Vulnerability Report - March 2025
Introduction
This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.
It highlights the most frequently mentioned vulnerabilities for March 2025, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, and more. For further details, please visit this page.
The final section focuses on exploitations observed through The Shadowserver Foundation’s honeypot network.
March at a glance
Sightings distribution per day
Distribution of all types of sightings per day for the month of March.
Top 5 Vulnerabilities evolution
For more detailed information, check out the Vulnerability-Lookup dashboard:
https://vulnerability.circl.lu
Top 15 vulnerabilities of the month
Evolution per week
Week 10
Ranking
CVE-2025-25012 has been reserved and is pending publication.
Insights from contributors
- VMSA-2025-0004: VMware ESXi, Workstation, and Fusion updates address multiple vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226)
- StopRansomware: Ghost (Cring) Ransomware | CISA
Week 11
Ranking
Insights from contributors
Week 12
Ranking
Vulnerability | Vendor | Product | Count | Severity |
---|---|---|---|---|
CVE-2025-29927 | vercel | next.js | 68 | 9.1 |
CVE-2025-24813 | Apache Software Foundation | Apache Tomcat | 66 | 9.2 |
CVE-2025-30066 | tj-actions | changed-files | 51 | 8.6 |
CVE-2025-23120 | Veeam | Backup and Recovery | 48 | 9.9 |
CVE-2024-27564 | dirk1983 | mm1.ltd source code | 27 | 5.8 |
CVE-2024-48248 | Backup & Replication Director | | 22 | 8.6 |
CVE-2024-54471 | NAKIVO | | 22 | 5.5 |
CVE-2024-9956 | Chrome | | 19 | 7.8 |
CVE-2025-24472 | Fortinet | FortiOS | 17 | 8.1 |
CVE-2024-4577 | PHP Group | PHP | 17 | 9.8 |
CVE-2025-2129 | Mage AI | | 17 | 6.3 |
CVE-2025-0108 | Palo Alto Networks | Cloud NGFW | 15 | 8.8 |
CVE-2025-1316 | Edimax | IC-7100 IP Camera | 14 | 9.3 |
CVE-2017-18368 | ZyXEL | p660hn-t1a_v1, p660hn-t1a_v2, 5200w-t | 14 | 9.8 |
CVE-2015-2051 | dlink | dir-645 | 14 | 8.8 |
Week 13
Ranking
Insights from contributors
- Ingress NGINX Controller for Kubernetes - Vulnerabilities fixed in controller-v1.12.1
- Kaspersky - Operation ForumTroll: APT attack with Google Chrome zero-day exploit chain
Continuous exploitation
The sightings used for this analysis were mainly collected through The Shadowserver Foundation’s honeypot network.
CVE-2024-4577 - PHP Group / PHP
Total of 180 sightings from 2024-06-12 (sighting type: seen from MISP) to 2025-03-30 (sighting type: exploited from The Shadowserver Foundation).
Mentioned in the bundle People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations created on 2024-09-24.
MISP related events:
- 3714e52f-0f9a-5bbd-a430-7051c621dd44 (2025-03-25)
- a1e796df-2ad8-4c8d-8b69-737a004e72dd (2025-02-23)
- 3c19819c-1dac-4ef2-bfed-be5efa7e0123 (2025-02-23)
- 3c19819c-1dac-4ef2-bfed-be5efa7e0123 (first sighting, 2024-06-12)
CVE-2021-44228 - Apache Software Foundation / Apache Log4j2
Total of 198 sightings from 2021-12-12 (sighting type: seen from Microsoft Blog) to 2025-03-30 (sighting type: exploited from The Shadowserver Foundation).
Mentioned in bundles:
Thank you
Thank you to all the contributors and our diverse sources!
If you want to contribute to the next report, you can create your account.
Feedback and Support
If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/