
CVEs Targeting Remote Access Technologies in 2025

The exploitation of vulnerabilities in remote access technologies to gain initial access continues relentlessly in 2025: initial access brokers, and opportunistic and targeted threat actors in general, remain very active in leveraging software flaws to break into organizations.

---

- Post author: Paolo Passeri

- Post published: October 7, 2025

- Post category: Cyber Attacks Timelines / Security


Last modified: October 7, 2025



As I did in 2024, I am collecting the list of vulnerabilities in the security technologies that defend the perimeter which have been exploited so far this year. As you will notice in the list, a good portion of them are 0-days discovered during 2025, but there are also several vulnerabilities that were disclosed (and patched) a few years ago and are still being exploited by threat actors because they were left unpatched, an aspect that reinforces the importance of strong patching and security procedures throughout the organization.

[Chart: Distribution of Vulnerabilities by Vendor (chart data not available in this extraction)]

Below are the links to the vendors' bulletins for the exploited vulnerabilities (whenever they were available):

https://www.ivanti.com/blog/security-update-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways

https://fortiguard.fortinet.com/psirt/FG-IR-24-535

https://www.sonicwall.com/support/knowledge-base/product-notice-urgent-security-notification-sma-1000/250120090802840

https://blog.lumen.com/the-j-magic-show-magic-packets-and-where-to-find-them/

https://community.sophos.com/b/security-blog/posts/advisory-buffer-overflow-vulnerability-in-user-portal

https://fortiguard.fortinet.com/psirt/FG-IR-24-535

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0003

https://security.paloaltonetworks.com/CVE-2025-0108

https://support.checkpoint.com/results/sk/sk182336

https://fortiguard.fortinet.com/psirt/FG-IR-24-535

https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457?language=en_US

https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-activity

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0022

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0018
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0018

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0011

https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788

https://www.netscaler.com/blog/news/netscaler-critical-security-updates-for-cve-2025-6543-and-cve-2025-5777/

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0022
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0018
https://psirt.global.sonicwall.com/vuln-detail/snwlid-2025-0011

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015

https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938&articleTitle=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2025_7775_CVE_2025_7776_and_CVE_2025_8424

