Redazione RHC : 30 August 2025 09:37
According to a Kaspersky Lab report, the use of vulnerabilities increased significantly in the second quarter of 2025: almost every subsystem of modern computers was attacked, from UEFI to browser drivers, operating systems, and applications.
As before, attackers continue to exploit these vulnerabilities in real-world attacks to gain access to users’ devices and actively combine them with C2 frameworks in complex targeted operations. An analysis of CVE statistics over the past five years shows a steady increase in the total number of registered vulnerabilities. While there were around 2,600 at the beginning of 2024, this figure exceeded 4,000 by January 2025.
May was the only month that broke the trend; in every other month the growth kept accelerating. At the same time, some CVEs may carry identifiers from previous years but only be published in 2025. What is particularly alarming is that the number of critical vulnerabilities with a CVSS score above 8.9 also increased significantly in the first half of 2025. Although not all vulnerabilities are assessed on this scale, there is a positive trend: critical bugs are more often accompanied by detailed descriptions and become the subject of public analysis, which can contribute to faster risk mitigation.
The most exploited vulnerabilities in Windows in the second quarter were once again old Microsoft Office vulnerabilities: CVE-2018-0802, CVE-2017-11882, and CVE-2017-0199, which affect the Equation Editor component.
Exploits were also found for WinRAR (CVE-2023-38831), for a vulnerability in Windows Explorer (CVE-2025-24071) that allows the theft of NetNTLM hashes, and for a bug in the ks.sys driver (CVE-2024-35250) that allows an attacker to execute arbitrary code. All of these vulnerabilities are used both for initial access and for privilege escalation.
For Linux, the most common exploits were Dirty Pipe (CVE-2022-0847), CVE-2019-13272, which involves inherited privileges, and CVE-2021-22555, a heap vulnerability in the Netfilter subsystem exploited with a use-after-free technique based on manipulation of msg_msg objects. This confirms the continued growth of attacker interest in Linux systems, driven mainly by the expansion of the user base.
Operating system exploits continue to dominate public sources, while no new publications on Microsoft Office vulnerabilities appeared this quarter. As for targeted attacks, APT operations have often exploited vulnerabilities in remote access tools, document editors, and logging subsystems. Low-code/no-code tools and even frameworks for artificial intelligence applications are at the forefront, which indicates attackers’ growing interest in modern development tools. Interestingly, the detected bugs did not concern the generated code, but the infrastructure software itself.
According to Kaspersky, the leading C2 frameworks in the first half of 2025 were Sliver, Metasploit, Havoc, and Brute Ratel C4; they directly support exploits and offer attackers ample opportunities for persistence, remote control, and further automation. The remaining tools were typically adapted manually for specific attacks.
Based on analysis of exploit samples and C2 agents, the following key vulnerabilities used in APT operations have been identified: CVE-2025-31324 in SAP NetWeaver Visual Composer Meta Data Uploader (remote code execution, CVSS 10.0), CVE-2024-1709 in ConnectWise ScreenConnect (authentication bypass, CVSS 10.0), CVE-2024-31839 and CVE-2024-30850 in CHAOS v5.0.1 (XSS and RCE), and CVE-2025-33053 in Windows, which allows arbitrary code execution via incorrect processing of shortcut paths.
These exploits allowed both the immediate introduction of malicious code and a gradual approach, starting with credential harvesting.
Recently published vulnerabilities also deserve special attention. CVE-2025-32433 is an RCE bug in the SSH server of the Erlang/OTP framework that allows remote command execution without authentication, i.e. even by unauthorized users. CVE-2025-6218 is another directory traversal vulnerability in WinRAR, similar to CVE-2023-38831: it allows the archive decompression path to be altered so that code runs at operating system or application startup.
CVE-2025-3052 in UEFI allows Secure Boot bypassing via insecure handling of NVRAM variables. CVE-2025-49113 in Roundcube Webmail is a classic insecure deserialization issue and requires authorized access. Finally, CVE-2025-1533 in the AsIO3.sys driver causes a system crash when working with paths longer than 256 characters: the developers failed to consider that the modern NTFS limit is 32,767 characters.
The conclusion is clear: the number of vulnerabilities continues to grow, especially the critical ones.
Therefore, it is important not only to install updates promptly, but also to monitor potentially compromised systems for the presence of C2 agents, to pay attention to endpoint protection, and to establish a flexible patch management policy.
This is the only way to effectively reduce exploit risks and ensure infrastructure stability.