On March 3, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming their exploitation in the wild.

GreyNoise provided visibility into these vulnerabilities before their addition to KEV, giving defenders an early advantage. 

SEE MALICIOUS IPS: CVE-2022-43939 SEE MALICIOUS IPS: CVE-2022-43769

SEE MALICIOUS IPS: CVE-2024-4885

Observed Exploitation

CVE-2022-43939 (Authorization Bypass) & CVE-2022-43769 (Special Element Injection)

Hitachi Vantara Pentaho BA Server Vulnerabilities 

Observed activity is identical across both CVEs: 

  • First Observed Exploitation: December 6, 2024
  • Most Recent Exploitation: February 28, 2025
  • IP Count & Classification: 15 (100% malicious)
  • Top 3 Source Countries: Singapore, Hong Kong, United States
  • Top Tags:
    • Apache Airflow Example DAG RCE Attempt 
    • Apache Airflow Experimental API Access Check
    • Apache Airflow Remote Command Injection Attempt
    • 3CX Management Console LFI Attempt
    • 74CMS SQL Injection Attempt

BLOCK MALICIOUS IPS: CVE-2022-43939 BLOCK MALICIOUS IPS: CVE-2022-43769

CVE-2024-4885

Progress WhatsUp Gold Path Traversal Vulnerability

  • First Observed Exploitation: December 6, 2024 (Same date as CVE-2022-43939 & CVE-2022-43769)
  • Most Recent Exploitation: March 2, 2025
  • IP Count & Classification: 8 (100% malicious) 
  • Top 3 Source Countries: Hong Kong, Russia, Brazil
  • Top Tags:
    • Progress WhatsUp Gold RCE Attempt
    • GeoServer Scanner
    • TLS/SSL Crawler

BLOCK MALICIOUS IPS: CVE-2024-4885

Recommendations for Defenders

  • Patch immediately – Apply vendor patches as soon as possible. If patching isn’t feasible, implement available mitigations. 
  • Monitor for exploitation – Review logs for signs of scanning, reconnaissance, or unauthorized access related to these CVEs.
  • Block known malicious IPs – GreyNoise tracks attacker IPs involved in exploitation. Organizations should use this intelligence to proactively block threats. 
  • Reduce attack surface – Restrict internet exposure for vulnerable services and enforce strict access controls.

GreyNoise Continues to Track These Threats

GreyNoise tagged these vulnerabilities before KEV inclusion, reinforcing the importance of real-time attack intelligence. 

— — — 

Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relation.
This article is a summary of the full, in-depth version on the GreyNoise Labs blog.
Read the full report
GreyNoise Labs logo
Link to GreyNoise Twitter account
Link to GreyNoise Twitter account