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW

| ID | Date Reported | Date Occurred | Date Discovered | Author | Target | Vulnerability | Attack | Target Class | Attack Class | Country | Vendor |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 08/01/2025 | - | - | Unknown Threat Actors | Unknown Organization(s) | Ivanti warns that threat actors exploited a Connect Secure remote code execution vulnerability tracked as CVE-2025-0282 in zero-day attacks to install malware on appliances. | Malware | Unknown | Unknown | Unknown | Ivanti |
| 2 | 10/01/2025 | Since at least early December 2024 | Early December 2024 | ? | Multiple Organizations | Researchers at Arctic Wolf observe a recent campaign affecting Fortinet FortiGate firewall devices with management interfaces exposed on the public internet, exploiting CVE-2024-55591. A few days later the security product maker confirms that the critical vulnerability is "being exploited in the wild." | Unknown | Multiple Industries | Unknown | Unknown | Fortinet |
| 3 | 23/01/2025 | - | - | Unknown Threat Actors | Unknown Organization(s) | SonicWall alerts customers of CVE-2025-23006, a critical security flaw impacting its Secure Mobile Access (SMA) 1000 Series appliances that it said has likely been exploited in the wild as a zero-day. | Unknown | Unknown | Unknown | Unknown | SonicWall |
| 4 | 23/01/2025 | Between mid-2023 and at least mid-2024 | Between mid-2023 and at least mid-2024 | ? | Organizations in the semiconductor, energy, manufacturing (marine, solar panels, heavy machinery), and IT sectors. | Researchers at Black Lotus Labs discover a malicious campaign specifically targeting Juniper edge devices, many acting as VPN gateways, with malware dubbed J-magic that starts a reverse shell only if it detects a "magic packet" in the network traffic. | Malware | Multiple Industries | Cyber Crime | >1 | Juniper |
| 5 | 06/02/2025 | - | - | Unknown Threat Actor(s) | Unknown Organization(s) in the U.S. | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds CVE-2020-15069, a Sophos XG Firewall buffer overflow vulnerability, to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. | Unknown | Unknown | Unknown | US | Sophos |
| 6 | 11/02/2025 | - | - | Unknown Threat Actors | Unknown Organization(s) | Fortinet warns that threat actors are exploiting a new zero-day vulnerability, tracked as CVE-2025-24472, in FortiOS and FortiProxy to hijack Fortinet firewalls. | Unknown | Unknown | Unknown | Unknown | Fortinet |
| 7 | 12/02/2025 | - | - | ? | Unknown Organization(s) | SonicWall customers are advised to patch their products after it emerged that threat actors are actively exploiting the CVE-2024-53704 vulnerability. | Unknown | Unknown | Unknown | Unknown | SonicWall |
| 8 | 12/02/2025 | - | - | ? | Unknown Organization(s) | Palo Alto Networks customers are advised to patch their products after it emerged that threat actors are actively exploiting the CVE-2025-0108 vulnerability, chained with CVE-2024-9474 and CVE-2025-0111. | Unknown | Unknown | Unknown | Unknown | Palo Alto Networks |
| 9 | 18/02/2025 | Between June and October 2024 | Between June and October 2024 | NailaoLocker | European Organizations in the Healthcare Sector | Researchers from Orange Cyberdefense reveal the details of Green Nailao, a previously unknown threat activity cluster that targeted European organizations, particularly those in the healthcare sector, to deploy PlugX and its successor, ShadowPad, with the intrusions ultimately leading to the deployment of a ransomware called NailaoLocker. | Ransomware | Human health and social work | Cyber Crime | >1 | Check Point |
| 10 | 21/02/2025 | Between June 2024 and January 2025 | Between June 2024 and January 2025 | APT41 (a.k.a. Winnti) suspected | Manufacturers, particularly in the aviation and aerospace industries. | Check Point researchers discover that APT41 exploited CVE-2024-24919, a path traversal vulnerability in Check Point security gateways, to gain initial access to dozens of OT organizations globally. The threat actors then deployed the modular ShadowPad backdoor to steal valuable intellectual property. | Targeted Attack | Manufacturing | Cyber Espionage | US, Europe, Middle East, Africa | Check Point |
| 11 | 13/03/2025 | Between late January and early March | Between late January and early March | Mora_001 (a possible LockBit affiliate) | Organizations using unpatched Fortinet devices (FortiOS and FortiProxy). | Researchers at Forescout discover the "Mora_001" threat actor using a new ransomware, "SuperBlack," to exploit CVE-2024-55591 and CVE-2025-24472, two authentication bypass vulnerabilities in Fortinet devices. The attacks lead to data encryption and exfiltration. | Ransomware | Multiple Industries | Cyber Crime | US | Fortinet |
