Executive Summary
The week's threat activity underscored a rapidly evolving landscape, with new KEV additions and state-backed espionage operations targeting critical industries. This week, CISA expanded its KEV catalog with four high-risk vulnerabilities: three impacting Citrix NetScaler and Session Recording and one targeting the widely used Git version control system, underscoring the growing urgency of swift patch management.
Botnet activity has seen a sharp surge, with EnemyBot, Sysrv-k, Andoryu, and Androxgh0st exploiting flaws in GitLab, cloud gateways, and PHP-based applications, while IoT botnets such as Mirai, Bashlite, Tsunami, and BrickerBot aggressively targeted EirD1000 routers to establish persistence and enable lateral movement, highlighting a widening attack surface across both enterprise and consumer networks.
From stealthy malware to state-backed intrusions, recent campaigns show rising threats against critical industries and infrastructure, underscoring the need for proactive defense. Fortinet FortiGuard Labs flagged renewed Gayfemboy malware activity exploiting flaws in DrayTek, TP-Link, Raisecom, and Cisco, while CrowdStrike linked MURKY PANDA to cloud-based espionage with zero-days and revealed that Glacial Panda is targeting telecoms to steal call records via privilege escalation flaws.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping organizations make informed decisions.
CVE-2025-7775
A Memory Overflow Vulnerability in Citrix NetScaler allows for remote code execution and potential denial-of-service attacks. Exploitation is possible under specific conditions, including configurations where NetScaler is deployed as a Gateway, AAA virtual server, load balancer with IPv6 bindings, or cache redirection server with type HDX. As of August 26, 2025, Cloud Software Group confirmed that the flaw has been exploited as a zero-day in the wild against unpatched appliances. With no available mitigations, the vendor strongly urged customers to upgrade to fixed firmware versions immediately. The vulnerability has also been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, underscoring the critical need for rapid remediation.
CVE-2025-48384
A Link Following Vulnerability has been identified in Git, one of the most widely used distributed version control systems, which underpins both open-source and enterprise software development by managing source code at scale. With a high CVSS score of 8.0, this flaw arises from Git's inconsistent handling of carriage return (CR) and line feed (LF) characters in configuration files. Specifically, a mismatch between how Git reads and writes these values can be exploited by attackers, enabling malicious manipulation of configuration paths and file redirections. This vulnerability, now added to the CISA KEV catalog, poses a serious risk, as a publicly available proof-of-concept (PoC) increases the likelihood of active exploitation in real-world environments.
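The read/write asymmetry described above, as an added illustration that is not Git's own code: a minimal git-style config parser in which a lenient reader drops a trailing CR while the raw text keeps it, plus a defensive check that flags any config value carrying control characters. The sample config, the CONTROL pattern and the function names are constructed for this example.

```python
import re

# Constructed sample (not from the advisory): a git-style config in which one
# path value carries a trailing carriage return before the line feed.
SAMPLE_CONFIG = (
    '[submodule "lib"]\n'
    '\tpath = lib\r\n'
    '\turl = https://example.invalid/lib.git\n'
    '[core]\n'
    '\tbare = false\n'
)

# Any ASCII control character; no legitimate path or URL value should carry one.
CONTROL = re.compile(r'[\x00-\x1f\x7f]')


def parse_config(text, strip_cr=True):
    """Minimal key = value parser returning {(section, key): value}.
    strip_cr=True mimics a lenient reader that silently drops a trailing CR;
    strip_cr=False keeps the value exactly as it was written to disk."""
    values, section = {}, None
    for line in text.split('\n'):
        if line.lstrip().startswith('['):
            section = line.strip()[1:-1]
            continue
        key, sep, val = line.partition('=')
        if not sep:
            continue
        val = val.strip(' \t')
        if strip_cr:
            val = val.rstrip('\r')
        values[(section, key.strip())] = val
    return values


def roundtrip_mismatches(text):
    """Keys whose on-disk value differs from what the CR-stripping reader
    returns: the read/write inconsistency the advisory describes."""
    raw = parse_config(text, strip_cr=False)
    lenient = parse_config(text, strip_cr=True)
    return sorted(k for k in raw if raw[k] != lenient[k])


def control_char_values(text):
    """Defensive audit: list (key, escaped value) for every value containing a
    control character, so such entries can be rejected before use."""
    return sorted((k, v.encode('unicode_escape').decode())
                  for k, v in parse_config(text, strip_cr=False).items()
                  if CONTROL.search(v))
```

Running control_char_values over cloned config files (for example in a CI step) surfaces exactly the entries whose value on disk would not survive a round trip through a lenient reader.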
CVE-2024-8068
An Improper Privilege Management Vulnerability has been discovered in Citrix Session Recording that enables privilege escalation to the NetworkService account, potentially allowing an attacker to gain elevated access within the environment. Citrix addressed the issue in November 2024 by releasing hotfixes across both the Current Release (CR) and Long Term Service Release (LTSR) branches as part of its routine security updates. According to research by watchTowr, the root cause lies in the Session Recording component, a Windows service that handles recording files received from endpoints with session recording enabled. Successful exploitation requires the attacker to be an authenticated user within the same Windows Active Directory domain as the recording server. With a public proof-of-concept (PoC) available and the vulnerability recently added to the CISA KEV catalog, the likelihood of exploitation in enterprise environments is significantly elevated.
CVE-2024-8069
A Deserialization of Untrusted Data Vulnerability in Citrix Session Recording enables remote code execution under the privileges of the NetworkService account. The flaw originates in the Session Recording component, a Windows service responsible for processing session recording files received from endpoints with recording enabled. Exploitation requires the attacker to be an authenticated user within the same Windows Active Directory domain as the recording server. Citrix had already addressed this issue in November 2024 through hotfixes issued for both Current Release (CR) and Long Term Service Release (LTSR) branches as part of its security updates. With a public proof-of-concept (PoC) available and its recent inclusion in the CISA KEV catalog, the risk of exploitation has significantly increased, underscoring the urgency for organizations to verify timely patch deployment.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
Identified vulnerabilities exploited by botnets, including recent CVEs logged in MISP. Presented below are the top 5 CVEs with payloads suggestive of botnet activity, such as the use of wget with raw IP addresses.
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is sourced from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites, and more.
The resurgence of Gayfemboy botnet
Fortinet FortiGuard Labs has been tracking a stealthy malware strain that exploits a range of vulnerabilities to infiltrate systems. Initially disclosed by a Chinese cybersecurity firm under the name "Gayfemboy", the malware resurfaced in July 2025 with renewed activity, this time targeting vulnerabilities across multiple vendors including DrayTek, TP-Link, Raisecom, and Cisco. FortiGuard observed that the related payload exhibited signs of evolution in both form and behavior, enabling exploitation of several products, including DrayTek Vigor2960, Vigor3900, and Vigor300B; TP-Link Archer AX21; Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300; and Cisco ISE and ISE-PIC. The campaign has been observed spanning Brazil, Mexico, the United States, Germany, France, Switzerland, Israel, and Vietnam, with its scope extending across critical sectors such as Manufacturing, Technology, Construction, and Media/Communications. While Gayfemboy inherits structural elements from Mirai, it introduces notable modifications that significantly enhance both its complexity and its ability to evade detection. This evolution reflects the growing sophistication of modern malware campaigns and underscores the urgent need for proactive, intelligence-driven defense strategies.
CrowdStrike Warns of MURKY PANDA Operations
CrowdStrike's Counter Adversary Operations has identified ongoing cyberespionage activity linked to MURKY PANDA, a China-nexus threat group active since at least 2023. The adversary has primarily targeted government, technology, academic, legal and professional services organizations in North America, often exploiting internet-facing appliances and rapidly weaponizing both n-day and zero-day vulnerabilities, including CVE-2023-3519 in Citrix NetScaler ADC and Gateway. The group's operations, closely aligned with espionage campaigns tracked by industry as Silk Typhoon, appear to be intelligence-driven, with past incidents involving the exfiltration of emails and sensitive documents. By targeting cloud environments and their supply chains, MURKY PANDA poses a sustained and significant threat to organizations handling high-value information.
Rise of Glacial Panda
CrowdStrike reports a 130% rise in nation-state activity targeting the telecommunications sector, driven by the intelligence value of such networks. The China-linked actor Glacial Panda has conducted intrusions across multiple countries, focusing on Linux-based and legacy telecom systems. The group exploits internet-facing servers, weak credentials, and known vulnerabilities such as CVE-2016-5195 (Dirty COW) and CVE-2021-4034 (PwnKit), while deploying trojanized OpenSSH components called ShieldSlide to capture credentials and maintain stealthy backdoor access. This activity underscores the critical need for telecom organizations to strengthen system hardening, patch management, and continuous monitoring to mitigate persistent nation-state threats.
PRE-NVD observed for this week
PRE-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.
External References
- https://www.cisa.gov/news-events/alerts/2025/08/25/cisa-adds-three-known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/alerts/2025/08/26/cisa-adds-one-known-exploited-vulnerability-catalog
- https://securitylabs.datadoghq.com/articles/git-arbitrary-file-write/
- https://labs.watchtowr.com/visionaries-at-citrix-have-democratised-remote-network-access-citrix-virtual-apps-and-desktops-cve-unknown/
- https://www.fortinet.com/blog/threat-research/iot-malware-gayfemboy-mirai-based-botnet-campaign
- https://www.crowdstrike.com/en-us/blog/murky-panda-trusted-relationship-threat-in-cloud/
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Threat-Hunt-Report-2025.pdf