🚨 New Exploits Targeting Sitecore Experience Platform (XP)
Another wake-up call: Monitoring disclosed CVEs isn't enough anymore.

🔍 Last week, WatchTowr Labs dropped a detailed analysis of a pre-auth RCE chain in Sitecore XP – and it didn’t take long for attackers to move.

Within hours, CrowdSec’s network detected active exploitation in the wild.

⚠️ Key findings:
🔹 The Vulnerability-to-Exploit Window Is Critical: Attacks now outpace CVE assignments, leaving organizations exposed during the disclosure gap. This was demonstrated when, within hours of WatchTowr’s public analysis, CrowdSec’s threat network detected three distinct IPs actively scanning and exploiting vulnerable Sitecore XP instances.
🔹 Official CVE Designation a Few Hours After WatchTowr’s Article: The flaw is now formally tracked as CVE-2025-34509, CVE-2025-34510, and CVE-2025-34511 (listed on NVD).

🛠️ About the exploit:
The vulnerability chain enables unauthenticated remote code execution (RCE) through Sitecore’s publishing service, allowing attackers to compromise the entire CMS without requiring credentials. Successful exploitation could lead to data theft, malware deployment, or lateral movement within affected systems.

📈 Trend analysis:
🗓️ June 17: WatchTowr publishes the article.
⏱️ Hours later: CrowdSec’s decentralized threat network detected exploitation attempts from 104.248.137.152.
📍 Following days:
Two more IPs (130.33.178.14, 217.156.122.239) launched aggressive scans, with 130.33.178.14 alone responsible for 50+ attacks over the weekend.

🛡️ How to protect your systems:
🔹 Investigate: If your organization uses Sitecore XP, check your logs for these IPs: 130.33.178.14, 217.156.122.239, 104.248.137.152.
🔹 Patch: Do the necessary to patch your Sitecore XP CMS system.
🔹 Stay proactive: Gain additional protection by installing the Crowdsec Web Application Firewall to stay ahead of exploit attempts with 100+ virtual patching rules available: https://doc.crowdsec.net/docs/next/appsec/intro

📣 Real-time threat intelligence is not optional. Let’s stay ahead of these threats together 👉 http://crowdsec.net

#CyberSecurity #Infosec #ThreatIntel #RCE #Sitecore #CrowdSec #CVE

💭 What if 50% of the malicious IPs you block aren’t even on the radar of 89 out of 92 top threat intel vendors?

That’s exactly what #CrowdSec delivers.

🛡️ Powered by a global community analyzing live attacks, 50% of our malicious IPs are unique. Get visibility others don’t have.

👉 https://crowdsec.net/blocklists

#cybersecurity #blocklists #cyberthreatintelligence

16% of proven-aggressive IPs CrowdSec blocks are still unknown to other vendors for 15 to 20 days. 👀

🗓️ That’s over two weeks where you’re protected while others remain exposed.

How do we do it?
#CrowdSec leverages a #collaborative network of thousands of contributors worldwide, enabling us to detect and block malicious behavior before it becomes common knowledge.

Learn more 👉 https://crowdsec.net/blocklists

#cybersecurity #blocklists #cyberthreatintelligence

🚨 Surge in Attacks Leveraging CNVD Exploits: A Warning Sign for Global Defenders

On the 15th of May, the CrowdSec Network recorded a sharp uptick in exploitation attempts targeting three exploits that are tracked exclusively in the Chinese National Vulnerability Database (CNVD):
♦️ CNVD-2019-19299
♦️ CNVD-2022-42853
♦️ CNVD-2021-30167

ℹ️ Key findings:

While the #CrowdSec Network’s visibility beyond the Great #Firewall is constrained, we can still observe the campaign and what else these attackers are looking for.

🔹 The spike, visible in the chart, reveals coordinated scanning behavior that likely signals a broader exploitation campaign currently in motion.
🔹 Here’s the Twist: The same attacker clusters are also seen deploying vulnerabilities commonly cataloged in the NVD, targeting global software.
🔹 This mix of CNVD and CVE-based tactics suggests one thing: Attackers aren’t limiting themselves by geography, so why should defenders?
🔹 As software supply chains become increasingly globalized, relying exclusively on U.S.-centric vulnerability databases such as the NVD creates dangerous blind spots. Threat actors clearly understand this, and they are actively exploiting those gaps.

