
CrowdSec VulnTracking Report: April 2025

Welcome to the CrowdSec VulnTracking Report. In these monthly reports, we explore key insights on emerging vulnerabilities and CVE exploitation trends, as spotted by the CrowdSec Network.


In March 2025, we added detection for 55 vulnerabilities and exploits to our database, translating them into scenarios for the CrowdSec Security Engine, AppSec rules for the CrowdSec WAF, and updated entries in our CTI.

Industrialisation efforts — and LLMs, let’s not lie — allow us to significantly increase the pace at which we can track new vulnerabilities (+61% month over month).

The yearly Verizon DBIR and VulnCheck Quarterly reports are out, and cross-reading highlights consistent patterns.

Expectation vs. reality

Verizon points out that vulnerability exploitation and credential abuse (including brute force) have increased, while social engineering (SE) has decreased slightly. At the same time, VulnCheck shows that nearly a third of vulnerabilities are reported as being exploited in the wild within one day of their disclosure.

This sub-24-hour metric isn’t overstated; the latest SAP NetWeaver (CVE-2025-31324) vulnerability shows it:

  • CVE published on Thursday, 24th
  • By Friday morning, without a public PoC, we had already identified several IPs exploiting it in the wild.
  • By Monday morning, still without a reliable public PoC, we identified more than 40 IPs exploiting it at scale.

On the other hand, DBIR points out a median delay of 32 to 38 days for complete remediation of disclosed vulnerabilities. 

This shrinkage of the time needed to weaponize vulnerabilities can be attributed to many factors. Still, the increasingly realistic ability of LLMs and newer models to produce reliable exploitation code is not to be underestimated, as highlighted in the recent CrowdSec Multimodal Offensive AI ebook.

To state the obvious, it means that attackers have plenty of time to exploit publicly disclosed vulnerabilities before organisations can patch them. The most worrying part is that the increased targeting of edge devices, namely VPNs and firewalls, makes the exercise even harder: they are harder to virtually patch and are often not as well integrated into the security ecosystem — for example, EDRs, forensic collection, and post-exploitation detection.

Can we expect organisations to patch within 24h? 

Certainly not for the majority of cases. 

Are we facing a no-win scenario? 

Not necessarily.

Over the last three months, out of the hundred CVEs CrowdSec started tracking, 67% of IPs exploiting those new vulnerabilities were already well known from the CrowdSec CTI. Yes, most attackers will maintain infrastructure over time, which can be used to our advantage. Also, nearly 30% of IPs were already part of the CrowdSec Blocklists before they even started exploiting those new vulnerabilities.
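The three numbers above (time from disclosure to first exploitation attempt, share of exploiting IPs already known to CTI, share already blocklisted before they started) are easy to measure on your own telemetry. The script below is an added example, not CrowdSec code: it runs the same analysis over a constructed set of observations for a CVE published at midnight on Thursday the 24th, a constructed CTI index (IP to first-report time) and a constructed blocklist (IP to inclusion time). All IPs are RFC 5737 documentation addresses and all timestamps are invented.

```python
"""Measure how much exploitation of a newly tracked CVE came from already-known infrastructure.

Added example with constructed data; the indexes and timestamps below are not CrowdSec telemetry.
"""
from __future__ import annotations

from datetime import datetime, timedelta

# Constructed: the CVE went public at midnight on Thursday 2025-04-24.
CVE_PUBLISHED = datetime(2025, 4, 24, 0, 0)

# Constructed observations: (ip, first time this IP was seen sending the exploit).
OBSERVATIONS = [
    ("203.0.113.10", datetime(2025, 4, 25, 8, 30)),
    ("198.51.100.7", datetime(2025, 4, 25, 9, 10)),
    ("192.0.2.44", datetime(2025, 4, 28, 3, 0)),
    ("203.0.113.99", datetime(2025, 4, 28, 6, 45)),
    ("198.51.100.200", datetime(2025, 4, 28, 7, 0)),
]

# Constructed CTI index: ip -> first time the IP was reported for any malicious behaviour.
CTI_FIRST_REPORTED = {
    "203.0.113.10": datetime(2025, 3, 1),
    "198.51.100.7": datetime(2025, 4, 10),
    "203.0.113.99": datetime(2025, 4, 20),
    "198.51.100.200": datetime(2025, 4, 29),  # only reported after it started exploiting
}

# Constructed blocklist: ip -> time the IP entered the blocklist.
BLOCKLIST_SINCE = {
    "203.0.113.10": datetime(2025, 3, 5),
    "203.0.113.99": datetime(2025, 4, 26),
    "198.51.100.200": datetime(2025, 4, 29),  # listed too late to help against this CVE
}


def time_to_first_exploitation(published: datetime, observations) -> timedelta:
    """Delay between public disclosure and the earliest exploitation attempt observed."""
    return min(seen for _, seen in observations) - published


def _listed_before(ip: str, seen: datetime, index: dict[str, datetime]) -> bool:
    """True if `ip` was in `index` strictly before its first exploitation attempt."""
    listed = index.get(ip)
    return listed is not None and listed < seen


def share_known_before_exploiting(observations, index: dict[str, datetime]) -> float:
    """Fraction of exploiting IPs that were already in `index` (CTI or blocklist) beforehand."""
    hits = sum(_listed_before(ip, seen, index) for ip, seen in observations)
    return hits / len(observations)


def blocklist_lead_times(observations, blocklist: dict[str, datetime]) -> dict[str, timedelta]:
    """For IPs blocked ahead of time, how long the block preceded their first exploit attempt."""
    return {
        ip: seen - blocklist[ip]
        for ip, seen in observations
        if _listed_before(ip, seen, blocklist)
    }


def summarize(published, observations, cti, blocklist) -> dict[str, object]:
    """Bundle the report's three headline metrics for one CVE."""
    leads = blocklist_lead_times(observations, blocklist)
    return {
        "time_to_first_exploitation": time_to_first_exploitation(published, observations),
        "share_known_in_cti": share_known_before_exploiting(observations, cti),
        "share_preblocked": share_known_before_exploiting(observations, blocklist),
        "shortest_blocklist_lead": min(leads.values()) if leads else None,
    }


if __name__ == "__main__":
    for key, value in summarize(CVE_PUBLISHED, OBSERVATIONS, CTI_FIRST_REPORTED, BLOCKLIST_SINCE).items():
        print(f"{key}: {value}")
```

The comparison is strict (`listed < seen`): an IP that lands on a list at the same moment it is first caught exploiting gives the defender no lead time, so it is not counted as "already known". Feeding real observations in is a matter of replacing the three constructed structures with exports from your own logs, CTI lookups and blocklist history.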

Vulnerability signatures added to the CrowdSec database in April 2025

  1. CVE-2021-43798: Grafana – Path Traversal
  2. CVE-2002-1131: SquirrelMail – Cross-site scripting
  3. CVE-2007-0885: Rainbow Zen – Cross-site scripting
  4. CVE-2021-26294: AfterLogic Aurora – Directory Traversal
  5. CVE-2021-26084: Confluence Data Center – SQLi
  6. CVE-2022-27925: Zimbra Collaboration – RCE
  7. CVE-2025-31324: SAP NetWeaver – RCE
  8. CVE-2023-46805: Ivanti IPS – Authentication Bypass
  9. CVE-2017-1000170: jqueryFileTree – Directory Traversal
  10. CVE-2024-21887: Ivanti CPS – RCE
  11. CVE-2022-1388: BIG-IP – Authentication Bypass
  12. CVE-2021-44529: Ivanti EPM – RCE
  13. CVE-2024-57727: SimpleHelp – Path Traversal
  14. CVE-2025-24893: XWiki – RCE
  15. CVE-2018-16836: Rubedo – Directory Traversal
  16. CVE-2023-0297: pyLoad – RCE
  17. CVE-2024-27292: Docassemble – Path Traversal
  18. CVE-2024-20439: Cisco Smart Licensing Utility – Authentication Bypass
  19. CVE-2021-40539: Zoho ManageEngine ADSelfService Plus – Authentication Bypass
  20. CVE-2024-20440: Cisco Smart Licensing Utility – Information Disclosure
  21. CVE-2023-36844: Junos OS – RCE
  22. CVE-2024-1709: ScreenConnect – Authentication Bypass
  23. CVE-2022-26833: OAS Platform – Authentication Bypass
  24. CVE-2020-9054: Zyxel NAS – RCE
  25. CVE-2021-21234: spring-boot-actuator-logview – Path Traversal
  26. CVE-2023-6875: WordPress POST SMTP Mailer – Authorization Bypass
  27. CVE-2022-31656: VMware Workspace ONE – Authentication Bypass
  28. CVE-2024-27564: dirk1983/chatgpt – RCE
  29. CVE-2025-2748: Kentico Xperience – RCE
  30. CVE-2015-4455: Aviary Image Editor – RCE
  31. CVE-2018-17431: Comodo UTM Firewall – RCE
  32. CVE-2023-48084: Nagios XI – SQLi
  33. CVE-2024-52763: Ganglia Web – XSS
  34. CVE-2023-36845: Junos OS – RCE
  35. CVE-2023-47105: ChaosBlade – RCE
  36. CVE-2019-16996: MetInfo – SQLi
  37. CVE-2021-31589: BeyondTrust – XSS
  38. CVE-2022-1221: Gwyn’s Imagemap Selector – XSS
  39. CVE-2018-12998: Zoho ManageEngine – XSS
  40. CVE-2021-24498: Calendar Event Multi View – XSS
  41. CVE-2023-34993: FortiWLM – SQLi
  42. CVE-2023-3519: NetScaler Gateway – RCE
  43. CVE-2025-29306: FoxCMS – RCE
  44. CVE-2025-31161: CrushFTP – Authentication Bypass
  45. CVE-2024-25600: Bricks Builder – RCE
  46. CVE-2025-34028: Commvault Command Center Innovation Release – Path Traversal
  47. CVE-2025-28367: mojoPortal BetterImageGallery – Path Traversal
  48. CVE-2024-32870: iTop – SQLi
  49. CVE-2024-21762: FortiOS – RCE
  50. CVE-2025-24016: Wazuh – RCE
  51. CVE-2024-23113: FortiProxy – RCE
  52. CVE-2024-28995: SolarWinds Serv-U – Path Traversal
  53. CVE-2016-10924: Ebook Download Plugin – Path Traversal
  54. CVE-2022-23347: BigAnt Software BigAnt Server – Path Traversal
  55. YonYou SQLi: UFIDA U8 CRM cfillbacksetting.php – SQL Injection
