Underground Market Exploits and Active Threats: Key Takeaways from the Weekly Vulnerability Insights Report

Overview

The weekly vulnerability insights report to clients sheds light on the most pressing cybersecurity vulnerabilities that have been identified and exploited. This weekly vulnerability insights report highlights the continuous efforts of organizations to protect their systems and networks from cyber threats, focusing on critical vulnerabilities that demand immediate attention from security professionals. Notably, the Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerability (KEV) catalog to include multiple high-severity flaws that are actively being targeted by attackers.

During the week of March 12, 2025, CISA added several vulnerabilities to its KEV catalog, reflecting growing concerns about overactive exploitation. Among these, CVE-2025-30066 stood out as a severe threat, involving an authentication bypass vulnerability in the tj-actions/changed-files GitHub Action. This flaw allows attackers to execute arbitrary code on affected systems by exploiting improper validation in the GitHub Action. The high-severity flaw has been flagged for urgent attention, though, as of the report’s publication, no proof-of-concept (PoC) or exploit has been observed in the wild.

Alongside CVE-2025-30066, CVE-2025-24472 in Fortinet’s FortiOS and FortiProxy products also made their way into the catalog. This authentication bypass vulnerability is particularly alarming as it permits attackers to gain super-admin privileges remotely, bypassing standard authentication mechanisms. With a CVSSv3 score of 8.1, it poses security risks to affected networks. Additionally, CVE-2025-21590 in Juniper’s Junos OS was listed, a vulnerability related to improper isolation that can lead to unintended access and data exposure.

Notable Vulnerabilities Identified in the Weekly Vulnerability Insights Report

CRIL’s analysis delved deeper into several key vulnerabilities during the week, shedding light on their exploitation potential. Among the vulnerabilities investigated, CVE-2024-54085, an authentication bypass in AMI’s MegaRAC BMC, was identified as critical. This vulnerability allows remote attackers to gain full control over affected servers without authentication, paving the way for potential malware deployment or even hardware damage. The risk is compounded by the lack of public internet exposure, making it difficult to defend against potential attacks that might go undetected for longer periods.

Another critical vulnerability analyzed by Cyble was CVE-2025-24813 in Apache Tomcat. This remote code execution (RCE) flaw allows attackers to exploit improper file path handling during partial PUT requests, granting unauthorized access to the affected system. The flaw was observed to be actively discussed in underground forums, with PoC code circulating widely. As a widely used Java servlet container, Apache Tomcat’s exposure to this flaw presents a considerable risk to enterprises and their web applications.

In addition, vulnerabilities such as CVE-2025-25292 and CVE-2025-25291 in ruby-saml and CVE-2025-27363 in the FreeType library further highlight the widespread and diverse nature of vulnerabilities, ranging from authentication bypasses to out-of-bounds write issues.

Threats on Underground Forums and Markets

CRIL also reported disturbing activity in underground forums and dark web marketplaces, where threat actors discussed and offered exploits for various vulnerabilities. Notable discussions included CVE-2025-26319 and CVE-2025-26633, which involved critical arbitrary file upload vulnerabilities and improper input validation flaws, respectively. Both were being actively weaponized by attackers to infiltrate systems and gain unauthorized access.

Additionally, exploits for vulnerabilities such as CVE-2025-26776 in the Chaty Pro plugin for WordPress and CVE-2025-1128 in Everest Forms plugin for WordPress were being advertised. These critical flaws could allow attackers to execute arbitrary actions on compromised servers, further emphasizing the growing trend of weaponizing vulnerabilities through readily available exploits in underground communities.

Further unsettling was the report of a zero-day exploit in TP-Link Routers being sold for USD 1,000 on dark web forums. The exploit, which enables remote code execution (RCE), allows attackers to disable firewalls, steal credentials, and open encrypted backdoors on affected routers. Such active sales of exploits underscore the increasing commodification of zero-day vulnerabilities, making it easier for malicious actors to launch sophisticated attacks.

Vulnerabilities Under Scrutiny

Several vulnerabilities continued to attract attention during the week, with PoCs or exploits observed on various forums. These include:

• CVE-2025-26319 (FlowiseAI): A critical vulnerability in FlowiseAI v2.2.6, related to arbitrary file uploads.
• CVE-2025-24813 (Apache Tomcat): A flaw that allows remote code execution, actively discussed and exploited.
• CVE-2025-26633 (Microsoft Management Console): A high-severity issue impacting Microsoft systems.

Recommendations for Mitigating Exploitation Risks

To defend against the increasing threats posed by these vulnerabilities, organizations must adopt robust security practices. Here are several critical recommendations:

1. Ensure that all systems are updated with the latest security patches from vendors. Critical patches, especially those for vulnerabilities like CVE-2025-24472 and CVE-2025-24813, should be prioritized to mitigate active exploitation risks.
2. Establish a comprehensive patch management strategy that includes regular assessments, testing, deployment, and verification of updates. Automation tools can assist in streamlining the patch application process, ensuring consistency and timely implementation.
3. Proper segmentation of networks can prevent attackers from moving laterally within the environment, reducing exposure to critical assets.
4. Develop and continuously update incident response plans to ensure preparedness in the event of an attack. These plans should include procedures for identifying, containing, and mitigating active threats.
5. Conduct VAPT exercises regularly to identify vulnerabilities before attackers can exploit them. Periodically, conduct audits to maintain compliance with internal and external security standards.
6. Invest in comprehensive monitoring tools and systems, such as SIEM platforms, to detect abnormal behaviors and potential exploitation attempts.
7. Educate employees and stakeholders about the latest cybersecurity threats, including recognizing phishing attempts and malicious links that may exploit vulnerabilities such as CVE-2025-30066.

Conclusion

The vulnerabilities identified from March 12 to March 18, 2025, highlight the ongoing battle against cyber threats. Active exploitation of vulnerabilities like CVE-2025-24472 in FortiOS and CVE-2025-24813 in Apache Tomcat reinforces the importance of timely patching and vigilance. With threat actors increasingly relying on underground forums and exploiting markets to spread Proof of Concepts and zero-day exploits, it is important for organizations to remain proactive and continually update their security measures to mitigate these cyber threats.

Adopting better security practices is crucial for protecting sensitive data and ensuring the integrity of your systems. A comprehensive threat intelligence solution like Cyble can track potential threats, vulnerabilities, and leaks specific to your environment, enabling you to take swift action before they escalate into major incidents.

For full access to IT vulnerability reports and other insights from Cyble, click here.

References:

• https://nvd.nist.gov/vuln/detail/cve-2025-30066
• https://nvd.nist.gov/vuln/detail/CVE-2025-24472
• https://nvd.nist.gov/vuln/detail/CVE-2025-21590
• https://nvd.nist.gov/vuln/detail/CVE-2025-26319
• https://nvd.nist.gov/vuln/detail/CVE-2025-24813
• https://nvd.nist.gov/vuln/detail/CVE-2025-26633