
Welcome to this month’s Vulnerability Report.
In this report, we analyse the latest security vulnerabilities discovered in April that are actively exploited by cybercriminals. Many businesses assume that cutting-edge attack techniques pose the biggest threat, but the reality is far more straightforward: most cyber incidents happen because known vulnerabilities are left unpatched.
When businesses fail to address these security gaps, attackers take advantage of them, gaining unauthorised access, deploying ransomware, or stealing sensitive data. In many cases, this stolen data ends up on the dark web, where it is sold or weaponised for further attacks.
This report isn’t just about listing CVEs; it’s about helping you take actionable steps to protect your business. Our goal is to provide you with practical security insights, so you can mitigate these risks before they are exploited.
What is a CVE, and why does it matter?
A CVE (Common Vulnerabilities and Exposures) is a standard identifier for publicly known cybersecurity vulnerabilities. CVEs are catalogued to help organisations track and prioritise security flaws that could be exploited.
However, just because a vulnerability is known doesn’t mean it isn’t dangerous; some of the biggest cyber incidents have been caused by CVEs that were left unpatched for months, even years. Attackers don’t need sophisticated zero-day exploits when they can simply take advantage of unpatched systems.
The vulnerabilities listed below are not just hypothetical risks; they are actively being exploited right now. Ensuring your systems are patched and monitored is the best way to stay ahead of these threats.
Actively Exploited
- CVE-2025-34028 – Commvault Command Center Innovation Release, Affected Version: 11.38 – Severity: 10.0 (Critical)
  A path traversal vulnerability allows unauthenticated actors to upload ZIP files, leading to remote code execution.
- CVE-2025-31324 – SAP NetWeaver Visual Composer Metadata Uploader – Severity: 10.0 (Critical)
  Unauthenticated agents can upload malicious binaries, severely impacting system confidentiality, integrity, and availability.
- CVE-2024-58136 – Yii 2, Affected Version: before 2.0.52 – Severity: 9.8 (Critical)
  Mishandling of behaviour attachment enables remote code execution, exploited in the wild from February to April 2025.
- CVE-2025-42599 – Active! mail 6, Affected Version: BuildInfo: 6.60.05008561 and earlier – Severity: 9.8 (Critical)
  A stack-based buffer overflow allows unauthenticated attackers to execute arbitrary code or cause denial-of-service.
- CVE-2025-30406 – Gladinet CentreStack, Affected Version: through 16.1.10296.56315 – Severity: 9.8 (Critical)
  A deserialisation vulnerability enables remote code execution by threat actors exploiting a hardcoded machineKey.
- CVE-2025-31161 – CrushFTP, Affected Version: 10 before 10.8.4 and 11 before 11.3.1 – Severity: 9.8 (Critical)
  Authentication bypass via a race condition allows unauthenticated access to administrative accounts, leading to system compromise.
- CVE-2025-22457 – Ivanti Connect Secure, Ivanti Policy Secure, Ivanti ZTA Gateways, Affected Version: before 22.7R2.6, before 22.7R1.4, before 22.8R2.2 respectively – Severity: 9.8 (Critical)
  A stack-based buffer overflow allows unauthenticated attackers to achieve remote code execution.
- CVE-2025-3928 – Commvault Web Server – Severity: 8.8 (High)
  An unspecified vulnerability allows authenticated attackers to create and execute webshells, compromising servers.
- CVE-2025-1976 – Brocade Fabric OS, Affected Version: 9.1.0 through 9.1.1d6 – Severity: 8.6 (High)
  Local users with admin privileges can execute arbitrary code with root privileges.
- CVE-2025-29824 – Windows Common Log File System Driver – Severity: 7.8 (High)
  A use-after-free vulnerability allows authorised attackers to elevate privileges locally.
- CVE-2025-31200 – Apple tvOS, visionOS, iOS, iPadOS, macOS Sequoia – Severity: 7.5 (High)
  A memory corruption issue in audio stream processing may allow code execution via malicious media files.
- CVE-2025-31201 – Apple tvOS, visionOS, iOS, iPadOS, macOS Sequoia – Severity: 6.8 (Medium)
  Arbitrary read/write capabilities may bypass Pointer Authentication, potentially exploited in targeted attacks.
Recommendations
If your organisation is running any of the affected software versions listed above, immediate action is critical. Follow these steps to secure your systems:
- Apply Security Patches: Ensure you install the latest updates and security patches released by vendors. These patches close known vulnerabilities that attackers actively exploit.
- Verify Patch Deployment: Simply downloading updates isn’t enough; verify that patches have been successfully applied across all systems.
- Monitor for Exploitation Attempts: Keep an eye on network logs, intrusion detection systems, and threat intelligence feeds for signs of exploitation related to these vulnerabilities.
- Isolate Vulnerable Systems: If a patch is not immediately available, consider network segmentation or restricting access to mitigate risk until an update can be applied.
- Check for Dark Web Exposure: If a vulnerability has already been exploited, your data may be circulating on the dark web. Proactively monitor for leaked credentials, sensitive files, or discussions about your company in cybercriminal forums.
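As an added example (not part of this report or of any vendor's tooling), the script below encodes four of the affected-version ranges listed above and checks a constructed software inventory against them, which is one concrete way to verify patch deployment rather than assuming an update landed. The hostnames and installed versions in the sample inventory are assumptions; the version ranges are the ones stated in the list above.

```python
import re

# Affected-version ranges as stated in this report (transcribed from the list above).
# Each range is (lower_inclusive, upper, upper_inclusive); None means no lower bound.
AFFECTED = {
    "Yii 2":                [(None, "2.0.52", False)],            # before 2.0.52
    "Gladinet CentreStack": [(None, "16.1.10296.56315", True)],   # through 16.1.10296.56315
    "CrushFTP":             [("10", "10.8.4", False),             # 10 before 10.8.4
                             ("11", "11.3.1", False)],            # 11 before 11.3.1
    "Brocade Fabric OS":    [("9.1.0", "9.1.1d6", True)],         # 9.1.0 through 9.1.1d6
}
CVE_FOR = {"Yii 2": "CVE-2024-58136", "Gladinet CentreStack": "CVE-2025-30406",
           "CrushFTP": "CVE-2025-31161", "Brocade Fabric OS": "CVE-2025-1976"}


def version_key(version):
    """Split a dotted version into comparable components; a component such as
    '1d6' becomes ((0,1),(1,'d'),(0,6)) so that 9.1.1 < 9.1.1d6 < 9.1.1d7 < 9.1.2."""
    key = []
    for part in version.strip().split("."):
        tokens = re.findall(r"\d+|[A-Za-z]+", part)
        key.append(tuple((0, int(t)) if t.isdigit() else (1, t.lower()) for t in tokens))
    return key


def compare(a, b):
    """Return -1, 0 or 1; missing trailing components count as zero (10 == 10.0)."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += [((0, 0),)] * (width - len(ka))
    kb += [((0, 0),)] * (width - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected(product, installed):
    """True if the installed version falls inside any affected range for the product."""
    for lower, upper, upper_inclusive in AFFECTED.get(product, []):
        above_lower = lower is None or compare(installed, lower) >= 0
        cmp_upper = compare(installed, upper)
        below_upper = cmp_upper < 0 or (upper_inclusive and cmp_upper == 0)
        if above_lower and below_upper:
            return True
    return False


def outstanding_cves(inventory):
    """Map each (host, product) whose version is still inside an affected range to its CVE."""
    return {(host, product): CVE_FOR[product]
            for host, product, version in inventory if is_affected(product, version)}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = [("web01", "Yii 2", "2.0.51"), ("ftp01", "CrushFTP", "11.2.9"),
              ("ftp02", "CrushFTP", "10.8.4"), ("san01", "Brocade Fabric OS", "9.1.1d6"),
              ("fs01", "Gladinet CentreStack", "16.1.10296.56316")]
    for (host, product), cve in sorted(outstanding_cves(sample).items()):
        print(f"{host}: {product} still affected by {cve}")
```

Feed it the product and version strings your inventory or CMDB already exports; a host whose version falls just inside a boundary (the fixed release itself, a lettered patch level) is exactly the case where a naive string comparison gets patch verification wrong.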
Taking swift action can mean the difference between a minor security event and a full-scale breach. If you need real-time insights on whether your organisation's data has surfaced on the dark web, consider leveraging Oko’s AI-driven dark web monitoring to stay ahead of emerging threats.
Proactive Security: Don’t Wait Until It’s Too Late
Cybercriminals are constantly scanning the internet for businesses running outdated software. If they find an unpatched system, they will exploit it; it’s only a matter of time.
That’s why continuous monitoring is critical. A proactive approach to security means staying informed, patching vulnerabilities, and tracking whether your organisation’s data has been leaked or discussed on the dark web.
Oko’s AI-driven dark web monitoring helps businesses detect early warning signs before a vulnerability turns into a breach. If stolen credentials, sensitive documents, or company data surface on the dark web, Oko alerts you before cybercriminals can exploit it further.