Executive Summary
This week in cybersecurity saw critical developments across major vendors and platforms. The U.S. CISA added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: a Trend Micro Apex One management server flaw under active exploitation and Apple's Image I/O zero-day. Researchers also reported the release of proof-of-concept exploits for two critical SAP NetWeaver vulnerabilities, raising concerns of enterprise abuse.
Botnet activity surged as EnemyBot, Sysrv-k, Andoryu, and Androxgh0st exploited flaws in GitLab, Cloud Gateway, and PHP-based apps, while IoT botnets like Mirai, Bashlite, Tsunami, and BricketBot mass-targeted EirD1000 routers to gain persistence and lateral movement.
On the malware front, Onapsis confirmed the weaponization of an exploit chain in SAP NetWeaver, enabling web shell deployment and stealthy LotL attacks. At the same time, Cisco Talos detailed a decade-long espionage campaign by Static Tundra, a Russian-linked group abusing a seven-year-old Cisco IOS flaw, and researchers observed attackers leveraging an Apache ActiveMQ vulnerability to deploy DripDropper malware while patching it post-compromise to lock out rivals.
Together, these developments highlight how attackers continue to exploit both cutting-edge zero-days and long-abandoned vulnerabilities to expand their operations.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping to make informed decisions.
CVE-2025-31324
An Unrestricted File Upload Vulnerability in SAP NetWeaver allows unauthenticated attackers to upload and execute malicious binaries. Although this vulnerability was exploited as a zero-day in April 2025 and patched immediately, Onapsis has now observed a new exploit chain in the wild that combines two critical flaws: CVE-2025-31324 and CVE-2025-42999. In this sequence, CVE-2025-31324 bypasses authentication to upload the payload, while CVE-2025-42999 unpacks and executes it with elevated privileges, leading to potential system compromise and data theft. Onapsis warns that the attackers show deep expertise in SAP environments and urges organizations to apply the latest patches issued, restrict internet exposure, and closely monitor SAP applications for suspicious activity.
CVE-2025-42999
A Deserialization Vulnerability in SAP NetWeaver enables privileged attackers to deserialize untrusted content, compromising the confidentiality, integrity and availability of the host system. The flaw was initially exploited as a zero-day in May 2025 and patched immediately, but Onapsis has now observed a new exploit chain leveraging CVE-2025-31324 and CVE-2025-42999. The attack sequence uses CVE-2025-31324 to bypass authentication and upload a payload, followed by CVE-2025-42999 to unpack and execute it with elevated privileges, resulting in system compromise and potential data theft. Onapsis stresses that the threat actors demonstrate deep expertise in SAP environments and strongly advises organizations to apply patches immediately, limit internet exposure, and monitor SAP systems for indicators of compromise.
CVE-2025-43300
An Out-of-Bounds Write Vulnerability in Apple's Image I/O framework, a core component for processing common image file formats, could allow attackers to craft malicious image files that trigger memory corruption and enable arbitrary code execution, potentially leading to surveillance or full device compromise. Apple has patched the flaw in macOS Sonoma 14.7.8, macOS Ventura 13.7.8, macOS Sequoia 15.6.1, iOS 18.6.2, and iPadOS 17.7.10 / 18.6.2. While technical details, attacker identity, and victim profiles remain undisclosed, Apple confirmed awareness of reports indicating that this vulnerability was exploited as a zero-day in a highly sophisticated attack targeting specific individuals. The flaw has also been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, further emphasizing the need for immediate patching.
CVE-2025-54948
An OS Command Injection Vulnerability has been discovered in Trend Micro Apex One, which could allow a pre-authenticated remote attacker to upload malicious code and execute arbitrary commands. With a critical CVSS Score of 9.8, this flaw affects Apex One Management Server version 14039 and below, and Trend Micro has confirmed at least one exploitation attempt targeting this vulnerability. While upgraded versions have been released, a permanent patch is yet to be rolled out. Given Apex One's role as a widely deployed endpoint security platform, the risk of exploitation is significant, leading CISA to add the flaw to its KEV catalog, urging immediate remediation.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights on what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
Identified vulnerabilities exploited by botnets, including recent CVEs logged in MISP. This section presents the top 5 CVEs with payloads suggestive of botnet activity, such as wget invoked with raw IP addresses.
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.
CVE-2025-31324 and CVE-2025-42999
According to Onapsis, a working exploit for CVE-2025-31324 and CVE-2025-42999 in SAP NetWeaver Visual Composer has been publicly weaponized and is actively circulating. Originally shared by the cybercriminal group Scattered LAPSUS$ Hunters - ShinyHunters on Telegram and later amplified by VX Underground on X, the exploit chains together two critical flaws: CVE-2025-31324, an unrestricted file upload vulnerability, and CVE-2025-42999, an insecure deserialization bug. When combined, these allow attackers to execute arbitrary operating system commands with SAP administrator (adm) privileges, enabling deep access to sensitive business processes and data.
Onapsis further warns that this exploit poses a heightened risk, as it can be abused not only to deploy web shells but also to launch living-off-the-land (LotL) attacks, where adversaries directly run system commands without leaving additional artifacts, significantly increasing stealth and persistence.
CVE-2023-46604
According to Red Canary, threat actors are actively exploiting a two-year-old flaw in Apache ActiveMQ, CVE-2023-46604, to gain persistent access to cloud-based Linux systems, deploying a previously unknown malware loader dubbed DripDropper. In a notable tactic, the attackers patch the very vulnerability they abuse, both to block rival intrusions and to evade detection. Once inside, they modify sshd configurations to enable root logins, granting elevated access for dropping DripDropper, a PyInstaller ELF binary protected by a password to resist analysis. The malware communicates with an attacker-controlled Dropbox account, blending into legitimate traffic while retrieving further instructions.
DripDropper delivers two payloads: one capable of process monitoring and continued Dropbox communication, maintained through persistence by altering the 0anacron file across multiple cron directories; and another that adjusts SSH configuration files as a backup access mechanism. Ultimately, the attackers download official patches for CVE-2023-46604 via Apache Maven, ensuring their foothold remains secure while preventing other adversaries from exploiting the same entry point. Since CVE-2023-46604 was already addressed by Apache in October 2023, organizations running ActiveMQ must urgently apply the official patch, remove any unnecessary internet exposure, and review systems for signs of persistence to prevent long-term compromise.
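The two persistence changes described above (root login enabled in sshd and an altered 0anacron script) are the kind of host artifacts a responder would check for. The following is an added example, not code from the Red Canary report; the sshd_config and 0anacron contents are constructed samples, and the indicator list is a hypothetical heuristic.

```python
import re

# Constructed sample sshd_config resembling an attacker-modified file
# (hypothetical content, not an artifact from the report).
SAMPLE_SSHD_CONFIG = """\
# Root login was tightened here originally
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
"""

# Constructed sample /etc/cron.daily/0anacron with an appended stage
# (hypothetical content).
SAMPLE_0ANACRON = """\
#!/bin/sh
# Check whether 0anacron was run today already
if test -r /var/spool/anacron/cron.daily; then
    day=`cat /var/spool/anacron/cron.daily`
fi
/usr/sbin/anacron -s
nohup python3 /tmp/.cache/monitor.py >/dev/null 2>&1 &
"""

def effective_permit_root_login(config_text):
    """Return the global PermitRootLogin value. sshd honours the first
    occurrence of a keyword; directives after a Match line are conditional
    and ignored here. Default is 'prohibit-password' (OpenSSH >= 7.0)."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break
        if key == "permitrootlogin":
            return value
    return "prohibit-password"

# Hypothetical indicator set: the stock 0anacron script never references
# download tools, interpreters or world-writable directories.
SUSPICIOUS = re.compile(r"(curl|wget|python[0-9.]*|base64|nohup|/tmp/|/dev/shm/)", re.I)

def suspicious_cron_lines(script_text):
    """Return non-comment lines of a cron script matching the indicator set."""
    return [raw.strip() for raw in script_text.splitlines()
            if raw.strip() and not raw.strip().startswith("#")
            and SUSPICIOUS.search(raw)]
```

Run the two checks against every sshd_config and every 0anacron copy under /etc/cron.*; a "yes" result or any returned line warrants comparison against the package-managed original.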
CVE-2018-0171
Cisco Talos has uncovered a decade-long cyber espionage campaign by "Static Tundra", a Russian state-sponsored threat actor linked to the FSB, which has been systematically exploiting unpatched and end-of-life Cisco devices. Believed to be a sub-cluster of the well-known Energetic Bear (aka BERSERK BEAR), the group shares strong overlaps in tactics and targeting and has also been associated with the infamous SYNful Knock implant first revealed in 2015. Static Tundra primarily abuses CVE-2018-0171, a Smart Install flaw in Cisco IOS and IOS XE software, to gain initial access before exfiltrating startup configurations via TFTP, exposing credentials and SNMP strings that enable persistence and lateral movement.
The threat actor demonstrates exceptional longevity, maintaining covert access for years through stealthy implants designed to survive device reboots, while targeting telecommunications, manufacturing, and higher education sectors across North America, Europe, Africa, and Asia, reinforcing its role as a sophisticated and persistent espionage threat.
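The exposure Static Tundra relies on, Smart Install left reachable and SNMP community strings sitting in the configuration, can be audited offline from a saved running-config. The following is an added example, not code from the Talos report; the config excerpt is constructed, and the checks assume Cisco IOS syntax where "no vstack" disables the Smart Install client.

```python
import re

# Constructed running-config excerpt (hypothetical, not from the report):
# Smart Install not disabled, one read-only and one read-write community.
SAMPLE_IOS_CONFIG = """\
hostname edge-sw1
!
snmp-server community public RO
snmp-server community private RW
!
ip tftp source-interface Vlan1
!
end
"""

SNMP_RE = re.compile(r"^snmp-server community (\S+)(?:\s+(RO|RW))?", re.I)

def audit_ios_config(config_text):
    """Return findings relevant to CVE-2018-0171 abuse: Smart Install not
    explicitly disabled, and SNMP community strings (RW flagged as high)."""
    findings = []
    lines = [l.strip() for l in config_text.splitlines()]
    if "no vstack" not in lines:
        findings.append("high: 'no vstack' missing, Smart Install may be enabled")
    if "vstack" in lines:
        findings.append("high: Smart Install explicitly enabled")
    for line in lines:
        m = SNMP_RE.match(line)
        if not m:
            continue
        access = (m.group(2) or "RO").upper()   # IOS defaults to RO
        level = "high" if access == "RW" else "medium"
        findings.append(f"{level}: snmp community '{m.group(1)}' with {access} access")
    return findings

def has_high_findings(config_text):
    return any(f.startswith("high:") for f in audit_ios_config(config_text))
```

Any "high" finding means a stolen startup-config would hand an intruder either a Smart Install foothold or write access to the device over SNMP.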
PRE-NVD observed for this week
This refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.
External References
- https://www.cisa.gov/news-events/alerts/2025/08/18/cisa-adds-one-known-exploited-vulnerability-catalog
- https://www.cisa.gov/news-events/alerts/2025/08/21/cisa-adds-one-known-exploited-vulnerability-catalog
- https://support.apple.com/en-us/124925
- https://www.bleepingcomputer.com/news/apple/apple-emergency-updates-fix-new-actively-exploited-zero-day/
- https://redcanary.com/blog/threat-intelligence/dripdropper-linux-malware/
- https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
- https://onapsis.com/blog/new-exploit-for-cve-2025-31324/
- https://blog.talosintelligence.com/static-tundra/