Executive Summary
This week’s threat landscape underscores the persistent risks posed by legacy systems and unpatched software. CISA expanded its Known Exploited Vulnerabilities (KEV) catalog by adding three legacy vulnerabilities affecting D-Link devices, highlighting the continued risk from end-of-life consumer hardware.
Concurrently, active exploitation was observed in Rejetto HTTP File Server (HFS), where attackers leveraged a server-side template injection flaw to deliver ransomware and trojans. Trend Micro released mitigations for two critical vulnerabilities in its Apex One (on-premise) management console, confirming at least one instance of attempted exploitation in the wild.
On the botnet front, activity surged significantly. EnemyBot, Sysrv-k, Andoryu, and Androxgh0st launched aggressive campaigns targeting known flaws in GitLab, Cloud Gateway, and PHP-based applications. Simultaneously, IoT botnets including Mirai, Bashlite, Tsunami, and BrickerBot exploited exposed Eir D1000 routers, enabling lateral movement within enterprise environments through mass exploitation tactics.
Rounding off the week, Kaspersky identified a stealthy AV killer tool used by ransomware operators, notably in a MedusaLocker incident in Brazil. In parallel, Farfli downloader, Zenpak trojan, and jqvtd ransomware were deployed via exposed Rejetto HFS 2.x servers, spotlighting the growing abuse of unpatched software in modern threat campaigns.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping to make informed decisions.
CVE-2025-54948 and CVE-2025-54987
Two Improper Neutralization of Special Elements Used in OS Command vulnerabilities, CVE-2025-54948 and CVE-2025-54987, impact the Trend Micro Apex One (on-premise) management console. While both flaws are functionally similar, CVE-2025-54987 specifically targets a different CPU architecture. These vulnerabilities could allow pre-authenticated remote attackers to upload malicious code and execute arbitrary commands on affected systems. Although technical exploitation details remain undisclosed, Trend Micro has confirmed at least one attempt to actively exploit one of these vulnerabilities. Mitigations for Apex One as a Service were applied on July 31, 2025, while on-premise users have been provided a temporary fix tool, with a formal patch scheduled for release by mid-August 2025.
CVE-2024-23692
An Improper Neutralization of Special Elements Used in a Template Engine vulnerability exists in Rejetto HTTP File Server (HFS) versions up to and including 2.3m, assigned a critical CVSS score of 9.8. On July 19, Imperva reported a surge in exploitation attempts targeting these legacy versions. Attackers leveraged this vulnerability via the search parameter to achieve remote code execution. A single HTTP request was enough to deploy ransomware and trojans without needing credentials. Multiple malware samples were observed, indicating widespread abuse of this flaw in the wild. As HFS 2.x is no longer supported, users are advised to upgrade to HFS version 3.
CVE-2022-40799
A Download of Code Without Integrity Check vulnerability exists in the D-Link DNR-322L network video recorder, carrying a high CVSS score of 8.8. Present in firmware versions 2.60B15 and earlier, the flaw stems from a data integrity weakness in the "Backup Config" feature located under “Maintenance > System > Configuration Settings.” This oversight enables authenticated attackers to execute OS-level commands remotely over the network. Although exploitation requires valid credentials, the severity of a potential compromise remains high. The vulnerability was recently added to the CISA KEV catalog, underscoring its active exploitation risk. Notably, D-Link officially declared the DNR-322L End of Life (EOL) and End of Service (EOS) in 2021, strongly advising users to retire and replace the device to mitigate security threats.
CVE-2020-25078
A Remote Password Disclosure vulnerability exists in the D-Link DCS-2530L and DCS-2670L devices, enabling unauthenticated attackers to extract administrative credentials via an inadequately secured /config/getuser endpoint. Tracked with a high CVSS score of 7.5, this flaw could potentially allow full remote control over the affected devices. D-Link addressed the issue in 2021 by releasing firmware updates: v1.07.00 Hotfix for the DCS-2530L and v2.03.00 Hotfix for the DCS-2670L. However, this vulnerability has now been added to the CISA KEV catalog. Notably, CISA also warned that these models may have reached end-of-life status, urging users to discontinue their use to avoid potential compromise.
CVE-2020-25079
A Command Injection vulnerability exists in the D-Link DCS-2530L and DCS-2670L devices, specifically within the cgi-bin/ddns_enc.cgi endpoint. With a high CVSS score of 8.8, the flaw allows authenticated attackers to execute arbitrary commands on the system. Although it requires valid credentials, the vulnerability becomes significantly more dangerous when chained with CVE-2020-25078, which enables remote disclosure of admin passwords. This makes it possible for attackers to use the two flaws in sequence, resulting in full remote code execution. D-Link mitigated the issue in 2021 through the release of firmware updates v1.07.00 Hotfix for the DCS-2530L and v2.03.00 Hotfix for the DCS-2670L. Despite this, the vulnerability has now been added to the CISA KEV catalog. CISA has also highlighted that the affected products may have reached end-of-life, and strongly recommends discontinuing their use to prevent exploitation.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As the source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
Identified vulnerabilities exploited by botnets, including recent CVEs logged in MISP. Presented below are the top 5 CVEs with payloads suggestive of botnet activity, such as the use of wget with IP addresses.
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities that are targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from various sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites, and more.
CVE-2025-7771
Kaspersky has uncovered a stealthy AV killer tool actively used by ransomware actors, particularly in a recent MedusaLocker incident in Brazil. The threat abuses the legitimate ThrottleStop.sys driver in a BYOVD (Bring Your Own Vulnerable Driver) technique to disable antivirus defenses and gain kernel-level access.
At the core of this campaign is the signed ThrottleStop.sys driver, originally developed by TechPowerUp to manage CPU throttling. Tracked as CVE-2025-7771, the vulnerable driver is weaponized by attackers to bypass kernel protections: through Win32 DeviceIoControl calls it grants direct physical memory access via MmMapIoSpace, which the tool uses to hijack the NtAddAtom syscall and execute shellcode that terminates AV processes. The AV killer targets a hardcoded list of popular security products including Kaspersky, Microsoft Defender, CrowdStrike, ESET, Bitdefender, Sophos, SentinelOne, and others. It identifies and terminates these processes using the kernel functions PsLookupProcessByProcessId and PsTerminateProcess.
While observed in Brazil, victims have also been identified in Russia, Ukraine, Belarus, and Kazakhstan. Kaspersky notes that this AV killer is not limited to a single group and has likely been adopted by multiple ransomware affiliates.
CVE-2024-23692
Imperva's Threat Research Team observed a significant spike in HTTP probing on July 19, targeting vulnerable Rejetto HFS 2.x servers. Threat actors exploited an unauthenticated server-side template injection flaw in HFS 2.3m and earlier to achieve remote code execution and mass-deploy malware. Payloads were delivered from hxxp://151[.]242.152.91/ and included the Farfli downloader, Zenpak Trojan, and jqvtd Ransomware. Imperva linked the command-and-control infrastructure to Hong Kong, suggesting the activity was conducted by a single, coordinated threat group.
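As an added example (not code from this report, Imperva, or the vendors named above), the following Python flags in web-server access logs the two request patterns described in this report: HFS macro delimiters in the `search` parameter (CVE-2024-23692), and a `/config/getuser` request followed by `cgi-bin/ddns_enc.cgi` from the same source (the CVE-2020-25078 to CVE-2020-25079 chain). The log lines, IP addresses and macro body are constructed; that HFS 2.x macros are delimited by `{.` and `.}` is an assumption not stated on the page.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Combined-log-format line: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (not real telemetry); addresses are documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Jul/2025:10:00:01 +0000] "GET /?search=%7B.placeholder.%7D HTTP/1.1" 200 512',
    '198.51.100.8 - - [19/Jul/2025:10:00:02 +0000] "GET /?search=report.pdf HTTP/1.1" 200 2048',
    '203.0.113.5 - - [05/Aug/2025:08:15:00 +0000] "GET /config/getuser HTTP/1.1" 200 64',
    '203.0.113.5 - - [05/Aug/2025:08:15:03 +0000] "POST /cgi-bin/ddns_enc.cgi HTTP/1.1" 200 10',
    '203.0.113.9 - - [05/Aug/2025:08:16:00 +0000] "POST /cgi-bin/ddns_enc.cgi HTTP/1.1" 401 0',
]


def hfs_macro_in_search(target: str) -> bool:
    """True if any `search` query value contains HFS macro delimiters (assumed `{.` ... `.}`)."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for value in query.get("search", []):
        decoded = unquote(value)  # second decode catches double-encoded payloads
        if "{." in decoded and ".}" in decoded:
            return True
    return False


def analyze(lines):
    """Return (source_ip, cve, reason) alerts for the patterns described in the report."""
    alerts = []
    getuser_seen = defaultdict(bool)  # per source IP: /config/getuser already requested?
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ip, target = m["ip"], m["target"]
        path = urlsplit(target).path
        if hfs_macro_in_search(target):
            alerts.append((ip, "CVE-2024-23692", "HFS macro delimiters in search parameter"))
        if path.endswith("/config/getuser"):
            getuser_seen[ip] = True  # unauthenticated credential disclosure endpoint
            alerts.append((ip, "CVE-2020-25078", "request to /config/getuser"))
        elif path.endswith("/cgi-bin/ddns_enc.cgi") and getuser_seen[ip]:
            alerts.append((ip, "CVE-2020-25079", "ddns_enc.cgi after getuser from same source"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

A bare `ddns_enc.cgi` request without a preceding `getuser` from the same source (the last sample line) is deliberately not raised as the chain, so the rule stays specific to the sequence the report describes.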
PRE-NVD observed for this week
PRE-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.
External References
- https://www.cisa.gov/news-events/alerts/2025/08/05/cisa-adds-three-known-exploited-vulnerabilities-catalog
- https://securelist.com/av-killer-exploiting-throttlestop-sys/117026/
- https://securityonline.info/critical-hfs-2-x-flaw-cve-2024-23692-actively-exploited-legacy-file-server-becomes-a-ransomware-backdoor/
- https://www.imperva.com/blog/imperva-detects-and-mitigates-rejetto-hfs-spray-and-pray-ransomware-trojan-campaign/
- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10305
- https://thehackernews.com/2025/08/cisa-adds-3-d-link-router-flaws-to-kev.html