| 12 | 28/03/2025 | Late 2024 and early 2025 | January 2025 | Suspected China-nexus espionage actors UNC5337 and UNC5221, and the Chinese state-backed threat group Silk Typhoon (formerly Hafnium). | Critical infrastructure organizations, as well as a broad range of sectors including government, defense, finance, and technology | CISA discovers the RESURGE malware while analyzing a compromised Ivanti Connect Secure device. The malware, a variant of the SPAWN family, creates web shells, steals credentials, and maintains persistent access. | Cyber Espionage | Multiple Industries | Cyber Espionage | US | Ivanti |
| 13 | 03/04/2025 | Mid-March 2025 | Mid-March 2025 | UNC5221 (Suspected China-nexus espionage actor) | Multiple Organizations | Researchers at Google Mandiant discover that the China-nexus threat actor UNC5221 exploited a stack-based buffer overflow (CVE-2025-22457) in Ivanti Connect Secure VPNs. The unauthenticated attack achieves RCE to deploy persistent espionage malware. | Targeted Attack | Multiple Industries | Cyber Espionage | >1 | Ivanti |
| 14 | 10/04/2025 | Between 2022 and 2024 | Between 2022 and 2024 | ? | Multiple Organizations | Researchers at Fortinet discover a threat actor technique that used symbolic links, after the exploitation of known vulnerabilities in FortiGate devices, to maintain persistent read-only access to device files, including configurations. | Targeted Attack | Multiple Industries | Cyber Espionage | >1 | Fortinet |
| 15 | 16/04/2025 | - | - | Unknown Threat Actor(s) | Unknown Organization(s) in the U.S. | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds CVE-2021-20035, a security flaw impacting SonicWall Secure Mobile Access (SMA) 100 Series gateways, to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. | Unknown | Unknown | Unknown | US | SonicWall |
| 16 | 29/04/2025 | - | - | Unknown Threat Actor(s) | Unknown Organization(s) | SonicWall reveals that CVE-2023-44221 and CVE-2024-38475, two now-patched security flaws impacting its SMA 100 Secure Mobile Access (SMA) appliances, have been exploited in the wild. | Unknown | Unknown | Unknown | Unknown | SonicWall |
| 17 | 07/05/2025 | - | - | Unknown Threat Actor(s) | Unknown Organization(s) | SonicWall releases patches to address three security flaws affecting SMA 100 Secure Mobile Access (SMA) appliances that could be used to achieve remote code execution. | Unknown | Unknown | Unknown | Unknown | SonicWall |
| 18 | 25/06/2025 | - | - | Unknown Threat Actor(s) | Unknown Organization(s) | Citrix releases security updates to address CVE-2025-6543, a critical flaw affecting NetScaler ADC that it said has been exploited in the wild. In August, the Dutch NCSC confirms active exploitation of the vulnerability in critical sectors. | Unknown | Unknown | Unknown | NL, Other Countries | Citrix |
| 19 | 10/07/2025 | - | - | Unknown Threat Actor(s) | Unknown Organization(s) in the U.S. | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds CVE-2025-5777, a critical security flaw impacting Citrix NetScaler ADC and Gateway, to its Known Exploited Vulnerabilities (KEV) catalog, officially confirming the vulnerability has been weaponized in the wild. | Unknown | Unknown | Unknown | US | Citrix |
| 20 | 16/07/2025 | Since at least October 2024 | January 2025 | UNC6148 (Financially motivated threat actor, potentially linked to Abyss-branded ransomware) | Multiple Organizations | Researchers at Google Threat Intelligence Group discover UNC6148 deploying the OVERSTEP rootkit on end-of-life SonicWall SMA 100 devices since at least October 2024. The financially motivated group uses stolen credentials and vulnerabilities to gain persistent access, steal sensitive credentials, and exfiltrate data for extortion. | Targeted Attack | Multiple Industries | Cyber Crime | >1 | SonicWall |
| 21 | 02/08/2025 | 22/07/2025 | 22/07/2025 | Akira | Multiple Organizations | Researchers at Arctic Wolf observe an uptick in Akira ransomware activity starting in late July 2025. The attacks target organizations' SonicWall SSL VPN for initial access, possibly exploiting a known vulnerability (CVE-2024-40766). The firm urges organizations to disable unused VPNs and enforce MFA. | Ransomware | Multiple Industries | Cyber Crime | >1 | SonicWall |
| 22 | 26/08/2025 | - | - | ? | Unknown Organization(s) | Citrix patches three critical NetScaler ADC/Gateway flaws, including CVE-2025-7775, a remote code execution bug actively exploited in the wild, prompting CISA to add the flaw to its KEV catalog and urge immediate patching. | Unknown | Unknown | Unknown | Unknown | Citrix |
| 23 | 25/09/2025 | - | - | ? | Unknown Organization(s) | Cisco urges customers to patch CVE-2025-20333 and CVE-2025-20362, two security flaws impacting the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software, which it said have been exploited in the wild. | Unknown | Unknown | Unknown | Unknown | Cisco |


Tags: Check Point, Cisco, Citrix, CVE, Cyber Attacks, Firewall, Fortinet, Ivanti, Juniper, Palo Alto Networks, Sonicwall, Sophos, Timeline, VPN, Vulnerabilities


---

[Original source](https://www.hackmageddon.com/2025/10/07/cves-targeting-remote-access-technologies-in-2025/)
