This week’s threat landscape saw a coordinated surge in real-world exploitation across multiple layers of enterprise infrastructure. CISA added nine vulnerabilities to its KEV catalog, flagging active abuse of three Qualcomm zero-days tied to Adreno GPU flaws, two ASUS router vulnerabilities (including token-based auth bypass and OS command injection), critical RCE chains in Craft CMS, and an improper authentication bug in ConnectWise ScreenConnect and a high-severity use-after-free flaw in Google Chrome’s V8 engine. Beyond the KEV additions, vBulletin forum software is under siege through template injection and unauthorized API access flaws, with public PoC exploit code raising serious concerns over unpatched deployments in the wild. Additionally, Roundcube Webmail is impacted by a critical authenticated RCE vulnerability stemming from improper validation in its upload mechanism, reports indicate the exploit has been actively sold on underground forums.

Botnet activity also surged significantly, as malware families like EnemyBot, Sysrv-K, Andoryu, and Androxgh0st ramped up exploitation efforts targeting known vulnerabilities in platforms including Cloud Gateway, GitLab, and various PHP-based services. In parallel, IoT-focused malware such as Bashlite, BrickerBot, Tsunami, and Mirai aggressively targeted Eir D1000 modems, rapidly expanding their control over exposed devices and amplifying the threat across internet-connected ecosystems.  

Advanced threat activity surged as CISA flagged new TTPs used by the Play Ransomware group, including double-extortion tactics and the exploitation of a flaw in the SimpleHelp remote-access tool. Simultaneously, Sekoia reported that over 9,500 ASUS routers were compromised via exposed SSH services in attacks linked to the ViciousTrap threat actor, reflecting the growing overlap between ransomware and IoT-focused operations.

Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping to make informed decisions.  

CVE-2025-3935
An Improper Authentication Vulnerability in ConnectWise ScreenConnect, an extensively used remote IT administration tool, allows remote code execution if attackers gain access to and misuse the server's machine keys. With a high CVSS Score of 7.2, it affects versions 25.2.3 and earlier. In response, ConnectWise has released patched version 25.2.4 to remediate the issue. The company also disclosed that it was targeted in a cyberattack suspected to be orchestrated by a nation-state threat actor, prompting a full-scale forensic investigation led by Google Mandiant. Given its potential impact, the vulnerability has also been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, highlighting the urgent need for patching in affected systems.

CVE-2025-5419
An Out-of-Bounds Read and Write Vulnerability in the V8 JavaScript engine of Google Chrome allows a remote attacker to trigger heap corruption by luring victims to a specially crafted HTML page. With a high CVSS Score of 8.8, the flaw affects all Chrome versions prior to 137.0.7151.68. Google has released a security patch, urging users to update Chrome to version 137.0.7151.68/.69 for Windows and macOS, and 137.0.7151.68 for Linux. While Google acknowledged active exploitation in the wild as zero-day, it has not disclosed any proof-of-concept (PoC) or exploit code, underlining the urgency for prompt updates to prevent potential attacks. This vulnerability has also been added to the CISA KEV catalog, reinforcing the need for immediate remediation.  

CVE-2025-21479 and CVE-2025-21480
Incorrect Authorization Vulnerabilities in Qualcomm's multiple chipsets, specifically within the Adreno GPU micronode, allow for memory corruption via unauthorized command execution triggered by specific sequences of commands. Assigned with a high CVSS score of 8.6, these flaws pose significant security risks, especially given their active exploitation as zero-day vulnerabilities. While technical specifics regarding attack vectors, contexts, or the identity of the threat actors remain undisclosed, these vulnerabilities have been deemed critical enough for Qualcomm to release emergency patches. These vulnerabilities have been added to the CISA KEV catalog, indicating confirmed exploitation in the wild and urging device manufacturers and users to immediately apply the latest firmware and driver updates to minimize potential impact.

