{"vulnerability": "CVE-2025-20212", "sightings": [{"uuid": "002ee9f1-cfd2-48e9-b201-89e390c33dcf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-20212", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3llu3i4oqlk2f", "content": "", "creation_timestamp": "2025-04-02T19:07:14.387820Z"}, {"uuid": "3192c1e6-becd-49b3-be4f-b85bdfab1e23", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-20212", "type": "seen", "source": "https://infosec.exchange/users/jbhall56/statuses/114274076903927800", "content": "", "creation_timestamp": "2025-04-03T12:40:35.220115Z"}, {"uuid": "be7db0f4-aa56-4e92-bd6e-d4c7d7f20bd3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-20212", "type": "seen", "source": "https://infosec.exchange/users/jbhall56/statuses/114274076903927800", "content": "", "creation_timestamp": "2025-04-03T12:40:35.218657Z"}, {"uuid": "1489cd93-ba5c-4653-a3cd-a74505b57400", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-20212", "type": "seen", "source": "https://bsky.app/profile/jbhall56.bsky.social/post/3llvwdz6qpk2q", "content": "", "creation_timestamp": "2025-04-03T12:40:44.252039Z"}, {"uuid": "1b477b6f-b4d7-4e27-812d-9572e8843cb9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-20212", "type": "seen", "source": "https://bsky.app/profile/getpokemon7.bsky.social/post/3lluwu24s3s2a", "content": "", "creation_timestamp": "2025-04-03T03:17:02.708487Z"}, {"uuid": "d39212a5-f4ed-417f-9341-b51a57bb667b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-20212", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/10123", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2025-20212\n\ud83d\udd25 CVSS Score: 7.7 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)\n\ud83d\udd39 Description: A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series devices could allow an authenticated, remote attacker to cause a denial of service (DoS) condition in the Cisco AnyConnect service on an affected device. To exploit this vulnerability, the attacker must have valid VPN user credentials on the affected device.\n This vulnerability exists because a variable is not initialized when an SSL VPN session is established. An attacker could exploit this vulnerability by supplying crafted attributes while establishing an SSL VPN session with an affected device. A successful exploit could allow the attacker to cause the Cisco AnyConnect VPN server to restart, resulting in the failure of the established SSL VPN sessions and forcing remote users to initiate a new VPN connection and reauthenticate. A sustained attack could prevent new SSL VPN connections from being established.\n Note: When the attack traffic stops, the Cisco AnyConnect VPN server recovers without manual intervention.\n\ud83d\udccf Published: 2025-04-02T16:15:40.815Z\n\ud83d\udccf Modified: 2025-04-02T16:15:40.815Z\n\ud83d\udd17 References:\n1. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-vNRpDvfb", "creation_timestamp": "2025-04-02T16:34:58.000000Z"}, {"uuid": "4fa25893-7982-408e-9da4-b160419a4483", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-20212", "type": "seen", "source": "https://bsky.app/profile/getpokemon7.bsky.social/post/3lm47knafpc2x", "content": "", "creation_timestamp": "2025-04-06T00:41:30.717375Z"}, {"uuid": "321b3dfb-7ce2-441e-8428-f06861e69085", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-20212", "type": "seen", "source": "https://bsky.app/profile/getpokemon7.bsky.social/post/3lm4av5xudc2x", "content": "", "creation_timestamp": "2025-04-06T01:05:20.010462Z"}, {"uuid": "6389a365-ddfc-4c2d-82c1-b3631eab9d4b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-20212", "type": "seen", "source": "https://t.me/cvedetector/21899", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2025-20212 - Cisco AnyConnect VPN Denial of Service Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2025-20212 \nPublished : April 2, 2025, 5:15 p.m. | 1\u00a0hour, 15\u00a0minutes ago \nDescription : A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series devices could allow an authenticated, remote attacker to cause a denial of service (DoS) condition in the Cisco AnyConnect service on an affected device. To exploit this vulnerability, the attacker must have valid VPN user credentials on the affected device.  \n  \n This vulnerability exists because a variable is not initialized when an SSL VPN session is established. An attacker could exploit this vulnerability by supplying crafted attributes while establishing an SSL VPN session with an affected device. A successful exploit could allow the attacker to cause the Cisco AnyConnect VPN server to restart, resulting in the failure of the established SSL VPN sessions and forcing remote users to initiate a new VPN connection and reauthenticate. A sustained attack could prevent new SSL VPN connections from being established.  \n  \n Note: When the attack traffic stops, the Cisco AnyConnect VPN server recovers without manual intervention. \nSeverity: 7.7 | HIGH \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"02 Apr 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-04-02T20:50:34.000000Z"}, {"uuid": "1053b960-1a8b-4b2e-b45b-f1f358458e4d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-20212", "type": "published-proof-of-concept", "source": "https://t.me/CyberBulletin/10687", "content": "The Hidden Dangers of VPNs: Critical Vulnerabilities Exposed (Late 2024 \u2013 Early 2025)\n\nVirtual Private Networks (VPNs) have long been considered an essential tool for securing online activity. However, a closer examination reveals an unsettling reality: VPNs themselves are increasingly becoming high-value targets for attackers. Over the past several months, a wave of critical vulnerabilities has shaken trust in these technologies, impacting both consumers and enterprises alike.\n\nIn this report, we highlight the most significant VPN vulnerabilities discovered from late 2024 into early 2025 \u2014 and why blind reliance on VPNs may no longer be a safe bet.\n\n\n---\n\nCVE-2025-22457: Critical Buffer Overflow in Ivanti Connect Secure and Pulse Connect Secure\n\nIn April 2025, researchers uncovered CVE-2025-22457, a critical unauthenticated stack-based buffer overflow vulnerability affecting Ivanti Connect Secure (ICS) and Pulse Connect Secure VPN appliances. Impacted versions include ICS 22.7R2.5 and earlier, as well as Pulse Connect Secure 9.1x, which reached end-of-support in December 2024.\n\nInitially, Ivanti assessed the issue as non-exploitable due to character restrictions (periods and numbers only) within the overflow. However, a suspected Chinese advanced persistent threat (APT) group, dubbed UNC5221, demonstrated that \u2014 through intricate exploitation techniques \u2014 remote code execution was indeed achievable.\n\nExploitation Details:\n\nProof-of-concept (PoC) exploits are already available publicly, such as the sfewer-r7 implementation on GitHub. Attackers can leverage these to gain a reverse shell with limited user privileges (\"nr\"), circumventing initial vendor assumptions about exploitability.\n\nA netcat listener captures the shell.\n\nThe exploit brute-forces address space layout randomization (ASLR) protections by guessing base addresses for libdsplibs.so.\n\nSuccessful exploitation results in unauthorized access to the underlying system.\n\n\nExposure:\nAs of April 2025, Shodan scans indicated over 4,000 vulnerable instances exposed online.\n\n\n---\n\nCVE-2024-53704: Authentication Bypass in SonicWall SSL VPN\n\nAnother significant threat emerged with CVE-2024-53704, a critical authentication bypass vulnerability impacting SonicWall\u2019s SSL VPN solutions based on SonicOS versions 7.1.x (through 7.1.1-7058), 7.1.2-7019, and 8.0.0-8035.\n\nDiscovered by Computest Security in November 2024 and patched in January 2025, this flaw allows attackers to hijack active VPN sessions by manipulating Base64-encoded session cookies \u2014 bypassing even multi-factor authentication (MFA) mechanisms.\n\nAttack Technique:\n\nBy inserting 32 null bytes encoded in Base64 into the swap cookie of a GET request, adversaries can effectively impersonate legitimate users without valid credentials.\n\nDespite available patches, thousands of systems remained unpatched into early 2025. According to Bishop Fox, more than 4,500 SonicWall VPN instances were still exposed as of February 2025.\n\n\n---\n\nCVE-2025-0282 and CVE-2025-0283: Stack-Based Buffer Overflows in Ivanti Products\n\nIn January 2025, Ivanti disclosed two additional vulnerabilities:\n\nCVE-2025-0282 (CVSS 9.0): Unauthenticated stack-based buffer overflow enabling remote code execution.\n\nCVE-2025-0283 (CVSS 7.0): Local privilege escalation via stack-based buffer overflow.\n\n\nAffected products included Ivanti Connect Secure, Policy Secure, and Neurons for Zero Trust Access (ZTA) gateways.\n\nExploitation Insights:\n\nPublic exploits, such as the one by sfewer-r7, target specific product versions with tailored ROP (Return-Oriented Programming) chains.\n\nSuccessful exploitation allows execution of operating system commands under non-root privileges, confirming breach activity.\n\n\nNotably, the exploit requires multiple attempts due to ASLR protections but ultimately grants unauthorized access if persistence is maintained.