This week saw a sharp rise in exploitation activity with 11 new vulnerabilities added to the CISA KEV catalog, including six Microsoft zero-day vulnerabilities, three critical Ivanti Endpoint Manager flaws, and two Advantive VeraCore vulnerabilities Additionally, critical vulnerabilities in FreeType and Apple WebKit were found under active attack, highlighting ongoing risks to both enterprise and consumer platforms.  

Botnet activity surged significantly this week, with EnemyBot, Sysrv-K, Andoryu, and Androxgh0st exploiting flaws in Spring Cloud Gateway, GitLab, and PHP, while Bashlite, BrickerBot, Tsunami, and Mirai ramped up attacks on Eir D1000 modems, signaling persistent IoT threats.

Multiple active threats were observed this week across diverse sectors and platforms. The newly identified "EvilLoader" exploit is actively targeting Telegram for Android, and Blind Eagle (APT-C-36) continuing attacks on Colombian institutions. The Ballista botnet is exploiting a TP-Link Archer router RCE vulnerability, while SideWinder APT targets maritime, nuclear, telecom, and diplomatic entities across Asia, Middle East, and Africa. These developments highlight the growing threat landscape and reinforces the urgency for organizations to stay updated with security patches.

Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping to make informed decisions.

CVE-2025-24201

An Out-of-Bounds Write Vulnerability in the WebKit web browser engine component could allow remote attackers to craft malicious web content, capable of breaking out of the Web Content sandbox, potentially leading to arbitrary code execution or system compromise. Apple confirmed that this vulnerability has been actively exploited in the wild as a zero-day as part of extremely sophisticated attacks, highlighting its critical nature. To address this issue, Apple has released fixed versions:  visionOS 2.3.2, iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, and Safari 18.3.1, urging the users to apply patches immediately to mitigate the risk of exploitation.

CVE-2025-24983

A Use-After-Free Vulnerability in the Microsoft Windows Win32k Kernel Subsystem has been identified, allowing a local, authorized attacker to elevate privileges on affected systems. Rated with a high CVSS Score of 7.0, this vulnerability was actively exploited in the wild as zero-day. Acknowledging this, Microsoft addressed this vulnerability in its March 2025 Patch Tuesday security update. Due to confirmed active exploitation, the vulnerability has also been added to the CISA's Known Exploited Vulnerabilities (KEV) catalog, urging organizations to apply patches promptly to mitigate the associated risks.

CVE-2025-24984

An Information Disclosure Vulnerability in the Microsoft Windows NTFS allows attackers with physical access to a device to exploit this flaw by inserting a malicious USB drive, enabling them to read portions of heap memory and steal sensitive information. This vulnerability was actively exploited in the wild as zero-day. Microsoft addressed this issue as of its March 2025 Patch Tuesday security updates. Given its active exploitation, the vulnerability has also been added to the CISA KEV catalog.

CVE-2025-24985

An Integer Overflow Vulnerability in the Microsoft Windows Fast FAT file system allows an unauthorized attacker to execute arbitrary code locally. By convincing a user to mount a specially crafted virtual hard disk (VHD), an attacker can trigger this flaw and gain code execution on the affected system. Rated with a high CVSS Score of 7.8, this vulnerability was actively exploited in the wild as a zero-day. Microsoft addressed this issue in its March 2025 Patch Tuesday security update. Due to its evidence of potential exploitation, the vulnerability has been added to the CISA KEV catalog.

CVE-2025-24991

An Out-of-Bounds Read Vulnerability in Microsoft Windows NTFS allows a local, authorized attacker to disclose sensitive information by reading portions of heap memory. Microsoft noted that attackers could exploit this flaw by tricking users into mounting a specially crafted malicious VHD file. Actively exploited in the wild as a zero-day, this vulnerability was patched by Microsoft in the March 2025 Patch Tuesday security update and has been added to the CISA KEV catalog.  

CVE-2025-24993

A Heap-Based Buffer Overflow Vulnerability in the Microsoft Windows NTFS allows an unauthorized attacker to achieve local code execution by enticing a user to mount a specially crafted VHD file. Rated CVSS 7.8 High, this vulnerability has been actively exploited in the wild as zero-day. Microsoft addressed and patched the flaw in its March 2025 Patch Tuesday security update, and it has been added to the CISA KEV catalog.  