CVE-2025-27038
A Use-after-Free Vulnerability in the graphics component of Qualcomm’s multiple chipsets, specifically involving the Adreno GPU drivers used in Chrome, could lead to memory corruption during graphic rendering operations. Assigned with a high CVSS score of 7.5, this flaw is particularly concerning due to its active exploitation as a zero-day. While technical specifics such as the attack vector, execution context, or the identity of the threat actor remain undisclosed, Qualcomm has released a security update to address the issue. This vulnerability is listed in CISA's KEV catalog, confirming active exploitation and urging immediate firmware and driver updates.

CVE-2025-35939
An External Control of Assumed-Immutable Web Parameter Vulnerability in the Craft CMS allows unauthenticated attackers to inject arbitrary data such as malicious PHP code into session files on the server. This occurs during redirection to the login page, where the CMS creates session files under /var/lib/php/sessions, using a session identifier provided via the Set-Cookie header. The core issue lies in improper sanitization of return URLs, which enables this injection. When combined with other vulnerabilities like CVE-2024-58136 and CVE-2025-32432, the flaw may lead to remote code execution, significantly compromising the system. Craft CMS versions 5.7.5 and 4.15.3 have been released to patch this issue. It has also been added to the CISA KEV catalog, indicating active exploitation risk.

CVE-2025-48827
An Unauthenticated Remote Code Execution Vulnerability in the open-source forum software vBulletin allows attackers to invoke protected API controller methods without authentication by sending crafted requests to endpoints like /ajax/api/ad/replaceAdTemplate. Rated as critical with a CVSS Score of 10, this flaw affects vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 running on PHP 8.1 or later. Though quietly patched last year via Patch Level 3 for 5.7.5 and Patch Level 1 for the 6.x branch, many instances remain exposed due to lagging updates. With public proof-of-concept now released by Karma (In) Security and active exploitation observed in the wild, administrators must upgrade to the latest patched versions without delay.

CVE-2025-48828
An Unauthenticated Remote Code Execution Vulnerability in the open-source forum software vBulletin enables attackers to inject malicious PHP code into templates using crafted <vb:if> conditionals. The vulnerability affects vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 when deployed on PHP 8.1 or later. Although the issue was discreetly patched last year in 5.7.5 Patch Level 3 and 6.x Patch Level 1, numerous installations remain at risk due to delayed updates. With a public proof-of-concept released by Karma (In) Security and active exploitation confirmed, immediate upgrades to the patched versions are strongly recommended to prevent compromise.

CVE-2025-49113
An Authenticated Remote Code Execution Vulnerability in the Roundcube Webmail stems from improper validation of _from parameter in the program/actions/settings/upload.php endpoint, which leads to PHP Object Deserialization. Having a critical CVSS Score of 9.9, this flaw affects versions prior to 1.5.10 and 1.6.x before 1.6.11. Recently disclosed by cybersecurity researchers, the vulnerability had remained undetected for over a decade, posing a significant risk to exposed systems. Successful exploitation enables authenticated attackers to execute arbitrary code and gain control over vulnerable installations. FearsOff’s CEO reported evidence of the exploit being actively sold in underground forums, indicating ongoing in-the-wild exploitation. Users are strongly advised to upgrade to the patched versions 1.6.11 or 1.5.10 LTS to mitigate this threat.

CVE-2024-56145
A Code Injection Vulnerability in the Craft CMS, enables unauthenticated remote code execution on affected systems. Rated as critical with a CVSS Score of 9.3, this flaw originates from improper input validation in the bootstrap/bootstrap.php file, where PHP’s register_argc_argv configuration allows query string parameters to be interpreted as CLI arguments via HTTP requests by populating the $_SERVER['argv'] array. This behavior allows attackers to manipulate paths like --templatesPath or --configPath, effectively bypassing Craft CMS’s sandboxing controls and leading to full system compromise. The issue has been addressed in versions 5.5.2, 4.13.2, and 3.9.14. Its inclusion in the CISA KEV catalog underscores the active exploitation risk and urgency for patching.

