Observations from this week indicate a growing shift toward rapid vulnerability of weaponization, with attackers targeting both current and unsupported systems to maximize impact. Three high-risk vulnerabilities were added to the CISA KEV catalog, including two zero-days impacting Fortinet FortiWeb and one affecting Google Chrome. Although previously patched, active exploitation was also observed in 7-Zip, emphasizing that remediation delays continue to offer attackers opportunities.

Botnet operators such as EnemyBot, Sysrv-k, Andoryu and Andorxgh0st expanded widespread campaigns against exposed cloud services, routers and web applications, leveraging both newly exposed and previously addressed weaknesses.

Meanwhile, Operation WrtHug compromised over 50,000 end-of-life ASUS routers underscoring the risks of relying on unsupported and unpatched network devices.

Key points:

• 3 new vulnerabilities were added to the CISA Known Exploited Vulnerabilities (KEV) catalog, reflecting recent exploitation activity.
• Active Exploitation detected in 7-ZIP vulnerability.  
• Cytellite sensor telemetry detected exploit and botnet-driven scanning activity targeting globally exposed assets.  
• 7 vulnerabilities were identified as being exploited by active malware campaigns, indicating weaponization by threat actors.  
• Multiple PRE-NVD vulnerabilities were observed, suggesting potential exploitation prior to public disclosure.

Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.

CVE-2025-11001

A File Parsing Directory Traversal Remote Code Execution Vulnerability in 7-Zip allows remote attackers to execute arbitrary code by exploiting improper handling of symbolic links in ZIP files, enabling traversal to unintended directories. Although the issue was addressed in version 25.00 released in July 2025, NHS England Digital has confirmed active exploitation in the wild. According to Trend Micro’s ZDI, attackers can leverage this flaw to run code in the context of a service account, posing significant risk. While technical details on the ongoing exploitation remain undisclosed, the existence of proof-of-concept exploits underscores the urgency for users to apply the patch without delay.

CVE-2025-13223

A Type Confusion Vulnerability in Google Chrome's V8 JavaScript engine that is currently being exploited in the wild, enabling attackers to corrupt the heap simply by luring users to a maliciously crafted webpage, making it a high-risk drive-by exploitation vector. While Google has not released technical details regarding the exploitation method, it has confirmed active abuse and strongly advises users to update immediately to the latest stable versions - 142.0.7444.175/.176 for Windows, 142.0.7444.176 for macOS and 142.0.7444.175 for Linux to reduce exposure. The vulnerability has also been added to the CISA KEV catalog, further underscoring its critical severity and urgency for patching.

CVE-2025-58034

An OS Command Injection Vulnerability in Fortinet FortiWeb affecting versions 8.0.0 to 8.0.1, 7.6.0 to 7.6.5, 7.4.0 to 7.4.10, 7.2.0 to 7.2.11 and 7.0.0 to 7.0.11 allows authenticated attackers to execute unauthorized code on the underlying system through crafted HTTP requests or CLI commands. According to Fortinet, this low-complexity flaw requires no user interaction and has already seen active exploitation. While authentication is required, the risk is significantly elevated in environments relying on shared admin credentials, weak passwords, or external access integrations. Successful exploitation may result in full administrative takeover, persistent backdoor installation, manipulation of web traffic, lateral movement within protected networks, and exfiltration of sensitive data. The vulnerability has been added to the CISA KEV catalog, and Fortinet has released upgraded versions to address it.

CVE-2025-64446

A Path Traversal Vulnerability in Fortinet FortiWeb affecting 8.0.0 to 8.0.1, 7.6.0 to 7.6.4, 7.4.0 to 7.4.9, 7.2.0 to 7.2.11 and 7.0.0 to 7.0.11 allows unauthenticated attackers to execute administrative commands via crafted HTTP or HTTPS requests. First observed in early October 2025 through live exploitation of a FortiWeb honeypot, the flaw has been actively abused to create privileged accounts, with public proof of concepts demonstrating reliable impact. Analysis confirmed the vulnerability stems from a combination of path traversal and authentication bypass techniques. Fortinet has issued upgraded versions to address the issues, which has now been added to the CISA KEV catalog. Exploitation continues in the wild, highlighting the urgency of patch deployment.

Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.

Multiple vulnerabilities were actively exploited by botnets, demonstrating automated infection and propagation across vulnerable systems. Analysis of MISP logs identified the top CVEs targeted by botnets, with payloads indicative of botnet activity, such as using wget commands with specific IP addresses, highlighting ongoing automated exploitation campaigns.

Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analyzed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.

Large-Scale ASUS Router Exploitation

According to SecurityScorecard, a large-scale campaign dubbed Operation WrtHug has compromised more than 50,000 outdated or end-of-life ASUS routers globally over the past six months, with most infections observed in Taiwan, the U.S., and Russia. The attackers are believed to be exploiting multiple known vulnerabilities including CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2023-39780, CVE-2024-12912, and CVE-2025-2492 to take control of affected devices, all of which were found to share a unique self-signed TLS certificate set to expire 100 years from April 2022. Notably, CVE-2023-39780 has also been linked to the Chinese-origin botnet AyySSHush, with some compromised IPs showing overlap between the two operations. While attribution remains uncertain, the campaign’s focus on Taiwan and similarities with previous tactics used by China-affiliated ORB groups suggest possible ties. SecurityScorecard warns this reflects a rising trend of mass router exploitation by calculated threat actors seeking to expand global footholds.

PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.

The week’s developments underscore how swiftly attackers are leveraging both newly uncovered flaws and previously patched vulnerabilities to establish persistence across enterprise and infrastructure ecosystems. Staying ahead of these tactics demands continuous monitoring paired with timely, actionable vulnerability intelligence. Loginsoft Vulnerability Intelligence (LOVI) empowers organizations to track exploitation trends in real time, enabling early detection, informed response, and enhanced resilience against active campaigns and evolving threat vectors.

FAQs:

1. What is Fortinet FortiWeb?

A. Fortinet FortiWeb is a Web Application Firewall (WAF) designed to protect web applications and APIs from threats such as SQL injection, cross-site scripting, and zero-day attacks. It provides advanced threat detection, bot mitigation, and application-layer security to safeguard critical web services across on-premises, cloud, and hybrid environments.  

2. What are the risks of using end-of-life (EoL) routers?

A. EoL routers no longer receive security patches or firmware updates, making them highly vulnerable to exploitation. Threat actors can easily target known, unpatched flaws to gain control of the device. Continued use of such routers significantly increases the risk of compromise, botnet infection, and network intrusion.

3. What is a PRE-NVD vulnerability, why is it considered effective for early detection?  

A PRE-NVD vulnerability refers to a security flaw identified before it’s officially analyzed and published in the National Vulnerability Database (NVD). It is effective for defenders because it provides early visibility, allowing faster patching and mitigation before widespread disclosure.

4. What does “PoC available” mean, and why does it increase risk for a vulnerability?

A. “PoC available” means a working exploit for the vulnerability has been publicly released, proving it can be abused. This helps defenders test and validate fixes, but it also gives attackers a ready-made blueprint, often leading to rapid and widespread exploitation if systems remain unpatched.  

5. What does inclusion in the CISA KEV catalog indicate about a vulnerability’s risk level?  

A. When a vulnerability is added to the CISA KEV catalog, it signifies that it is being actively exploited in real-world attacks and poses a serious, immediate risk. CISA includes only confirmed exploited vulnerabilities in this list to ensure organizations focus on patching the most dangerous threats first. Being listed means the flaw demands urgent remediation to prevent compromise across government and enterprise environments.