Cyble Honeypots Detect Exploit Attempts of Nearly Two Dozen Vulnerabilities
Cyble reports that nearly two dozen vulnerabilities are currently being exploited by threat actors and ransomware groups, several of which have been added to CISA's Known Exploited Vulnerabilities catalog. They affect products from Akamai, Cisco, Craft CMS and others and include high-risk issues such as file inclusion and remote code execution. Security teams should prioritize patching them and adopt measures such as Zero Trust access and hardened backups to reduce risk. 2025-09-23 11:01:14 Author: cyble.com

Recent Cyble reports have detailed dozens of vulnerabilities under active attack by threat actors and ransomware groups.

Cyble’s network of honeypot sensors has detected dozens of attack attempts on vulnerabilities in the last week. 

The sensors are part of Cyble's Threat Hunting service, which uses a suite of tools to capture real-time attack data, including exploit attempts, malware intrusions, financial fraud, and brute-force attacks. Cyble's findings are also summarized in a weekly Sensor Intelligence report to clients.

What follows are 12 vulnerabilities that Cyble has detected active attack attempts on, plus an additional 10 vulnerabilities under attack by ransomware groups that Cyble threat intelligence researchers detailed in a separate report to clients. The reports serve as useful guidance for security teams when prioritizing patching and mitigation. 

Vulnerabilities Targeted by Threat Actors 

Cyble honeypot sensors have detected attack attempts on the following vulnerabilities, in addition to other exploit attempts. 

CVE-2025-49493 affects Akamai CloudTest before version 60, 2025.06.02 (12988), and could allow file inclusion via XML External Entity (XXE) injection.

DELMIA Apriso (Release 2020 through Release 2025) contains a deserialization vulnerability, CVE-2025-5086, that may allow an attacker to execute code remotely. It was recently added to CISA's Known Exploited Vulnerabilities (KEV) catalog, a rare entry for an ICS/OT product.

CVE-2025-48827 affects vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 on PHP 8.1 or later. It could allow unauthenticated users to invoke protected API controller methods, as observed in real-world exploitation in May 2025.

CVE-2025-45985 is a command injection vulnerability in multiple Blink router models, including BL-WR9000 V2.4.9, BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5, BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0, and BL-X26_DA3 v1.2.7, specifically through the bs_SetSSIDHide function. 

CVE-2025-4427 is an authentication flaw in the API of Ivanti Endpoint Manager Mobile versions up to 12.5.0.0. This vulnerability potentially enables unauthorized access to protected resources without requiring valid authentication. It is also in CISA’s KEV catalog. 

CVE-2025-4009 is an arbitrary command injection issue in the Evertz SDVN 3080ipx-10G management interface that could expose devices to remote code execution and disruption of media services.

CVE-2025-32432 is a remote code execution vulnerability in Craft CMS in versions 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17.

CVE-2025-31161 is an authentication bypass flaw affecting the crushadmin account in CrushFTP versions 10 (prior to 10.8.4) and 11 (prior to 11.3.1). The vulnerability stems from a race condition in the AWS4-HMAC authorization method used by the server’s HTTP component.  

This flaw could allow attackers to bypass authentication by exploiting how the server verifies user existence without requiring a password. The attack can be made reliable with a crafted AWS4-HMAC header, giving unauthorized access to any known or guessable user account. Successful exploitation can lead to full system compromise, especially if a DMZ proxy instance is not in use. The vulnerability is in CISA's KEV catalog.

CVE-2025-29306 is a code injection vulnerability in FoxCMS v1.2.5 that could potentially allow remote attackers to execute arbitrary code via the case display page in index.html. 

CVE-2025-20188 is a Use of Hard-coded Credentials vulnerability in Cisco IOS XE Software for Wireless LAN Controllers that could allow unauthenticated attackers to use a hard-coded JSON Web Token (JWT) to upload files and execute arbitrary root commands. The vendor has released fixes and mitigation guidance. 
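One practical check for the hard-coded-credential class described above, added here as an example and not taken from the Cyble article or from Cisco: given a watch-list of suspected default or hard-coded HMAC secrets, the Python below tests whether a JWT seen in web logs validates under any of them, which tells a defender that the token is not device-specific. The secrets, tokens and log lines are constructed for the example; `mint_hs256` exists only to build those sample tokens.

```python
import base64
import hashlib
import hmac
import json
import re


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments omit padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT. Used only to construct the sample tokens below."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def signed_with(token: str, candidates):
    """Return the first candidate secret whose HMAC-SHA256 matches the token's
    signature, or None if the token is malformed, not HS256, or matches none."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    presented = _b64url_decode(parts[2])
    for secret in candidates:
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, presented):  # constant-time comparison
            return secret
    return None


BEARER = re.compile(r"Bearer\s+([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)")


def scan_log(lines, candidates) -> list:
    """Return the indices of log lines carrying a bearer JWT signed with a
    watch-listed secret."""
    hits = []
    for index, line in enumerate(lines):
        match = BEARER.search(line)
        if match and signed_with(match.group(1), candidates) is not None:
            hits.append(index)
    return hits


# Constructed secrets: a stand-in for a hard-coded default, and a per-device one.
DEFAULT_SECRET = b"example-default-secret"
WATCHLIST = [DEFAULT_SECRET, b"changeme"]
TOKEN_GOOD = mint_hs256({"sub": "admin", "iat": 1}, b"per-device-random-secret")
TOKEN_DEFAULT = mint_hs256({"sub": "admin", "iat": 1}, DEFAULT_SECRET)

# Constructed log lines in a loose access-log shape.
SAMPLE_LOG = [
    f'10.0.0.5 - - "POST /upload HTTP/1.1" 200 Authorization: Bearer {TOKEN_GOOD}',
    f'10.0.0.9 - - "POST /upload HTTP/1.1" 200 Authorization: Bearer {TOKEN_DEFAULT}',
    '10.0.0.9 - - "GET / HTTP/1.1" 401 -',
]

if __name__ == "__main__":
    for index in scan_log(SAMPLE_LOG, WATCHLIST):
        print("token signed with a watch-listed secret:", SAMPLE_LOG[index])
```

Only HS256 is checked because a hard-coded symmetric secret is the case at hand; a token whose header names an asymmetric algorithm is deliberately skipped rather than guessed at.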

CVE-2025-47812 is an Improper Neutralization of Null Byte or NUL Character vulnerability in Wing FTP Server before 7.4.4. Because '\0' bytes are mishandled, attackers could inject arbitrary Lua code into user session files and run arbitrary commands as the FTP service account.
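An added example, not Wing FTP code, of the bug class just described: a Python model in which a C-style user lookup stops at the first NUL byte while a Lua session-file writer serialises the whole string, beside a hardened writer that validates the exact string and encodes every byte. The user names, the `PAYLOAD` string and the session-file layout are invented for the illustration.

```python
"""Constructed model of a NUL-byte truncation mismatch. Not Wing FTP's code."""

KNOWN_USERS = {"anonymous", "alice"}

# Constructed attacker input: a valid user name, a NUL byte, then text that
# closes a Lua long-bracket string and splices in a call to os.execute.
PAYLOAD = 'anonymous\x00]]..os.execute("id")..[['


def c_string(value: str) -> str:
    """Behave like a C-string consumer: nothing after the first NUL is seen."""
    nul = value.find("\x00")
    return value if nul < 0 else value[:nul]


def write_session_vulnerable(username: str) -> str:
    """Serialise the full string into Lua source with naive long-bracket quoting,
    so any bytes after the NUL land outside the string literal."""
    return "session = {}\nsession.username = [[" + username + "]]\n"


def login_vulnerable(username: str):
    """The existence check sees only 'anonymous'; the writer sees the payload.
    Returns the session-file text, or None when the user is unknown."""
    if c_string(username) not in KNOWN_USERS:
        return None
    return write_session_vulnerable(username)


def write_session_hardened(username: str) -> str:
    """Emit the name as a double-quoted Lua string with every byte written as a
    decimal escape, so no input byte can terminate the literal early."""
    escaped = "".join(f"\\{ord(ch)}" for ch in username)
    return f'session = {{}}\nsession.username = "{escaped}"\n'


def login_hardened(username: str) -> str:
    """Refuse control bytes first, then validate the exact (untruncated) string."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in username):
        raise ValueError("control byte in username")
    if username not in KNOWN_USERS:
        raise ValueError("unknown user")
    return write_session_hardened(username)


def hardened_rejects(username: str) -> bool:
    """True when the hardened login refuses the input."""
    try:
        login_hardened(username)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(login_vulnerable(PAYLOAD))   # injected os.execute sits outside the literal
    print(hardened_rejects(PAYLOAD))   # True
    print(login_hardened("alice"))
```

The two fixes are independent and both are needed: rejecting control bytes stops this payload, and escaping every byte stops the next one that uses quotes or brackets instead of a NUL.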

CVE-2025-54782 is a Command Injection and Cross-Site Request Forgery vulnerability in the NestJS @nestjs/devtools-integration package, versions 0.2.0 and earlier. Unsafe evaluation in the /inspector/graph/interact endpoint could allow arbitrary code execution through crafted JSON input.

Vulnerabilities Weaponized by Ransomware Groups 

Cyble threat intelligence researchers also included a list of vulnerabilities exploited by ransomware groups in Cyble’s August 2025 ransomware report to clients. The vulnerabilities, gathered through Cyble observation and OSINT sources, include: 

  • CVE‑2025‑53770 – Deserialization of untrusted data in on-premises Microsoft SharePoint Server – has been targeted by Storm-2603/4L4MD4r ransomware variant 
  • CVE‑2024‑40766 – an improper access control vulnerability in SonicWall SonicOS management access – has been targeted by Akira 
  • CVE‑2024‑23692 – a template injection vulnerability in Rejetto HTTP File Server – has been targeted by an unknown ransomware group 
  • CVE-2025-7771 in ThrottleStop.sys has been targeted by MedusaLocker 
  • CVE‑2025‑8088 – a path traversal vulnerability affecting the Windows version of WinRAR – has been targeted by RomCom (also tracked as Storm‑0978, Tropical Scorpius, UNC2596) in addition to other threat activities 
  • CVE-2025-29824 – a use after free vulnerability in Windows Common Log File System – has been targeted by Storm-2460 (RansomExx) with deployment of the PipeMagic backdoor framework
  • CVE-2025-31324 and CVE-2025-42999 – in SAP NetWeaver Visual Composer Metadata Uploader – has been targeted in combination by Scattered Spider 
  • CVE-2023-46604 – in the Java OpenWire protocol marshaller of Apache ActiveMQ – was previously exploited by several ransomware groups and is now exploited by an unknown group that deploys DripDropper Linux malware
  • CVE-2025-24472 – in FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 through 7.0.19 – has been targeted by INC Ransom 

Conclusion 

The 22 vulnerabilities listed here should be high-priority fixes for security teams if they haven't been patched or mitigated already, and a risk-based vulnerability management program should be at the heart of every organization's cyber defenses.
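As an added example of the risk-based prioritization this section calls for (not Cyble's tooling), the Python below scores a constructed asset inventory against a KEV-format catalog excerpt and the ransomware attributions above, so that the same CVE on an exposed host outranks it on an isolated one. The KEV excerpt uses the field names of CISA's known_exploited_vulnerabilities.json, but its due dates and ransomware flags are placeholders, the host names are invented, and the weights are assumptions to tune locally.

```python
import json
from datetime import date

# Constructed excerpt in the field layout of CISA's known_exploited_vulnerabilities.json.
# The IDs are ones the article says are in KEV; dueDate and knownRansomwareCampaignUse
# are placeholders for this example, not values copied from the catalog.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-5086", "dueDate": "2025-10-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-4427", "dueDate": "2025-06-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-31161", "dueDate": "2025-04-01", "knownRansomwareCampaignUse": "Known"},
]})

# Constructed inventory: host names are invented; the CVEs come from the article.
INVENTORY = [
    {"cve": "CVE-2025-31161", "asset": "crushftp-dmz-01", "internet_facing": True},
    {"cve": "CVE-2025-4427", "asset": "epmm-01", "internet_facing": True},
    {"cve": "CVE-2024-40766", "asset": "sonicwall-fw-01", "internet_facing": True},
    {"cve": "CVE-2025-32432", "asset": "craftcms-web-03", "internet_facing": True},
    {"cve": "CVE-2025-5086", "asset": "apriso-mes-02", "internet_facing": False},
    {"cve": "CVE-2025-45985", "asset": "lab-router-7", "internet_facing": False},
]

# Subset of the CVEs the ransomware section above attributes to a group.
RANSOMWARE_OBSERVED = {"CVE-2025-53770", "CVE-2024-40766", "CVE-2025-24472"}

# Assumed weights; adjust to local risk appetite.
W_KEV, W_RANSOMWARE, W_EXPOSED, W_OVERDUE = 40, 30, 20, 10


def load_kev(kev_json: str) -> dict:
    """Index a KEV-format document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def score_finding(item: dict, kev: dict, ransomware_observed: set, today: date):
    """Return (points, reasons) for one CVE/asset pair."""
    points, reasons = 0, []
    entry = kev.get(item["cve"])
    if entry is not None:
        points += W_KEV
        reasons.append("in CISA KEV")
        if date.fromisoformat(entry["dueDate"]) < today:
            points += W_OVERDUE
            reasons.append("KEV due date passed")
    kev_ransomware = entry is not None and entry.get("knownRansomwareCampaignUse") == "Known"
    if kev_ransomware or item["cve"] in ransomware_observed:
        points += W_RANSOMWARE
        reasons.append("ransomware use reported")
    if item.get("internet_facing"):
        points += W_EXPOSED
        reasons.append("internet-facing")
    return points, reasons


def triage(inventory, kev_json: str, ransomware_observed: set, today_iso: str) -> list:
    """Rank findings highest score first; ties fall back to CVE ID, then asset."""
    kev = load_kev(kev_json)
    today = date.fromisoformat(today_iso)
    rows = []
    for item in inventory:
        points, reasons = score_finding(item, kev, ransomware_observed, today)
        rows.append({"cve": item["cve"], "asset": item["asset"], "score": points, "reasons": reasons})
    rows.sort(key=lambda r: (-r["score"], r["cve"], r["asset"]))
    return rows


if __name__ == "__main__":
    for row in triage(INVENTORY, KEV_SAMPLE, RANSOMWARE_OBSERVED, "2025-09-23"):
        print(f'{row["score"]:3d} {row["cve"]:16} {row["asset"]:18} {", ".join(row["reasons"])}')
```

In use, replace `KEV_SAMPLE` with the live catalog download and `INVENTORY` with scanner output; the reasons list is kept on each row so the ranking can be explained to the team that owns the asset.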

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.  

Get a free external threat profile for your organization today. 


Article source: https://cyble.com/blog/vulnerabilities-under-attack/