CVE-2023-39780
An OS Command Injection Vulnerability in ASUS RT-AX55 routers allows remote attackers to execute arbitrary system commands on affected devices. With a high CVSS Score of 8.8, this flaw affects firmware version 3.0.0.4.386.51598, and ASUS has issued a security update to patch this vulnerability. The vulnerability has been actively exploited in a stealthy botnet campaign dubbed AyySSHush, as revealed by security researchers at GreyNoise. The campaign has led to the compromise of over 9,000 ASUS routers, primarily models including RT-AC3100, RT-AC3200, and RT-AX55. Once compromised, the threat actors establish persistent and covert access without deploying external malware. The vulnerability has been added to the CISA KEV catalog, underscoring its active exploitation and the urgent need for patching and firmware updates to mitigate the associated risk.

CVE-2021-32030
An Improper Authentication Vulnerability in ASUS Routers allows unauthenticated attackers to gain unauthorized access to the router’s administrative interface. Having a critical CVSS Score of 9.8, this flaw affects Lyra Mini and GT-AC2900 devices. The vulnerability stems from improper validation of the asus_token session cookie within the handle_request function, particularly during the auth_check routine. If the asus_token begins with a null byte (0x00), the User-Agent string mimics an internal service (e.g., asusrouter--), and the router lacks a configured ifttt_token (i.e., in default state), the system incorrectly authenticates the request. This logic flaw enables attackers to bypass access controls, granting access to privileged administrative functions, and potentially leading to complete device compromise. Due to the End-of-Life (EoL) status of these products, users are strongly advised to upgrade to the last secure firmware versions: Lyra Mini 3.0.0.4_384_46630 and GT-AC2900 3.0.0.4.386.42643, as no further security patches will be issued. The vulnerability inclusion in the CISA KEV catalog emphasizes the active threat it poses and the critical need for mitigation.

Telemetry collected from Loginsoft sensors were analyzed and processed to derive insights on what is actively being exploited and actively being scanned.  As source of truth, source IPv4 addresses & payloads can be provided on need-to-know basis.

Identified vulnerabilities exploited by botnets, including recent CVEs logged in Misp. Presenting the top 5 CVEs with payloads suggestive of botnet activities, like utilizing wget with IP addresses.

CVE-2024-57727
The FBI, in coordination with CISA and the Australian Signals Directorate's Cyber Security Centre, has issued an updated advisory on Play Ransomware as of June 4, highlighting its expanded victim list of over 900 organizations worldwide. The update details new tactics, techniques and procedures (TTPs) observed in recent Play Ransomware campaigns, including a critical double-extortion strategy and the exploitation of a recently disclosed vulnerability in the SimpleHelp remote-access tool.  

The exploited flaw, tracked as CVE-2024-57727, affects the SimpleHelp Remote Monitoring and Management (RMM) software. If left unpatched, it can serve as an entry point for attackers. The vendor patched the issue in January 2024, but organizations that have yet to apply the fix remain vulnerable to compromise.

CVE-2021-32030
On May 12, 2025, threat intelligence from Sekoia revealed that the exploit server 101.99.91[.]239 was actively targeting ASUS routers, specifically attempting to extract firmware details and gain unauthorized SSH access on port 53282 by leveraging the vulnerability CVE-2021-32030. Subsequent analysis indicated that over 9,500 ASUS routers running SSH services on the same port were potentially compromised, with attribution pointing to the ViciousTrap threat actor.

It refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.

1. https://www.cisa.gov/news-events/alerts/2025/06/03/cisa-adds-three-known-exploited-vulnerabilities-catalog
2. https://www.cisa.gov/news-events/alerts/2025/06/02/cisa-adds-five-known-exploited-vulnerabilities-catalog
3. https://www.cisa.gov/news-events/alerts/2025/06/05/cisa-adds-one-known-exploited-vulnerability-catalog
4. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a
5. https://blog.sekoia.io/vicioustrap-infiltrate-control-lure-turning-edge-devices-into-honeypots-en-masse/
6. https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop.html  
7. https://threatprotect.qualys.com/2025/05/28/vbulletin-remote-code-execution-vulnerabilities-exploited-in-the-wild-cve-2025-48827-cve-2025-48828/