🔎 Trend analysis:

🔹 May 15th: CrowdSec detects a surge in scans exploiting CNVD-2019-19299, CNVD-2022-42853, and CNVD-2021-30167. Most targeted software is used in mainland China, but activity comes from global IP ranges.
🔹 Ongoing: Attacker infrastructure also launches probes for high-profile CVEs in Apache, Atlassian, and Jenkins, showing no regional constraint in their tooling.
🔹 Common TTPs: Remote code execution (RCE), abuse of default credentials, and mass scanning via compromised VPS infrastructure.

✅ How to protect your systems:

Thanks to CrowdSec’s global network of decentralized agents, this trend was caught early. CrowdSec users are already benefiting from real-time protection via up-to-date blocklists and mitigation rules. Want to stay protected against CNVD and CVE threats alike?

🔹 Investigate: Check your software supply chain and note any pieces that might have their exploits tracked outside the NVD system, for example, you can take a closer look at the EUVD recently launched by @enisa_eu
🔹 Preemptive blocking: Deploy the CrowdSec WAF for automated mitigation with 100+ virtual patches and geo-aware rules: https://youtube.com/watch?v=LyNfr4QWiqw

🎉 Join us for the CrowdSec June Community Office Hours!

🔎 This month’s focus: The CrowdSec WAF
📅 June 26th at 6 PM CEST

Come chat about CrowdSec, learn about the latest updates, or just hang out with the community. Everyone’s welcome!

📌 Register: https://app.livestorm.co/crowdsec/crowdsec-community-office-hours-june-session

#webinar #community #WAF #cybersecurity

Get 7 to 60 days ahead of #attacks. ⚡

⏳ When malicious IPs hit the internet, every second counts. 

#CrowdSec gives you the upper hand by identifying and blocking malicious IPs days to even weeks before any other vendor on the market. 

How? Our real-time #collaborative network of thousands of contributors feeds into our blocklists, resulting in early, accurate, and actionable #IP intelligence.

Learn more 👉 https://www.crowdsec.net/blocklists

🚨 SAP NetWeaver: Details on a Common Weaponization Timeline

As mentioned in the May CrowdSec VulnTracking report, #SAPNetWeaver (CVE-2025-31324) was a very interesting case study that highlighted the fact that mainstream malicious actors and legitimate security scanners depend on the same PoCs/write-ups to act. Let’s dive into the timeline and key findings.

🔑 Key findings
🔹 Early reports suggest that a select group of highly skilled attackers weaponized the vulnerability before its public disclosure, but mass exploitation began immediately after the exploit details surfaced.
🔹 Common scanning companies were flagged looking for this vulnerability. The first to take action by order of appearance were cert.pl, hadrian.io, and stretchoid, the latter one being still active today and accountable for most of the volume

ℹ️ About the exploit
A critical zero-day vulnerability (CVSS 10.0) was identified in SAP NetWeaver's Visual Composer component. This flaw allows unauthenticated attackers to upload arbitrary files via the /developmentserver/metadatauploader endpoint, leading to remote code execution with high privileges.

🔎 Trend analysis
🔹 First Publish Date (April 24, 2025): Vulnerability disclosed; no public exploits available.
🔹 CrowdSec Network Monitoring Begins (April 26, 2025): No public exploits exist yet, but we deployed a detection rule. Early probes came from advanced actors, 37% used new, disposable infrastructure, while 63% linked to known threats. Alert volume remains very low.
🔹 First Public Exploit (April 29, 2025): Scanning activity skyrockets, nearly 50x the original volume, as public exploits emerge. Both botnets and internet-wide scanners (“the usual suspects” and industry surface management providers) started intensive scanning. At this time, benign actors account for over 50% of scanning activity.
🔹 Following weeks: Slowly, malicious actors decrease in volume of exploitation as they move to other vulnerabilities. Only benign actors remain and account for 90% of the traffic volume.

