The Week in Vulnerabilities: Cyble’s Weekly Cyber Threat Report Reveals New Flaws in IT and IoT Ecosystems
Cyble researchers discovered new vulnerabilities through global honeypot sensors and observed a surge in attacks targeting IoT devices and enterprise infrastructure. Malware such as Mirai remains active; defensive recommendations include timely patching, stronger network monitoring, and Zero Trust strategies. 2025-7-14 13:1:35 Author: cyble.com

Cyble’s vulnerability intelligence researchers have discovered new vulnerabilities through the company’s expansive global network of honeypot sensors. These sensors emulate vulnerable systems, luring attackers and exposing their tactics in real time. Cyble’s latest sensor intelligence report reveals a sharp spike in exploit attempts, malware campaigns, and brute-force attacks targeting diverse systems worldwide.

This week’s intelligence highlights a rise in attacks on Internet of Things (IoT) devices alongside traditional enterprise infrastructure. Malware variants like Mirai and Gafgyt, infamous for their role in IoT botnets, remain active threats. Cyble’s sensors also noted persistent exploitation attempts against core enterprise components, including Telerik UI libraries and Cisco ASA firewalls.

Critical IT and IoT Vulnerabilities Under Active Exploitation

Cyble’s analysis spotlighted 17 critical vulnerabilities actively scanned or exploited during the week. These vulnerabilities span consumer devices, industrial-grade security appliances, and software tools, illustrating the broad attack surface facing organizations today.

Among the most notable are: 

  • Command Injection in Blink Routers (CVE-2025-45985): Certain Blink router models, including BL-WR9000 V2.4.9 and BL-AC2100_AZ3 V1.0.4, suffer from a command injection flaw via the bs_SetSSIDHide function. This vulnerability allows attackers to execute arbitrary system commands remotely, risking complete device takeover and potential network infiltration.
  • XML External Entity (XXE) Vulnerability in GeoServer and GeoTools (CVE-2025-30220): A flaw in the Eclipse XSD library causes improper XML schema handling, enabling attackers to read arbitrary files or trigger denial-of-service attacks. Patches have been issued.
  • Memory Overread in Citrix NetScaler Gateway (CVE-2025-5777): This vulnerability leaks sensitive memory content due to poor input validation. Given NetScaler’s role as a VPN and authentication server, the flaw could expose confidential data in remote access environments.
  • Reflected Cross-Site Scripting (XSS) in Palo Alto Networks GlobalProtect (CVE-2025-0133): The captive portal is vulnerable to reflected XSS attacks via crafted URLs, potentially facilitating phishing by injecting malicious scripts into user browsers.
  • Remote Code Execution in GeoServer (CVE-2024-36401): This critical flaw allows unauthenticated attackers to execute arbitrary code through unsafe evaluation of OGC request parameters. Default installations are vulnerable unless patched or configured appropriately.
  • Time-Based SQL Injection in VICIdial (CVE-2024-8503): The call center software is susceptible to SQL injection without authentication. The risk is magnified by default storage of plaintext credentials, raising concerns over credential theft. 
  • Authentication Bypass in Ivanti Virtual Traffic Manager (CVE-2024-7593): A flawed authentication mechanism permits attackers unauthorized admin access, potentially compromising system integrity. 
  • Authentication Bypass via Swagger-UI in AJ-Report (CVE-2024-7314): By appending “;swagger-ui” to HTTP requests, attackers can remotely execute arbitrary Java code, controlling the application environment. 
  • OS Command Injection in Raisecom MSG Devices (CVE-2024-7120): Public exploit code exists for this vulnerability, allowing attackers to execute arbitrary commands remotely, potentially taking full device control. 
  • Command Injection in AVTECH IP Cameras (CVE-2024-7029): Elevated privilege command injection flaws compromise device and network security. 

Additional vulnerabilities include PHP CGI argument injection (CVE-2024-4577), information disclosure in D-Link DNS products (CVE-2024-3274), unauthenticated SQL injection in Icegram Express WordPress plugin (CVE-2024-2876), and Mirai botnet exploits targeting Dasan GPON routers. 

High-Volume Attack Attempts and Legacy Threats 

Cyble’s sensors recorded over 544,000 attempts targeting the Treck TCP/IP stack vulnerability (CVE-2020-11899). Similarly, vulnerabilities in Wind River’s VxWorks TCP/IP stack and the infamous Apache Log4j2 (CVE-2021-44228) and Microsoft BlueKeep (CVE-2019-0708) remain prominent attack vectors, particularly against unpatched systems. 

New Malware Campaigns 

The report details several high-profile malware strains observed this week: 

  • CoinMiner Linux Malware: A Trojan that stealthily hijacks CPU and GPU resources on Linux systems to mine cryptocurrency, degrading performance and inflating operational costs. Spread often occurs through secondary infections and malicious downloads. 
  • WannaCry Ransomware: Despite its 2017 origin, WannaCry remains active. Exploiting the EternalBlue SMB vulnerability (CVE-2017-0147), it encrypts files and demands Bitcoin ransoms. Cyble detected nearly 250 samples this week. 
  • Linux Mirai Botnet: Mirai variants continue to target IoT devices, forming botnets used for Distributed Denial of Service (DDoS) attacks and cryptomining, now frequently bundled with CoinMiner payloads. 
  • Linux IRCBot: Operating through IRC channels, IRCBot malware enables attackers to control infected Linux systems remotely, maintaining its presence in the threat landscape. 

Phishing and Brute Force Attacks 

Phishing campaigns persist as a favorite tactic for credential theft and malware distribution. Attackers impersonate trusted entities like banks, government agencies, or well-known companies to trick victims. Typical lures include fake prize notifications, inheritance scams, urgent delivery alerts, and fraudulent investments.  

Brute-force attacks also remain widespread. Cyble noted a high volume of attempts targeting common usernames such as “admin,” “root,” and “postgres” paired with weak passwords like “123456.” These attempts focus on IT automation tools, databases, and servers running Ubuntu, Hadoop, Oracle, and Sonar software.  
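A defender-side check for the brute-force pattern described above, added here as an example and not part of Cyble’s report: it parses constructed OpenSSH auth.log lines, flags any source that fails five logins within one minute, and records which of the report’s commonly targeted usernames (admin, root, postgres) that source tried. The log lines, addresses, year and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not from the report); RFC 5737 test addresses.
SAMPLE_LOG = """\
Jul 14 09:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jul 14 09:00:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 51235 ssh2
Jul 14 09:00:04 host sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jul 14 09:00:06 host sshd[1004]: Failed password for invalid user postgres from 203.0.113.5 port 51237 ssh2
Jul 14 09:00:08 host sshd[1005]: Failed password for invalid user postgres from 203.0.113.5 port 51238 ssh2
Jul 14 09:30:00 host sshd[1006]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jul 14 09:31:00 host sshd[1007]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Usernames the report names as frequent brute-force targets.
WATCHED_USERS = {"admin", "root", "postgres"}

# Matches sshd's "Failed password for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2025):
    """Yield (timestamp, username, src_ip) for every failed-password line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied (assumed 2025)
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def find_brute_force(log_text, threshold=5, window_seconds=60):
    """Return {src_ip: {...}} for sources with >= threshold failures in any window."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological, so a sliding window of `threshold` events works
        for i in range(len(events) - threshold + 1):
            first, last = events[i][0], events[i + threshold - 1][0]
            if (last - first).total_seconds() <= window_seconds:
                users = {u for _, u in events[i:i + threshold]}
                findings[ip] = {"attempts": len(events),
                                "watched_users": sorted(users & WATCHED_USERS)}
                break
    return findings
```

In the sample, only 203.0.113.5 crosses the threshold; a single failure from 198.51.100.7 followed by a key-based login is left alone.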

Underground Forums and Exploit Sharing 

Cyble’s monitoring of underground forums and Telegram channels revealed threat actors actively sharing and weaponizing vulnerabilities such as: 

  • Fortinet FortiOS Authentication Bypass (CVE-2024-55591): Allows unauthenticated attackers super-admin access via crafted requests. 
  • Google Chrome V8 Engine Type Confusion (CVE-2025-6554): A critical zero-day enabling remote arbitrary read/write operations. 
  • SUSE Linux PAM Privilege Escalation (CVE-2025-6018): Enables unprivileged SSH users to escalate privileges. 
  • Wing FTP Server Remote Code Execution (CVE-2025-47812): Allows unauthenticated Lua code injection. 
  • Cisco Unified Communications Manager Root Access (CVE-2025-20309): Exploits hardcoded credentials to grant full root privileges. 

Recommendations for Defenders 

  • Maintain rigorous patch management to address both new and legacy vulnerabilities. 
  • Deploy advanced network monitoring and intrusion detection to identify and respond to threats swiftly. 
  • Educate users about phishing risks and enforce strong password policies. 
  • Apply Zero Trust principles and segmentation to limit attack surface exposure. 
  • Regularly review and secure network ports and access points. 

Conclusion 

The surge in high-risk vulnerabilities and exploitation attempts this week reinforces the reality that cybersecurity teams cannot afford to let their guard down. A risk-based vulnerability management program remains essential, but it won’t stop zero-day threats on its own. To strengthen their defenses, organizations must also implement layered cybersecurity strategies such as network segmentation, Zero Trust access models, ransomware-resistant backups, hardening of endpoints and infrastructure, continuous monitoring across cloud, network, and endpoint layers, and routinely tested incident response plans. 

Cyble’s comprehensive attack surface management solutions enhance these defenses by scanning both cloud and on-premises assets for potential exposures, prioritizing remediation based on risk, and continuously monitoring for leaked credentials and other early indicators of compromise. These proactive measures provide organizations with the situational awareness needed to stay ahead of today’s rapidly evolving threat landscape. 

Get a free external threat profile for your organization today and take a critical step toward reducing cyber risk. 

Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented “as is” without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue. No Liability for Errors or Omissions Due to the dynamic nature of cyber threat activity, this [blog/report/article] may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.


Source: https://cyble.com/blog/weekly-iot-and-it-vulnerabilities/