
Flashpoint Weekly Vulnerability Insights and Prioritization Report

Anticipate, contextualize, and prioritize vulnerabilities to effectively address threats to your organization.

March 13, 2025

The use of vulnerabilities as an initial access vector in threat actor campaigns is up by 180%, which makes it more imperative than ever to build an effective prioritization plan. In this ongoing series, we dive into the vulnerabilities Flashpoint has identified as high priority, explain why they deserve attention, and provide analysis to help organizations make faster prioritization decisions for more effective remediation.

With new vulnerability exploits and zero-days being discovered every day, having a proactive vulnerability management strategy is critical. By using this weekly report, security teams can adopt an intelligence-led approach for patch management—allowing organizations to implement timely remediation through comprehensive vulnerability intelligence.

Key Vulnerabilities: Week of March 10, 2025

Foundational Prioritization

Of the vulnerabilities Flashpoint published this week, there are 106 that you can take immediate action on. They each have a solution, a public exploit exists, and are remotely exploitable. As such, these vulnerabilities are a great place to begin your prioritization efforts.

Image 1: Number of vulnerabilities published last week that have a publicly available exploit, are remotely exploitable and have a solution available. (Source: Flashpoint)

Diving Deeper – Urgent Vulnerabilities

Of the vulnerabilities Flashpoint published last week, four are highlighted in this week’s Vulnerability Insights and Prioritization Report because they all:

  • Are in widely used products and are potentially enterprise-affecting
  • Are exploited in the wild or have exploits available
  • Allow full system compromise
  • Can be exploited via the network alone or in combination with other vulnerabilities
  • Have a solution to take action on

In addition, all of these vulnerabilities are easily discoverable and therefore should be investigated and fixed immediately.
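The two filters described above (the "foundational" set and the stricter "urgent" set) and a ranking order can be expressed as a small triage routine. The code below is an added example, not Flashpoint's own tooling or scoring logic; the ordering of exploit-status values, the treatment of "Unspecified Impact" as in-scope for full compromise, and the `remote` and `widely_used` flags on the four records from this week's table are assumptions made for the example, and the two `EXAMPLE-*` records are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List

# Ordering assumed by this example for the report's exploit-status values
# (higher number = stronger exploitation evidence). "None" is a constructed placeholder.
EXPLOIT_RANK = {"Exploited in the Wild": 3, "Public": 2, "Private": 1, "None": 0}
LIKELIHOOD_RANK = {"High": 2, "Medium": 1, "Low": 0}

# Consequences this example treats as "full system compromise". "Unspecified Impact"
# is kept in scope because compromise cannot be ruled out from the record alone.
FULL_COMPROMISE = {"Arbitrary Code Execution", "Remote Code Injection",
                   "Gained Privilege Access", "Unspecified Impact"}


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str
    product: str
    cvss_v4: float
    exploit_status: str
    consequence: str
    remote: bool              # exploitable over the network, alone or chained
    solution_available: bool
    ransomware_likelihood: str
    widely_used: bool         # enterprise-relevant product (analyst judgement)


def is_foundational(r: VulnRecord) -> bool:
    """Foundational triage: a solution exists, a public exploit exists,
    and the flaw is remotely exploitable."""
    return (r.solution_available and r.remote
            and EXPLOIT_RANK[r.exploit_status] >= EXPLOIT_RANK["Public"])


def is_urgent(r: VulnRecord) -> bool:
    """Urgent triage: widely used product, exploited in the wild or an exploit
    available (a private exploit counts), full compromise, network reachable,
    and a solution to act on."""
    return (r.widely_used and r.remote and r.solution_available
            and EXPLOIT_RANK[r.exploit_status] >= EXPLOIT_RANK["Private"]
            and r.consequence in FULL_COMPROMISE)


def prioritized_ids(records: List[VulnRecord],
                    predicate: Callable[[VulnRecord], bool]) -> List[str]:
    """Filter with `predicate`, then order by exploitation evidence first,
    ransomware likelihood second, and CVSS v4 as the tie-breaker."""
    selected = [r for r in records if predicate(r)]
    selected.sort(key=lambda r: (-EXPLOIT_RANK[r.exploit_status],
                                 -LIKELIHOOD_RANK[r.ransomware_likelihood],
                                 -r.cvss_v4))
    return [r.vuln_id for r in selected]


# The four records from this week's table (scores as of March 10, 2025) plus two
# constructed records (EXAMPLE-*) that exercise the filters' edge cases.
RECORDS = [
    VulnRecord("CVE-2024-56196", "Apache Traffic Server", 9.2, "Private",
               "Unspecified Impact", True, True, "High", True),
    VulnRecord("CVE-2025-27554", "ToDesktop", 10.0, "Private",
               "Remote Code Injection", True, True, "High", True),
    VulnRecord("CVE-2025-22224", "VMware ESXi / Workstation", 9.3, "Exploited in the Wild",
               "Arbitrary Code Execution", True, True, "High", True),
    VulnRecord("CVE-2025-1393", "Weidmueller PROCON-WIN", 9.3, "Private",
               "Gained Privilege Access", True, True, "High", True),
    # constructed: public exploit, but only a DoS in a niche product -> foundational, not urgent
    VulnRecord("EXAMPLE-0001", "constructed niche product", 7.5, "Public",
               "Denial of Service", True, True, "Low", False),
    # constructed: severe and public, but no fix yet -> on neither list (track, cannot remediate)
    VulnRecord("EXAMPLE-0002", "constructed enterprise product", 9.8, "Public",
               "Arbitrary Code Execution", True, False, "High", True),
]

if __name__ == "__main__":
    print("Foundational:", prioritized_ids(RECORDS, is_foundational))
    print("Urgent:      ", prioritized_ids(RECORDS, is_urgent))
```

Running it lists CVE-2025-22224 first in both sets because in-the-wild exploitation outranks every other signal; the three "Private" exploit records qualify as urgent but not as foundational, and the constructed record without a solution is excluded from both lists since there is nothing to act on yet.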

To proactively address these vulnerabilities and ensure comprehensive coverage beyond publicly available sources on an ongoing basis, organizations can leverage Flashpoint Vulnerability Intelligence. Flashpoint provides comprehensive coverage encompassing IT, OT, IoT, COTS, and open-source libraries and dependencies. It catalogs over 100,000 vulnerabilities that are not included in the NVD or lack a CVE ID. Vulnerabilities not covered by the NVD do not yet have a CVE ID assigned and are noted with a VulnDB ID instead.

| CVE ID | Title | CVSS Scores (v2, v3, v4) | Exploit Status | Exploit Consequence | Ransomware Likelihood Score | Social Risk Score | Solution Availability |
|---|---|---|---|---|---|---|---|
| CVE-2024-56196 | Apache Traffic Server proxy/http/remap/UrlRewrite.cc Older Version Incompatible ACLs Unspecified Remote Issue | 10.0, 9.8, 9.2 | Private | Unspecified Impact | High | Low | Yes |
| CVE-2025-27554 | ToDesktop Deployment Handling Firebase Admin Key Disclosure | 10.0, 10.0, 10.0 | Private | Remote Code Injection | High | Low | Yes |
| CVE-2025-22224 | VMware ESXi / Workstation VMCI Unspecified Time-of-Check Time-of-Use (TOCTOU) Race Condition Guest-to-Host Heap Buffer Overflow | 7.4, 8.8, 9.3 | Exploited in the Wild | Arbitrary Code Execution | High | Low | Yes |
| CVE-2025-1393 | Weidmueller PROCON-WIN Unspecified Hard-Coded Credentials | 10.0, 9.8, 9.3 | Private | Gained Privilege Access | High | Low | Yes |

Scores as of: March 10, 2025


NOTES: The severity of a given vulnerability score can change whenever new information becomes available. Flashpoint maintains its vulnerability database with the most recent and relevant information available. Log in to view more vulnerability metadata and the most up-to-date information.

CVSS scores: Our analysts calculate, and if needed adjust, NVD’s original CVSS scores based on newly available information.

Social Risk Score: Flashpoint estimates how much attention a vulnerability receives on social media. Increased mentions and discussions elevate the Social Risk Score, indicating a higher likelihood of exploitation. The score considers factors like post volume and authors, and decreases as the vulnerability’s relevance diminishes.

Ransomware Likelihood: This score is a rating that estimates the similarity between a vulnerability and those known to be used in ransomware attacks. As we learn more information about a vulnerability (e.g. exploitation method, technology affected) and uncover additional vulnerabilities used in ransomware attacks, this rating can change.

Flashpoint Ignite lays all of these components out. Below is an example of what this vulnerability record for Apache Traffic Server looks like.



This record provides additional metadata like affected product versions, MITRE ATT&CK mapping, analyst notes, solution description, classifications, vulnerability timeline and exposure metrics, exploit references and more.

Analyst Comments on the Notable Vulnerabilities

Below, Flashpoint analysts describe the four vulnerabilities highlighted above as vulnerabilities that should be of focus for remediation if your organization is exposed.

CVE-2024-56196

CVE-2024-56196 describes a flaw in Apache Traffic Server. The flaw resides in proxy/http/remap/UrlRewrite.cc and is triggered when the access control list (ACL) is not fully compatible with legacy versions. This may allow a remote attacker to have an unspecified impact. The core problem lies in inconsistencies when ACL configurations from older Apache Traffic Server versions are used in newer versions. This can lead to access controls not being enforced as intended, creating potential security gaps.

Essentially, the vulnerability means that if a system is upgraded without proper attention to the ACL configurations, there is a risk that previously blocked IP ranges might become accessible or legitimate traffic might be inadvertently blocked. This discrepancy in ACL handling between versions poses a risk of unauthorized access or disruptions to network traffic. To mitigate this, Apache has released updates and recommends that users update to version 10.0.4 to fix the issue.

CVE-2025-27554

CVE-2025-27554 relates to ToDesktop’s deployment handling, which may allow a remote attacker to disclose a hard-coded Firebase admin key from the config.prod.json file on the build server and subsequently deploy updates to any application handled in the database, injecting and executing arbitrary code in client applications. The vendor has released a patch to address this vulnerability. There are no known workarounds or upgrades to correct this issue. Please note that this issue is not a vulnerability in the ToDesktop application but in the build server and deployment architecture that allows access to the vendor’s Firebase database. It is reported to affect multiple applications, such as ClickUp, Cursor, Linear, and Notion Calendar.

CVE-2025-22224

CVE-2025-22224 is a vulnerability found in VMware. VMware ESXi and Workstation contain an unspecified overflow condition related to the VMCI (VMware Virtual Machine Communication Interface) component triggered by a time-of-check time-of-use (TOCTOU) race condition. This may allow an attacker on a virtual machine to cause a heap-based buffer overflow, resulting in a denial of service or allowing the execution of arbitrary code as the virtual machine’s VMX process running on the host. This vulnerability may only be exploited by an attacker with at least admin privileges on a virtual machine. As of March 4, 2025, this has been reported as being exploited in the wild. Please refer to the product listing for upgraded versions that address this vulnerability.

CVE-2025-1393

CVE-2025-1393 describes the use of unspecified hard-coded credentials in Weidmueller PROCON-WIN. This allows a remote attacker to trivially gain privileged access to the application. This type of vulnerability is particularly dangerous because it removes the need for complex hacking techniques: an attacker simply needs to know the default credentials, which are often publicly available or easily discoverable. Please refer to the product listing for upgraded versions that address this vulnerability.

Previously Highlighted Vulnerabilities

| CVE/VulnDB ID | Name/Title | Flashpoint Published Date |
|---|---|---|
| CVE-2025-21218 | Microsoft Windows Kerberos Unspecified Application Handling Resource Consumption Remote DoS | Week of January 15, 2025 |
| CVE-2024-57811 | Eaton XC-303 Hardcoded Credentials | Week of January 15, 2025 |
| CVE-2024-55591 | Fortinet FortiOS (FortiGate) / FortiProxy Node.js WebSocket Module Improper Authentication Remote Authentication Bypass | Week of January 15, 2025 |
| CVE-2025-23006 | SonicWall SMA1000 Unspecified Insecure Deserialization | Week of January 22, 2025 |
| CVE-2025-20156 | Cisco Meeting Management (CMM) Unspecified REST API Endpoint Improper Authorization API Request Handling | Week of January 22, 2025 |
| CVE-2024-50664 | GPAC isomedia/sample_descs.c gf_isom_new_mpha_description() Function MPEGH Audio Configuration Handling Heap Buffer Overflow | Week of January 22, 2025 |
| CVE-2025-24085 | Apple Multiple Products CoreMedia Unspecified Use-After-Free | Week of January 29, 2025 |
| CVE-2024-40890 | Zyxel Multiple Products HTTP Unspecified Remote Command Execution | Week of January 29, 2025 |
| CVE-2024-40891 | Zyxel Multiple Products Telnet Unspecified Remote Command Execution | Week of January 29, 2025 |
| VulnDB ID: 389414 | uniapi Package for Python __init__.py Malicious Code Remote Code Execution | Week of January 29, 2025 |
| CVE-2025-25181 | Advantive VeraCore v5fmsnet/common/timeoutWarning.asp PmSess1 Parameter SQL Injection | Week of February 5, 2025 |
| CVE-2024-40890 | WhoDB /db.go DB_FILE Parameter Path Traversal Remote File Manipulation | Week of February 5, 2025 |
| CVE-2024-40891 | deep-diver LLM-As-Chatbot global_vars.py load_model() Function File Upload | Week of February 5, 2025 |
| CVE-2024-8266 | GitLab Improper Privilege Handling Remote Cross-user Pipeline Triggering | Week of February 12, 2025 |
| CVE-2025-0108 | Palo Alto PAN-OS Management Web Interface Improper URL Normalization | Week of February 12, 2025 |
| CVE-2025-24472 | Fortinet FortiOS (FortiGate) / FortiProxy CSF Proxy Request Handling | Week of February 12, 2025 |
| CVE-2025-21355 | Microsoft Bing Unspecified Missing Authentication Remote Code Execution | Week of February 24, 2025 |
| CVE-2025-26613 | WeGIA gerenciar_backup.php file Parameter Remote OS Command Injection | Week of February 24, 2025 |
| CVE-2024-13789 | Ravpage Plugin for WordPress ravpage.php paramsv2 Parameter Insecure Deserialization PHP Object Injection Remote Code Execution | Week of February 24, 2025 |
| CVE-2025-1539 | D-Link DAP-1320 /storagein.pd-XXXXXX replace_special_char() Function URI Remote | Week of February 24, 2025 |
| CVE-2025-27364 | MITRE Caldera Manx / Sandcat Plugins HTTP Header Linker Argument Injection | Week of March 3, 2025 |
| CVE-2025-27140 | WeGIA /html/configuracao/importar_dump.php filename Parameter Remote OS Command Injection | Week of March 3, 2025 |
| CVE-2025-27135 | RAGFlow ExeSQL Class Unspecified SQL Injection | Week of March 3, 2025 |
| CVE-2024-8420 | DHVC Form Plugin for WordPress Registration Role Field Manipulation | Week of March 3, 2025 |

Transform Vulnerability Management with Flashpoint

Fill out the form to the left to subscribe to our newsletter, which features Flashpoint’s leading data and intelligence. Request a demo today to see how Flashpoint can transform your vulnerability management and exposure identification program.
