Emergent Threats

Ivanti Endpoint Manager Mobile exploit chain exploited in the wild

On May 13, 2025, Ivanti disclosed an exploited in the wild exploit chain, comprising of two new vulnerabilities affecting Ivanti Endpoint Manager Mobile: CVE-2025-4427 and CVE-2025-4428.

Read Now 2m

CVE-2025-32756 Exploited in the Wild, Affecting Multiple Fortinet Products

On May 13, 2025, Fortinet disclosed CVE-2025-32756, an unauthenticated stack-based buffer overflow affecting multiple FortiNet products; including FortiVoice, FortiRecorder, FortiNDR, FortiMail, and FortiCamera.

Read Now 2m

Active exploitation of SAP NetWeaver Visual Composer CVE-2025-31324

A critical SAP NetWeaver zero-day vulnerability (CVE-2025-31324) that allows for full SAP server compromise is being actively exploited in the wild.

Read Now 3m

Ivanti Connect Secure CVE-2025-22457 exploited in the wild

On April 3, 2025, Ivanti disclosed CVE-2025-22457, a critical a stack-based buffer overflow vulnerability that allows for remote code execution on affected devices.

Read Now 2m

Multiple vulnerabilities in Ingress NGINX Controller for Kubernetes

On March 24, 2025, Kubernetes disclosed 5 new vulnerabilities affecting the Ingress NGINX Controller for Kubernetes. Successful exploitation could allow attackers access to all secrets stored across all namespaces in the Kubernetes cluster, which could result in cluster takeover.

Read Now 3m

Notable vulnerabilities in Next.js (CVE-2025-29927) and CrushFTP

Rapid7 is warning customers of two notable vulnerabilities affecting Next.js (CVE-2025-29927) and file transfer software CrushFTP (no CVE).

Read Now 4m

Critical Veeam Backup & Replication CVE-2025-23120

Update Friday, March 28, 2025: Security researchers at CODE WHITE GmbH have noted on social media that it is possible to bypass the patch [https://infosec.exchange/@codewhitesec/114241026482611250] for CVE-2025-23120. Rapid7 has not directly confirmed the patch bypass, but we are relatively confident in the validity of the finding. Customers should ensure Veeam Backup & Replication is not internet-facing as an urgent priority. On Wednesday, March 19, 2025, backup and recovery software provider

Read Now 2m

Apache Tomcat CVE-2025-24813: What You Need to Know

Here at Rapid7, our usual bar for calling a vulnerability an emergent threat is either known exploitation at scale, or likelihood of exploitation at scale. Apache Tomcat CVE-2025-24813 [https://attackerkb.com/topics/4GajxQH17l/cve-2025-24813] fulfills neither of these criteria, despite a variety of news headlines alleging broad exploitation in the wild. Tomcat is widely deployed and has seen a number of severe vulnerabilities over the years that have had specific configuration dependencies for s

Read Now 3m

Multiple Zero-Day Vulnerabilities in Broadcom VMware ESXi and Other Products

On Tuesday, March 4, 2025, Broadcom published a critical security advisory (VMSA-2025-0004) on 3 new zero-day vulnerabilities affecting multiple VMware products, including ESXi, Workstation, and Fusion.

Read Now 2m

Fortinet Firewalls Hit with New Zero-Day Attack, Older Data Leak

Rapid7 is responding to two separate events affecting Fortinet firewall customers: Zero-day exploitation of CVE-2024-55591 in FortiOS, and a large-scale data leak of older FortiGate firewall IPs, passwords, and configs.

Read Now 4m

CVE-2025-0282: Ivanti Connect Secure Zero-Day Exploited in the Wild

Two stack-based buffer overflow issues were disclosed in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA. CVE-2025-0282, the more severe of the two issues, has been exploited in the wild against Ivanti Connect Secure devices.

Read Now 2m

Modular Java Backdoor Dropped in Cleo Exploitation Campaign

While investigating incidents related to Cleo software exploitation, Rapid7 Labs and MDR team discovered a novel, multi-stage attack that deploys an encoded Java Archive (JAR) payload.

Read Now 10m

Widespread Exploitation of Cleo File Transfer Software (CVE-2024-55956)

On Monday, December 9, multiple security firms began privately circulating reports of in-the-wild exploitation targeting Cleo file transfer software. Late the evening of December 9, security firm Huntress published a blog [https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild] on active exploitation of three different Cleo products (docs [https://cleo-infoeng.s3.us-east-2.amazonaws.com/PDF/Harmony/5.8/Harmony_58_UserGuide_053123.pdf] ): *

Read Now 6m

Zero-Day Exploitation Targeting Palo Alto Networks Firewall Management Interfaces

Palo Alto Networks has indicated they are observing threat activity exploiting a zero-day unauthenticated remote command execution vulnerability in their firewall management interfaces.

Read Now 3m

Fortinet FortiManager CVE-2024-47575 Exploited in Zero-Day Attacks

On Wednesday, October 23, 2024, security company Fortinet published an advisory on CVE-2024-47575, a critical zero-day vulnerability affecting their FortiManager network management solution.

Read Now 3m