Trending vulnerability digest
After conducting a detailed analysis in February, we've compiled a list of vulnerabilities that are currently classified as trending. These represent the most dangerous security flaws, either currently being widely exploited by cybercriminals or likely to be exploited in the near future. We strongly recommend verifying whether your organization has addressed these vulnerabilities, as well as those highlighted in our previous digests.
- It's also important to address vulnerabilities that have not been mentioned in our digests, as their exploitation could cause irreparable damage to an organization.
Two high-severity vulnerabilities have been identified in Microsoft products (CVE-2025-21418 and CVE-2025-21391). The first vulnerability enables privilege escalation to SYSTEM level through a heap buffer overflow. The second allows attackers to delete target files in the system by exploiting improper handling of symbolic links and shortcuts during file operations.
The critical vulnerability CVE-2025-0108 in PAN-OS, a Palo Alto Networks product, allows attackers to bypass authentication in the web management interface through specially crafted requests. When combined with CVE-2024-9474 and CVE-2025-0111, this vulnerability could enable attackers to execute arbitrary code with root privileges, as well as extract configuration files and other sensitive information.
A critical vulnerability in the CommuniGate Pro mail server (BDU:2025-01331) could lead to arbitrary code execution through a stack buffer overflow.
Read on to learn about these vulnerabilities, how they are exploited, and how to mitigate them.
Vulnerabilities in Microsoft products
According to The Verge, the following vulnerabilities can affect approximately one billion devices. Any users with outdated versions of Windows are potentially at risk.
Privilege escalation vulnerability in the Microsoft Ancillary Function driver (Afd.sys)
CVE-2025-21418 (CVSS score: 7.8; high severity)
A vulnerability identified in the Windows AFD.sys driver is related to a heap buffer overflow. AFD.sys is a core Windows system driver and a critical component in the network interaction process. It provides Winsock API low-level functionality, enabling applications to interact with network sockets.
To exploit this vulnerability, an attacker must run a specially crafted program, ultimately allowing arbitrary code execution with SYSTEM privileges, the highest privilege level in Windows. If successful, the attacker could gain full control of the vulnerable system. This would allow the attacker to install malicious software, steal sensitive data, or use the compromised system as a launch point for further attacks within the network.
The exploitation vector for this vulnerability is local, meaning the attacker requires physical or remote access to the victim's device. No user interaction is required.
Notably, researchers from Rapid7 point out that this vulnerability shares similarities with last year's CVE-2024-38193, which was widely exploited by the Lazarus APT group.
Signs of exploitation: Microsoft notes cases of the vulnerability's exploitation. CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
Publicly available exploits: unavailable in open sources.
Privilege escalation vulnerability in Windows Storage
CVE-2025-21391 (CVSS score: 7.1; high severity)
This vulnerability was identified in Windows Storage, a feature of Windows operating systems that manages how data is stored on a computer. The vulnerability is related to improper handling of symbolic links [1] and shortcuts during file operations (CWE-59). According to experts from Action1, local attackers can exploit this vulnerability by creating malicious symbolic links that redirect file operations to system files or user data. This could result in unauthorized data deletion, potentially affecting critical files. Such incidents may lead to data loss and even disruptions in the operation of services. Zero Day Initiative reports that arbitrary file deletion could lead to privilege escalation, ultimately allowing an attacker to gain full control over the affected system.
Signs of exploitation: Microsoft notes cases of the vulnerability's exploitation. CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
Publicly available exploits: unavailable in open sources.
Mitigation: install the security updates available on the official Microsoft pages for CVE-2025-21418 and CVE-2025-21391.
[1] A symbolic link is a type of file that points to another file or directory in the file system.
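The following is an added example (not code from this digest, from Microsoft, or from Windows Storage) illustrating the CWE-59 link-following class on POSIX: a deletion routine that walks an untrusted relative path one component at a time and refuses to cross any symbolic link, beside the plain unlink() call that follows such a link. The directory layout, file names and function names are hypothetical; the demo builds a constructed scratch tree under /tmp and removes it afterwards.

```c
/* Added example (not code from the digest, Microsoft, or Windows Storage):
 * a POSIX illustration of the CWE-59 "link following" pattern behind
 * CVE-2025-21391 and of a guarded deletion routine that refuses to cross
 * symbolic links. All names and the scratch directory layout are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Remove base/relpath, where relpath comes from an untrusted party. Every
 * directory component is opened with O_NOFOLLOW relative to the previous
 * one, so a link planted anywhere in the path cannot redirect the deletion
 * outside `base`. Returns 0 on success, 1 if refused, -1 on other errors. */
int safe_unlink_below(const char *base, const char *relpath)
{
    char buf[PATH_MAX];
    if (relpath[0] == '/' || strlen(relpath) >= sizeof buf) return 1;
    strcpy(buf, relpath);
    int dfd = open(base, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0) return -1;
    char *save = NULL;
    for (char *comp = strtok_r(buf, "/", &save); comp; ) {
        char *next = strtok_r(NULL, "/", &save);
        if (strcmp(comp, ".") == 0 || strcmp(comp, "..") == 0) { close(dfd); return 1; }
        if (next == NULL) {                 /* final component: the file itself */
            struct stat st;
            int rc;
            if (fstatat(dfd, comp, &st, AT_SYMLINK_NOFOLLOW) != 0) rc = -1;
            else if (!S_ISREG(st.st_mode)) rc = 1;   /* a link or not a regular file */
            else rc = unlinkat(dfd, comp, 0) == 0 ? 0 : -1;
            close(dfd);
            return rc;
        }
        /* Intermediate component: must be a real directory, not a link to one. */
        int nfd = openat(dfd, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        int err = errno;
        close(dfd);
        if (nfd < 0) return (err == ELOOP || err == ENOTDIR) ? 1 : -1;
        dfd = nfd;
        comp = next;
    }
    close(dfd);
    return 1;                               /* empty path: nothing to delete */
}

static int touch(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Builds a constructed scratch tree: base/victim_dir/protected.txt stands in
 * for a file the deleting service must never touch, base/user/ is the
 * untrusted user's area, and base/user/evil is a symlink to ../victim_dir.
 * Returns 0 when the guarded routine deletes the user's own file, refuses
 * the link-redirected path, and plain unlink() demonstrably does not. */
int demo_symlink_guard(void)
{
    char base[] = "/tmp/cwe59_demo_XXXXXX";
    char p[PATH_MAX], q[PATH_MAX];
    if (mkdtemp(base) == NULL) return 10;
    snprintf(p, sizeof p, "%s/victim_dir", base);
    if (mkdir(p, 0700) != 0) return 11;
    snprintf(q, sizeof q, "%s/victim_dir/protected.txt", base);
    if (touch(q) != 0) return 12;
    snprintf(p, sizeof p, "%s/user", base);
    if (mkdir(p, 0700) != 0) return 13;
    snprintf(p, sizeof p, "%s/user/real.txt", base);
    if (touch(p) != 0) return 14;
    snprintf(p, sizeof p, "%s/user/evil", base);
    if (symlink("../victim_dir", p) != 0) return 15;

    int r = 0;
    if (safe_unlink_below(base, "user/real.txt") != 0) r = 1;           /* own file: deleted */
    if (safe_unlink_below(base, "user/evil/protected.txt") != 1) r = 2; /* via link: refused */
    if (access(q, F_OK) != 0) r = 3;                                    /* protected.txt intact */
    if (safe_unlink_below(base, "../outside.txt") != 1) r = 4;          /* traversal: refused */
    /* Contrast: a plain unlink() follows the directory link and removes the file. */
    snprintf(p, sizeof p, "%s/user/evil/protected.txt", base);
    if (unlink(p) != 0 || access(q, F_OK) == 0) r = 5;

    /* Remove the scratch tree. */
    snprintf(p, sizeof p, "%s/user/evil", base); unlink(p);
    snprintf(p, sizeof p, "%s/user", base); rmdir(p);
    snprintf(p, sizeof p, "%s/victim_dir", base); rmdir(p);
    rmdir(base);
    return r;
}

int main(void)
{
    printf("demo_symlink_guard() = %d\n", demo_symlink_guard());
    return 0;
}
```

Compile with a C99 compiler on Linux and run; demo_symlink_guard() returns 0 when the guarded routine removes only the user's own file and the link-redirected path is refused. The Windows mechanism differs (junctions and reparse points rather than POSIX symlinks), but the defensive principle is the same: resolve and check each path component relative to a trusted anchor, and never let a privileged file operation follow a link planted in a user-writable location.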
Vulnerabilities in Palo Alto Networks products
Authentication bypass vulnerability in PAN-OS web interface
CVE-2025-0108 (CVSS score: 8.8; high severity)
The vulnerability is related to an authentication flaw in the web management interface of PAN-OS [2], caused by discrepancies in request handling between the nginx and Apache web servers. An attacker can craft a special request that exploits this improper behavior, bypass the authentication process, and run specific PHP scripts. While this does not enable remote execution of arbitrary code, the attacker can gain unauthorized access to critical system functions, increasing the risk of further escalation of the attack.
Detailed research on the vulnerability is available in the Assetnote blog.
Signs of exploitation: between February 2 and February 13, GreyNoise detected 25 malicious IP addresses exploiting this vulnerability. CISA also added the vulnerability to its Known Exploited Vulnerabilities Catalog. Palo Alto Networks reported signs of exploitation of CVE-2025-0108 in conjunction with CVE-2024-9474 and CVE-2025-0111. The CVE-2024-9474 vulnerability, which we covered in our November digest, is related to privilege escalation in PAN-OS. The CVE-2025-0111 vulnerability discovered in February allows an authenticated attacker with access to network resources to read files accessible to the nobody user. By combining CVE-2025-0108 and CVE-2024-9474, the attacker can execute arbitrary commands on the device with root privileges. According to Bleeping Computer, a chain of these three vulnerabilities can be used to extract configuration files and other sensitive information from the system.
Publicly available exploits: a PoC has been published and is openly accessible.
Number of potential victims: over 2,000 servers are vulnerable to attacks that exploit the combination of CVE-2025-0108, CVE-2024-9474, and CVE-2025-0111.
Mitigation: install updates on vulnerable devices and follow the vendor's recommendations.
[2] PAN-OS is an operating system developed by Palo Alto Networks to manage network devices.
Vulnerabilities in CommuniGate Systems
Remote code execution vulnerability in CommuniGate Pro
BDU:2025-01331 (CVSS score: 9.8; critical severity)
This vulnerability in the CommuniGate Pro mail server is related to a stack-based buffer overflow. Exploiting this flaw does not require authentication, making it particularly dangerous for a mail server, as it is often exposed to the internet. Successful exploitation allows attackers to execute arbitrary code, potentially resulting in unauthorized access, data theft, or even full system compromise.
Signs of exploitation: according to CyberOK, there is evidence that the vulnerability is being exploited. Solar 4RAYS reports that in October 2024, a series of attacks were investigated involving one or more previously unknown vulnerabilities in CommuniGate Pro. These attacks were aimed at compromising email communications within organizations. It is unclear whether the vulnerability BDU:2025-01331 was involved.
Publicly available exploits: unavailable in open sources.
Number of potential victims: according to some reports, over 2,000 mail servers running CommuniGate are accessible in Russia. CyberOK states that 40% of all monitored mail servers are affected by this vulnerability.
Mitigation: install updates on vulnerable devices and follow the vendor's recommendations.
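The digest gives no details of the CommuniGate Pro flaw, so the following added example (not CommuniGate code, and not code from this digest) shows the generic stack-based buffer overflow pattern that the advisory's category refers to, in a hypothetical SMTP-style command parser, next to a bounded version that rejects oversized input instead of overrunning its buffer. Function names, the 64-byte buffer size and the constructed input are all assumptions for illustration.

```c
/* Added example (not CommuniGate Pro code): the generic stack-based buffer
 * overflow pattern in a network-facing line parser, beside a bounded version.
 * Names, sizes and inputs are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Flawed pattern: an SMTP-style "MAIL FROM:<addr>" parser that copies the
 * address into a fixed 64-byte stack buffer. The %[ conversion has no width
 * here, so an address longer than 63 bytes overruns `addr` and whatever the
 * compiler placed above it on the stack: CWE-121. Shown for contrast only
 * and never called with untrusted input in this file. */
int parse_mail_from_unsafe(const char *line, char *out)
{
    char addr[64];
    if (sscanf(line, "MAIL FROM:<%[^>]>", addr) != 1) return -1;
    strcpy(out, addr);
    return (int)strlen(out);
}

/* Bounded version: the destination size travels with the pointer, the token
 * length is measured before anything is copied, and oversized input is
 * rejected outright rather than silently truncated. Returns the address
 * length, -1 for a malformed line, -2 when the address would not fit. */
int parse_mail_from(const char *line, char *out, size_t outsz)
{
    static const char prefix[] = "MAIL FROM:<";
    size_t plen = sizeof prefix - 1;
    if (outsz == 0 || strncasecmp(line, prefix, plen) != 0) return -1;
    const char *start = line + plen;
    const char *end = strchr(start, '>');
    if (end == NULL) return -1;
    size_t n = (size_t)(end - start);
    if (n >= outsz) return -2;
    memcpy(out, start, n);
    out[n] = '\0';
    return (int)n;
}

/* Convenience for checks: parse into a scratch buffer and return 1 if the
 * result equals `expected`, 0 otherwise. */
int parses_to(const char *line, const char *expected)
{
    char out[64];
    return parse_mail_from(line, out, sizeof out) >= 0 && strcmp(out, expected) == 0;
}

/* Constructed hostile input: a 300-byte local part, far beyond the 64-byte
 * stack buffer of the flawed parser. The bounded parser refuses it. */
int demo_overlong_sender(void)
{
    char line[400];
    char out[64];
    memset(line, 'a', sizeof line);
    memcpy(line, "MAIL FROM:<", 11);
    memcpy(line + 11 + 300, "@example.org>", 14);   /* 13 chars plus the NUL */
    return parse_mail_from(line, out, sizeof out);
}

int main(void)
{
    char out[64];
    int n = parse_mail_from("MAIL FROM:<alice@example.org>", out, sizeof out);
    printf("bounded : %d %s\n", n, out);
    printf("unsafe  : %d\n", parse_mail_from_unsafe("MAIL FROM:<alice@example.org>", out));
    printf("overlong: %d\n", demo_overlong_sender());
    return 0;
}
```

On well-formed input both parsers agree; the difference only appears on the overlong line, where the bounded parser returns -2 and the flawed one would write past the end of its stack buffer. Unauthenticated parsers of network input, as in a mail server's command path, are exactly where this check has to be made before the first byte is copied.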
How to stay protected
Using popular solutions containing trending vulnerabilities can jeopardize any company. These security flaws are the most dangerous and require immediate remediation. In the MaxPatrol VM vulnerability management system, information about trending vulnerabilities is received within 12 hours of their detection to help eliminate the most dangerous threats quickly and protect company infrastructure. It's also important to address other vulnerabilities that could pose significant risks to organizations.