April 2025 Threat Report: The Consequences Are Real

In the early days of digital, hacking was often fame or prank driven. Fast forward to 2025; hacking has been widely monetized for illicit gains. Cybercrime is predicted to cost the global economy 10.5 trillion Dollar in 2025. Globally, the trend of increasing geocriminality is pushing individual countries and entire economic regions [1][2] to make deeper commitments to cyber defenses. An accelerating threat environment underscores the urgency for proactive, well-funded cybersecurity strategies across all sectors, in all regions of the world.

The continuous deluge of critical vulnerabilities, novel attack techniques, active ransomware and espionage campaigns signal the need for comprehensive cybersecurity measures to prevent the most catastrophic consequences. In this month’s threat report, we will review the post pressing threats from the cybersecurity landscape that emerged in April 2025. Without further ado, let’s get started!

Considering the Consequences

Dire consequences loom for those unprepared to weather sophisticated cyber attacks. Ransomware is widely considered the biggest existential cyber threat business, but data breach lawsuits are escalating dramatically. Breach related class action filings have risen more than 1,265% over six years, with filings in the U.S. more than doubling from 604 in 2022 to 1,320 in 2023. Robust backups can help a victim escape paying ransom, and a well executed incident response plan may minimize downtime, but breach victims have little recourse from costs related to regulatory or legal action.

Equifax’s 2019 settlements are the highest in history for a cybersecurity-related incident – with a total cost estimated at 1.5 billion Dollar. Failure to patch CVE-2017-5638 in Apache Struts, was implicated as the root cause of the breach. In April 2025, U.S. defense contractor Raytheon agreed to pay an 8.5 million Dollar settlement for failing to implement required security measures for 29 of their Department of Defense (DoD) contracts.

Healthcare providers are especially hard-hit because personal healthcare information fetches roughly 1,000 Dollar per record on darkweb marketplaces, compared to 5 Dollar per record for payment card data due to its effective use in identifying fraud. In 2023, the U.S. healthcare sector reported 725 data breaches, exposing over 133 million records. Most recently, on April 23, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a 600,000 Dollar settlement with PIH Health, Inc. due to inadequate technical safeguards. However, legal consequences for cyber breaches are impacting organizations across all industries. Data breach-related securities class actions have also seen substantial settlements, with three of the top ten largest settlements occurring in 2024, totaling 560 million Dollar.

Considering the consequences, organizations should carefully assess their posture to cyber hygiene, paying special attention to core IT security best practices such as implementing multi-factor authentication (MFA), vulnerability management and network segmentation.

Verizon: Increase in Exploited Vulnerabilities for Initial Access

Verizon’s 2025 Data Breach Investigations Report (DBIR), released in April, reported a 34% increase in exploited vulnerabilities (CVEs) as a root cause of cyberbreaches occurring in between October 2023 and December 2024. Exploited vulnerabilities served as the initial access vector in 20% data breaches studied. While the report indicates that ransom payments are down – 64% of victim organizations did not pay the ransoms, compared to 50% two years ago – the rate of ransomware attacks increased by 37%.

Edge devices and VPNs accounted for 22% of exploitation actions – a sharp rise from just 3% the year before. Despite the growing threat, organizations fully remediated only about 54% of these vulnerabilities, with a median time to remediation of 32 days. Furthermore, edge exploitation for initial access reached 70% in espionage-motivated breaches. This trend of edge device exploitation shows no signs of abating; proactive vulnerability management is more critical than ever to reduce exposure and limit the impact of breaches.

Newly Emerging Threats on the Edge in April 2025

The message from cyber landscape reports is clear: organizations need to be acutely aware of their publicly exposed assets. Detection and remediation of vulnerabilities is critical. Below are the highlights of emerging threat activity affecting network edge devices in April 2025. Greenbone is able to detect all emerging threats referenced below and more.

• SonicWall SMA100 Appliances: CVE-2023-44221 (CVSS 7.2) and CVE-2021-20035 (CVSS 6.5), both OS Command Injection Vulnerabilities [CWE-78] were added to CISA KEV (Cybersecurity and Infrastructure Security Agency; Known Exploited Vulnerabilities). In April, SonicWall also reported that Proof-of-Concept (PoC) exploits are now publicly available for another vulnerability: CVE-2024-53704 (CVSS 9.8).
• Ivanti Connect Secure, Policy Secure, and ZTA Gateways: CVE-2025-22457 (CVSS 9.8) is a Stack-Based Buffer Overflow [CWE-121] vulnerability now being actively exploited. Google’s Mandiant threat research group attributed attacks to UNC5221, a Chinese (state sponsored) threat actor. Security firm GreyNoise also observed a 9X increase in bots scanning for exposed Connect Secure endpoints.
• Fortinet FortiOS and FortiProxy: CVE-2025-24472 (CVSS 9.8) is an Authentication Bypass [CWE-288] flaw that could allow a remote attacker to gain super-admin privileges via crafted CSF proxy requests. The CVE is considered actively exploited. Fortinet also detailed new exploitation activity against older critical vulnerabilities in FortiGate devices, including CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762 (all CVSS 9.8).
• Juniper Junos OS: CVE-2025-21590 (CVSS 6.7) is an actively exploited flaw that allows a local attacker with high privileges to compromise the integrity of the device. Classified as an Improper Isolation or Compartmentalization [CWE-653] weakness, a local attacker with access to the Juniper CLI shell can inject arbitrary code to compromise an affected device.
• Multiple Cisco Flaws Exploited: Analysts confirmed targeted attacks against unpatched Cisco infrastructure, especially in telecom environments [1][2]. Chinese state-sponsored group Salt Typhoon continues to exploit CVE-2018-0171 (CVSS 9.8) in Smart Install RCE and CVE-2023-20198 (CVSS 10) in Web UI Privilege Escalation.
• DrayTek Routers: Three CVEs have been observed in exploitation campaigns, including CVE-2020-8515 (CVSS 9.8), CVE-2021-20123 (CVSS 7.5) and CVE-2021-20124 (CVSS 7.5).
• Microsoft Remote Desktop Gateway Service: CVE-2025-27480 is a Use After Free [CWE-416] flaw that allows an unauthorized attacker to execute code over a network. While active threats have not been observed yet, Microsoft tracks the vulnerability with an “Exploitation More Likely” status.
• Erlang/OTP SSH has Public PoC Exploit: Multiple PoC exploits [1][2][3] are now publicly available for CVE-2025-32433 (CVSS 10), a new maximum-severity vulnerability in the Erlang/OTP SSH server. Erlang/OTP is a widely used platform for building scalable and fault-tolerant distributed systems and is in use by large technology companies such as Ericsson, Cisco, Broadcom, EMQ Technologies and Apache Software Foundation, among others.
• Broadcom Brocade Fabric OS (FOS): CVE-2025-1976 (CVSS 6.7) is a Code Injection Vulnerability [CWE-94] both disclosed and actively exploited in April. FOS is a specialized firmware designed for managing Fibre Channel switches within Storage Area Networks (SANs). The flaw allows a local user with administrative privileges to execute arbitrary code with full root privileges.

