Executive Summary
This week witnessed a notable escalation in exploitation activity, as critical vulnerabilities across widely used platforms and services came under active attack. The Cybersecurity and Infrastructure Security Agency (CISA) added six high-risk vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog - two in the Linux Kernel and one each in Gladinet CentreStack, Microsoft Windows CLFS, CrushFTP, and Ivanti Connect Secure. These flaws enable a variety of high-impact exploits, including privilege escalation, remote code execution, and unauthorized access, many of which are already being weaponized in the wild. Organizations are strongly advised to prioritize patching efforts to mitigate exposure to these actively exploited threats.
Simultaneously, botnet campaigns intensified across cloud infrastructure and IoT environments. Threat actors including EnemyBot, Sysrv-K, Andoryu, and Androxgh0st were observed targeting vulnerabilities in Cloud Gateway, GitLab and PHP environments. At the same time, established IoT botnets such as Bashlite, BrickerBot, Tsunami, and Mirai significantly ramped up attacks on internet-connected devices, most notably targeting EIR D1000 modems in an ongoing wave of compromise attempts.
On the threat actor front, activity surged from both state-linked and financially motivated groups. Mandiant reported that UNC5221, a suspected China-based espionage actor, is actively exploiting an Ivanti vulnerability to deliver malware strains associated with the SPAWN malware ecosystem. In parallel, Microsoft Threat Intelligence disclosed that Storm-2460 is exploiting a zero-day vulnerability in the Windows Common Log File System (CLFS) to escalate privileges and deploy ransomware, linking the activity to the PipeMagic backdoor and RansomEXX operations. Additionally, the ToddyCat APT group was found exploiting a vulnerability in ESET antivirus software to deliver the stealthy TCESB malware, further emphasizing the growing trend of attackers targeting trusted security tools themselves to maintain persistence and evade detection.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping defenders make informed decisions.
A critical Stack-Based Buffer Overflow Vulnerability (CVSS 9.0) was discovered in Ivanti's Connect Secure, Policy Secure, and ZTA Gateways. The flaw enables remote, unauthenticated attackers to execute arbitrary code on affected systems. Impacted versions include Pulse Connect Secure 9.1x (now End-of-Support), Connect Secure up to 22.7R2.5, Policy Secure up to 22.22.7R1.3, and ZTA Gateways up to 22.8R2. Ivanti addressed the issue by releasing security updates in versions 22.7R2.6 for Connect Secure and Pulse Connect Secure, 22.7R1.4 for Policy Secure, and 22.8R2.2 for ZTA Gateways. Given the high severity and exploitation potential, the vulnerability has been added to the CISA KEV catalog, urging immediate patching to prevent compromise.
A Use-After-Free Vulnerability was identified in the Microsoft Windows Common Log File System (CLFS) Driver. With a high CVSS Score of 7.8, this flaw enables a locally authorized attacker to escalate privileges on the affected system. The vulnerability impacts multiple versions of Windows, including various Windows Server editions and desktop operating systems. While Microsoft released security updates for most affected platforms, patches for Windows 10 x64-based and 32-bit systems were not immediately available, with Microsoft confirming that those updates will be issued as soon as possible. It is worth noting that the vulnerability was actively exploited in the wild as a zero-day and has since been added to the CISA KEV Catalog, reinforcing the urgency of deploying fixes to block exploitation paths already observed in the wild.
A Use of Hard-Coded Cryptographic Key Vulnerability in Gladinet CentreStack affects the way the application manages the key used for ViewState integrity verification. With a critical CVSS Score of 9.0, this flaw enables attackers to forge ViewState payloads, leading to server-side deserialization and potential remote code execution. If the hard-coded machineKey is obtained or predicted, malicious actors can manipulate ViewState data to perform unauthorized actions and, in certain configurations, execute arbitrary code on the web server. The vulnerability has been exploited in the wild and has been added to the CISA KEV catalog.
A critical Authentication Bypass Vulnerability (CVSS 9.8) was identified in CrushFTP, stemming from improper handling of the HTTP Authorization header. The flaw impacts versions 11.0.0 through 11.3.0 and 10.0.0 through 10.8.3. In response, CrushFTP advised users to upgrade to patched versions 10.8.4, 11.3.1, or newer to mitigate the risk. The vulnerability was initially discovered and responsibly reported to CrushFTP by researchers at Outpost24. However, due to premature information exposure and an uncoordinated disclosure process, proof-of-concept (PoC) exploits were released by various third parties. This led to active exploitation in the wild, targeting unpatched systems. As a result, the vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) Catalog, emphasizing its severity and the need for immediate remediation.
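The precondition behind the CentreStack issue is a fixed machineKey shared across installations. The following check, added here and not code from the report or from Gladinet, audits an ASP.NET web.config for static validation/decryption keys and a disabled ViewState MAC; the configs and key values are constructed, and the check cannot by itself tell a unique per-install key from a vendor-shipped one, so a "static" finding means "confirm this key is unique to this deployment".

```python
# Added example, not code from the report or from Gladinet: audit an ASP.NET
# web.config for a static <machineKey> and for a disabled ViewState MAC.
import xml.etree.ElementTree as ET

# Constructed sample: a shipped config carrying a fixed machineKey (values invented).
STATIC_KEY_CONFIG = """
<configuration>
  <system.web>
    <machineKey validationKey="00112233445566778899AABBCCDDEEFF"
                decryptionKey="FFEEDDCCBBAA99887766554433221100"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""

# Constructed sample: keys generated per machine, the safe default.
AUTOGEN_CONFIG = """
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>
"""

def audit_machine_key(config_xml: str) -> list[str]:
    """Return findings about ViewState integrity settings in a web.config."""
    findings = []
    root = ET.fromstring(config_xml.strip())
    mk = root.find("./system.web/machineKey")
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            # Anything other than AutoGenerate is a fixed key. If that key is
            # embedded in the product rather than unique to this install, anyone
            # holding it can produce ViewState that passes the MAC check.
            if not mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
                findings.append(f"static {attr}")
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("viewstate_mac_disabled")  # integrity check turned off entirely
    return findings

if __name__ == "__main__":
    for label, cfg in (("static", STATIC_KEY_CONFIG), ("autogen", AUTOGEN_CONFIG)):
        print(label, audit_machine_key(cfg) or ["no findings"])
```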
An Out-of-Bounds Read Vulnerability in the Linux Kernel's USB-audio driver allows a local, privileged attacker to access potentially sensitive information from system memory. The root cause lies in improper memory access, which leads to unauthorized information disclosure on vulnerable devices. Google addressed this zero-day vulnerability in its April 2025 Android Security Update and noted that it may have been subjected to limited, targeted exploitation. This vulnerability has also been added to the CISA KEV catalog recently, emphasizing the urgency for immediate remediation. Android users are strongly advised to apply security updates promptly as released by their device manufacturers to mitigate the risk of active exploitation.
An Out-of-Bounds Access Vulnerability in the Linux Kernel's USB-audio driver poses a significant security risk, enabling an attacker with physical access to the system to exploit a malicious USB device. With a high CVSS Score of 7.8, this vulnerability can be leveraged to manipulate system memory, potentially leading to privilege escalation or arbitrary code execution. Amnesty International revealed that CVE-2024-53197 was one of three vulnerabilities (CVE-2024-50302 and CVE-2024-53104 being the other two) chained together to compromise the Android device of a Serbian youth activist in December 2024. The release of the latest patch has fully closed this exploit chain leveraged as a zero-day, effectively neutralizing a sophisticated intrusion method used in real-world targeted surveillance. This vulnerability has also been added to the CISA KEV catalog, underscoring the urgency for organizations to apply the necessary security updates without delay.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights on what is actively being exploited and actively being scanned. As the source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
This section identifies vulnerabilities exploited by botnets, including recent CVEs logged in MISP, and presents the top 5 CVEs whose payloads are suggestive of botnet activity, such as invoking wget against bare IP addresses.
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities targeted by adversaries. Each vulnerability is manually analyzed and mapped to MITRE ATT&CK tactics and techniques. The information is drawn from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.
A critical security vulnerability recently disclosed in Ivanti products, CVE-2025-22457, affects Ivanti Connect Secure (ICS), Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways. First observed in exploitation during mid-March 2025, the flaw enables attackers to trigger a buffer overflow and deploy a sophisticated attack chain. According to Mandiant, this vulnerability has been exploited by the UNC5221 threat group - a suspected China-nexus espionage actor known for targeting edge devices and leveraging zero-day vulnerabilities. The exploitation facilitated the deployment of new and existing malware, including TRAILBLAZE (an in-memory dropper), BRUSHFIRE (a passive backdoor), and components of the SPAWN malware ecosystem.
The attack sequence involved process reconnaissance, memory injection, encrypted shellcode via SSL hooks, and log manipulation using SPAWNSLOTH. Further stealth is maintained through encrypted component concealment using SPAWNSNARE and SPAWNWAVE, reflecting UNC5221's continued evolution and emphasis on evasion and persistence.
Microsoft Threat Intelligence reported the active exploitation of a zero-day vulnerability in the Windows Common Log File System (CLFS), identified as CVE-2025-29824, that allowed attackers to escalate privileges and deploy ransomware payloads on targeted systems. The activity was attributed to Storm-2460, a financially motivated threat actor associated with the PipeMagic backdoor and RansomEXX ransomware campaigns. Targets spanned multiple sectors including IT and real estate in the United States, finance in Venezuela, a software firm in Spain, and the retail sector in Saudi Arabia. Although the initial access vector remained unclear, the attackers reportedly used the certutil utility to retrieve malware from a previously compromised legitimate third-party website. After exploiting the vulnerability, they injected a malicious payload into winlogon.exe, which subsequently leveraged Sysinternals procdump.exe to dump LSASS process memory and extract user credentials, highlighting a methodical and credential-focused post-exploitation technique.
According to Kaspersky, the ToddyCat advanced persistent threat (APT) group was observed exploiting a DLL search order hijacking vulnerability - CVE-2024-11859 in ESET's antivirus software - to covertly execute malicious payloads on compromised systems. This vulnerability allows attackers with administrative access to load a malicious Dynamic-Link Library (DLL) and execute arbitrary code. This issue was reported by Kaspersky to ESET several months prior to its public disclosure on April 4. Kaspersky's analysis revealed that the malware deployed by ToddyCat, dubbed TCESB, was designed to operate stealthily, disabling security alerts and kernel-level notification mechanisms in Windows. The malware leveraged preloaded data to determine the appropriate kernel memory location to target, tailored to the specific Windows version.
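A search-order hijack works because a DLL placed in the application's own directory is found before the legitimate copy in the system directory. The model below is an added example, not code from Kaspersky's report or from ESET: it reproduces the default search order (application directory, then system directory, then current directory, assuming SafeDllSearchMode is on) over a constructed directory tree and lists DLLs beside an executable that shadow a system DLL; the DLL names are invented, not the one involved in CVE-2024-11859.

```python
# Added example, not from Kaspersky's report: model the default DLL search order
# and flag DLLs beside an application that shadow a system DLL. Tree is constructed.
import os
import tempfile
from typing import Optional

def resolve_dll(name: str, app_dir: str, system_dir: str, cwd: str) -> Optional[str]:
    """First existing copy of `name`, in the assumed SafeDllSearchMode order."""
    for directory in (app_dir, system_dir, cwd):
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    return None

def shadowed_system_dlls(app_dir: str, system_dir: str) -> list[str]:
    """DLL names in app_dir that would be loaded instead of the system copy."""
    system_names = {n.lower() for n in os.listdir(system_dir) if n.lower().endswith(".dll")}
    return sorted(n for n in os.listdir(app_dir)
                  if n.lower().endswith(".dll") and n.lower() in system_names)

def build_sample_tree() -> tuple:
    """Constructed layout: a system dir with two DLLs, an app dir shadowing one of them."""
    base = tempfile.mkdtemp()
    app_dir, system_dir, cwd = (os.path.join(base, d) for d in ("app", "system32", "cwd"))
    for d in (app_dir, system_dir, cwd):
        os.makedirs(d)
    for d, names in ((system_dir, ["helper.dll", "other.dll"]),
                     (app_dir, ["helper.dll", "scanner.exe"])):
        for n in names:
            open(os.path.join(d, n), "wb").close()  # empty placeholder files
    return app_dir, system_dir, cwd

if __name__ == "__main__":
    app_dir, system_dir, cwd = build_sample_tree()
    print("shadowed:", shadowed_system_dlls(app_dir, system_dir))
    for dll in ("helper.dll", "other.dll"):
        print(dll, "->", resolve_dll(dll, app_dir, system_dir, cwd))
```

Run against a real application directory and the System32 listing, a non-empty result is the list of DLLs whose signature and origin deserve checking.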
PRE-NVD observed for this week
PRE-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.
External References
- https://www.cisa.gov/news-events/alerts/2025/04/09/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/alerts/2025/04/08/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/alerts/2025/04/04/cisa-adds-one-vulnerability-kev-catalog
- https://www.microsoft.com/en-us/security/blog/2025/04/08/exploitation-of-clfs-zero-day-leads-to-ransomware-activity/
- https://securelist.com/toddycat-apt-exploits-vulnerability-in-eset-software-for-dll-proxying/116086/
- https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability
- https://source.android.com/docs/security/bulletin/2025-04-01
- https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/