Welcome to the CrowdSec VulnTracking Report. In these monthly reports, we explore key insights on emerging vulnerabilities and CVE exploitation trends, as spotted by the CrowdSec Network.
In July 2025, we added detection for 35 vulnerabilities and/or exploits to our database, translating them into scenarios for the CrowdSec Security Engine, AppSec rules for the CrowdSec WAF, and updated entries in our CTI.
Summer is finally here! Nice weather, barbecues, Citrix RCEs, and your usual Fortinet SQLi.
When looking at recent high-profile vulnerabilities, we noticed a steep increase in ephemeral scanning infrastructures, especially those targeting more “enterprise” software or appliances.
Ephemeral scanning infrastructures are machines that attackers deploy or rent for a single purpose: exploiting one specific vulnerability, after which the hosts are discarded.
We noticed that these hosts are usually rented from large VPS or cloud providers rather than being compromised machines.
Most striking is how fast the operators came up with (seemingly) weaponized exploits for vulnerabilities where, at best, only a technical write-up was public. In the examples below, the attackers began scanning for exploitable targets less than 24 hours after the write-up or PoC was published.
For example, looking at Fortinet’s CVE-2025-25257, we spotted a handful of IPs that started scanning on July 11th, the same day the technical write-up by watchTowr appeared, and stopped within 24 hours (for example, 54.161.201.250 or 3.82.158.84).
The same pattern appeared with CVE-2025-5777: IPs started their activity on the day the PoC was published and went dark within 72 hours.
While we can only speculate about the intent of the actors controlling those machines, the speed of execution is impressive. Their short lifetime, combined with the fact that they are not trying to scan the whole internet, makes them much harder to catch unless you have a large enough sensor network.
Our main takeaway is that blocklists (which block around 90% of scanning at large scale) and threat feeds (which also carry lower-confidence indicators such as these short-lived IPs) work best when used together.
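To make the pattern concrete, here is an added example (not CrowdSec code) that separates ephemeral exploitation hosts from long-lived mass scanners using only three signals: when an IP first appeared relative to the exploit publication date, how long it stayed active, and how many hits it produced. The sightings are constructed; the two AWS IPs and the July 11th write-up date come from the paragraphs above, while the CVE-2025-5777 publication date, the other IPs and all timestamps are made up. The 24-hour and 72-hour thresholds are the ones observed above, exposed as parameters.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Exploit publication dates. July 11 2025 is the CVE-2025-25257 write-up date
# from the report; the CVE-2025-5777 date is a placeholder (assumption).
PUBLICATION = {
    "CVE-2025-25257": datetime(2025, 7, 11),
    "CVE-2025-5777": datetime(2025, 7, 4),  # assumed, not from the report
}

# Constructed sightings: (source ip, scenario/CVE, UTC timestamp). Not real telemetry.
SIGHTINGS = [
    ("54.161.201.250", "CVE-2025-25257", "2025-07-11T09:12:00"),
    ("54.161.201.250", "CVE-2025-25257", "2025-07-11T09:13:00"),
    ("54.161.201.250", "CVE-2025-25257", "2025-07-11T20:40:00"),
    ("3.82.158.84",    "CVE-2025-25257", "2025-07-11T15:02:00"),
    ("3.82.158.84",    "CVE-2025-25257", "2025-07-12T03:30:00"),
    ("198.51.100.7",   "CVE-2025-5777",  "2025-07-04T11:00:00"),
    ("198.51.100.7",   "CVE-2025-5777",  "2025-07-06T22:00:00"),
    # A background mass scanner that keeps probing for weeks (constructed).
    ("203.0.113.9",    "CVE-2025-25257", "2025-07-12T08:00:00"),
    ("203.0.113.9",    "CVE-2025-25257", "2025-07-19T08:00:00"),
    ("203.0.113.9",    "CVE-2025-25257", "2025-07-28T08:00:00"),
]

MAX_LAG = timedelta(hours=24)       # started within a day of publication
MAX_LIFETIME = timedelta(hours=72)  # went dark within three days


def profile(sightings):
    """Collapse raw sightings into first_seen / last_seen / hit count per (ip, cve)."""
    stamps = defaultdict(list)
    for ip, cve, ts in sightings:
        stamps[(ip, cve)].append(datetime.fromisoformat(ts))
    return {
        key: {"first_seen": min(v), "last_seen": max(v), "hits": len(v)}
        for key, v in stamps.items()
    }


def classify(sightings, publication=PUBLICATION,
             max_lag=MAX_LAG, max_lifetime=MAX_LIFETIME):
    """Label each (ip, cve) pair.

    'ephemeral'  : first seen within max_lag of publication and active for at
                   most max_lifetime (the pattern described in the report)
    'long-lived' : active longer than max_lifetime, i.e. a persistent scanner
    'other'      : short-lived but not tied to the publication date
    """
    labels = {}
    for (ip, cve), p in profile(sightings).items():
        lag = p["first_seen"] - publication[cve]
        lifetime = p["last_seen"] - p["first_seen"]
        if lifetime > max_lifetime:
            labels[(ip, cve)] = "long-lived"
        elif timedelta(0) <= lag <= max_lag:
            labels[(ip, cve)] = "ephemeral"
        else:
            labels[(ip, cve)] = "other"
    return labels


def placement(label):
    """Where an indicator belongs: persistent scanners are high-confidence
    blocklist material; short-lived hosts go to a threat feed with a short TTL."""
    return "blocklist" if label == "long-lived" else "threat-feed"


if __name__ == "__main__":
    profiles = profile(SIGHTINGS)
    for key, label in sorted(classify(SIGHTINGS).items()):
        p = profiles[key]
        print(f"{key[0]:>15} {key[1]:<15} {label:<10} {placement(label):<11} "
              f"hits={p['hits']} window={p['last_seen'] - p['first_seen']}")
```

The `placement` step is the takeaway above in code form: an IP that only existed for a day will never accumulate enough sightings to earn a place on a blocklist, so it has to be delivered as a low-confidence, short-lived indicator instead, while the weeks-long scanner is exactly what a blocklist is good at.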
Vulnerability signatures added to the CrowdSec database in July 2025
- CVE-2024-50334: Scoold – Authentication Bypass
- CVE-2025-32815: Infoblox NetMRI – Authentication Bypass
- CVE-2022-23397: Cedar Gate EZ-NET portal – XSS
- Infinitt PACS System – Arbitrary File Upload
- CVE-2023-49230: Peplink – Missing Authorization
- Citrix Probing
- CVE-2015-2280: AirLink101 SkyIPCam1620W – RCE
- CVE-2025-2264: Sante PACS Server – Path Traversal
- CVE-2019-9194: elFinder – RCE
- CVE-2024-36675: LyLme_spage – SSRF
- CVE-2025-48827: vBulletin – Authentication Bypass
- CVE-2024-9007: 123solar – XSS
- CVE-2020-0688: Microsoft Exchange Server – Authentication Bypass
- CVE-2025-32814: Infoblox – SQLi
- CVE-2022-36804: Bitbucket Server – RCE
- CVE-2025-47812: Wing FTP Server – RCE
- CVE-2024-29198: GeoServer – SSRF
- CVE-2025-32813: Infoblox NetMRI – RCE
- CVE-2025-41646: Revolution Pi webstatus – Authentication Bypass
- CVE-2024-11587: idcCMS – XSS
- HP iLO – Serial Key Scanning
- CVE-2025-25257: Fortinet FortiWeb Fabric Connector – SQLi
- CVE-2025-49493: CloudTest – XXE
- CVE-2020-9547: FasterXML – RCE
- CVE-2025-6216: Allegra – Authentication Bypass
- CVE-2021-21978: VMware View Planner – RCE
- CVE-2025-52488: Dnn.Platform – Information Disclosure
- CVE-2025-2712: UFIDA ERP-NC – XSS
- CVE-2025-34141: Reliance CG (legacy) – XSS
- CVE-2025-47813: Wing FTP Server – Information Disclosure
- CVE-2024-51977: Brother HL-L8260CDN – Information Disclosure
- CVE-2025-53770: Microsoft SharePoint Server – RCE
- CVE-2025-27505: GeoServer – Authentication Bypass
- CVE-2025-34040: OA – Path Traversal
- CVE-2025-5777: Citrix NetScaler – Memory Disclosure