Cybersecurity Insights (Jan 3–9, 2025)

1/10/20252 min read

Critical Vulnerabilities and Exploitation Trends

As we step into 2025, the cybersecurity landscape continues to evolve rapidly. This week highlights critical vulnerabilities, exploit activities, and emerging botnet threats that demand immediate attention.

Executive Summary

CISA has updated its Known Exploited Vulnerabilities (KEV) catalog with four critical CVEs this week. Among them are vulnerabilities affecting Mitel products, Oracle systems, and a zero-day flaw in Ivanti. Furthermore, a critical weakness in KerioControl firewalls is actively exploited, emphasizing the urgency for robust patching protocols.

Botnet activity is surging. Threats like Zerobot are exploiting Tenda Wi-Fi router vulnerabilities, while Andoryu targets GitLab. Persistent IoT botnets such as IoT Reaper and AndroxGh0St continue to exploit outdated devices, underscoring the risks of unsupported infrastructure.

Highlighted Vulnerabilities:

  • CVE-2025-0282: A stack-based buffer overflow vulnerability in Ivanti Connect Secure allows unauthenticated attackers to execute arbitrary code.

  • CVE-2024-55550 & CVE-2024-41713: Path traversal vulnerabilities in Mitel MiCollab enable unauthorized file access.

  • CVE-2024-52875: One-click RCE in KerioControl firewalls, actively exploited globally.

  • CVE-2020-2883: A deserialization flaw in Oracle WebLogic Server remains a critical threat five years post-discovery.

Exploit Activities and Mass Scanning

Telemetry data reveals active exploitation of the following CVEs:

  1. CVE-2023-4966: NetScaler ADC/Gateway buffer overflow leading to information disclosure.

  2. CVE-2022-41040: SSRF vulnerability in Microsoft Exchange Server exploited in the wild.

  3. CVE-2021-41773: Apache HTTP Server path traversal flaw targeted by multiple threat actors.

Botnets on the Rise

Botnets continue leveraging vulnerabilities to expand their networks:

  • Gayfemboy: Exploiting a zero-day in Four-Faith routers, this botnet has grown into a 15,000-node network, amplifying Distributed Denial-of-Service (DDoS) capabilities.

  • Zerobot: Actively exploiting command injection vulnerabilities in Tenda routers.

  • Legacy Threats: Mirai and Tsunami exploit outdated modems, highlighting the danger of legacy devices.

Malware Exploitation

Sophisticated malware campaigns are targeting high-profile vulnerabilities:

  • CVE-2025-0282: Zero-day exploitation by the SPAWN malware ecosystem in Ivanti Connect Secure appliances, with strains like DRYHOOK and PHASEJAM observed.

  • CVE-2024-4577: OS command injection in PHP, used for injecting cryptocurrency miners.

Pre-NVD Vulnerabilities

Emerging threats not yet included in the National Vulnerability Database (NVD) include:

  • CVE-2024-12455: Denial of Service in Fedora 41's glibc.

  • CVE-2024-43771: Remote Code Execution in Google Android.

Takeaways for Organizations

  1. Prioritize Patching: Apply updates for vulnerabilities in CISA's KEV catalog immediately.

  2. Harden Defenses: Invest in robust endpoint protection and network security measures.

  3. Monitor Exploits: Keep abreast of emerging threats and actively monitor systems for signs of exploitation.

The threat landscape underscores the importance of proactive cybersecurity measures. Organizations must remain vigilant and adaptive to safeguard against these persistent and sophisticated threats.

Weekly Insights