Ā 
  13. LumisXP – XSS (CVE-2024-33326)Ā 
  14. Opsview Monitor Pro – Path Traversal (CVE-2016-10367)Ā 
  15. Frontend Login and Registration Blocks – Privilege Escalation (CVE-2025-3605)Ā 
  16. Dell EMC iDRAC – RCE (CVE-2018-1207)Ā 
  17. MapSVG – SQLi (CVE-2022-0592)Ā 
  18. Oracle E-Business Suite – RCE (CVE-2025-61882)Ā 
  19. Download Manager – RCE (CVE-2024-11740)Ā 
  20. Memos – SSRF (CVE-2024-29030)Ā 
  21. FortiSIEM – RCE (CVE-2025-25256)Ā 
  22. Profile Builder Plugin – Authentication Bypass (CVE-2021-24527)Ā 
  23. Images to WebP – Local File Inclusion (CVE-2021-24644)Ā 
  24. D-Link – Information Disclosure (CVE-2020-25078)Ā 
  25. Pivotal Spring Data REST and Spring Boot – RCE (CVE-2017-8046)Ā 
  26. FortiWeb – Authentication Bypass (CVE-2025-52970)Ā 
  27. Ultimate FAQs Plugin – XSS (CVE-2019-17233)Ā 
  28. Eclipse Jetty – Information Disclosure (CVE-2021-28169)Ā 
  29. Frontend File Manager Plugin – Authentication Bypass (CVE-2022-3124)Ā 
  30. Photo Gallery by 10Web Mobile-Friendly Image Gallery – SQLi (CVE-2022-0169)Ā 
  31. ND Booking – Authentication Bypass (CVE-2019-15774)Ā 
  32. XWiki-Platform – Open Redirect (CVE-2025-32970)Ā 
  33. XWiki-Platform – SQLi (CVE-2025-32429)Ā 
  34. TP-Link – RCE (CVE-2023-33538)Ā 
  35. XWiki-Platform – Information Disclosure (CVE-2025-46554)Ā 
  36. Rank Math Plugin – Redirect Creation (CVE-2020-11515)Ā 
  37. NetAlertX – Authentication Bypass (CVE-2024-46506)Ā 
  38. Hunk Companion – Missing Authorization (CVE-2024-11972)Ā 
  39. XWiki-Platform – Information Disclosure (CVE-2025-29925)Ā 
  40. MagicINFO 9 Server – Path Traversal (CVE-2025-4632)Ā 
  41. Linear eMerge E3-Series – SQLi (CVE-2022-38627)Ā 
  42. Letta – RCE (CVE-2025-51482)Ā 
  43. XWiki-Platform – RCE (CVE-2024-21650)Ā 
  44. Skyvern – RCE (CVE-2025-49619)Ā 
  45. SmartDataSoft SmartBlog for PrestaShop – SQLi (CVE-2021-37538)Ā 
  46. MikoPBX – Path Traversal (CVE-2025-52207)Ā 
  47. Contact Form Plugin – Authorization Bypass (CVE-2024-2782)Ā 
  48. Ivanti Connect Secure – RCE (CVE-2025-22457)Ā 
  49. LiteSpeed Cache – Privilege Escalation (CVE-2024-28000)Ā 
  50. Popup Builder – XSS (CVE-2023-6000)Ā 
  51. MCP Inspector – Authentication Bypass (CVE-2025-49596)Ā 
  52. Vitogate 300 Firmware – RCE (CVE-2023-45852)Ā 
  53. Unity – RCE (CVE-2025-36604)Ā 
  54. SAP NetWeaver – Arbitrary File Upload (CVE-2025-42922)Ā 
  55. Rank Math Plugin – Privilege Escalation (CVE-2020-11514)Ā 

WRITTEN BY