Executive Summary
This week’s threat landscape was marked by a series of urgent security updates and active exploitation cases across major platforms. Samsung released patches for a critical vulnerability in its mobile devices that had been exploited as a zero-day, while Google addressed a high-severity flaw in its Chrome browser, also confirmed to be under active zero-day exploitation. In addition, researchers observed immediate exploitation attempts targeting a newly disclosed flaw in the Case Theme User WordPress plugin, highlighting how quickly attackers move to weaponize fresh vulnerabilities. Meanwhile, vulnerabilities in DELMIA Apriso and WhatsApp, which were added to CISA’s KEV catalog last week, continue to be actively exploited by threat actors.
Botnet activity has seen a sharp escalation, with EnemyBot, Sysrv-k, Andoryu, and Androxgh0st actively exploiting vulnerabilities in GitLab, cloud gateways, and PHP-based applications. Meanwhile, IoT-centric botnets such as Mirai, Bashlite, Tsunami, and BrickerBot are ramping up their campaigns, specifically targeting EirD1000 routers to gain persistence and facilitate lateral movement across networks.
ESET researchers have reported HybridPetya, a Petya/NotPetya-inspired ransomware that continues the evolution of earlier strains by leveraging a vulnerability to compromise UEFI-based systems. Threat activity also persists, with attackers exploiting a flaw in LILIN DVRs to spread botnets like Chalubo, FBot, and Moobot. In addition, the ongoing exploitation of a SonicWall vulnerability remains a concern, as it has been directly linked to Akira ransomware intrusions targeting Australian organizations.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping organizations make informed decisions.
CVE-2025-5821
An Authentication Bypass Vulnerability in the Case Theme User WordPress plugin, affecting versions up to and including 1.0.3, allowed unauthenticated actors to gain administrative access and view admin email addresses by abusing the plugin's Facebook-based login flow. Wordfence released a security update, version 1.0.4, in August 2025 that resolves the vulnerability, but exploitation attempts began just one day after its public disclosure, highlighting the urgency of applying the fix. Since then, the Wordfence firewall has blocked more than 20,900 exploit attempts, with attackers typically registering a temporary account, escalating its privileges to administrator, and then deleting the account to erase traces. Organizations are strongly advised to update immediately, review access logs, and monitor for suspicious admin-level activity.
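The register, promote, delete sequence described above is a pattern defenders can correlate in audit logs. The following Python is an added example, not Wordfence's code or the plugin's: it uses a constructed audit-log format and an assumed 15-minute window to flag accounts that were created, granted the administrator role and deleted in quick succession.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List

# Creation-to-deletion window for the burst pattern; 15 minutes is an assumption.
BURST_WINDOW = timedelta(minutes=15)


@dataclass
class AuditEvent:
    """One audit record. The schema is constructed, not a specific plugin's format."""
    ts: datetime
    action: str       # "user_register", "set_user_role" or "delete_user"
    user: str
    detail: str = ""  # new role for set_user_role


def parse_line(line: str) -> AuditEvent:
    """Parse a constructed 'ISO-8601 action user [detail]' audit line."""
    parts = line.split()
    return AuditEvent(datetime.fromisoformat(parts[0]), parts[1], parts[2],
                      parts[3] if len(parts) > 3 else "")


def find_burst_admin_accounts(events: Iterable[AuditEvent]) -> List[str]:
    """Accounts created, promoted to administrator and deleted within BURST_WINDOW."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)
    flagged = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        created = next((e.ts for e in evs if e.action == "user_register"), None)
        promoted = next((e.ts for e in evs
                         if e.action == "set_user_role" and e.detail == "administrator"), None)
        deleted = next((e.ts for e in evs if e.action == "delete_user"), None)
        # All three steps must be present, in order, and inside the window.
        if (None not in (created, promoted, deleted) and created <= promoted <= deleted
                and deleted - created <= BURST_WINDOW):
            flagged.append(user)
    return flagged


# Constructed sample log: alice is a normal signup, tmp_4f2a shows the burst,
# bob was promoted and removed days after signing up (outside the window).
SAMPLE_LOG = """\
2025-09-10T08:00:05 user_register alice
2025-09-10T08:01:30 user_register tmp_4f2a
2025-09-10T08:01:34 set_user_role tmp_4f2a administrator
2025-09-10T08:02:10 delete_user tmp_4f2a
2025-09-01T09:00:00 user_register bob
2025-09-03T14:00:00 set_user_role bob administrator
2025-09-03T14:05:00 delete_user bob
"""
```

Running `find_burst_admin_accounts(parse_line(l) for l in SAMPLE_LOG.splitlines())` on the sample returns only `tmp_4f2a`; a real deployment would feed it the site's own user-management audit trail.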
CVE-2025-10585
A Type Confusion Vulnerability has been identified in the V8 JavaScript and WebAssembly engine, posing a serious security risk. Successful exploitation of this flaw could enable a remote attacker to bypass the browser’s security sandbox by luring users into visiting a specially crafted malicious webpage. Google has addressed the issue by releasing a new stable channel update, version 140.0.7339.185/.186 for Windows and Mac and 140.0.7339.185 for Linux. While Google has acknowledged that this vulnerability has been exploited as a zero-day in the wild, it has not disclosed any details regarding the active campaigns linked to the attacks.
CVE-2025-21043
An Out-of-Bounds Write Vulnerability in Samsung's libimagecodec.quram.so component was identified, impacting Samsung mobile devices running versions prior to SMR September 2025 Release 1. The flaw is caused by an incorrect implementation in the closed-source image parsing library developed by Quramsoft. Samsung confirmed the issue was being exploited as a zero-day and that an exploit was already circulating in the wild at the time of disclosure. The company remediated the vulnerability in its September 2025 Android security updates, though it did not publish further technical details about the active campaigns.
CVE-2025-5086
A Deserialization of Untrusted Data Vulnerability has been identified in DELMIA Apriso, affecting releases from 2020 through 2025 and carrying a critical CVSS score of 9.0. Dassault Systèmes issued an advisory in June 2025, warning that the flaw could enable remote code execution in Apriso’s Manufacturing Operations Management (MOM) and Manufacturing Execution System (MES) platforms, which form the backbone of many industrial environments. Recently, researchers at SANS.edu have observed active exploitation attempts traced to IP 156.244.33(.)162. The attacks use SOAP POST requests targeting /apriso/WebServices/FlexNetOperationsService.svc/Invoke, embedding malicious objects in XML that decode into Windows executables. Organizations are strongly urged to apply the available patches, monitor for suspicious SOAP traffic and Base64 payloads, and restrict internet exposure of MOM/MES systems to reduce risk. The vulnerability has also been added to the CISA KEV catalog, underscoring its active exploitation and critical nature.
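One way to act on the monitoring advice above is to inspect POST bodies sent to the Invoke endpoint for Base64 that decodes to a Windows executable. The Python below is an added example, not SANS.edu's or Dassault Systèmes' code; the SOAP envelope shape and the 64-character Base64 threshold are assumptions, and the sample requests are constructed.

```python
import base64
import binascii
import re
from typing import Dict, List

# Endpoint named in the SANS.edu observation summarised in the bulletin.
APRISO_INVOKE_PATH = "/apriso/WebServices/FlexNetOperationsService.svc/Invoke"
# Serialized objects are far longer than 64 Base64 characters; the threshold is
# an assumption chosen to skip short tokens such as session ids.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def extract_blobs(xml_body: str) -> List[bytes]:
    """Return every decodable Base64 run found inside a SOAP body."""
    blobs = []
    for match in _B64_RUN.finditer(xml_body):
        try:
            blobs.append(base64.b64decode(match.group(0), validate=True))
        except (binascii.Error, ValueError):
            continue  # a long identifier or hex run, not Base64
    return blobs


def classify_request(req: Dict[str, str]) -> List[str]:
    """Return detection reasons for one request record; an empty list means clean."""
    path = req.get("path", "").split("?", 1)[0].lower()
    if req.get("method") != "POST" or path != APRISO_INVOKE_PATH.lower():
        return []
    # The observed payloads decoded into Windows executables, so the PE "MZ"
    # magic at offset 0 of a decoded blob is the high-confidence indicator.
    return ["Base64 blob decodes to a PE (MZ) header"
            for blob in extract_blobs(req.get("body", "")) if blob[:2] == b"MZ"]


def triage(requests: List[Dict[str, str]]) -> List[int]:
    """Indices of requests that triggered at least one detection reason."""
    return [i for i, req in enumerate(requests) if classify_request(req)]


def _soap(data_b64: str) -> str:
    """Minimal SOAP envelope around a Base64 string (constructed, not Apriso's real schema)."""
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            f"<s:Body><Invoke><Data>{data_b64}</Data></Invoke></s:Body></s:Envelope>")


# Constructed sample traffic, not real captures. _PE_LIKE decodes to bytes that
# begin with the PE "MZ" magic and nothing else of substance.
_PE_LIKE = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode()
SAMPLE_REQUESTS = [
    {"method": "POST", "path": APRISO_INVOKE_PATH,
     "body": _soap(base64.b64encode(b"order-status-request-for-line-7 " * 3).decode())},
    {"method": "POST", "path": APRISO_INVOKE_PATH + "?op=Invoke", "body": _soap(_PE_LIKE)},
    {"method": "GET", "path": APRISO_INVOKE_PATH, "body": _soap(_PE_LIKE)},  # not a POST
]
```

`triage(SAMPLE_REQUESTS)` flags only the second record; a request whose Base64 decodes to ordinary text, or that is not a POST to the Invoke path, passes.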
CVE-2025-55177
An Incorrect Authorization vulnerability in WhatsApp has been identified, allowing an unrelated user to force a target’s device into processing content from a malicious URL. The flaw impacted WhatsApp for iOS (prior to v2.25.21.73), WhatsApp Business for iOS (prior to v2.25.21.78), and WhatsApp for Mac (prior to v2.25.21.78) before being patched by the company, which has also begun issuing security notifications to individuals believed to have been targeted over the past three months. Although serious on its own, the risk was amplified when combined with Apple’s CVE-2025-43300, an out-of-bounds write vulnerability in the Image I/O framework affecting iOS, iPadOS, and macOS. This exploit chain enabled a sophisticated “zero-click” attack, requiring no user interaction, that has reportedly impacted both iPhone and Android users, including journalists and human rights defenders, highlighting the persistent risks posed by government spyware. The flaw has since been added to the CISA KEV catalog.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
This section lists vulnerabilities exploited by botnets, including recent CVEs logged in MISP, presenting the top 5 CVEs with payloads suggestive of botnet activity, such as use of wget with raw IP addresses.
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities targeted by adversaries. Each vulnerability is studied by an analyst and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.
CVE-2025-34130
360Netlab reported that since August 2019, its unknown threat detection system has observed multiple groups exploiting a zero-day vulnerability in LILIN DVRs to distribute botnets such as Chalubo, FBot, and Moobot. The exploited vulnerability is an arbitrary file read issue in /z/zbin/net_html.cgi. In February 2020, the manufacturer addressed the issue and released firmware 2.0b60_20200207 to patch the vulnerability. These findings underscore how unpatched or poorly secured IoT devices can become a persistent attack vector, fueling botnet operations for years.
CVE-2024-40766
The Australian Cyber Security Centre (ACSC) has issued an alert regarding the active exploitation of CVE-2024-40766, a critical vulnerability in SonicWall SSL VPNs that has been directly linked to Akira ransomware intrusions against Australian organizations. The flaw affects Gen 5, Gen 6, and Gen 7 SonicWall devices running vulnerable SonicOS versions, and successful exploitation can grant attackers unauthorized access to corporate networks or even crash the firewall, escalating the impact. According to the ACSC, threat actors are actively leveraging this weakness, with Akira ransomware groups increasingly using VPN vulnerabilities as entry points. Considering this, the agency is urging all organizations to immediately patch their devices, stressing that the latest security builds are available for download via mysonicwall.com.
CVE-2024-7344
ESET researchers uncovered HybridPetya on VirusTotal, a Petya/NotPetya-style ransomware that extends those tactics to UEFI-based systems by weaponizing CVE-2024-7344, a vulnerability in the Howyar reloader.efi loader. On unpatched machines the malware's installer drops a bootkit into the EFI System Partition that includes a modified bootloader, a fallback loader, config/validation files, an exploit payload container (often delivered as an XOR-obfuscated cloak.dat) and a status file; the bootkit uses a three-state flag (0 = ready, 1 = encrypted, 2 = decrypted after ransom payment) and a \EFI\Microsoft\Boot\counter file to track encrypted clusters. Its core routine encrypts the NTFS Master File Table (MFT) with Salsa20 while displaying a fake CHKDSK message to hide the activity. Victims receive a ransom demand (US$1,000 in Bitcoin) and can enter a purchased key to trigger staged decryption and restoration of the backed-up bootloaders; unlike NotPetya, HybridPetya can reconstruct decryption keys from installation artifacts. Selected variants exploit the insecure loading behavior of reloader.efi (renamed as bootmgfw.efi) to bypass Secure Boot, a deficiency Microsoft addressed by revoking the vulnerable binaries in its January 2025 update.
PRE-NVD observed for this week
This refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.
External References
- https://www.welivesecurity.com/en/eset-research/introducing-hybridpetya-petya-notpetya-copycat-uefi-secure-boot-bypass/
- https://www.wordfence.com/blog/2025/09/attackers-actively-exploiting-critical-vulnerability-in-case-theme-user-plugin/
- https://security.samsungmobile.com/securityUpdate.smsb
- https://www.cisa.gov/news-events/alerts/2025/09/11/cisa-adds-one-known-exploited-vulnerability-catalog
- https://blog.netlab.360.com/multiple-botnets-are-spreading-using-lilin-dvr-0-day/
- https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/ongoing-active-exploitation-of-sonicwall-ssl-vpns-in-australia
- https://source.android.com/docs/security/bulletin/2025-09-01
- https://www.whatsapp.com/security/advisories/2025?