CVE-2025-25181

An SQL Injection Vulnerability in Advantive VeraCore allows remote attackers to execute arbitrary SQL commands, potentially leading to database compromise and unauthorized access to sensitive information. This flaw affects all versions up to and including 2025.1.0 and remains unpatched as of now. Notably, threat actor XE Group was actively exploiting this vulnerability as a zero-day to deploy web shells, enabling them to maintain persistent access to compromised systems for over four years in some instances. Due to its critical nature and confirmed exploitation, this vulnerability has been added to the CISA KEV catalog, underscoring the urgent need for organizations using VeraCore to implement mitigations and strengthen defenses.  

CVE-2025-26633

An Improper Neutralization Vulnerability in the Microsoft Windows Management Console (MMC) allows an unauthorized attacker to locally bypass security features. Successful exploitation requires user interaction, where attackers must convince a user to click a malicious link or open a crafted file, enabling them to circumvent security restrictions and gain unauthorized access to administrative tools or system settings. Rated with a high CVSS Score of 7.8, this vulnerability was actively exploited as zero-day. Microsoft released a fix as part of the March 2025 Patch Tuesday security updates, and the flaw has been added to CISA KEV catalog.  

CVE-2025-27363

An Out-of-Bounds Write Vulnerability in the FreeType font rendering library, affecting versions 2.13.0 and below, allows remote attackers to achieve code execution, earning a high CVSS Score of 8.1. This flaw impacts a wide range of platforms, including GNU/Linux, FreeBSD, NetBSD, ChromeOS, ReactOS, as well as mobile platforms such as Android, Tizen and iOS. Additionally, widely used software components like Ghostscript and browser engines Chromium, WebKit, Gecko and Goanna are affected. Alarmingly, security advisories have indicated that this vulnerability may have already been exploited in the wild, significantly heightening the urgency for immediate remediation.

CVE-2024-13159

An Absolute Path Traversal Vulnerability in the Ivanti Endpoint Manager (EPM), specifically within the GetHashForWildcardRecursive method, allows remote, unauthenticated attackers to disclose sensitive information by manipulating file paths. This critical flaw, assigned a CVSS Score of 9.8, affects Ivanti EPM versions 2024 (November Security update and prior) and 2022 SU6 (November Security update and prior). This vulnerability has been added to the CISA KEV catalog, highlighting its critical nature.  

CVE-2024-13160

An Absolute Path Traversal Vulnerability in the Ivanti Endpoint Manager (EPM), specifically within the GetHashForWildcard() method, allows remote, unauthenticated attackers to disclose sensitive information by manipulating file paths. This critical flaw, assigned a CVSS Score of 9.8, affects Ivanti EPM versions 2024 (November Security update and prior) and 2022 SU6 (November Security update and prior). This vulnerability has also been added to the CISA KEV catalog recently.  

CVE-2024-13161

An Absolute Path Traversal Vulnerability in the Ivanti Endpoint Manager (EPM), specifically within the GetHashForSingleFile() method, allows remote, unauthenticated attackers to disclose sensitive information by manipulating file paths. This critical flaw, assigned a CVSS Score of 9.8, affects Ivanti EPM versions 2024 (November Security update and prior) and 2022 SU6 (November Security update and prior). This vulnerability has been added to the CISA KEV catalog, urging organizations to prioritize remediation efforts.

‍CVE-2024-57968

An Unrestricted File Upload Vulnerability in the  Advantive Veracore enables remote authenticated attackers to upload malicious files to unauthorized directories, potentially leading to remote code execution and full system compromise. Rated as critical with a CVSS Score of 9.9, this vulnerability affects versions prior to 2024.4.2.1. Although Advantive implemented a temporary mitigation in November 2024 by disabling the vulnerable upload functionality, a permanent fix is still pending. Threat actor XE Group was observed actively exploiting this vulnerability as a zero-day to deploy web shells, maintaining long-term unauthorized access for over four years in some cases. This vulnerability has therefore been added to the CISA KEV catalog, emphasizing the need for immediate remediation.

Telemetry collected from Loginsoft sensors were analyzed and processed to derive insights on what is actively being exploited and actively being scanned.  As source of truth, source IPv4 addresses & payloads can be provided on need-to-know basis.

