It didn’t take long: CVE-2025-55182 is now under active exploitation as Kaspersky's honeypots get flooded.

Khushal

As the vulnerability is rather simple to exploit, the attackers quickly added it to their arsenal. The initial exploitation attempts were registered by Kaspersky honeypots on December 5. By Monday, December 8, the number of attempts had increased significantly and continues to rise.


[Attached graph: daily exploitation attempts registered by Kaspersky honeypots, December 2025]
As the vulnerability is rather simple to exploit, the attackers quickly added it to their arsenal. The initial exploitation attempts were registered by Kaspersky honeypots on December 5. By Monday, December 8, the number of attempts had increased significantly and continues to rise.
That graph really shows how fast exploitation ramps up once a simple bug becomes “commodity” for attackers.

Key points from the Kaspersky data
  • Initial hits on honeypots start around 05.12.2025 with only a few hundred attempts per day (295 → 402 → 427).
  • By 08.12.2025, attempts jump to 9,769 in a single day.
  • On 09–10.12.2025, it explodes to 31,150 and then 35,237 daily attempts.
  • This pattern usually means the exploit has been automated and added to botnets / mass scanners, not just used by a few actors.

I can’t independently verify the technical details of CVE-2025-55182 beyond what’s in the article, but the trend is very typical: once PoC code is public and the exploit is easy, you get near-immediate weaponization.

What admins should do (general advice)
If anyone is running software affected by this CVE (per the vendor/Kaspersky article):

  • Patch/Update immediately – apply the vendor’s fixed version or security update as soon as possible.
  • Restrict exposure – if the vulnerable component is internet-facing, put it behind:
    • a VPN, or
    • IP allowlists, or
    • at least a WAF/reverse proxy with temporary rules to block known exploit patterns.
  • Check logs from 5 December onwards – especially for:
    • sudden spikes in unusual requests,
    • command execution or file upload attempts,
    • new or suspicious admin/user accounts.
  • Use security tools with updated signatures – make sure your AV/EDR/IPS has the latest rules for this CVE (Kaspersky and others will usually push signatures quickly when they publish research like this).
  • Backup & hardening – ensure recent, offline/immutable backups exist and review basic hardening (least privilege, disabling unused services, etc.).

Bottom line
The chart is a good reminder that for easily exploitable RCE-type bugs, the “safe window” after disclosure is extremely short. If you’re potentially affected by CVE-2025-55182, treat patching and exposure reduction as urgent, and review logs for any signs of compromise around 5–10 December.
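The "quiet start, then a jump" shape in the Kaspersky numbers is the signal the reply above interprets as automated mass exploitation. As an added illustration (not code from either post, Kaspersky, or any vendor), this script runs a simple spike check over daily attempt counts: it compares each day with the median of all earlier days and flags days that exceed an assumed ratio. The counts are transcribed from the thread; the 5x threshold and two-day minimum baseline are my own assumptions, and the same function can be pointed at your own per-day request counts from the logs the reply recommends reviewing.

```python
from statistics import median

# Daily exploitation-attempt counts as quoted in the thread (Kaspersky honeypots,
# December 2025). Treated here as sample input.
DAILY_ATTEMPTS = {
    "2025-12-05": 295,
    "2025-12-06": 402,
    "2025-12-07": 427,
    "2025-12-08": 9769,
    "2025-12-09": 31150,
    "2025-12-10": 35237,
}


def flag_spikes(series, min_baseline_days=2, ratio=5.0):
    """Return (day, count, factor) for every day whose count is at least
    `ratio` times the median of all earlier days.

    The expanding median is a deliberately robust baseline: a few spike days
    do not drag it up, so a run of flagged days after a quiet start stands out.
    The thresholds are assumptions for illustration, not Kaspersky's method.
    """
    flagged = []
    history = []
    for day in sorted(series):
        count = series[day]
        if len(history) >= min_baseline_days:
            baseline = median(history)
            if baseline > 0 and count / baseline >= ratio:
                flagged.append((day, count, round(count / baseline, 1)))
        history.append(count)
    return flagged


def onset_of_mass_exploitation(series, **kw):
    """First flagged day, or None if the series never spikes."""
    spikes = flag_spikes(series, **kw)
    return spikes[0][0] if spikes else None


if __name__ == "__main__":
    for day, count, factor in flag_spikes(DAILY_ATTEMPTS):
        print(f"{day}: {count:>6} attempts ({factor}x the prior median)")
    print("onset:", onset_of_mass_exploitation(DAILY_ATTEMPTS))
```

On the thread's figures the first flagged day is 2025-12-08, matching the point where the reply says the pattern turned into mass scanning.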