\n\n\n---\n\nCVE-2025-20212: Cisco Meraki AnyConnect VPN Denial-of-Service Vulnerability\n\nCisco disclosed CVE-2025-20212, a high-severity DoS vulnerability affecting AnyConnect VPN servers on Meraki MX and Z series devices.", "creation_timestamp": "2025-04-27T03:42:30.000000Z"}, {"uuid": "ce546987-60c8-4d37-be23-15cd91cdd577", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-20212", "type": "published-proof-of-concept", "source": "https://t.me/CyberBulletin/3124", "content": "The Hidden Dangers of VPNs: Critical Vulnerabilities Exposed (Late 2024 \u2013 Early 2025)\n\nVirtual Private Networks (VPNs) have long been considered an essential tool for securing online activity. However, a closer examination reveals an unsettling reality: VPNs themselves are increasingly becoming high-value targets for attackers. Over the past several months, a wave of critical vulnerabilities has shaken trust in these technologies, impacting both consumers and enterprises alike.\n\nIn this report, we highlight the most significant VPN vulnerabilities discovered from late 2024 into early 2025 \u2014 and why blind reliance on VPNs may no longer be a safe bet.\n\n\n---\n\nCVE-2025-22457: Critical Buffer Overflow in Ivanti Connect Secure and Pulse Connect Secure\n\nIn April 2025, researchers uncovered CVE-2025-22457, a critical unauthenticated stack-based buffer overflow vulnerability affecting Ivanti Connect Secure (ICS) and Pulse Connect Secure VPN appliances. Impacted versions include ICS 22.7R2.5 and earlier, as well as Pulse Connect Secure 9.1x, which reached end-of-support in December 2024.\n\nInitially, Ivanti assessed the issue as non-exploitable due to character restrictions (periods and numbers only) within the overflow. However, a suspected Chinese advanced persistent threat (APT) group, dubbed UNC5221, demonstrated that \u2014 through intricate exploitation techniques \u2014 remote code execution was indeed achievable.\n\nExploitation Details:\n\nProof-of-concept (PoC) exploits are already available publicly, such as the sfewer-r7 implementation on GitHub. Attackers can leverage these to gain a reverse shell with limited user privileges (\"nr\"), circumventing initial vendor assumptions about exploitability.\n\nA netcat listener captures the shell.\n\nThe exploit brute-forces address space layout randomization (ASLR) protections by guessing base addresses for libdsplibs.so.\n\nSuccessful exploitation results in unauthorized access to the underlying system.\n\n\nExposure:\nAs of April 2025, Shodan scans indicated over 4,000 vulnerable instances exposed online.\n\n\n---\n\nCVE-2024-53704: Authentication Bypass in SonicWall SSL VPN\n\nAnother significant threat emerged with CVE-2024-53704, a critical authentication bypass vulnerability impacting SonicWall\u2019s SSL VPN solutions based on SonicOS versions 7.1.x (through 7.1.1-7058), 7.1.2-7019, and 8.0.0-8035.\n\nDiscovered by Computest Security in November 2024 and patched in January 2025, this flaw allows attackers to hijack active VPN sessions by manipulating Base64-encoded session cookies \u2014 bypassing even multi-factor authentication (MFA) mechanisms.\n\nAttack Technique:\n\nBy inserting 32 null bytes encoded in Base64 into the swap cookie of a GET request, adversaries can effectively impersonate legitimate users without valid credentials.\n\nDespite available patches, thousands of systems remained unpatched into early 2025. According to Bishop Fox, more than 4,500 SonicWall VPN instances were still exposed as of February 2025.\n\n\n---\n\nCVE-2025-0282 and CVE-2025-0283: Stack-Based Buffer Overflows in Ivanti Products\n\nIn January 2025, Ivanti disclosed two additional vulnerabilities:\n\nCVE-2025-0282 (CVSS 9.0): Unauthenticated stack-based buffer overflow enabling remote code execution.\n\nCVE-2025-0283 (CVSS 7.0): Local privilege escalation via stack-based buffer overflow.\n\n\nAffected products included Ivanti Connect Secure, Policy Secure, and Neurons for Zero Trust Access (ZTA) gateways.\n\nExploitation Insights:\n\nPublic exploits, such as the one by sfewer-r7, target specific product versions with tailored ROP (Return-Oriented Programming) chains.\n\nSuccessful exploitation allows execution of operating system commands under non-root privileges, confirming breach activity.\n\n\nNotably, the exploit requires multiple attempts due to ASLR protections but ultimately grants unauthorized access if persistence is maintained.\n\n\n---\n\nCVE-2025-20212: Cisco Meraki AnyConnect VPN Denial-of-Service Vulnerability\n\nCisco disclosed CVE-2025-20212, a high-severity DoS vulnerability affecting AnyConnect VPN servers on Meraki MX and Z series devices.", "creation_timestamp": "2025-04-27T05:42:31.000000Z"}]}