The Week in Vulnerabilities: Cyble Sensors Detect Attack Attempts on SAP, Ivanti
Cyble's sensors detected vulnerability attack attempts targeting SAP, Ivanti, and other products, and also observed multiple malware campaigns and high-risk IT and ICS vulnerabilities. The report emphasizes the resourcefulness of threat actors and the importance of enterprises strengthening their security defenses, and recommends measures such as risk-based vulnerability management to counter these threats. 2025-05-30 07:01:27 Author: cyble.com

Attack attempts picked up by Cyble Sensors’ honeypots highlight threat actors’ resourcefulness and the need for strong security defenses.

Cyble’s honeypot sensors have detected attack attempts on product vulnerabilities from SAP and Ivanti, among other vulnerabilities targeted this week.

The sensors, part of Cyble’s Threat Hunting service, capture real-time attack data, including exploit attempts, malware intrusions, financial fraud, and brute-force attacks. Cyble’s weekly Sensor Intelligence report to clients also detailed numerous malware attacks such as CoinMiner Linux, WannaCry, Linux Mirai Coin Miner, Linux IRCBot, and Android Coin Hive Miner.

Also, this week, Cyble Vulnerability Intelligence researchers flagged high-risk IT and industrial control system (ICS) vulnerabilities for security teams to prioritize.

Here are some highlights from those reports.

Cyble Sensors Detect SAP, Ivanti Exploit Attempts

Here are a few of the dozens of vulnerabilities targeted in exploit attempts detected by Cyble sensors this week.

SAP NetWeaver Visual Composer Metadata Uploader is affected by a critical security flaw, designated as CVE-2025-31324, due to missing authorization controls, which could allow unauthenticated users to upload malicious binaries that could compromise the host system. The flaw has been patched (sign-in required).

An authentication flaw, identified as CVE-2025-4427, in the API of Ivanti Endpoint Manager Mobile versions up to 12.5.0.0 could allow unauthorized access to protected resources without requiring valid authentication.

Cyble vulnerability researchers also highlighted the SAP and Ivanti vulnerabilities in last week’s report.

CrushFTP versions 10 (prior to 10.8.4) and 11 (prior to 11.3.1) are vulnerable to an authentication bypass flaw affecting the crushadmin account. The vulnerability (CVE-2025-31161) stems from a race condition in the AWS4-HMAC authorization method used by the server’s HTTP component. The flaw could allow attackers to bypass authentication by exploiting how the server verifies user existence without requiring a password. The issue can be further stabilized using a crafted AWS4-HMAC header, potentially enabling unauthorized access to any known or guessable user account. Successful exploitation can lead to full system compromise, especially if a DMZ proxy instance is not in use.

Cyble sensors also detected attack attempts on a pair of vulnerabilities in Vite Dev Server, a frontend tooling framework for JavaScript. CVE-2025-31125 could allow unintended exposure of restricted file contents via specific query parameters. The flaw only affects apps that make the Vite dev server publicly accessible using `--host` or `server.host`. CVE-2025-30208 could allow the @fs file access restriction to be bypassed by appending specially crafted query parameters such as `?raw??` or `?import&raw??`.

The vulnerability arises due to incorrect handling of trailing characters in the query string, potentially enabling attackers to access files outside the allowed path. The issue affects versions before 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10, and only impacts servers exposed to the network.
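As an added example (this is not code from the Cyble report or from the Vite project), the following Python triages the three conditions the advisory names: whether a Vite release predates the fix on its branch, whether the dev server is published on the network via `server.host`/`--host`, and whether access-log entries carry the nested `?` query pattern used against `/@fs/` paths. The log lines are constructed samples, and the rule for branches with no listed fixed release is an assumption noted in the code.

```python
import re

# Fixed releases named in the advisory (CVE-2025-30208 / CVE-2025-31125);
# anything earlier on the same major.minor branch is affected.
FIXED_VERSIONS = {
    (6, 2): (6, 2, 3),
    (6, 1): (6, 1, 2),
    (6, 0): (6, 0, 12),
    (5, 4): (5, 4, 15),
    (4, 5): (4, 5, 10),
}
NEWEST_FIXED_BRANCH = max(FIXED_VERSIONS)


def parse_version(text):
    """'v6.2.2' -> (6, 2, 2); pre-release suffixes are not handled."""
    return tuple(int(part) for part in text.strip().lstrip("v").split("."))


def vite_is_affected(version):
    """True if the release predates the fix on its branch.

    Assumption: branches with no fixed release listed (e.g. 5.3.x) are older
    than every fixed line and are treated as affected; branches newer than
    6.2 are treated as fixed.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    return branch < NEWEST_FIXED_BRANCH


LOOPBACK_HOSTS = {None, False, "localhost", "127.0.0.1", "::1"}


def dev_server_exposed(server_host):
    """server.host = true (what --host sets) or a non-loopback address publishes
    the dev server on the network, the precondition the advisory names."""
    return server_host not in LOOPBACK_HOSTS


# Combined-log-format request line, e.g. "GET /src/main.ts HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Vite's raw/import loader parameters, appearing as query keys
LOADER_PARAM_RE = re.compile(r"(^|&)(raw|import)(\?|&|=|$)")


def inspect_target(target):
    """Reasons a request target looks like an @fs restriction bypass attempt.

    Vite's own requests use a single well-formed query string; the bypass
    described in the advisory appends extra '?' characters (e.g. ?raw??).
    """
    path, _, query = target.partition("?")  # keep everything after the first '?'
    if "/@fs/" not in path or "?" not in query:
        return []
    reasons = ["nested '?' characters in query string"]
    if LOADER_PARAM_RE.search(query):
        reasons.append("raw/import loader parameter on an @fs path")
    return reasons


def scan_access_log(lines):
    """Return one record per suspicious request, in log order."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        reasons = inspect_target(match.group("target"))
        if reasons:
            hits.append({"target": match.group("target"), "reasons": reasons})
    return hits


# Constructed sample access log (not real traffic): an ordinary module request,
# one legitimate @fs import, and two requests shaped like the bypass.
SAMPLE_LOG = [
    '127.0.0.1 - - [30/May/2025:07:01:27 +0000] "GET /src/main.ts HTTP/1.1" 200 512',
    '127.0.0.1 - - [30/May/2025:07:01:28 +0000] "GET /@fs/home/dev/shared/util.ts?import HTTP/1.1" 200 390',
    '203.0.113.5 - - [30/May/2025:07:01:29 +0000] "GET /@fs/home/dev/secrets/.env?raw?? HTTP/1.1" 200 240',
    '203.0.113.5 - - [30/May/2025:07:01:30 +0000] "GET /@fs/home/dev/project/package.json?import&raw?? HTTP/1.1" 200 1843',
]

if __name__ == "__main__":
    print("vite 6.2.2 affected:", vite_is_affected("6.2.2"))
    print("dev server exposed (host=0.0.0.0):", dev_server_exposed("0.0.0.0"))
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["target"], "->", "; ".join(hit["reasons"]))
```

The detector deliberately ignores a plain `?import` on an `/@fs/` path, which Vite generates itself for dependencies outside the project root; only the doubled `?` that the advisory describes as mishandled triggers a hit, so the rule stays quiet on normal development traffic.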

IT and ICS Vulnerabilities Examined

Cyble vulnerability researchers examined 17 IT and ICS vulnerabilities this week, including six under discussion by threat actors on dark web forums, and flagged four as meriting high-priority attention by security teams.

CVE-2025-47949 affects all versions of the samlify Node.js library prior to version 2.10.0. Samlify is widely used for implementing SAML 2.0 Single Sign-On (SSO) in enterprise applications. The flaw could potentially allow attackers to forge SAML authentication responses, bypassing login protections and impersonating any user, including administrators.

CVE-2023-39780 is a high-severity vulnerability affecting ASUS RT-AX55 routers running firmware version 3.0.0.4.386.51598. The flaw could allow authenticated attackers to perform operating system (OS) command injection via the /start_apply.htm endpoint, specifically through the qos_bw_rulelist parameter. Attackers could execute arbitrary commands on the device, potentially gaining administrative control or launching further attacks on the network. Recently, researchers disclosed that attackers have exploited this vulnerability in a widespread and stealthy botnet campaign, compromising over 9,000 ASUS routers and enabling persistent, unauthorized access to the affected devices.

Rockwell Automation’s FactoryTalk Historian ThingWorx (95057C-FTHTWXCT11: Versions v4.02.00 and prior) is vulnerable to a 2018 Apache log4net vulnerability involving Improper Restriction of XML External Entity (XXE) Reference. This remotely exploitable vulnerability, which requires low attack complexity, could allow attackers to execute XXE-based attacks by leveraging malicious log4net configuration files, potentially leading to data exposure or further compromise. The risk is further intensified by Cyble researchers’ observation of internet-facing instances of the affected product, underscoring the need for immediate mitigation efforts.

Johnson Controls’ iSTAR Configuration Utility (ICU), a key element in managing physical access and integrating with CCTV systems, is deployed across sectors such as energy, transport, critical manufacturing, and government. A recently disclosed vulnerability, CVE-2025-26383, could be exploited to leak memory from the ICU, potentially exposing sensitive data related to access control operations. Given the ICU’s central role in safeguarding restricted areas, such an exposure could pose a significant risk to the integrity and confidentiality of physical security environments.

Conclusion

The wide range of IT and ICS vulnerabilities highlighted this week shows the creativity and resourcefulness of threat actors. These vulnerabilities require equal commitment from security teams charged with defending IT and critical infrastructures. A risk-based vulnerability management program should be at the heart of those defensive efforts.
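As an added example of what a risk-based ranking can look like in practice (this is not Cyble's scoring model or code), the Python below scores each vulnerability from this report on the signals the report itself uses: observed exploit attempts, confirmed in-the-wild exploitation, dark-web discussion, internet exposure, and the owner's asset criticality. The weights are assumptions; the inventory is constructed for a fictional organization, with dark-web and criticality values made up and the log4net entry carrying a placeholder id because the report does not give its CVE number.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str
    product: str
    exploit_attempts_seen: bool   # honeypot sensors observed attempts
    exploited_in_wild: bool       # confirmed exploitation reported
    dark_web_discussion: bool     # threat-actor chatter on forums
    internet_facing: bool         # affected asset reachable from the internet
    asset_criticality: int        # 1 (low) .. 3 (business-critical), set by the owner


# Illustrative weights (an assumption, not Cyble's scoring): evidence of
# exploitation outranks chatter, and chatter outranks a bare disclosure.
THREAT_WEIGHTS = {
    "exploited_in_wild": 40,
    "exploit_attempts_seen": 30,
    "dark_web_discussion": 15,
}
CRITICALITY_WEIGHT = 10


def risk_score(f):
    """Threat signals plus asset criticality, halved when the asset is not
    internet-facing (an attacker first needs a foothold to reach it)."""
    threat = sum(w for name, w in THREAT_WEIGHTS.items() if getattr(f, name))
    exposure = 1.0 if f.internet_facing else 0.5
    return (threat + CRITICALITY_WEIGHT * f.asset_criticality) * exposure


def prioritize(findings):
    """Highest risk first; ties broken by id for a stable report order."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.cve))


# Constructed inventory built from the vulnerabilities in this report. The
# sensor, in-the-wild and internet-facing flags follow what the report states;
# dark-web flags and asset criticality are made-up values for one fictional
# organization.
INVENTORY = [
    Finding("CVE-2025-31324", "SAP NetWeaver Visual Composer", True, False, True, True, 3),
    Finding("CVE-2025-4427", "Ivanti Endpoint Manager Mobile", True, False, False, True, 3),
    Finding("CVE-2025-31161", "CrushFTP", True, False, True, True, 2),
    Finding("CVE-2025-30208", "Vite dev server", True, False, False, False, 1),
    Finding("CVE-2025-47949", "samlify", False, False, False, True, 3),
    Finding("CVE-2023-39780", "ASUS RT-AX55", False, True, False, True, 1),
    Finding("LOG4NET-XXE-CVE-PLACEHOLDER", "FactoryTalk Historian ThingWorx (log4net XXE)", False, False, True, True, 3),
    Finding("CVE-2025-26383", "Johnson Controls iSTAR Configuration Utility", False, False, False, False, 3),
]

if __name__ == "__main__":
    for f in prioritize(INVENTORY):
        print(f"{risk_score(f):5.1f}  {f.cve:28} {f.product}")
```

The useful property of the ranking is that it is driven by evidence rather than by severity labels alone: a vulnerability under active attack on an internet-facing system rises to the top even on a low-value asset, while a critical-sounding flaw on an isolated system drops down the list.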

Other cybersecurity best practices that can help guard against a wide range of threats include: segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans.

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes. They can also monitor for leaked credentials and other early warning signs of major cyberattacks. Get a free external threat profile for your organization today.

Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented “as is” without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue. No Liability for Errors or Omissions Due to the dynamic nature of cyber threat activity, this [blog/report/article] may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.


Source: https://cyble.com/blog/cyble-sensors-detects-vulnerabilities/