Overview

Cyble’s weekly vulnerability insights to clients cover key vulnerabilities discovered between January 22 and January 28, 2025. The findings highlight a range of vulnerabilities across various platforms, including critical issues that are already being actively exploited.

Notably, the Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities to their Known Exploited Vulnerability (KEV) catalog this week. Among these, the zero-day vulnerability CVE-2025-23006 stands out as a critical threat affecting SonicWall’s SMA1000 appliances.

In this week’s analysis, Cyble delves into multiple vulnerabilities across widely used software tools and plugins, with particular attention to SimpleHelp remote support software, Ivanti’s Cloud Services Appliance, and issues within RealHome’s WordPress theme. As always, Cyble has also tracked underground activity, providing insights into Proof of Concepts (POCs) circulating among cyber criminals.

Weekly Vulnerability Insights

1. CVE-2025-23006 – SonicWall SMA1000 Appliances (Critical Zero-Day Vulnerability)

A severe deserialization vulnerability in SonicWall’s SMA1000 series appliances has been identified as a zero-day, impacting systems that are not yet patched. With a CVSSv3 score of 9.8, this vulnerability is critical and allows remote attackers to exploit deserialization flaws, leading to the potential execution of arbitrary code.

This vulnerability was added to the KEV catalog by CISA on January 23, 2025, marking it as actively exploited in the wild. Organizations using SMA1000 appliances should prioritize patching as soon as an official update becomes available.

2. SimpleHelp Remote Support Software Vulnerabilities (Critical and High Severity)

Three vulnerabilities were discovered in SimpleHelp’s remote support software, used by IT professionals for remote customer assistance. These flaws include:

1. CVE-2024-57726: A privilege escalation vulnerability that allows unauthorized users to gain administrative access due to insufficient backend authorization checks.
2. CVE-2024-57727: A path traversal vulnerability that could expose sensitive configuration files, including those containing hashed passwords.
3. CVE-2024-57728: An arbitrary code execution vulnerability that can be exploited by attackers with administrative access to upload malicious files to the server.

These vulnerabilities pose considerable risks to users of SimpleHelp, potentially leading to unauthorized access or full system compromise. The vulnerabilities have been confirmed to be actively exploited, with proof-of-concept code already circulating in underground forums.

3. CVE-2024-8963 – Ivanti Cloud Services Appliance (Critical Administrative Bypass)

Ivanti’s Cloud Services Appliance (CSA) suffers from multiple vulnerabilities that have been chained by threat actors to gain initial access and implant malicious code. The most critical issue is CVE-2024-8963, an administrative bypass flaw that allows unauthenticated attackers to exploit other vulnerabilities in the appliance. Other related flaws include:

1. CVE-2024-9379: SQL injection vulnerability that permits remote attackers to execute arbitrary SQL commands.
2. CVE-2024-8190 and CVE-2024-9380: Remote code execution vulnerabilities, allowing attackers to run arbitrary code on vulnerable systems.

The severity of these vulnerabilities has prompted both CISA and the FBI to issue warnings about their active exploitation. Despite patches being available since September 2024, the ongoing exploitation of these vulnerabilities highlights the urgency of updating and patching vulnerable systems.

4. CVE-2024-32444 – RealHome WordPress Theme (Critical Privilege Escalation)

A critical privilege escalation vulnerability in the RealHome WordPress theme allows attackers to register as administrators on affected sites. This flaw enables them to take full control over websites, compromising sensitive data and content. As of January 2025, no patch has been released for this vulnerability, leaving many WordPress sites exposed.

5. CVE-2025-24085 – Apple iOS and macOS (Use-After-Free Zero-Day Vulnerability)

Apple’s iOS and macOS systems are affected by a use-after-free vulnerability in the Core Media component. This zero-day flaw, which has a CVSS score of 7.8, could allow attackers to execute arbitrary code with elevated privileges on affected devices running versions prior to iOS 17.2. While no public exploit code has been observed, the vulnerability remains a serious risk for iOS and macOS users.

Vulnerabilities Under Active Exploitation

Several vulnerabilities continue to be actively exploited, especially in high-value systems used by organizations worldwide. Among them are:

• CVE-2024-38063: A critical Remote Code Execution (RCE) vulnerability in Windows TCP/IP, triggered by a flaw in IPv6 packet handling. This issue allows attackers to execute arbitrary code remotely, with no user interaction required, making it a “zero-click” vulnerability.
• CVE-2024-55591: A critical authentication bypass vulnerability affecting FortiOS and FortiProxy versions 7.0.0 through 7.2.12. Attackers exploiting this flaw can bypass authentication mechanisms and gain unauthorized access to affected systems.
• CVE-2023-32315: This vulnerability affects Ignite Realtime’s Openfire server, allowing unauthenticated attackers to perform path traversal and gain access to sensitive server files.

Cyble also noted a significant incident involving CVE-2025-0411, a critical vulnerability in 7-Zip that allows remote attackers to execute arbitrary code. Proof of concept for this flaw was shared on deep web forums, signaling increased interest among cyber criminals.

Underground Activity and Exploitation Trends

Cyble Research tracked discussions of known vulnerabilities across underground forums and Telegram channels. The most notable trends include:

• CVE-2025-0411 (7-Zip): This flaw has been weaponized and is being sold on underground forums. Attackers can use it to execute arbitrary code on vulnerable systems.
• CVE-2024-38063 (Windows TCP/IP): Exploit code for this vulnerability has circulated among threat actors, enabling them to remotely execute code on systems with vulnerable TCP/IP stacks.
• CVE-2023-32315 (Openfire Server): Malicious actors are actively discussing how to exploit this path traversal flaw to gain unauthorized access to server environments.

Recommendations for Mitigating Exploitation Risks

To mitigate the risks posed by these vulnerabilities, Cyble offers the following recommendations:

1. Regularly update all software and hardware systems with the latest patches from official vendors. Immediate patching of known exploited vulnerabilities, such as those listed in the KEV catalog, is critical.
2. Use network segmentation to limit the exposure of critical systems to the internet. This reduces the potential attack surface and helps contain breaches if they occur.
3. Implement a robust incident response plan, testing it regularly to ensure it aligns with emerging threats. Ensure that your organization is prepared to act quickly in the event of an attack.
4. Educate employees and administrators on the latest phishing and social engineering tactics and how to recognize malicious activities on their networks.
5. Enforce MFA across all sensitive systems to add an extra layer of protection against unauthorized access.

Conclusion

This week’s Weekly Vulnerability Insights report highlights the continued risks associated with high-severity vulnerabilities and emphasizes the importance of patching, monitoring, and threat intelligence sharing. Organizations must remain vigilant and ensure their systems are protected from known exploited vulnerabilities and emerging zero-day threats. Cyble’s AI-driven platforms, like Cyble Vision and Cyble Hawk, help organizations stay ahead of evolving threats. Book a free demo today and strengthen your defense against cyber adversaries with Cyble’s cutting-edge cybersecurity solutions.

To access full IT vulnerability and other reports from Cyble, click here.

Related

Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented “as is” without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue. No Liability for Errors or Omissions Due to the dynamic nature of cyber threat activity, this [blog/report/article] may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.