Learn how to maximize protection and reduce security & operational costs.

Download guide

Share your feedback on the CrowdSec WAF & MISP for a chance to win special CrowdSec swag! 

Share now

CrowdSec

VulnTracking Reports
vulntracking june 2025

CrowdSec VulnTracking Report: June 2025

Welcome to the CrowdSec VulnTracking Report. In these monthly reports, we explore key insights on emerging vulnerabilities and CVE exploitation trends, as spotted by the CrowdSec Network.

In June 2025, we added detection for 46 vulnerabilities and/or exploits to our database, translating them into scenarios for the CrowdSec Security Engine, AppSec rules for the CrowdSec WAF, and updated entries in our CTI

The Speed of Exploitation: Old vs. New Vulnerabilities

Much light has recently been shed on “how fast can the bad guys weaponize vulnerabilities” and “how fast can the good guys patch said vulnerabilities”. However, as we highlighted in our recent analysis, many legitimate “attack surface management” (or continuous vulnerability scanning for those who missed the hype train) rely on the availability of publicly available exploits, and so do (most of) the bad guys. 

However, examining on a large scale (around 20 million daily attacks reported from more than a hundred thousand distinct setups in over 150 countries), we observe that much of the exploitation focuses on older and lower-profile vulnerabilities. Vulnerabilities can regain relevance when a specific actor exploits them or when they receive significant attention (e.g., public exploit release, CVE attribution, etc.).

The Atlantic Council recently released a report called “Crash (exploit) and burn: Securing the offensive cyber supply chain to counter China in cyberspace”. While the article frames the discussion largely through a competitive U.S.-China lens and is worth reading, it highlights several compelling points. Most relevant to our current discussion is China’s proficiency in maintaining functional exploits for older vulnerabilities (n-days) over extended periods.

This directly echoes some of the topics we covered in our recent posts. We regularly see active exploitation campaigns focused on older or less-marketed vulnerabilities. Those vulnerabilities sometimes do not get the deserved attention in monitoring or detection, while being very practical and much more common. 

On the other hand, let’s not fool ourselves: high-profile vulnerabilities, typically targeting enterprise software, repeatedly get exploited in the wild within less than 24 hours. This month was no exception, with vulnerabilities targeting enterprise CMS SiteCore (CVE-2025-34509, CVE-2025-34510, and CVE-2025-34511) exploited within 12 hours of the report by WatchtTowr.

Vulnerability signatures added to the CrowdSec database in June 2025

  1. CVE-2023-29298: ColdFusion – Authentication Bypass
  2. CVE-2020-2096: Jenkins Gitlab Hook Plugin – XSS
  3. CVE-2024-0692: SolarWinds Security Event Manager – RCE
  4. CVE-2025-27007: SureTriggers – Privilege Escalation
  5. CVE-2022-1391: Cab fare calculator – Path Traversal
  6. CVE-2017-12149: JbossAS – RCE
  7. CVE-2024-7399: MagicINFO 9 Server – Path Traversal
  8. CVE-2025-5086: DELMIA Apriso – RCE
  9. CVE-2020-28188: TerraMaster TOS – RCE
  10. CVE-2023-39780: RT-AX55 – RCE
  11. CVE-2025-4009: 3080ipx-10G – RCE
  12. CVE-2025-20188: Cisco IOS XE Software – Hardcoded Credentials
  13. CVE-2019-9632: ESAFENET – Arbitrary File Download
  14. CVE-2024-48914: Vendure – Path Traversal
  15. CVE-2025-2775: SysAid On-Prem – XXE
  16. CVE-2021-40856: Auerswald COMfortel – Path Traversal
  17. CVE-2023-3836: Smart Park Management – RCE
  18. CVE-2023-22893: Strapi – Authentication Bypass
  19. CVE-2024-10443: BeePhotos – RCE
  20. CVE-2025-34509: Sitecore – Authentication Bypass
  21. CVE-2025-2636: InstaWP Connect – Path Traversal
  22. CVE-2009-1558: Cisco Linksys – Path Traversal
  23. CVE-2023-5074: D-View 8 – Authentication Bypass
  24. CVE-2023-38950: ZKBio Time – Path Traversal
  25. CVE-2025-34510: Sitecore – Path Traversal
  26. CVE-2023-34990: FortiWLM – Path Traversal
  27. CVE-2025-49113: RoundCube Webmail – RCE
  28. (Generic) PHP Info Detection
  29. (Generic) HTTP SAP Interface Probing
  30. (Generic) Protect WordPress uploads directory from listing files
  31. CVE-2021-22005: VMware vCenter Server – Arbitrary File Upload
  32. CVE-2025-34511: Sitecore – Arbitrary File Upload
  33. CVE-2019-19781: Citrix ADC – Path Traversal
  34. CVE-2018-16670: CIRCONTROL CirCarLife – Information Disclosure
  35. CVE-2025-0107: Cloud NGFW – RCE
  36. CVE-2023-35885: CloudPanel – RCE
  37. CVE-2024-12987: Vigor2960 – RCE
  38. CVE-2025-2776: SysAid On-Prem – XXE
  39. CVE-2023-2059: DedeCMS – Path Traversal
  40. CVE-2025-30406: CentreStack – RCE
  41. CVE-2022-39952: FortiNAC – RCE
  42. CVE-2023-22463: KubePi – Authentication Bypass
  43. CVE-2025-26793: Enterphone MESH – Hardcoded Credentials
  44. CVE-2024-29855: Recovery Orchestrator – Authentication Bypass
  45. CVE-2021-24227: Patreon WordPress – Path Traversal
  46. CVE-2025-4322: Motors Theme – Authentication Bypass

WRITTEN BY