Vulnerability Report: March 2025

Read Time 5 mins | 02 April 2025

Welcome to this month’s Vulnerability Report.

In this report, we analyse the latest security vulnerabilities discovered in March that are actively exploited by cybercriminals. Many businesses assume that cutting-edge attack techniques pose the biggest threat, but the reality is far more straightforward: most cyber incidents happen because known vulnerabilities are left unpatched.

When businesses fail to address these security gaps, attackers take advantage of them, gaining unauthorised access, deploying ransomware, or stealing sensitive data. In many cases, this stolen data ends up on the dark web, where it is sold or weaponised for further attacks.

This report isn’t just about listing CVEs; it’s about helping you take actionable steps to protect your business. Our goal is to provide practical security insights so you can mitigate these risks before they are exploited.

What is a CVE, and why does it matter?

A CVE (Common Vulnerabilities and Exposures) is a standard identifier for publicly known cybersecurity vulnerabilities. CVEs are catalogued to help organisations track and prioritise security flaws that could be exploited.

However, just because a vulnerability is known doesn’t mean it isn’t dangerous: some of the biggest cyber incidents have been caused by CVEs that were left unpatched for months, even years. Attackers don’t need sophisticated zero-day exploits when they can simply take advantage of unpatched systems.

The vulnerabilities listed below are not just hypothetical risks; they are actively being exploited right now. Ensuring your systems are patched and monitored is the best way to stay ahead of these threats.

Actively Exploited

Here is the summarised list of actively exploited CVE vulnerabilities for March 2025 in descending order of severity:

  1. CVE-2025-24813 | Apache Tomcat | Severity: 9.8 (Critical)
    A path equivalence issue in Apache Tomcat (versions 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, 9.0.0.M1 to 9.0.98) could allow remote code execution, information disclosure, or unauthorised file manipulation via the default servlet. Exploitation depends on configuration settings such as write/PUT access, file-based session persistence, and use of deserialisation-prone libraries. Upgrade to 11.0.3, 10.1.35 or 9.0.99.

  2. CVE-2025-1316 | Edimax IC-7100 | Severity: 9.8 (Critical)
    The Edimax IC-7100 device fails to properly neutralise user input, allowing specially crafted requests that lead to remote code execution.

  3. CVE-2025-22224 | VMware ESXi & Workstation | Severity: 9.3 (Critical)
    A TOCTOU (Time-of-Check Time-of-Use) vulnerability in VMware products allows a malicious user with local admin privileges to execute arbitrary code as the VMX process on the host via an out-of-bounds write.

  4. CVE-2025-24201 | Apple visionOS, iOS, iPadOS, macOS, Safari | Severity: 8.8 (High)
    An out-of-bounds write vulnerability fixed in multiple Apple OS releases could allow malicious web content to break out of the Web Content sandbox. This issue was reportedly exploited in highly targeted attacks prior to iOS 17.2.

  5. CVE-2024-48248 | NAKIVO Backup & Replication | Severity: 8.6 (High)
    Versions before 11.0.0.88174 are vulnerable to absolute path traversal, enabling file reading via /c/router. This may lead to remote code execution due to access to plaintext credentials through PhysicalDiscovery.

  6. CVE-2025-30066 | tj-actions changed-files (GitHub Action) | Severity: 8.6 (High)
    A malicious commit affected tags v1 to v45.0.7, enabling attackers to expose secrets through Actions logs. Affected between 2025-03-14 and 2025-03-15.

  7. CVE-2025-30154 | reviewdog GitHub Actions | Severity: 8.6 (High)
    The reviewdog/action-setup@v1 GitHub Action was compromised on 2025-03-11, leaking secrets to logs. Several other reviewdog actions were also impacted.

  8. CVE-2025-2783 | Google Chrome (Windows) | Severity: 8.3 (High)
    A sandbox escape via a malicious file in Mojo in Chrome prior to 134.0.6998.177 allowed remote attackers to break out of the browser sandbox.

  9. CVE-2025-22225 | VMware ESXi | Severity: 8.2 (High)
    An arbitrary kernel write vulnerability allows a malicious actor within the VMX process to escape the sandbox environment.

  10. CVE-2025-24993 | Windows NTFS | Severity: 7.8 (High)
    A heap-based buffer overflow vulnerability could enable local unauthorised attackers to execute code.

  11. CVE-2025-24985 | Windows Fast FAT Driver | Severity: 7.8 (High)
    An integer overflow or wraparound in the Fast FAT Driver enables unauthorised local code execution.

  12. CVE-2025-22226 | VMware ESXi, Workstation, Fusion | Severity: 7.1 (High)
    An out-of-bounds read in HGFS allows a malicious admin to leak memory from the VMX process, leading to information disclosure.

  13. CVE-2025-26633 | Microsoft Management Console | Severity: 7.0 (High)
    Improper input neutralisation enables unauthorised attackers to bypass local security features.

  14. CVE-2025-24983 | Windows Win32 Kernel Subsystem | Severity: 7.0 (High)
    A use-after-free vulnerability allows a local authorised attacker to escalate privileges.

  15. CVE-2025-21590 | Juniper Junos OS | Severity: 6.7 (Medium)
    An improper isolation issue in the kernel allows local shell users with high privileges to inject arbitrary code, compromising device integrity.

  16. CVE-2025-24991 | Windows NTFS | Severity: 5.5 (Medium)
    An out-of-bounds read could allow an authorised attacker to disclose information locally.

  17. CVE-2025-24984 | Windows NTFS | Severity: 4.6 (Low)
    Sensitive information may be inserted into log files, potentially disclosable via a physical attack.

Recommendations

If your organisation is running any of the affected software versions listed above, immediate action is critical. Follow these steps to secure your systems:

  • Apply Security Patches: Ensure you install the latest updates and security patches released by vendors. These patches close known vulnerabilities that attackers actively exploit.
  • Verify Patch Deployment: Simply downloading updates isn’t enough; verify that patches have been successfully applied across all systems.
  • Monitor for Exploitation Attempts: Keep an eye on network logs, intrusion detection systems, and threat intelligence feeds for signs of exploitation related to these vulnerabilities.
  • Isolate Vulnerable Systems: If a patch is not immediately available, consider network segmentation or restricting access to mitigate risk until an update can be applied.
  • Check for Dark Web Exposure: If a vulnerability has already been exploited, your data may be circulating on the dark web. Proactively monitor for leaked credentials, sensitive files, or discussions about your company in cybercriminal forums.
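As a concrete illustration of the "Verify Patch Deployment" step, the following script is an added example (not code from this report or from the Apache Tomcat project). It takes the affected and fixed Tomcat versions listed under CVE-2025-24813 above and checks an inventory of installed versions against them, handling Tomcat's milestone builds (11.0.0-M1, 9.0.0.M1) which sort before the matching GA release. It also inspects a web.xml for the DefaultServlet `readonly` init-parameter, since the entry notes that exploitation depends on write/PUT access being enabled; the `readonly` parameter name is Tomcat's own, while the host names, versions and the sample web.xml are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Affected ranges and fixed releases for CVE-2025-24813, as stated in the report:
# (first affected, last affected, fixed release) per supported branch.
AFFECTED = [
    ("11.0.0-M1", "11.0.2", "11.0.3"),
    ("10.1.0-M1", "10.1.34", "10.1.35"),
    ("9.0.0.M1", "9.0.98", "9.0.99"),
]

# Tomcat writes milestones as 11.0.0-M1 (newer branches) or 9.0.0.M1 (9.0.x).
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")


def parse_version(text: str) -> tuple:
    """Turn a Tomcat version string into a sortable tuple.

    Milestone builds precede the GA release carrying the same number, so the
    fourth field is 0 for a milestone and 1 for GA; the fifth is the milestone
    number (0 for GA).
    """
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def assess(version: str) -> dict:
    """Report whether an installed version falls in an affected range."""
    key = parse_version(version)
    for first, last, fixed in AFFECTED:
        if parse_version(first) <= key <= parse_version(last):
            return {"version": version, "affected": True, "upgrade_to": fixed}
    return {"version": version, "affected": False, "upgrade_to": None}


def audit(inventory: dict) -> dict:
    """Assess every host in a {hostname: version} mapping."""
    return {host: assess(ver) for host, ver in inventory.items()}


def _local(tag: str) -> str:
    # web.xml is namespaced; compare on the local element name only.
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml: str) -> bool:
    """True if web.xml sets the DefaultServlet init-param readonly=false.

    Tomcat's DefaultServlet defaults to readonly=true, so only an explicit
    'false' enables PUT/DELETE, the precondition the report's entry mentions.
    """
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = next((c.text for c in servlet if _local(c.tag) == "servlet-name"), "")
        if (name or "").strip() != "default":
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            pname: Optional[str] = None
            pval: Optional[str] = None
            for child in param:
                if _local(child.tag) == "param-name":
                    pname = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    pval = (child.text or "").strip().lower()
            if pname == "readonly" and pval == "false":
                return True
    return False


# Constructed inventory of hypothetical hosts; not real systems.
INVENTORY = {
    "app-01.example.internal": "9.0.98",
    "app-02.example.internal": "10.1.35",
    "ci-runner.example.internal": "11.0.0-M1",
    "legacy.example.internal": "8.5.100",
}

# Constructed web.xml fragment that turns write access on for the DefaultServlet.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        status = f"AFFECTED, upgrade to {result['upgrade_to']}" if result["affected"] else "ok"
        print(f"{host:28} {result['version']:10} {status}")
    print("DefaultServlet writable:", default_servlet_writable(SAMPLE_WEB_XML))
```

A version that is outside every listed range is reported as not affected by this CVE, which is not the same as being supported: the 8.5.x host in the constructed inventory is simply out of scope for the ranges the report gives. The web.xml check is a precondition check, not proof of safety; the fix is still the upgrade to the versions named above.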

Taking swift action can mean the difference between a minor security event and a full-scale breach. If you need real-time insights on whether your organisation's data has surfaced on the dark web, consider leveraging Oko’s AI-driven dark web monitoring to stay ahead of emerging threats.

Proactive Security: Don’t Wait Until It’s Too Late

Cybercriminals are constantly scanning the internet for businesses running outdated software. If they find an unpatched system, they will exploit it; it’s only a matter of time.

That’s why continuous monitoring is critical. A proactive approach to security means staying informed, patching vulnerabilities, and tracking whether your organisation’s data has been leaked or discussed on the dark web.

Oko’s AI-driven dark web monitoring helps businesses detect early warning signs before a vulnerability turns into a breach. If stolen credentials, sensitive documents, or company data surface on the dark web, Oko alerts you before cybercriminals can exploit it further.