New Windows Common Log File System Flaw Used in Ransomware Attacks

A new high severity vulnerability, CVE-2025-29824 (CVSS 7.8) identified in the Microsoft Windows Common Log File System (CLFS) driver allows privilege escalation for local authenticated attackers to gain SYSTEM level access. Furthermore, the vulnerability is being exploited globally in ransomware attacks [1][2], particularly by Storm-2460, to deploy PipeMagic malware payloads.

The Windows CLFS driver has a series of critical privilege escalation vulnerabilities that span multiple years and versions making it a persistent high-value target for attackers. Eight CVEs from 2019 through 2025 have been cataloged in the CISA KEV list with at least four – CVE-2023-28252, CVE-2023-23376, CVE-2022-24521 and CVE-2025-29824 mentioned above – known to be leveraged in ransomware campaigns.

Due to active exploitation of critical vulnerabilities in Microsoft products, it’s essential for organizations to verify that the latest Microsoft security updates have been applied across their IT infrastructure and monitor systems for Indicators of Compromise (IoC). Greenbone can detect vulnerability to all CLFS CVEs mentioned above and missing patch-levels for Microsoft Windows 10 (32-bit & x64), Windows 11 (x64) and Windows Server 2012–2025 endpoints via authenticated Local Security Checks (LSC).

Remote Code Execution Flaw Impacts Craft CMS

CVE-2025-32432 (CVSS 10) is a high impact Remote Code Execution (RCE) vulnerability in Craft CMS (Content Management System) that is considered trivial to exploit. Craft CMS is a website creation framework built on top of the Yii PHP framework. The CVE was reported by Orange Cyberdefense’s CSIRT who discovered it during an incident response. The flaw has been exploited in the wild. Also, technical details and PoC exploits [1][2] including a Metasploit module are publicly available, greatly increasing the threat. Craft CMS is used by prominent organizations including The New York Times, Amazon, Intel, Tesla, NBC, Bloomberg and JPMorgan Chase for creating custom e-commerce and content-driven websites.

Greenbone is able to detect web applications vulnerable to CVE-2025-32432 with an active check that sends a specially crafted POST request and analyzes the response. Craft CMS versions 3.x through 3.9.14, 4.x through 4.14.14, and 5.x through 5.6.16 are affected and users should upgrade to a patched version as soon as possible. If upgrade is not possible the vendor proposes implementing firewall rules to block POST requests to the `actions/assets/generate-transform` endpoint or installing the Craft CMS Security Patches library.

Dualing CVEs in CrushFTP Leveraged by Ransomware

CVE-2025-31161 (CVSS 9.8) poses a severe threat to CrushFTP users. The flaw is an authentication bypass vulnerability [CWE-287] in the HTTP Authorization header that allows remote unauthenticated attackers to authenticate as any existing user account (e.g., crushadmin). The flaw is being leveraged by the Kill threat actor among others in ongoing ransomware attacks.

CVE-2025-31161 affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. The vendor has released an advisory with updated instructions. Greenbone is able to detect CVE-2025-31161 with both an active check, and a version detection test.

Initially, this vulnerability was tracked with another identifier (CVE-2025-2825). When a third party CNA published it before, CrushFTP had the opportunity to assess the details. The premature disclosure forced CrushFTP to respond publicly before they had developed a patch. This incident highlights a significant risk: because CrushFTP was not a CVE Numbering Authority (CNA), it lacked the authority to assign CVE identifiers to its own products. Instead CrushFTP needed to rely on the third-party researchers who discovered the flaw to manage CVE disclosure.

In the CVE Program, a CNA can define its scope such that it may assign CVE IDs to vulnerabilities affecting its own products and restrict other parties from doing so. If an application’s vendor is a registered CNA, third-party security researchers must disclose their findings to the vendor directly, allowing more control over the timeline of events and a more strategic disclosure. Considering the risks, software vendors should consider becoming a registered CNA with MITRE’s CVE program.

Summary

April 2025 highlighted ongoing threats from edge device vulnerabilities, ransomware activity and newly exploited flaws in widely used software like Craft CMS, Microsoft CLFS and CrushFTP. These developments reinforce the need for organizations to maintain visibility over exposed assets, apply timely patches and stay vigilant against emerging threats that can escalate quickly from initial access to full compromise.