Identified vulnerabilities exploited by botnets, including recent CVEs logged in Misp. Presenting the top 5 CVEs with payloads suggestive of botnet activities, like utilizing wget with IP addresses.

We proactively monitor the vulnerabilities which are targeted by adversaries. Each vulnerability is humanly studied and mapped with Mitre ATT&CK tactics and techniques. Source of information is derived from our vulnerability intelligence platform collected and curated information from various sources such as Twitter, Telegram, OSINT groups, Blogs, Data leak Sites and more.  

CVE-2024-7014

A newly discovered "EvilLoader" exploit targeting Telegram for Android is being actively exploited to deliver malware and expose users' IP addresses by disguising malicious code within video files. Building upon the previously patched "EvilVideo" vulnerability (CVE-2024-7014), EvilLoader uses .hmt extensions embedded in video files to redirect victims to malicious websites. When a user attempts to play the seemingly harmless video, an error message prompts them to open it in an external browser, which then leads to fake Play Storage pages or malware downloads. This unpatched vulnerability, present in Telegram Android version 11.7.4 and below, has been actively sold on underground forums and was first identified by security researcher 0x6rss. The exploit allows attackers to bypass Telegram's defenses, pushing malware directly through the app under the guise of video content, and continues to pose a serious threat to users.

CVE-2024-43451

Check Point Research has uncovered ongoing phishing campaigns by the APT group Blind Eagle (aka APT-C-36) targeting Colombian government and private institutions since November 2024. These campaigns leverage malicious .url files that mimic the behavior of CVE-2024-43451, a vulnerability that leaks NTLMv2 hashes, potentially enabling pass-the hash or relay attacks. While Blind Eagle's .url files do not directly exploit CVE-2024-43451, they initiate WebDAV requests when interacted with; including right-clicking or deleting, to notify attackers of file downloads. Once opened, the files download and execute a second-stage malware payload via additional WebDAV requests. Despite Microsoft patching CVE-2024-43451 on November 12, 2024, Blind Eagle adopted this technique within a week. The group has compromised over 1,600 victims, including Colombian judicial bodies and other organizations, and uses legitimate platforms like Google Drive, Dropbox, Bitbucket, and GitHub to distribute payloads. Blind Eagle's arsenal includes HeartCrypt-packed .NET RATs (variants of PureCrypter) and Remcos RAT as the final stage.

‍CVE-2023-1389

A new botnet campaign dubbed Ballista is actively targeting unpatched TP-Link Archer routers by exploiting a remote code execution vulnerability (CVE-2023-1389), according to Cato CTRL. First detected on January 10,2025, with the latest attempts seen on February 17, the botnet leverages a shell script (dropbpb.sh) to download and execute its main payload across various system architectures, including mips, mipsel, armv5l, armv7l, and x86_64. Once infected, the compromised routers establish an encrypted command-and-control (C2) channel on port 82, granting attackers remote control for further malicious activities.

‍CVE-2017-11882

An advanced persistent threat (APT) group known as SideWinder has been actively targeting maritime and logistics companies, along with nuclear, telecom, and diplomatic entities across South and Southeast Asia, the Middle East, and Africa, as observed by Kaspersky in 2024. Countries impacted include Bangladesh, Cambodia, Djibouti, Egypt, UAE, Vietnam, and India, among others. SideWinder leverages spear-phishing emails to deliver malicious documents that exploit the Microsoft Office Equation Editor vulnerability (CVE-2017-11882), a known vulnerability abused for initial access due to its reliability in executing malicious code. These attacks employ a .NET downloader to deploy StealerBot, a modular toolkit used to steal sensitive data. SideWinder remains a highly sophisticated actor, constantly enhancing its tools to evade detection and maintain persistence within victim networks.

It refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.

1. https://www.cisa.gov/news-events/alerts/2025/03/11/cisa-adds-six-known-exploited-vulnerabilities-catalog
2. https://www.catonetworks.com/blog/cato-ctrl-ballista-new-iot-botnet-targeting-thousands-of-tp-link-archer-routers/  
3. https://msrc.microsoft.com/update-guide/releaseNote/2025-Mar  
4. https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/  
5. https://research.checkpoint.com/2025/blind-eagle-and-justice-for-all/  
6. https://www.cisa.gov/news-events/alerts/2025/03/10/cisa-adds-five-known-exploited-vulnerabilities-catalog