Exposures, Exposed! Weekly Round-up 
February 23 – March 2


Enter the realm of 'Exposures, Exposed!' - your weekly guide to expert insights into the constantly evolving landscape of cyber vulnerabilities. Our team dives deep into the cybersecurity abyss, curating the most recent and most relevant exposure incidents for you each week.

Here's what we’ve got for you this week:

Report Finds Widespread Open-Source Vulnerabilities in Codebases

A 2024 analysis of 965 commercial codebases across 16 industries found that 86% contained open-source vulnerabilities, with 81% classified as high or critical risks. The analysis also found that 90% of audited codebases included open-source components more than four years old.

The number of open-source files in an average application tripled in the last four years, reaching over 16,000 in 2024. jQuery accounted for eight of the top ten high-risk vulnerabilities, appearing in 43% of scanned applications. The analysis also found 56% of codebases contained licensing conflicts, often caused by transitive dependencies.

The Takeaway: Organizations should implement continuous scanning to identify vulnerabilities and licensing conflicts before deployment. Learn more here.
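To make the takeaway concrete, here is an added example (not code from the report or from XM Cyber) of the kind of pre-deployment gate a continuous-scanning pipeline runs over an SBOM: it flags components older than the four-year threshold quoted above, any high or critical finding, and license conflicts introduced by transitive dependencies. The component list, the vulnerability IDs (EXAMPLE-000x), and the license policy are constructed for illustration and are not from the page.

```python
"""Stale-component, severity and license audit over an SBOM-style
component list. Sample data below is constructed, not a real codebase."""
from dataclasses import dataclass, field
from datetime import date

STALE_AFTER_YEARS = 4                 # threshold cited in the report summary
BLOCKING_SEVERITIES = {"HIGH", "CRITICAL"}
# Hypothetical policy: copyleft licenses a proprietary product must not
# pull in, directly or transitively. Replace with your own legal guidance.
INCOMPATIBLE_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}


@dataclass
class Component:
    name: str
    version: str
    released: date
    license: str
    direct: bool                                  # False => transitive dependency
    vulns: list = field(default_factory=list)     # (finding_id, severity) pairs

    @property
    def ref(self) -> str:
        return f"{self.name}@{self.version}"


def years_between(start: date, end: date) -> float:
    return (end - start).days / 365.25


def audit(components, as_of: date) -> dict:
    """Return the three finding classes the report highlights."""
    findings = {"stale": [], "vulnerable": [], "license_conflicts": []}
    for c in components:
        # Age check: components unmaintained for years rarely get fixes.
        if years_between(c.released, as_of) > STALE_AFTER_YEARS:
            findings["stale"].append(c.ref)
        # Severity check: anything high/critical blocks the release.
        for finding_id, severity in c.vulns:
            if severity.upper() in BLOCKING_SEVERITIES:
                findings["vulnerable"].append((c.ref, finding_id, severity.upper()))
        # License check: record whether the conflict arrived transitively,
        # since that is the case the report says is most often missed.
        if c.license in INCOMPATIBLE_LICENSES:
            origin = "direct" if c.direct else "transitive"
            findings["license_conflicts"].append((c.ref, c.license, origin))
    return findings


def gate(findings: dict) -> bool:
    """Deployment gate: True only when nothing blocking was found.
    Stale components are reported but do not block on their own."""
    return not (findings["vulnerable"] or findings["license_conflicts"])


# Constructed sample SBOM. jQuery 1.12.4 really dates from May 2016; the
# vulnerability IDs and the other two packages are placeholders.
SAMPLE = [
    Component("jquery", "1.12.4", date(2016, 5, 20), "MIT", True,
              [("EXAMPLE-0001", "High")]),
    Component("example-utils", "2.0.0", date(2024, 1, 15), "Apache-2.0", True),
    Component("example-transitive-lib", "0.9.1", date(2021, 6, 1),
              "AGPL-3.0-only", False, [("EXAMPLE-0002", "Medium")]),
]
AS_OF = date(2025, 3, 1)


def run_sample() -> dict:
    return audit(SAMPLE, AS_OF)


if __name__ == "__main__":
    result = run_sample()
    for kind, items in result.items():
        print(f"{kind}: {items}")
    print("deploy allowed:", gate(result))
```

Wiring this into CI means feeding it the SBOM your build already produces and failing the job when `gate()` returns False; the stale list is best surfaced as a warning so it drives upgrade planning without blocking every build.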


Palo Alto Networks Warns of Exploited Firewall Vulnerabilities

Palo Alto Networks reported active exploitation of an attack chain involving CVE-2025-0111, CVE-2025-0108, and CVE-2024-9474 in its PAN-OS firewall management interfaces. The company rated CVE-2025-0111 at its highest urgency level and urged customers to disable internet access to the PAN-OS web management interface.

Attackers have used CVE-2025-0108, a zero-day, in combination with CVE-2024-9474 and CVE-2025-0111 to gain unauthorized access. Palo Alto Networks confirmed limited exploitation and continues to monitor affected systems.

CISA added CVE-2025-0111 to its Known Exploited Vulnerabilities list, requiring federal agencies to implement mitigations by March 13. Palo Alto Networks credited security researchers Émilio Gonzalez and Maxime Gaudreault for reporting CVE-2025-0111.

The Takeaway: Customers must apply patches for CVE-2025-0108 and CVE-2025-0111 immediately to prevent security risks. Learn more here.


Microsoft Releases Security Updates for 67 Vulnerabilities

Microsoft has issued security updates addressing 67 vulnerabilities in its February 2025 Patch Tuesday release. Among these are four zero-day flaws and three critical vulnerabilities affecting various Windows components and Microsoft Surface devices.

The most common exploitation method this month is remote code execution, accounting for 42% of vulnerabilities, followed by elevation of privilege at 32%. Microsoft Windows received 37 patches, with Extended Security Update (ESU) at 23 and Mariner (Azure Linux distribution) at 12.

One actively exploited zero-day, CVE-2025-21418, affects the Windows Ancillary Function Driver and allows escalation to SYSTEM privileges. Another, CVE-2025-21391, impacts Windows Storage and enables file deletion.

Critical vulnerabilities include CVE-2025-21376 in LDAP, CVE-2025-21381 in Microsoft Excel, and CVE-2025-21379 in the DHCP Client Service.

The Takeaway: Organizations should prioritize patching critical vulnerabilities and zero-days to mitigate security risks. Learn more here.


Attackers Exploit Cisco Vulnerabilities in Salt Typhoon Campaign

Researchers detected exploitation of two Cisco vulnerabilities, CVE-2018-0171 and CVE-2023-20198, in recent attacks. Cisco Talos confirmed the China-backed Salt Typhoon threat group used CVE-2018-0171, a flaw in the Smart Install feature of Cisco IOS and IOS XE, between December 2024 and January 2025.

Recorded Future’s Insikt Group reported Salt Typhoon targeted telecom providers using CVE-2023-20198 and CVE-2023-20273 to gain initial access. Researchers identified 110 malicious IPs, primarily from Bulgaria, Brazil, and Singapore, exploiting CVE-2023-20198. The company did not attribute these attacks to Salt Typhoon but noted an overlap in threat activity.

The Takeaway: Organizations should patch affected Cisco devices immediately to mitigate security risks. Learn more here.


Researchers Identify Security Risks in Windows CE Systems

Researchers have identified security risks in the Windows CE operating system, which is widely used in industrial and embedded systems, including HMI panels, vending machines, and vehicle infotainment systems. Their analysis uncovered multiple attack vectors that could allow unauthorized access or remote code execution.

In the first of a four-part series, the researchers examined Windows CE’s role in ICS and SCADA environments, highlighting vulnerabilities in its native development frameworks. Researchers detailed how attackers could manipulate application behavior and demonstrated techniques for developing applications within Windows CE using Visual Studio 2005.

Windows CE remains common in industrial settings due to its flexibility and ease of configuration. The analysts emphasized that its security flaws present challenges for organizations relying on the operating system in critical infrastructure.

The Takeaway: Organizations using Windows CE should evaluate their security posture and consider mitigation strategies. Learn more here.


CISA Adds Oracle Agile PLM Flaw to KEV Catalog

CISA has added CVE-2024-20953, a high-severity deserialization vulnerability in Oracle Agile Product Lifecycle Management (PLM) software, to its Known Exploited Vulnerabilities catalog. Oracle patched the flaw in January 2024. The vulnerability allows a low-privileged attacker to execute arbitrary code through the ExportServlet component.

Trend Micro’s Zero Day Initiative reported the flaw to Oracle and described it as a validation issue that enables the deserialization of untrusted data. While no public reports detail active exploitation, the vulnerability likely facilitates follow-up attacks after initial system access.

In November 2024, Oracle also flagged CVE-2024-21287 as exploited. Unlike CVE-2024-20953, it requires no authentication and exposes critical data. CISA has directed federal agencies to patch CVE-2024-20953 by March 17.

The Takeaway: Organizations using Oracle Agile PLM should apply patches immediately to prevent exploitation. Learn more here.


Researchers Release Exploit for Ivanti Endpoint Manager Flaws

Researchers have released a proof-of-concept exploit for four critical vulnerabilities in Ivanti Endpoint Manager. The flaws, CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159, allow remote attackers to exploit machine account credentials and potentially compromise the Endpoint Manager server.

These path traversal vulnerabilities, disclosed to Ivanti in October 2024, could expose sensitive data. Ivanti released fixes in January 2025 and advised customers to apply patches immediately. Although no active exploitation has been reported, the release of the exploit increases the risk.

Ivanti Endpoint Manager has been targeted in past attacks. Organizations must upgrade to EPM 2024 January-2025 Security Update or EPM 2022 SU6 January-2025 Security Update to ensure protection.

The Takeaway: Organizations using Ivanti Endpoint Manager must apply the latest security updates immediately. Learn more here.

That’s all for this week – have any exposures to add to our list? Let us know!


