Cyble researchers detailed 22 vulnerabilities under active attack in a blog post today – and nine of them aren’t in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
Twelve of the vulnerabilities in the Cyble blog were targeted by attack attempts picked up by the company’s honeypot sensors. Of the 12, only four are in CISA’s KEV catalog.
Cyble also detailed 10 vulnerabilities under attack by ransomware groups; nine of those are in the KEV catalog.
And new vulnerabilities are discovered every day, of course. News broke today of a SolarWinds hotfix for a new CVE (CVE-2025-26399) in SolarWinds Web Help Desk that is a patch bypass of CVE-2024-28988, which itself is a patch bypass of CVE-2024-28986. As CVE-2024-28986 is in CISA’s KEV catalog, the new 9.8-rated CVE may well draw the attention of threat actors.
A Dozen Vulnerabilities Under Attack
Cyble detailed 12 vulnerabilities that its honeypot sensors have detected attack attempts on:
- CVE-2025-49493 in Akamai CloudTest before version 60, 2025.06.02 (12988)
- CVE-2025-5086 in DELMIA Apriso (Release 2020 through Release 2025) – which recently became a rare addition of an ICS/OT vulnerability to the KEV catalog
- CVE-2025-48827 in vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 on PHP 8.1 or later
- CVE-2025-45985 in multiple Blink router models
- CVE-2025-4427 in Ivanti Endpoint Manager Mobile versions up to 12.5.0.0; it is also in CISA’s KEV catalog.
- CVE-2025-4009 in the Evertz SDVN 3080ipx-10G management interface
- CVE-2025-32432 in Craft CMS versions 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17
- CVE-2025-31161 in CrushFTP versions 10 (prior to 10.8.4) and 11 (prior to 11.3.1); the vulnerability is in CISA’s KEV catalog
- CVE-2025-29306 in FoxCMS v1.2.5
- CVE-2025-20188 in Cisco IOS XE Software for Wireless LAN Controllers
- CVE-2025-47812 in Wing FTP Server before 7.4.4; also in the CISA KEV catalog
- CVE-2025-54782 in NestJS versions 0.2.0 and below in the @nestjs/devtools-integration package.
Vulnerabilities Exploited by Ransomware Groups
Cyble threat intelligence researchers also listed 10 vulnerabilities exploited by ransomware groups, gathered from Cyble observation and OSINT sources. Only one isn’t in the KEV catalog – CVE-2025-7771 in ThrottleStop.sys, which has reportedly been targeted by MedusaLocker.
The other vulnerabilities under attack, and the ransomware groups exploiting them, include:
- CVE‑2025‑53770 in on-premises Microsoft SharePoint Server has been targeted by Storm-2603
- CVE‑2024‑40766 in SonicWall SonicOS management access has been targeted by Akira
- CVE‑2024‑23692 in Rejetto HTTP File Server has been targeted by an unknown ransomware group
- CVE‑2025‑8088 in the Windows version of WinRAR has been targeted by RomCom (also tracked as Storm‑0978, Tropical Scorpius, UNC2596)
- CVE-2025-29824 in the Windows Common Log File System has been targeted by DriverStorm-2460 (RansomExx)
- CVE-2025-31324 and CVE-2025-42999 in SAP NetWeaver Visual Composer Metadata Uploader have been targeted in combination by Scattered Spider
- CVE-2023-46604 in the Java OpenWire protocol marshaller has been exploited by several ransomware groups and is now being targeted by an unknown group deploying DripDropper Linux malware
- CVE-2025-24472 in FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 through 7.0.19 has been targeted by INC Ransom.
Cyble said the vulnerabilities ”should be high-priority fixes by security teams if they haven’t been patched or mitigated already, and a risk-based vulnerability management program should be at the heart of every organization’s cyber defenses.”
