CrowdSec VulnTracking Report: May 2025

Welcome to the CrowdSec VulnTracking Report. In these monthly reports, we explore key insights on emerging vulnerabilities and CVE exploitation trends, as spotted by the CrowdSec Network.


In May 2025, we added detection for 47 vulnerabilities and/or exploits to our database, translating them into scenarios for the CrowdSec Security Engine, AppSec rules for the CrowdSec WAF, and updated entries in our CTI.

Last month, we discussed how quickly vulnerabilities get weaponized by the bad guys, as highlighted by the Verizon DBIR and the VulnCheck quarterly report. To look at the specifics of that timeframe, we took the SAP NetWeaver vulnerability CVE-2025-31324 as an example.

This vulnerability is a great example, as it has been getting a lot of attention from both the bad guys and the general industry:

A handful of advanced attackers reportedly used the vulnerability before disclosure, as reported by Onapsis (shoutout to them). Still, the real large-scale exploitation started as soon as enough details emerged for people to develop working exploits. On the day following the CVE publication, we already identified a handful of IPs exploiting it, which turned into 40 over the weekend. Currently, more than 1,400 IPs are exploiting this vulnerability.

However, what is interesting is seeing the race between the bad guys and the good guys. So, let’s break down the timeline, shall we?

The First 3 Days

During the first three days, there were no public exploits (yet); the IPs scanning for the vulnerability belonged to actors able to do their own research and develop working exploits. The breakdown of IPs goes as follows:

  • 37% of IPs were deployed just for the occasion. They had a clean background, ran intense activity over less than five days, went away, and never came back.
  • 63% of IPs belonged to known attackers' infrastructure.
Chart: reputation breakdown of the IPs scanning during the first three days (categories: benign, known, malicious, safe, suspicious).

The Following 28 Days

After a few days, exploits started circulating, and everybody jumped on the vulnerability, both good and bad, and it suddenly looked like this:

On day 4, both the "usual suspects" (botnets) and the "industry" (internet-wide scanning services and attack surface management providers) started intensive scanning. They soon represented more than 80% of the activity, split roughly equally between the two. The fact that mainstream malicious actors and the industry picked up the pace on the same day says a lot: both rely on public exploits, PoCs, and write-ups to do their jobs.

And this is even more evident when we look at the “volume” of IPs rather than the distribution of IP reputation:

The availability of public exploits multiplied the scanning activity by a factor of almost 50 overnight, and the first three days suddenly became so insignificant that they barely show up on the chart.
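To make the two measurements above concrete, here is an added example (not CrowdSec code, and not real telemetry) that buckets IPs the way the report describes, clean throwaway addresses versus known attacker infrastructure versus industry scanners, and then computes the day-by-day volume and the jump once a public exploit appears. The dataset, the bucket names, and the "less than five days and never came back" rule applied as a hard threshold are all constructed assumptions modelled on the text; days are numbered from 1, with day 1 being CVE publication.

```python
"""Bucket scanner IPs and measure the post-PoC surge, as described in the report.

Added example with constructed data; not CrowdSec code or real telemetry.
Day 1 is the day the CVE was published.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class IpActivity:
    ip: str
    first_day: int                 # first day seen hitting the vulnerable endpoint
    last_day: int                  # last day of that activity (inclusive)
    known_malicious_before: bool   # already flagged in CTI before the CVE came out
    industry_scanner: bool         # internet-wide scanner / attack surface provider
    seen_again_later: bool         # came back afterwards in unrelated campaigns


def classify(a: IpActivity) -> str:
    """Bucket an IP the way the report does. The <5-day lifetime rule follows the
    report's wording; treating it as a hard threshold is an assumption."""
    if a.industry_scanner:
        return "industry"
    if a.known_malicious_before:
        return "known_infrastructure"
    if (a.last_day - a.first_day + 1) < 5 and not a.seen_again_later:
        return "deployed_for_the_occasion"   # clean background, brief burst, gone
    return "unclassified"


def breakdown(activities, start_day, end_day):
    """Percentage per bucket among IPs first seen in [start_day, end_day]."""
    window = [a for a in activities if start_day <= a.first_day <= end_day]
    counts = Counter(classify(a) for a in window)
    total = sum(counts.values())
    return {k: round(100 * v / total, 1) for k, v in counts.items()} if total else {}


def daily_volume(activities):
    """Distinct IPs active per day; an IP counts on every day of its lifetime."""
    vol = Counter()
    for a in activities:
        for day in range(a.first_day, a.last_day + 1):
            vol[day] += 1
    return vol


def surge_factor(volume, quiet_days, surge_day):
    """How many times busier surge_day is than the average quiet day."""
    return volume[surge_day] / mean(volume[d] for d in quiet_days)


def build_sample():
    """Constructed dataset shaped like the report's narrative (not real data)."""
    sample = [
        # Days 1-3: three throwaway IPs with a clean history ...
        IpActivity("198.51.100.10", 1, 3, False, False, False),
        IpActivity("198.51.100.11", 2, 3, False, False, False),
        IpActivity("198.51.100.12", 2, 4, False, False, False),
        # ... and five addresses from known attacker infrastructure.
        IpActivity("203.0.113.20", 1, 30, True, False, True),
        IpActivity("203.0.113.21", 1, 30, True, False, True),
        IpActivity("203.0.113.22", 2, 30, True, False, True),
        IpActivity("203.0.113.23", 3, 30, True, False, True),
        IpActivity("203.0.113.24", 3, 30, True, False, True),
    ]
    # Day 4: a public exploit lands; botnets and industry scanners pile in, in equal parts.
    for i in range(135):
        sample.append(IpActivity(f"192.0.2.{i}", 4, 30, True, False, True))          # botnet nodes
        sample.append(IpActivity(f"203.0.113.{100 + i}", 4, 30, False, True, True))  # scanners
    return sample


if __name__ == "__main__":
    data = build_sample()
    print("first 3 days:", breakdown(data, 1, 3))
    print("day 4 newcomers:", breakdown(data, 4, 4))
    vol = daily_volume(data)
    print(f"day 4 vs. average of days 1-3: x{surge_factor(vol, range(1, 4), 4):.1f}")
```

The interesting design point is that the two views need different denominators: the reputation breakdown is computed over IPs by first-seen day, while the surge is computed over IPs active on each day, so a long-lived address counts once in the first view but on every day in the second. Mixing the two is how "a handful of IPs" and "a factor of almost 50" can both be true of the same dataset.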

Vulnerability signatures added to the CrowdSec database in May 2025

  1. CVE-2022-31984: Online Fire Reporting System – SQLi
  2. CVE-2020-15415: DrayTek – RCE
  3. CVE-2025-26319: FlowiseAI – Arbitrary File Upload
  4. CVE-2023-38098: NETGEAR ProSAFE – Authentication Bypass
  5. CVE-2018-19410: PRTG Network Monitor – Authentication Bypass
  6. CVE-2023-5360: Royal Elementor Addons and Templates – Arbitrary File Upload
  7. CVE-2014-2383: dompdf – Path Traversal
  8. CVE-2021-38163: SAP NetWeaver – RCE
  9. CVE-2018-2392: SAP Internet Graphics Server – XXE
  10. CVE-2023-6977: MLflow – Path Traversal
  11. CVE-2023-6023: VertaAI ModelDB – Path Traversal
  12. CVE-2023-45878: Gibbon (GibbonEdu) – File Upload
  13. CVE-2025-30567: WP01 – Path Traversal
  14. CVE-2020-6207: SAP Solution Manager – Authentication Bypass
  15. CVE-2023-40000: LiteSpeed Cache – XSS
  16. CVE-2025-34026: Versa Concerto – Authentication Bypass
  17. CVE-2025-32432: Craft CMS – RCE
  18. CVE-2023-26255: Jira – Path Traversal
  19. CVE-2025-32756: FortiCamera – RCE
  20. CVE-2025-4428: Ivanti Endpoint Manager Mobile – RCE
  21. CVE-2024-5334: stitionai/devika – Path Traversal
  22. CVE-2020-10189: Zoho ManageEngine Desktop Central – RCE (deserialization)
  23. CVE-2025-29085: vipshop Saturn – SQLi
  24. CVE-2020-6287: SAP NetWeaver – Authentication Bypass
  25. CVE-2023-33629: H3C Magic R300 – RCE
  26. CVE-2025-4427: Ivanti Endpoint Manager Mobile – Authentication Bypass
  27. CVE-2025-3248: Langflow – RCE
  28. CVE-2021-21389: BuddyPress – Information Disclosure
  29. CVE-2018-17283: Zoho ManageEngine – SQLi
  30. CVE-2021-42063: SAP Knowledge Warehouse – XSS
  31. CVE-2019-7254: eMerge E3 – Path Traversal
  32. CVE-2023-46732: XWiki Platform – XSS
  33. CVE-2020-7209: LinuxKI – RCE
  34. CVE-2023-41599: JFinalCMS – Path Traversal
  35. CVE-2024-46938: Sitecore Experience Platform – Arbitrary File Read
  36. CVE-2024-3721: TBK DVR-4216 – RCE
  37. CVE-2008-2398: AppServ – XSS
  38. CVE-2019-16469: Adobe Experience Manager – Information Disclosure
  39. CVE-2016-2389: SAP NetWeaver – Path Traversal
  40. CVE-2023-22527: Confluence Data Center – RCE
  41. CVE-2021-21479: SCIMono – RCE
  42. CVE-2018-11222: Pandora FMS – RCE
  43. CVE-2021-33690: SAP NetWeaver – SSRF
  44. CVE-2025-2777: SysAid On-Prem – XXE
  45. CVE-2024-21136: Oracle Retail Xstore Office – Path Traversal
  46. CVE-2020-29390: ZeroShell – RCE
  47. Detect SAP Probing
