Ivanti Endpoint Manager Mobile exploit chain exploited in the wild

16 May 2025 at 07:00

On May 13, 2025, Ivanti disclosed an exploit chain, exploited in the wild, comprising two new vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM): CVE-2025-4427 and CVE-2025-4428. Ivanti EPMM is an enterprise-focused software suite for IT teams to manage mobile devices, applications, and content.

CVE-2025-4427 is an authentication bypass vulnerability with a CVSS rating of 5.3 (Medium). CVE-2025-4428 is an authenticated remote code execution (RCE) vulnerability with a CVSS rating of 7.2 (High). By chaining the medium-severity authentication bypass (CVE-2025-4427), an unauthenticated attacker can reach a web API endpoint to inject server-side template patterns and exploit the high-severity vulnerability (CVE-2025-4428), thus achieving unauthenticated remote code execution. Therefore, while neither vulnerability has been rated as critical, the impact of the chained exploit is critical, i.e. unauthenticated RCE.

The vulnerabilities were reported to the vendor by CERT-EU, the European Union’s Cybersecurity Service for the Union institutions, bodies, offices and agencies. The vendor has disclosed that this exploit chain has been exploited in the wild to a limited degree. Notably, an unknown threat actor previously targeted this product in 2023 in an attack against the Norwegian Security and Service Organization (DSS).

On May 15, 2025, a technical analysis and an accompanying proof-of-concept exploit were published. With public exploit code now available, the risk of broad exploitation in the wild has greatly increased.

On May 19, 2025, both CVE-2025-4427 and CVE-2025-4428 were added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV).

Mitigation guidance

The vendor has provided patches for affected versions of EPMM. Customers are advised to follow the vendor guidance and remediate these vulnerabilities by upgrading to a fixed version on an emergency basis, without waiting for a regular patch cycle to occur.

The following list outlines the affected supported EPMM versions, and their respective fixes:

  • Version 11.12.0.4 and prior is fixed in version 11.12.0.5
  • Version 12.3.0.1 and prior is fixed in version 12.3.0.2
  • Version 12.4.0.1 and prior is fixed in version 12.4.0.2
  • Version 12.5.0.0 and prior is fixed in version 12.5.0.1

For the latest mitigation guidance, please refer to the vendor advisory.

Rapid7 customers

InsightVM and Nexpose customers can assess exposure to CVE-2025-4427 and CVE-2025-4428 with authenticated checks available in the May 16 content release.

Updates

May 16, 2025: Updated description of checks to clarify they will be authenticated.

May 19, 2025: Clarified InsightVM and Nexpose checks were shipped in the May 16 content release.

May 20, 2025: Added reference to the CISA KEV list.


CVE-2025-32756 Exploited in the Wild, Affecting Multiple Fortinet Products

14 May 2025 at 10:59

On May 13, 2025, Fortinet disclosed CVE-2025-32756, an unauthenticated stack-based buffer overflow affecting multiple Fortinet products, including FortiVoice, FortiRecorder, FortiNDR, FortiMail, and FortiCamera. The vulnerability is rated CVSS 9.6 (Critical) and allows an unauthenticated remote attacker to achieve remote code execution (RCE) against a vulnerable target.

Fortinet has disclosed that this vulnerability has been exploited in the wild by a threat actor who is targeting vulnerable FortiVoice appliances. No threat actor attribution has been made at this time. FortiVoice is an enterprise unified communication (UC) platform, providing communications services such as calling, conferencing, and chat. The Fortinet Product Security Team made this discovery based on observed threat activity. This threat activity included additional network scanning, credential logging, and log file wiping. Several IOCs have been published in the vendor advisory to assist customers in threat hunting.

CVE-2025-32756 was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV) on May 14, 2025.

Mitigation guidance

Fortinet has provided patches for affected versions under support, and guidance for unsupported versions to migrate to a fixed version. Customers are advised to follow the vendor guidance and remediate this vulnerability by upgrading to a fixed version on an urgent basis, as outlined below.

  • FortiVoice 7.2 should be upgraded to 7.2.1 or above
  • FortiVoice 7.0 should be upgraded to 7.0.7 or above
  • FortiVoice 6.4 should be upgraded to 6.4.11 or above
  • FortiRecorder 7.2 should be upgraded to 7.2.4 or above
  • FortiRecorder 7.0 should be upgraded to 7.0.6 or above
  • FortiRecorder 6.4 should be upgraded to 6.4.6 or above
  • FortiNDR 7.6 should be upgraded to 7.6.1 or above
  • FortiNDR 7.4 should be upgraded to 7.4.8 or above
  • FortiNDR 7.2 should be upgraded to 7.2.5 or above
  • FortiNDR 7.1 should be migrated to a fixed release
  • FortiNDR 7.0 should be upgraded to 7.0.7 or above
  • FortiNDR 1.5 should be migrated to a fixed release
  • FortiNDR 1.4 should be migrated to a fixed release
  • FortiNDR 1.3 should be migrated to a fixed release
  • FortiNDR 1.2 should be migrated to a fixed release
  • FortiNDR 1.1 should be migrated to a fixed release
  • FortiMail 7.6 should be upgraded to 7.6.3 or above
  • FortiMail 7.4 should be upgraded to 7.4.5 or above
  • FortiMail 7.2 should be upgraded to 7.2.8 or above
  • FortiMail 7.0 should be upgraded to 7.0.9 or above
  • FortiCamera 2.1 should be upgraded to 2.1.4 or above
  • FortiCamera 2.0 should be migrated to a fixed release
  • FortiCamera 1.1 should be migrated to a fixed release
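As an added illustration, not code from Rapid7 or from either vendor, the following Python maps an inventoried product version to the action the two version lists on this page call for: the Fortinet list above and the Ivanti EPMM list in the previous advisory. The table rows are transcribed from those lists; the branch-prefix matching, the status names and the demo inventory are assumptions.

```python
"""Map an inventoried product version to the remediation called for by the
version lists on this page (Fortinet CVE-2025-32756 above, Ivanti EPMM
CVE-2025-4427/CVE-2025-4428 in the previous advisory).

Added example, not Rapid7's or either vendor's code. The table rows are
transcribed from those two lists; the branch-prefix matching, the status
names and the demo inventory are assumptions.
"""
from typing import Dict, Optional, Tuple

MIGRATE = None  # branch has no in-branch fix: "migrate to a fixed release"

REMEDIATION_TABLE: Dict[str, Dict[str, Optional[str]]] = {
    # Fortinet: branch (major.minor) -> first fixed release, or MIGRATE
    "FortiVoice": {"7.2": "7.2.1", "7.0": "7.0.7", "6.4": "6.4.11"},
    "FortiRecorder": {"7.2": "7.2.4", "7.0": "7.0.6", "6.4": "6.4.6"},
    "FortiNDR": {"7.6": "7.6.1", "7.4": "7.4.8", "7.2": "7.2.5", "7.1": MIGRATE,
                 "7.0": "7.0.7", "1.5": MIGRATE, "1.4": MIGRATE, "1.3": MIGRATE,
                 "1.2": MIGRATE, "1.1": MIGRATE},
    "FortiMail": {"7.6": "7.6.3", "7.4": "7.4.5", "7.2": "7.2.8", "7.0": "7.0.9"},
    "FortiCamera": {"2.1": "2.1.4", "2.0": MIGRATE, "1.1": MIGRATE},
    # Ivanti EPMM uses four-component versions, so the branch is three components
    "Ivanti EPMM": {"11.12.0": "11.12.0.5", "12.3.0": "12.3.0.2",
                    "12.4.0": "12.4.0.2", "12.5.0": "12.5.0.1"},
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'7.2.10' -> (7, 2, 10). Comparing tuples avoids the classic string
    ordering bug where '7.2.10' sorts before '7.2.9'."""
    return tuple(int(part) for part in text.strip().split("."))


def remediation(product: str, installed: str) -> Tuple[str, Optional[str]]:
    """Return (status, target).

    'fixed'           at or above the first fixed release (target = that release)
    'upgrade'         vulnerable; upgrade to target or above
    'migrate'         vulnerable; no fix in this branch, move to a fixed release
    'unknown-branch'  branch not listed; consult the vendor advisory
    """
    branches = REMEDIATION_TABLE.get(product)
    if branches is None:
        raise KeyError(f"no remediation data for product {product!r}")
    installed_v = parse_version(installed)
    for branch, fixed in branches.items():
        branch_v = parse_version(branch)
        if installed_v[: len(branch_v)] != branch_v:
            continue
        if fixed is MIGRATE:
            return "migrate", None
        if installed_v >= parse_version(fixed):
            return "fixed", fixed
        return "upgrade", fixed
    return "unknown-branch", None


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    for product, version in [("FortiVoice", "7.0.6"), ("FortiVoice", "7.2.10"),
                             ("FortiNDR", "7.1.0"), ("FortiMail", "7.4.4"),
                             ("Ivanti EPMM", "12.4.0.1"), ("Ivanti EPMM", "12.5.0.1")]:
        status, target = remediation(product, version)
        print(f"{product:12} {version:10} {status}" + (f" -> {target}" if target else ""))
```

Numeric tuple comparison matters here: several fixed releases have two-digit patch numbers (FortiVoice 6.4.11), which a string comparison would order incorrectly. Branches the advisory marks "migrate to a fixed release" return no target on purpose, so the caller has to pick a supported branch rather than an automated tool guessing one.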

For customers who may not be able to update to a fixed version, Fortinet has given guidance to disable the affected appliance's HTTP(S) administration interface. For the latest mitigation guidance, please refer to the vendor advisory.

Rapid7 customers

InsightVM and Nexpose customers can now assess their exposure to CVE-2025-32756 on FortiVoice with an unauthenticated check available in the May 14, 2025 content release (Nexpose Content 1.1.3561).

Updates

May 14, 2025: Updated to reflect InsightVM check was shipped on May 14, 2025. Added reference to the CISA KEV listing.


Active exploitation of SAP NetWeaver Visual Composer CVE-2025-31324

28 April 2025 at 07:57

On Thursday, April 24, enterprise resource planning company SAP published a CVE (and a day later, an advisory behind login) for CVE-2025-31324, a zero-day vulnerability in NetWeaver Visual Composer that carries a CVSSv3 score of 10. The vulnerability arises from a missing authorization check in Visual Composer’s Metadata Uploader component that, when successfully exploited, allows unauthenticated attackers to send specially crafted POST requests to the /developmentserver/metadatauploader endpoint, resulting in unrestricted malicious file upload.

While the vulnerable component is not installed in NetWeaver’s default configuration, SAP security firm Onapsis notes that it is widely enabled.

Per SAP’s docs, Visual Composer “operates on top of the SAP NetWeaver Portal, utilizing the portal's connector-framework interfaces to enable access to a range of data services, including SAP and third-party enterprise systems. In addition to accessing SAP Business Suite systems, users can access SAP NetWeaver Business Warehouse and any open/JDBC stored procedures.”

Rapid7-observed exploitation

CVE-2025-31324 is being actively exploited in the wild; Rapid7 MDR has observed exploitation in multiple customer environments dating back to at least March 27, 2025, nearly all of which has targeted manufacturing companies. Adversaries have exploited the vulnerability to drop webshells in the following directory: j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/

Public threat intelligence on CVE-2025-31324 exploitation has highlighted the use of webshells named helper.jsp and cache.jsp. With few exceptions (like helper.jsp), most webshells Rapid7 has observed had random 8-character names, e.g.:

  • cglswdjp.jsp
  • ijoatvey.jsp
  • dkqgcoxe.jsp
  • ylgxcsem.jsp
  • cpyjljgo.jsp
  • tgmzqnty.jsp

Rapid7 has not attributed this activity to a specific threat actor at time of writing.

Mitigation guidance

All SAP NetWeaver 7.xx versions and service packs (SPS) are affected.

SAP’s non-public guidance indicates that customers can check system info (http://host:port/nwa/sysinfo) for the Software Component VISUAL COMPOSER FRAMEWORK (VCFRAMEWORK.SCA). If this check returns no results, SAP has said the vulnerability is “not relevant for that system.”

Customers should update to the latest version of NetWeaver AS on an emergency basis, without waiting for a regular patch cycle to occur. Note that updating to a fixed version of NetWeaver will not address pre-existing compromises. Customers who are unable to update to a fixed version of the application should disable Visual Composer by following SAP’s directions here.

Customers should also restrict access to the affected endpoint (/developmentserver/metadatauploader) and investigate their environments for signs of compromise. SAP’s non-public advisory notes that the “most common targets for an attacking agent” are the following paths under the JAVA server file system; jsp, java, or class files present directly in these paths should be considered malicious:

  • C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root
  • C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work
  • C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work\sync
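An added triage helper, not Rapid7's or SAP's tooling, that applies the rule above: list the three directories SAP names and flag any jsp, java or class file sitting directly in them, annotating the known names from public reporting (helper.jsp, cache.jsp) and the random eight-letter pattern Rapid7 MDR observed. The instance-directory argument, the Unix path variant and the function names are assumptions.

```python
"""Hunt for dropped JSP webshells in the SAP NetWeaver Java paths named above.

Added example, not Rapid7's or SAP's tooling. The three relative paths, the
"any .jsp/.java/.class directly in these directories is malicious" rule, the
known names helper.jsp / cache.jsp and the random 8-lowercase-letter naming
pattern come from the advisory text; the instance-directory layout and the
function names are assumptions.
"""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Relative to the instance directory, i.e. C:\usr\sap\<SID>\<InstanceID> on
# Windows; /usr/sap/<SID>/<InstanceID> on Unix is assumed to mirror it.
WATCHED_DIRS = (
    os.path.join("j2ee", "cluster", "apps", "sap.com", "irj", "servlet_jsp", "irj", "root"),
    os.path.join("j2ee", "cluster", "apps", "sap.com", "irj", "servlet_jsp", "irj", "work"),
    os.path.join("j2ee", "cluster", "apps", "sap.com", "irj", "servlet_jsp", "irj", "work", "sync"),
)
MALICIOUS_EXTENSIONS = {".jsp", ".java", ".class"}
KNOWN_WEBSHELL_NAMES = {"helper.jsp", "cache.jsp"}
RANDOM_NAME = re.compile(r"^[a-z]{8}\.jsp$")


@dataclass
class Finding:
    path: str
    reason: str


def classify_name(filename: str) -> Optional[str]:
    """Return why a file found directly in a watched directory is suspicious,
    or None when its extension is not one SAP calls out."""
    _, ext = os.path.splitext(filename)
    if ext.lower() not in MALICIOUS_EXTENSIONS:
        return None
    lowered = filename.lower()
    if lowered in KNOWN_WEBSHELL_NAMES:
        return "matches webshell name from public reporting"
    if RANDOM_NAME.match(lowered):
        return "random 8-letter .jsp name, pattern seen by Rapid7 MDR"
    return "source/class file directly in an SAP-flagged directory"


def classify_listing(directory: str, filenames: Iterable[str]) -> List[Finding]:
    """Classify a pre-collected directory listing, e.g. a file list exported
    from a host you cannot run code on."""
    return [
        Finding(os.path.join(directory, name), reason)
        for name in filenames
        if (reason := classify_name(name)) is not None
    ]


def hunt(instance_dir: str) -> List[Finding]:
    """Non-recursive scan of the three watched directories under instance_dir.
    SAP's guidance is about files *directly* in these paths, so subdirectories
    are deliberately not descended into."""
    findings: List[Finding] = []
    for rel in WATCHED_DIRS:
        directory = os.path.join(instance_dir, rel)
        if not os.path.isdir(directory):
            continue  # component not deployed, or a different layout
        names = [n for n in os.listdir(directory)
                 if os.path.isfile(os.path.join(directory, n))]
        findings.extend(classify_listing(directory, names))
    return findings


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "."
    for f in hunt(base):
        print(f"{f.path}: {f.reason}")
```

Every jsp, java or class file directly in these directories is reported, as SAP's guidance requires; the name-based annotations only prioritise what to look at first, and a file with an innocuous name is no less a finding.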

For additional information and the latest guidance, please refer to SAP’s non-public materials or contact SAP support.

Rapid7 customers

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to exploitation of this vulnerability:

  • Attacker Technique - Enumerating Domain Or Enterprise Admins With Net Command
  • Suspicious Process - Nltest Enumeration Cluster
  • PowerShell - Download File to Staging Directory

InsightVM and Nexpose customers can assess their exposure to CVE-2025-31324 with an unauthenticated check available in the April 28, 2025 content release.

Ivanti Connect Secure CVE-2025-22457 exploited in the wild

3 April 2025 at 14:50

On Thursday, April 3, 2025, Ivanti disclosed a critical severity vulnerability affecting Ivanti Connect Secure, Pulse Connect Secure, Policy Secure, and ZTA Gateways. CVE-2025-22457 is a stack-based buffer overflow vulnerability that allows remote, unauthenticated attackers to execute code on the target device. Ivanti’s advisory indicates that CVE-2025-22457 is known to be exploited in the wild; Google’s Mandiant division attributes this activity to suspected China-nexus actors.

Ivanti’s advisory indicates that the vulnerability was “initially identified as a product bug” and patched in Ivanti Connect Secure version 22.7R2.6 (released February 11, 2025). Per Mandiant, CVE-2025-22457 is “a buffer overflow with a limited character space, and therefore it was initially believed to be a low-risk denial-of-service vulnerability.” However, on April 3, Ivanti publicly acknowledged known exploitation in the wild of supported Ivanti Connect Secure and End-of-Support Pulse Connect Secure appliances for remote code execution in some customer environments.

Update April 10, 2025: Rapid7's vulnerability research team now has a full root cause analysis of this vulnerability in AttackerKB; Rapid7 Principal Researcher Stephen Fewer was able to demonstrate full RCE, though notably the vulnerability is not trivial to exploit.

Mitigation guidance

The following products and versions are vulnerable to CVE-2025-22457:

  • Ivanti Connect Secure 22.7R2.5 and prior
  • Pulse Connect Secure (End-of-Support) 9.1R18.9 and prior
  • Ivanti Policy Secure 22.7R1.3 and prior
  • ZTA Gateways 22.8R2 and prior

Ivanti has a full table of affected versions and corresponding solution estimates in their advisory.

A patch is available (initially released on February 11, 2025) for CVE-2025-22457 in Ivanti Connect Secure. However, the advisory states that patches for Ivanti Policy Secure and ZTA Gateways will not be available until April 21, 2025 and April 19, 2025, respectively. Pulse Connect Secure 9.1x reached End-of-Support on December 31, 2024 and won’t be patched. For the latest information, please refer to the Ivanti advisory.

Customers should apply the available Ivanti Connect Secure patch immediately, without waiting for a typical patch cycle to occur. Ivanti’s advisory notes that “Customers should monitor their external ICT and look for web server crashes. If your ICT result shows signs of compromise, you should perform a factory reset on the appliance and then put the appliance back into production using version 22.7R2.6.” Notably, ICT results may vary; a factory reset should be performed if exploitation is suspected, regardless of ICT results.

For the latest information, please refer to the vendor advisory.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2025-22457 in Ivanti Connect Secure with a vulnerability check available in today’s (April 3, 2025) content release.


Multiple vulnerabilities in Ingress NGINX Controller for Kubernetes

25 March 2025 at 12:10

On March 24, 2025, Kubernetes disclosed 5 new vulnerabilities affecting the Ingress NGINX Controller for Kubernetes. Successful exploitation could allow attackers access to all secrets stored across all namespaces in the Kubernetes cluster, which could result in cluster takeover.

  • CVE-2025-1974 (9.8 Critical): RCE escalation. An unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (In the default installation, the controller can access all Secrets cluster-wide.)
  • CVE-2025-24514 (8.8 High): Configuration injection via unsanitized auth-url annotation. In ingress-nginx, the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller.
  • CVE-2025-1097 (8.8 High): Configuration injection via unsanitized auth-tls-match-cn annotation. The `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller.
  • CVE-2025-1098 (8.8 High): Configuration injection via unsanitized mirror annotations. The `mirror-target` and `mirror-host` Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller.
  • CVE-2025-24513 (4.8 Medium): Auth secret file path traversal vulnerability. Attacker-provided data is included in a filename by the ingress-nginx Admission Controller feature, resulting in directory traversal within the container. This could result in denial of service, or when combined with other vulnerabilities, limited disclosure of Secret objects from the cluster.

Of the 5 vulnerabilities disclosed, any one of the injection vulnerabilities (CVE-2025-24514, CVE-2025-1097, CVE-2025-1098) may be chained with CVE-2025-1974 to achieve unauthenticated RCE on the Kubernetes pod that is running a vulnerable Ingress NGINX Controller. Achieving RCE could allow an attacker to take over a Kubernetes cluster. As of March 25, 2025, none of the above CVEs is known to be exploited in the wild.

Ingress is a Kubernetes feature to route HTTP(S) traffic into a Kubernetes cluster. An Ingress Controller is an application responsible for performing the routing. While there are many Ingress Controllers available, the vulnerabilities disclosed on March 24 are specific to the Ingress NGINX Controller, which is an Ingress Controller based upon NGINX.

The original finders of all five vulnerabilities, Wiz, noted that 43% of cloud environments are vulnerable to the issues disclosed, and that they have identified 6,500 clusters with publicly exposed Ingress NGINX Controllers.

As of March 25, 2025 (14:00 GMT), there is one known publicly available RCE exploit for CVE-2025-1974 (here). This exploit is unverified, but based on our understanding of the vulnerability, it appears viable.

Mitigation guidance

All 5 vulnerabilities are reported to affect the following versions of Ingress NGINX Controller:

  • Versions <= 1.11.4
  • Version 1.12.0

Notably, the Wiz advisory says that CVE-2025-24514 does not affect version 1.12.0, but the vendor indicates that the issue does affect 1.12.0.

Customers who use the Ingress NGINX Controller for Kubernetes are advised to update to the following versions immediately:

  • Version 1.11.5
  • Version 1.12.1
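As an added example, not Rapid7's, Wiz's or the Kubernetes project's code, the Python below audits two things a practitioner already has from `kubectl ... -o json`: the ingress-nginx controller's image tag against the affected version set above (every release up to 1.11.4, plus 1.12.0), and the cluster's Ingress objects for use of the four annotations tied to the configuration-injection CVEs. The short annotation names come from the text; the full keys assume ingress-nginx's usual `nginx.ingress.kubernetes.io/` prefix, and the sample export is constructed.

```python
"""Audit Ingress NGINX controller version and Ingress annotations for the
five CVEs described above.

Added example, not Rapid7's, Wiz's or the Kubernetes project's code. Inputs
are what `kubectl get deploy/ingress-nginx-controller -o json` and
`kubectl get ingress -A -o json` would give you; the sample data below is
constructed. Affected versions (<= 1.11.4 and 1.12.0) and the four annotation
names come from the advisory text; the `nginx.ingress.kubernetes.io/` prefix
on the full keys is assumed from the controller's annotation convention.
"""
from typing import Dict, List, Tuple

INJECTION_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/auth-url": "CVE-2025-24514",
    "nginx.ingress.kubernetes.io/auth-tls-match-cn": "CVE-2025-1097",
    "nginx.ingress.kubernetes.io/mirror-target": "CVE-2025-1098",
    "nginx.ingress.kubernetes.io/mirror-host": "CVE-2025-1098",
}
# A URL or certificate CN has no business containing nginx directive
# boundaries; values that do are escalated from "review" to "investigate".
DIRECTIVE_CHARS = ("\n", ";", "{", "}")


def parse_tag(image: str) -> Tuple[int, ...]:
    """Extract (major, minor, patch) from a controller image reference such as
    registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:..."""
    ref = image.split("@", 1)[0]          # drop any digest
    tag = ref.rsplit(":", 1)[-1]          # text after the last colon
    if tag == ref or "/" in tag:          # no tag at all (registry:port/image)
        raise ValueError("untagged image; resolve the digest to a release first")
    return tuple(int(p) for p in tag.lstrip("v").split("."))


def controller_affected(version: Tuple[int, ...]) -> bool:
    """All releases up to and including 1.11.4 are affected, as is 1.12.0;
    1.11.5 and 1.12.1 carry the fixes."""
    return version <= (1, 11, 4) or version == (1, 12, 0)


def audit_ingresses(ingress_list: Dict) -> List[Dict[str, str]]:
    """Report every Ingress using one of the injectable annotations. On an
    unpatched controller each use is a review item; a value containing
    directive boundaries is escalated to 'investigate'."""
    findings: List[Dict[str, str]] = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        for key, value in (meta.get("annotations") or {}).items():
            cve = INJECTION_ANNOTATIONS.get(key)
            if cve is None:
                continue
            escalate = any(ch in value for ch in DIRECTIVE_CHARS)
            findings.append({
                "ingress": f"{meta.get('namespace', 'default')}/{meta.get('name')}",
                "annotation": key,
                "cve": cve,
                "severity": "investigate" if escalate else "review",
            })
    return findings


# Constructed sample export, not from a real cluster.
SAMPLE_CONTROLLER_IMAGE = "registry.k8s.io/ingress-nginx/controller:v1.11.3"
SAMPLE_INGRESSES = {
    "items": [
        {"metadata": {"name": "shop", "namespace": "prod", "annotations": {
            "nginx.ingress.kubernetes.io/auth-url": "https://auth.prod.svc/verify"}}},
        {"metadata": {"name": "legacy", "namespace": "dev", "annotations": {
            "nginx.ingress.kubernetes.io/mirror-target": "http://mirror.dev.svc/;\nunexpected {"}}},
        {"metadata": {"name": "plain", "namespace": "dev", "annotations": {
            "kubernetes.io/ingress.class": "nginx"}}},
    ]
}


if __name__ == "__main__":
    version = parse_tag(SAMPLE_CONTROLLER_IMAGE)
    state = "AFFECTED, upgrade to 1.11.5 or 1.12.1" if controller_affected(version) else "fixed"
    print(f"controller {'.'.join(map(str, version))}: {state}")
    for f in audit_ingresses(SAMPLE_INGRESSES):
        print(f"{f['severity']:11} {f['ingress']:12} {f['annotation']} ({f['cve']})")
```

The version check is the decision that matters: until the controller is on 1.11.5 or 1.12.1, any tenant who can create an Ingress object can reach these code paths, so the annotation inventory is there to show what is already in use and where to look first, not to replace the upgrade.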

Rapid7 customers

With the latest Kubernetes Cluster Scanner (available as of Wednesday, March 26), InsightCloudSec customers can discover Kubernetes workloads that have this vulnerability in their cluster. The discovery will be shown via the insights pack with a new insight called Publicly exposed vulnerable Ingress NGINX Admission. The insight will also include remediation steps.

InsightVM and Nexpose customers can assess their exposure to CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974 on Unix-based systems with authenticated checks available in the March 26 content release.

Notable vulnerabilities in Next.js (CVE-2025-29927) and CrushFTP

25 March 2025 at 11:12

Rapid7 is warning customers of two notable (unrelated) vulnerabilities in Next.js, a React framework for building web applications, and CrushFTP, a file transfer technology that has previously been targeted by adversaries.

  • CVE-2025-29927 is a critical improper authorization vulnerability in Next.js middleware that could (theoretically) allow an attacker to bypass authorization checks in a Next.js application, if the authorization check occurs in middleware.
  • CVE-2025-2825 is an unauthenticated HTTP(S) port access vulnerability in CrushFTP file transfer software (no CVE had been assigned at the time of original publication). Rapid7 has a full technical analysis of this vulnerability here.

Neither of the above vulnerabilities is known to have been exploited in the wild as of Tuesday, March 25, 2025. CrushFTP has previously been exploited in the wild for adversary access to (and exfiltration of) sensitive data.

CrushFTP CVE-2025-2825

On Friday, March 21, 2025, file transfer software maker CrushFTP disclosed a new unauthenticated HTTP(S) port access vulnerability to customers via email:

[Image: CrushFTP customer notification email]

Note: While the email image above indicates only CrushFTP v11 is affected by the unauthenticated port access vulnerability (assigned CVE-2025-2825 on March 26), the extremely sparse vendor advisory indicates that both CrushFTP v10 and v11 are affected. According to the vendor, the issue is not exploitable if customers have the DMZ function of CrushFTP in place.

Mitigation guidance: File transfer technologies are high-value targets for ransomware and other adversaries looking to quickly gain access to and exfiltrate sensitive data. Per the email sent to CrushFTP customers on Friday, March 21, the vulnerability is fixed in CrushFTP v11.3.1 (and later). Customers should update immediately, without waiting for a regular patch cycle to occur.

Rapid7 technical analysis key takeaways:

  • CVE-2025-2825 is easy to exploit if the vulnerable web service is accessible. It requires two web requests, and many API endpoints can be targeted.
  • Exploitation requires knowledge of at least one valid username. However, the default "crushadmin" administrator user can be used, in most instances.
  • It's typically possible to establish privileged remote code execution once an attacker has access to an administrator CrushFTP account.
  • There is little potential for strong signal IOCs in the default configuration, as the exploit does not write unexpected errors to log files.
  • For the full analysis, see our research team's AttackerKB entry.

Next.js CVE-2025-29927

CVE-2025-29927 stems from logic associated with how middleware is handled by the application: specifically, an attacker can provide a header in any request to bypass application middleware. Application middleware can perform any number of tasks, and it can stack so that multiple layers of middleware can be configured, with each able to modify the request/response passed to it. Common use cases of middleware include authentication/authorization, CSP validation, URL rewriting/redirection, etc.

As the vulnerability affects an application framework, and the application middleware configuration can vary greatly, so too does the potential impact of exploiting the vulnerability. Based on Rapid7’s analysis, there is no ‘one-size-fits-all’ determination of risk/impact for CVE-2025-29927 (which is a common scenario for framework and library vulns). The most severe potential impact likely comes in the form of authentication bypass, but would still be highly application-dependent; the impact of bypassing authentication for a hobbyist “To do list” application is very different from theoretically bypassing authentication in an enterprise application utilising Next.js.

Organizations should consider whether their applications are relying solely on the middleware for authentication. It may be that the application uses middleware, but is just acting as a front end to back-end APIs that are dealing with server-side authentication logic. Bypassing the front-end Next.js middleware would not affect the back end's ability to authenticate users.

As an example of how a more measured view can change the outlook, a Red Hat advisory for CVE-2025-29927 originally listed two products as affected: Red Hat Trusted Artifact Signer and Streams for Apache Kafka 2. Now these have been removed and classified as “Not affected,” presumably following further review. The advisory was updated with the following: “Red Hat Trusted Artifact Signer and Streams for Apache Kafka 2 are not affected by this vulnerability as they do not use Next.js for any authorization functionality.”

Mitigation guidance: Per the Next.js advisory, CVE-2025-29927 affects the following versions of Next.js:

  • >= 13.0.0, < 13.5.9 (fixed in 13.5.9)
  • >= 14.0.0, < 14.2.25 (fixed in 14.2.25)
  • >= 15.0.0, < 15.2.3 (fixed in 15.2.3)
  • >= 11.1.4, < 12.3.5 (fixed in 12.3.5)

Rapid7 customers

InsightVM and Nexpose customers who run CrushFTP on Linux can assess their exposure to the no-CVE unauthenticated HTTP(S) port access issue with a vulnerability check available in the Friday, March 21 content release.

InsightVM and Nexpose customers can assess their exposure to Next.js CVE-2025-29927 with a vulnerability check available in the March 25 content release.
