Emergent Threat Response – Noise

React2Shell (CVE-2025-55182) – Critical unauthenticated RCE affecting React Server Components

Rapid7 — Thu, 04 Dec 2025 16:05:50 +0000

OverviewOn December 3, 2025, Meta disclosed a new vulnerability, CVE-2025-55182, which has since been dubbed React2Shell. A second CVE identifier, CVE-2025-66478, was assigned and published to track the vulnerability in the context of Next.js. However ...

CVE-2025-64446: Critical Vulnerability in Fortinet FortiWeb Exploited in the Wild

Rapid7 — Thu, 13 Nov 2025 21:36:27 +0000

OverviewOn October 6, 2025, the cyber deception company Defused published a proof-of-concept exploit on social media that was captured by one of their Fortinet FortiWeb Manager honeypots. FortiWeb is a Web Application Firewall (WAF) product that is des...

Ivanti Endpoint Manager Mobile exploit chain exploited in the wild

Ryan Emmons — Fri, 16 May 2025 11:00:20 +0000

On May 13, 2025, Ivanti disclosed an exploited in the wild exploit chain, comprising of two new vulnerabilities affecting Ivanti Endpoint Manager Mobile: CVE-2025-4427 and CVE-2025-4428.

CVE-2025-32756 Exploited in the Wild, Affecting Multiple Fortinet Products

Stephen Fewer — Wed, 14 May 2025 14:59:20 +0000

On May 13, 2025, Fortinet disclosed CVE-2025-32756, an unauthenticated stack-based buffer overflow affecting multiple FortiNet products; including FortiVoice, FortiRecorder, FortiNDR, FortiMail, and FortiCamera.

Active exploitation of SAP NetWeaver Visual Composer CVE-2025-31324

Caitlin Condon — Mon, 28 Apr 2025 11:57:12 +0000

A critical SAP NetWeaver zero-day vulnerability (CVE-2025-31324) that allows for full SAP server compromise is being actively exploited in the wild.

Ivanti Connect Secure CVE-2025-22457 exploited in the wild

Ryan Emmons — Thu, 03 Apr 2025 18:50:02 +0000

On April 3, 2025, Ivanti disclosed CVE-2025-22457, a critical a stack-based buffer overflow vulnerability that allows for remote code execution on affected devices.

Multiple vulnerabilities in Ingress NGINX Controller for Kubernetes

Stephen Fewer — Tue, 25 Mar 2025 16:10:50 +0000

On March 24, 2025, Kubernetes disclosed 5 new vulnerabilities affecting the Ingress NGINX Controller for Kubernetes. Successful exploitation could allow attackers access to all secrets stored across all namespaces in the Kubernetes cluster, which could result in cluster takeover.

Notable vulnerabilities in Next.js (CVE-2025-29927) and CrushFTP

Calum Hutton — Tue, 25 Mar 2025 15:12:56 +0000

Rapid7 is warning customers of two notable vulnerabilities affecting Next.js (CVE-2025-29927) and file transfer software CrushFTP (no CVE).

Critical Veeam Backup & Replication CVE-2025-23120

Rapid7 — Wed, 19 Mar 2025 19:51:26 +0000

On Wednesday, March 19, 2025, backup and recovery software provider Veeam published a security advisory for a critical remote code execution vulnerability tracked as CVE-2025-23120. The vulnerability affects Backup & Replication systems that are domain joined. Veeam explicitly mentions that domain-joined backup servers are against security and compliance best practices,

Apache Tomcat CVE-2025-24813: What You Need to Know

Caitlin Condon — Wed, 19 Mar 2025 17:40:52 +0000

Here at Rapid7, our usual bar for calling a vulnerability an emergent threat is either known exploitation at scale, or likelihood of exploitation at scale. Apache Tomcat CVE-2025-24813 fulfills neither of these criteria, despite a variety of news headlines alleging broad exploitation in the wild. Tomcat is widely deployed and

Multiple zero-day vulnerabilities in Broadcom VMware ESXi and other products

Stephen Fewer — Tue, 04 Mar 2025 17:00:13 +0000

On Tuesday, March 4, 2025, Broadcom published a critical security advisory (VMSA-2025-0004) on 3 new zero-day vulnerabilities affecting multiple VMware products, including ESXi, Workstation, and Fusion.

Fortinet firewalls hit with new zero-day attack, older data leak

Caitlin Condon — Thu, 16 Jan 2025 15:57:23 +0000

Rapid7 is responding to two separate events affecting Fortinet firewall customers: Zero-day exploitation of CVE-2024-55591 in FortiOS, and a large-scale data leak of older FortiGate firewall IPs, passwords, and configs.

CVE-2025-0282: Ivanti Connect Secure zero-day exploited in the wild

Caitlin Condon — Wed, 08 Jan 2025 18:13:13 +0000

Two stack-based buffer overflow issues were disclosed in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA. CVE-2025-0282, the more severe of the two issues, has been exploited in the wild against Ivanti Connect Secure devices.

Modular Java Backdoor Dropped in Cleo Exploitation Campaign

Christiaan Beek — Wed, 11 Dec 2024 18:44:06 +0000

While investigating incidents related to Cleo software exploitation, Rapid7 Labs and MDR team discovered a novel, multi-stage attack that deploys an encoded Java Archive (JAR) payload.

Widespread exploitation of Cleo file transfer software (CVE-2024-50623)

Rapid7 — Tue, 10 Dec 2024 14:04:17 +0000

On Monday, December 9, multiple security firms began privately circulating reports of in-the-wild exploitation targeting Cleo file transfer software. Late the evening of December 9, security firm Huntress published a blog on active exploitation of three different Cleo products (docs):

Cleo VLTrader, a server-side solution for “mid-enterprise organizations”
Cleo Harmony,

Zero-day exploitation targeting Palo Alto Networks firewall management interfaces

Caitlin Condon — Fri, 15 Nov 2024 12:44:09 +0000

Palo Alto Networks has indicated they are observing threat activity exploiting a zero-day unauthenticated remote command execution vulnerability in their firewall management interfaces.

Fortinet FortiManager CVE-2024-47575 Exploited in Zero-Day Attacks

Caitlin Condon — Wed, 23 Oct 2024 16:21:47 +0000

On Wednesday, October 23, 2024, security company Fortinet published an advisory on CVE-2024-47575, a critical zero-day vulnerability affecting their FortiManager network management solution.

Multiple Vulnerabilities in Common Unix Printing System (CUPS)

Rapid7 — Thu, 26 Sep 2024 22:48:34 +0000

Multiple unpatched vulnerabilities were publicly disclosed in the Common Unix Printing System (CUPS), a popular IPP-based open-source printing system.

High-risk vulnerabilities in common enterprise technologies

Rapid7 — Thu, 19 Sep 2024 20:45:57 +0000

Rapid7 is warning customers about high-risk vulnerabilities in Adobe ColdFusion, Broadcom VMware vCenter Server, and Ivanti Endpoint Manager (EPM). These CVEs are likely attack targets for APT and/or financially motivated adversaries.

CVE-2024-40766: Critical Improper Access Control Vulnerability Affecting SonicWall Devices

Rapid7 — Mon, 09 Sep 2024 18:38:23 +0000

CVE-2024-40766 is a critical improper access control vulnerability affecting SonicOS, the operating system that runs on the company’s physical and virtual firewalls. As of September 9, 2024, Rapid7 is aware of several recent incidents in which SonicWall SSLVPN accounts were targeted or compromised.