Executive Summary
This week, multiple critical security issues have emerged across widely used platforms, highlighting the need for urgent action by administrators. Craft CMS has been targeted via a remote code execution flaw, enabling attackers to deploy unauthorized payloads including cryptocurrency miners and proxyware, compromising system integrity and resource usage. Concurrently, a severe arbitrary file upload vulnerability affecting all versions of the TI WooCommerce Wishlist plugin remains unpatched. With over 100,000 active installations, this poses a significant risk to WordPress-based e-commerce platforms, and immediate plugin deactivation is strongly recommended. Additionally, ASUS router models RT-AC3100, RT-AC3200, and RT-AX55 are being exploited at scale through an OS command injection vulnerability. System administrators are advised to apply firmware updates and manually audit affected devices to eliminate latent threats.
Botnet activity saw a significant spike, with threats like EnemyBot, Sysrv-K, Andoryu, and Androxgh0st exploiting vulnerabilities in platforms such as Cloud Gateway, GitLab, and PHP-based services. Simultaneously, IoT malware strains including Bashlite, BrickerBot, Tsunami, and Mirai actively targeted Eir D1000 modems, swiftly expanding their foothold across connected devices.
A sharp uptick in advanced threat activity has been observed across multiple sectors, with both financially motivated and state-aligned actors leveraging zero-days and unpatched vulnerabilities to target critical systems. DragonForce ransomware actors breached MSP environments by exploiting flaws in SimpleHelp, while ViciousTrap weaponized a Cisco router vulnerability to create a global honeypot network. A financially motivated group named "Mimo" abused a Craft CMS flaw to deploy cryptominers and proxyware. China-linked actors were also active: UNC5221 exploited Ivanti EPMM flaws for credential theft and lateral movement, while UAT-6382 targeted U.S. local governments via a Trimble Cityworks zero-day. Simultaneously, over 9,000 ASUS routers were compromised by the "AyySSHush" botnet through legacy command injection vulnerabilities. These campaigns highlight the urgency of patching known flaws and hardening exposed infrastructure.
Trending / Critical Vulnerabilities
The vulnerabilities currently trending offer insight into the latest emerging and widely discussed threats, helping defenders make informed patching and hardening decisions.
CVE-2025-32432
A critical Remote Code Execution Vulnerability in Craft CMS, assigned a CVSS Score of 10.0, has been actively exploited by a financially motivated threat actor to deliver multiple malicious payloads. By sending specially crafted requests, attackers gain unauthorized access to vulnerable systems, allowing them to deploy a cryptocurrency miner, a custom loader known as Mimo Loader, and residential proxyware. These components are used to hijack system resources and internet bandwidth for cryptojacking and proxyjacking activities. Although Craft CMS released security fixes in versions 3.9.15, 4.14.15, and 5.6.17 some time ago, systems that remain unpatched continue to face a high risk of compromise. Organizations still running outdated versions are strongly advised to upgrade immediately to prevent further abuse.
CVE-2025-47577
A critical Arbitrary File Upload Vulnerability has been discovered in the TI WooCommerce Wishlist plugin for WordPress, which could allow unauthenticated attackers to upload malicious files to affected websites. With over 100,000 active installations, this plugin enables online shoppers to save and share their favorite products. Assigned the maximum CVSS Score of 10.0, the flaw impacts all versions up to and including 2.9.2, released on November 29, 2024. As no patch is currently available, users are strongly advised to immediately deactivate and remove the plugin from their WordPress installations to mitigate the risk of exploitation.
CVE-2023-39780
An OS Command Injection Vulnerability affecting ASUS router models RT-AC3100, RT-AC3200, and RT-AX55 has been actively exploited in a large-scale attack campaign. Assigned a high CVSS score of 8.8, the flaw enables attackers to gain control over vulnerable devices and potentially recruit them into a botnet. Although ASUS has released firmware updates to patch the issue, devices compromised before the updates were applied may remain at risk, since the update does not remove persistence already established. To fully mitigate the threat, users are strongly advised to manually review their SSH settings and remove any unauthorized keys to prevent persistent backdoor access.
Exploit Activity and Mass Scanning Observed on Cytellite Sensor
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As the source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
Identified vulnerabilities exploited by botnets, including recent CVEs logged in MISP. The top 5 CVEs with payloads suggestive of botnet activity, such as invoking wget against bare IP addresses, are presented.
Vulnerabilities Abused by Malware
CVE-2025-0994
A China-linked threat group identified as UAT-6382 has been observed exploiting a vulnerability in Trimble Cityworks software to launch targeted attacks against local government networks in the United States, according to a report from Cisco Talos. The exploited flaw, CVE-2025-0994, is a deserialization vulnerability in Microsoft Internet Information Services (IIS) web servers that allows remote code execution (RCE). Cisco Talos' investigation confirms that UAT-6382 had been leveraging this zero-day since early 2025 to infiltrate enterprise environments associated with U.S. local government entities. While Trimble and CISA initially released indicators of compromise (IoCs) in relation to exploitation, they did not publicly attribute the activity to any specific actor. However, Talos has since linked the campaign to UAT-6382 based on significant IoC overlap. The findings underscore the group’s strategic focus on municipal infrastructure and utilities, potentially for purposes aligned with cyber espionage or strategic disruption. Organizations using Trimble Cityworks are strongly urged to apply the latest patches and monitor related IoCs to mitigate risk.
Ivanti EPMM Vulnerabilities exploited by UNC5221
Researchers at EclecticIQ have uncovered a campaign attributed to the China-linked threat group UNC5221, which exploited two newly disclosed vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), CVE-2025-4427 and CVE-2025-4428, to target organizations across Europe, North America, and the Asia-Pacific region. Ivanti confirmed that these flaws can be chained together to enable unauthenticated remote code execution. UNC5221 leveraged this access to steal personally identifiable information (PII) and credentials, allowing for lateral movement within compromised networks.
The attackers were observed using legitimate system tools to evade detection and focused their efforts on mobile device management environments. As part of their post-exploitation toolkit, they deployed Fast Reverse Proxy (FRP) to establish a reverse SOCKS5 proxy for persistent remote access and used KrustyLoader to install the Sliver backdoor, a known red-teaming framework. The group also issued shell commands for reconnaissance and to obscure their activity in real-time, likely using HTTP GET requests to exfiltrate data before removing forensic artifacts. Ivanti has issued patches for the flaws, and users are strongly advised to apply updates immediately to defend against ongoing exploitation.
CVE-2025-32432
A newly observed financially motivated threat actor has been exploiting a recently disclosed remote code execution vulnerability, tracked as CVE-2025-32432, in the Craft Content Management System (CMS) to carry out a multi-payload cyber campaign. According to a report by Sekoia, the attackers leveraged this flaw to gain unauthorized access to vulnerable systems, deploying a web shell to establish persistent remote control.
Following initial access, the threat actor delivered a custom executable referred to as Mimo Loader. This loader modifies the critical system file /etc/ld.so.preload, which is read by the dynamic linker during program execution. By altering this file, the loader conceals the presence of a malicious shared object file named alamdar.so, effectively hiding the malware process from detection.
The main objective of the Mimo Loader is to install two monetization tools on compromised hosts: the XMRig cryptocurrency miner and IPRoyal proxyware. These tools allow the attackers to profit in two ways: cryptojacking, by hijacking system resources for illegal cryptocurrency mining; and proxyjacking, by selling the victim's internet bandwidth through proxy services. Sekoia attributed the exploitation to a Turkish IP address (85.106.113[.]168) and noted open-source intelligence linking the threat actor, Mimo, to a physical location in Turkey.
DragonForce Exploits SimpleHelp Vulnerabilities in Sophisticated Supply Chain Breach
Sophos Managed Detection and Response (MDR) recently investigated a targeted cyberattack involving a Managed Service Provider (MSP), where a threat actor exploited vulnerabilities in the MSP's remote monitoring and management (RMM) tool, SimpleHelp, to deploy DragonForce ransomware across multiple systems. According to Sophos, the attackers are believed to have leveraged an exploit chain involving three vulnerabilities disclosed in January 2025: CVE-2024-57726, CVE-2024-57727 and CVE-2024-57728. By compromising SimpleHelp, a widely used commercial remote support solution favored by MSPs for managing client environments, the adversaries not only encrypted data across several endpoints but also exfiltrated sensitive information to execute a double extortion scheme. Sophos urges all users to update their SimpleHelp deployments to the latest patched version to mitigate further risk.
CVE-2023-20118
Sekoia researchers have uncovered that a threat actor dubbed ViciousTrap has been actively exploiting CVE-2023-20118, a critical vulnerability affecting Cisco Small Business routers, to compromise roughly 5,300 network edge devices across 84 countries. These infected systems have been repurposed into nodes of a honeypot-style network. While the campaign's exact motive remains unclear, Sekoia assesses with high confidence that the underlying infrastructure is designed to intercept, observe, and analyze exploitation attempts and malicious payloads traversing through the compromised routers. This behavior points toward a likely cyber espionage or reconnaissance objective, as opposed to traditional financially motivated attacks.
CVE-2023-39780
GreyNoise researchers have uncovered a widespread campaign involving a novel botnet dubbed "AyySSHush", which has compromised over 9,000 ASUS routers and is also targeting SOHO devices from Cisco, D-Link, and Linksys. Detected in mid-March 2025, the operation bears the characteristics of a nation-state actor, though attribution remains inconclusive. The attackers employ a multi-pronged approach, brute-forcing login credentials, bypassing authentication, and exploiting known vulnerabilities to infiltrate vulnerable routers, specifically ASUS models such as RT-AC3100, RT-AC3200, and RT-AX55. A key part of the attack chain involves exploiting CVE-2023-39780, a command injection flaw that enables the threat actors to inject their own SSH public key and activate the SSH daemon on the non-standard port 53282. This modification ensures persistent access, even surviving device reboots and firmware upgrades. While ASUS has released security patches addressing CVE-2023-39780, patch availability may differ across models. Users are strongly advised to update their firmware immediately and inspect their devices for unauthorized modifications, particularly the presence of attacker-added SSH keys in the authorized_keys file.
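The manual check recommended above (and in the CVE-2023-39780 entry earlier on this page) amounts to two questions: is every key in authorized_keys one you put there, and is an SSH daemon listening on a port you did not configure? The following added example, not part of the GreyNoise report, audits both from constructed sample input: it computes OpenSSH-style SHA256 fingerprints for each authorized_keys entry, flags any fingerprint absent from an operator allowlist, and scans `ss -ltn`-style listener output for port 53282. The key blobs and listener lines are constructed, not real indicators.

```python
"""Audit SSH persistence indicators: unknown authorized_keys entries and sshd on port 53282."""
import base64
import hashlib

SUSPICIOUS_SSH_PORT = 53282  # port the AyySSHush campaign is reported to enable sshd on
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def key_fingerprint(blob_b64: str) -> str:
    """Return the OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(key blob)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (key_type, blob, comment) per key line, skipping blanks, comments and option prefixes."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # An options prefix such as command="...",no-pty precedes the key type; find the type token.
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        yield fields[idx], fields[idx + 1], " ".join(fields[idx + 2:])


def find_unauthorized_keys(text: str, allowed_fingerprints: set) -> list:
    """Return (fingerprint, comment) for every key whose fingerprint is not on the allowlist."""
    return [(fp, comment) for _, blob, comment in parse_authorized_keys(text)
            if (fp := key_fingerprint(blob)) not in allowed_fingerprints]


def suspicious_listeners(ss_output: str) -> list:
    """Return listening TCP ports from `ss -ltn` output that match the suspicious port."""
    ports = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skip the header and anything not in LISTEN state
        port = fields[3].rsplit(":", 1)[-1]
        if port.isdigit() and int(port) == SUSPICIOUS_SSH_PORT:
            ports.append(int(port))
    return ports


# Constructed sample data (not real keys or hosts): one known admin key, one unknown key with options.
ADMIN_BLOB = base64.b64encode(b"constructed admin key blob").decode()
ROGUE_BLOB = base64.b64encode(b"constructed rogue key blob").decode()
SAMPLE_AUTHORIZED_KEYS = (
    "# constructed sample authorized_keys\n"
    f"ssh-ed25519 {ADMIN_BLOB} admin@mgmt\n"
    f'command="/bin/false",no-pty ssh-rsa {ROGUE_BLOB} unknown@nowhere\n'
)
SAMPLE_SS_OUTPUT = (
    "State Recv-Q Send-Q Local Address:Port Peer Address:Port\n"
    "LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\n"
    "LISTEN 0 128 0.0.0.0:53282 0.0.0.0:*\n"
)

if __name__ == "__main__":
    allowlist = {key_fingerprint(ADMIN_BLOB)}
    print("unknown keys:", find_unauthorized_keys(SAMPLE_AUTHORIZED_KEYS, allowlist))
    print("suspicious listeners:", suspicious_listeners(SAMPLE_SS_OUTPUT))
```

On a real host, feed the script the contents of each user's authorized_keys file and the output of `ss -ltn`; a non-empty result from either function warrants removing the key or investigating the listener before trusting a firmware update alone.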
PRE-NVD observed for this week
PRE-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts, with plans to expand coverage.
External References
- https://www.greynoise.io/blog/stealthy-backdoor-campaign-affecting-asus-routers
- https://blog.sekoia.io/the-sharp-taste-of-mimolette-analyzing-mimos-latest-campaign-targeting-craft-cms/
- https://patchstack.com/articles/unpatched-critical-vulnerability-in-ti-woocommerce-wishlist-plugin/
- https://blog.talosintelligence.com/uat-6382-exploits-cityworks-vulnerability/
- https://news.sophos.com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers/
- https://blog.sekoia.io/vicioustrap-infiltrate-control-lure-turning-edge-devices-into-honeypots-en-masse/