✅ How to protect your systems
🔹 Patch: Apply SAP Security Note immediately.
🔹 Preemptive blocking: Stay protected in real-time with top-tier blocklists that you can plug in minutes into the most popular security solutions, such as Fortinet.
Sharing insights and taking swift action can collectively reduce the impact of these threats. This is your call to action for real-time threat intelligence and collaborative cybersecurity: https://www.crowdsec.net/integrations

For more information, visit crowdsec.net

Want to stay ahead of the latest cyber threats? Get our weekly Threat Alert Newsletter delivered straight to your inbox, along with critical threat updates and trending cybersecurity insights.

📩 Sign up now for exclusive access: https://contact.crowdsec.net/threat-alert

🔎 In May’s VulnTracking report, we take a deep dive into SAP NetWeaver (CVE-2025-31324).

What we discovered: When public exploits were released, bad actors (such as botnets) and legitimate security scanners surged simultaneously, proving both sides depend on the same PoCs/write-ups to act.

Currently, CrowdSec identifies more than 1,400 IPs exploiting this vulnerability. Read the report for the full analysis 👉 https://www.crowdsec.net/vulntracking-report/vulntracking-report-may-2025

🚨 CVE-2025-3248: Renewed Interest in Langflow Remote Code Execution

ℹ️ About the exploit:
#Langflow is a widely used #opensource library for building AI agents, backed by corporate support from #Datastax (now #IBM). The tool provides a web-based, drag-and-drop interface for creating agentic workflows, making it particularly attractive to businesses, but also a high-value target for exploits. Given that such workflows often integrate with critical business databases and tools, security vulnerabilities in Langflow could have severe consequences.

This risk is not hypothetical. Langchain, another leading AI framework, has already been associated with over 30 CVEs, underscoring the security challenges in the fast-moving LLM development ecosystem.

The vulnerability in Langflow allowed unauthenticated attackers to execute arbitrary code on the host machine. Discovered and disclosed by Horizon3 in late February, the issue was patched in version 1.3, released at the end of March. Below is a detailed timeline of the discovery and remediation process.

🔎 Trend analysis:
🔹 Feb 25, 2025: The vulnerability is disclosed to DataStax by Horizon3.
🔹 Mar 5, 2025: DataStax fixes the vulnerability in the development branch.
🔹 Mar 31, 2025: Langflow 1.3.0 releases, containing a fix for CVE-2025-3248.
🔹 April 7, 2025: CVE-2025-3248 is published to the NVD.
🔹 April 9, 2025: The exploit is leaked to the public, and the CrowdSec Network starts tracking the exploit.
🔹 April 11-12, 2025: The CrowdSec Network observes a first wave of exploitation attempts by approximately 200 machines.
🔹 April 12 - May 14, 2025: Attackers disappear, with barely any attacks registered in the CrowdSec Network.
🔹 May 14 - 23, 2025: The CrowdSec Network observes a renewed, smaller wave of attacks, peaking out at around 100 involved machines.

✅ How to protect your systems:
🔹Patch: If you haven’t already, ensure your publicly exposed Langflow instance is updated with the latest patch.
🔹Preemptive blocking: Use Crowdsec CTI to block IPs exploiting CVE-2025-3248 👉 https://app.crowdsec.net/cti?q=cves%3ACVE-2025-3248
🔹Stay proactive: Install the Crowdsec Web Application Firewall to stay ahead of exploit attempts with 100+ virtual patching rules available 👉 https://app.crowdsec.net/cti?q=cves%3ACVE-2025-3248

Sharing insights and taking swift action can collectively reduce the impact of these threats. This is your call to action for real-time threat intelligence and #collaborative #cybersecurity 👉 http://crowdsec.net/

🎦 Join us for a webinar next week on @suricata and CrowdSec!

CrowdSec Ambassador @flaviuvlaicu will walk you through the steps of integrating Suricata with CrowdSec with Pushover notifications for robust, real-time threat detection and automated response.

Register now: https://app.livestorm.co/crowdsec/proactive-defense-crowdsec-suricata

#Suricata #cybersecurity #infosec #threatdetection