Blog & Research

Vulnerability Report: February 2025

Written by Rivanorth | 03 March 2025

Welcome to this month’s Vulnerability Report.

In this report, we analyse the vulnerabilities that were reported as actively exploited by attackers during February. Many businesses assume that cutting-edge attack techniques pose the biggest threat, but the reality is more mundane: most incidents happen because known vulnerabilities are left unpatched.

When businesses fail to address these security gaps, attackers take advantage of them, gaining unauthorised access, deploying ransomware, or stealing sensitive data. In many cases, this stolen data ends up on the dark web, where it is sold or weaponised for further attacks.

This report is not just a list of CVEs; it is meant to help you take actionable steps to protect your business. Our goal is to provide practical security insights so you can mitigate these risks before they are exploited.

What is a CVE, and why does it matter?

A CVE (Common Vulnerabilities and Exposures) identifier is a standard name for a publicly known security vulnerability, maintained by MITRE and referenced by vendors, scanners and advisories. Cataloguing flaws under one identifier lets organisations track and prioritise the issues that could be exploited in their environment.

However, a vulnerability being known does not make it less dangerous; some of the biggest incidents have been caused by CVEs left unpatched for months or even years. Attackers do not need sophisticated zero-day exploits when they can simply take advantage of unpatched systems.

The vulnerabilities listed below are not hypothetical risks; each has been reported as exploited in the wild and added to CISA's Known Exploited Vulnerabilities (KEV) catalogue. Ensuring your systems are patched and monitored is the best way to stay ahead of these threats.

Actively Exploited

  1. CVE-2025-24989 (Microsoft Power Pages), Severity: 9.8 (Critical)
    An improper access control vulnerability in Power Pages allows an unauthorised attacker to elevate privileges over the network, potentially bypassing a site's user registration controls. Power Pages is a hosted service, so Microsoft has applied the fix on the service side and notified affected customers; those customers should follow Microsoft's guidance to review their sites for unexpected accounts or registration changes.

  2. CVE-2025-0108 (Palo Alto Networks PAN-OS), Severity: 9.1 (Critical)
    An authentication bypass in the PAN-OS management web interface allows an unauthenticated attacker with network access to that interface to invoke certain PHP scripts without credentials. On its own this does not give remote code execution, but it affects integrity and confidentiality, and it has been seen chained with CVE-2024-9474 and CVE-2025-0111 against unpatched, exposed firewalls. Apply the fixed PAN-OS release and make sure the management interface is reachable only from trusted internal addresses, never from the internet.

  3. CVE-2024-40891 (Zyxel VMG4325-B10A), Severity: 8.8 (High)
    A post-authentication command injection vulnerability in the legacy DSL CPE Zyxel VMG4325-B10A firmware (version 1.00(AAFR.4)C0_20170615) allows an authenticated attacker to execute OS commands via Telnet.

  4. CVE-2024-40890 (Zyxel VMG4325-B10A), Severity: 8.8 (High)
    A post-authentication command injection vulnerability in the CGI program of the same firmware allows an authenticated attacker to execute OS commands via a crafted HTTP POST request. Note that these are end-of-life devices: Zyxel has stated that no firmware fix will be released and recommends replacing them. Until they are replaced, disable Telnet and WAN-side management access and change any default credentials, because "post-authentication" only protects you if the credentials are not guessable.

  5. CVE-2025-0994 (Trimble Cityworks), Severity: 8.8 (High)
    Cityworks versions prior to 15.8.9, and Cityworks with Office Companion versions prior to 23.10, contain a deserialisation vulnerability that allows an authenticated user to execute code remotely on the Microsoft IIS web server hosting the application. Beyond patching, Trimble advises that the IIS identity running Cityworks should not hold local or domain administrator privileges, which limits what a successful exploit can do.

  6. CVE-2025-21418 (Windows Ancillary Function Driver for WinSock), Severity: 7.8 (High)
    An elevation of privilege vulnerability in afd.sys, the Windows Ancillary Function Driver for WinSock. A local attacker who already has code execution on the host can use it to gain SYSTEM privileges. It was fixed in the February 2025 Patch Tuesday updates.

  7. CVE-2025-0111 (Palo Alto Networks PAN-OS), Severity: 7.1 (High)
    An authenticated file read vulnerability in the PAN-OS management web interface allows an attacker with credentials (or with an authentication bypass such as CVE-2025-0108) and network access to the interface to read files on the filesystem that are readable by the "nobody" user.

  8. CVE-2025-21391 (Windows Storage), Severity: 7.1 (High)
    An elevation of privilege vulnerability in Windows Storage. According to Microsoft, a local attacker can use it to delete targeted files on the system, affecting integrity and availability, but it does not disclose confidential information. It was fixed in the February 2025 Patch Tuesday updates.

  9. CVE-2025-24200 (Apple iOS and iPadOS), Severity: 6.1 (Medium)
    An authorisation issue in iOS and iPadOS, addressed with improved state management. An attacker with physical access could disable USB Restricted Mode on a locked device, re-opening the data connection that the mode is designed to block. Apple is aware of reports that this has been exploited in an extremely sophisticated attack against specific targeted individuals, and fixed it in iOS 18.3.1 and iPadOS 18.3.1.

Recommendations

If your organisation is running any of the affected software versions listed above, immediate action is critical. Follow these steps to secure your systems:

  • Apply Security Patches: Ensure you install the latest updates and security patches released by vendors. These patches close known vulnerabilities that attackers actively exploit.
  • Verify Patch Deployment: Downloading updates is not enough; confirm that patches have actually been applied across all systems, for example by checking installed versions or update identifiers against the vendor's fixed releases rather than trusting that a deployment job succeeded.
  • Monitor for Exploitation Attempts: Keep an eye on network logs, intrusion detection systems, and threat intelligence feeds for signs of exploitation related to these vulnerabilities.
  • Isolate Vulnerable Systems: If a patch is not immediately available, consider network segmentation or restricting access to mitigate risk until an update can be applied.
  • Check for Dark Web Exposure: If a vulnerability has already been exploited, your data may be circulating on the dark web. Proactively monitor for leaked credentials, sensitive files, or discussions about your company in cybercriminal forums.
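One way to carry out the "Verify Patch Deployment" step above is to compare an asset inventory against the affected-version ranges this report gives. The script below is an added example, not code from the original report or from any of the vendors; the hostnames and versions in its sample inventory are constructed, and the rules cover only the products for which this report states a version range (Cityworks, Office Companion and the Zyxel firmware build). It also shows the classic pitfall of comparing version strings lexically, which would rank 15.8.10 below 15.8.9.

```python
# Added example (not part of the original report): check an asset inventory
# against the affected-version ranges stated above. Hostnames and versions in
# SAMPLE_INVENTORY are constructed for illustration.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '15.8.10' into (15, 8, 10) so comparisons are numeric.

    Plain string comparison gets this wrong: '15.8.10' < '15.8.9' is True
    because '1' sorts before '9', which would report a patched host as
    still vulnerable (or the reverse, depending on the check's direction).
    """
    return tuple(int(p) for p in re.findall(r"\d+", version))


@dataclass
class Rule:
    cve: str
    product: str
    fixed_in: Optional[str] = None   # vulnerable if version < fixed_in
    exact: Optional[str] = None      # vulnerable if version equals this build

    def matches(self, version: str) -> bool:
        if self.exact is not None:
            return version.strip() == self.exact
        return version_key(version) < version_key(self.fixed_in)


# Affected ranges as given in this report. The Zyxel entries match the single
# firmware build named in the advisory; the device is end-of-life, so in
# practice every unit of this model should be treated as affected.
RULES: List[Rule] = [
    Rule("CVE-2025-0994", "Trimble Cityworks", fixed_in="15.8.9"),
    Rule("CVE-2025-0994", "Trimble Cityworks Office Companion", fixed_in="23.10"),
    Rule("CVE-2024-40890", "Zyxel VMG4325-B10A", exact="1.00(AAFR.4)C0_20170615"),
    Rule("CVE-2024-40891", "Zyxel VMG4325-B10A", exact="1.00(AAFR.4)C0_20170615"),
]


def check_inventory(inventory, rules=RULES):
    """Return one (host, product, version, cve) tuple per unpatched match."""
    findings = []
    for host, product, version in inventory:
        for rule in rules:
            if rule.product == product and rule.matches(version):
                findings.append((host, product, version, rule.cve))
    return findings


# Constructed sample inventory: (hostname, product, installed version).
SAMPLE_INVENTORY = [
    ("gis-app-01", "Trimble Cityworks", "15.8.10"),   # patched (15.8.10 > 15.8.9)
    ("gis-app-02", "Trimble Cityworks", "15.8.9"),    # patched (first fixed release)
    ("gis-app-03", "Trimble Cityworks", "15.7.2"),    # vulnerable
    ("gis-oc-01", "Trimble Cityworks Office Companion", "23.9"),  # vulnerable
    ("dsl-branch-7", "Zyxel VMG4325-B10A", "1.00(AAFR.4)C0_20170615"),  # hits both Zyxel CVEs
]

if __name__ == "__main__":
    for host, product, version, cve in check_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is affected by {cve}")
```

To use it against a real estate, replace SAMPLE_INVENTORY with rows exported from your asset or vulnerability management tool and extend RULES with the fixed releases from the vendor advisories for the other items in this report (PAN-OS hotfix versions, Windows update KBs, iOS builds), which this report does not list and so are deliberately not hard-coded here.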

Taking swift action can mean the difference between a minor security event and a full-scale breach. If you need real-time insights on whether your organisation's data has surfaced on the dark web, consider leveraging Oko’s AI-driven dark web monitoring to stay ahead of emerging threats.

Proactive Security: Don’t Wait Until It’s Too Late

Cybercriminals are constantly scanning the internet for businesses running outdated software. If they find an unpatched system, they will exploit it; it is only a matter of time.

That’s why continuous monitoring is critical. A proactive approach to security means staying informed, patching vulnerabilities, and tracking whether your organisation’s data has been leaked or discussed on the dark web.

Oko’s AI-driven dark web monitoring helps businesses detect early warning signs before a vulnerability turns into a breach. If stolen credentials, sensitive documents, or company data surface on the dark web, Oko alerts you before cybercriminals can exploit it further.