22 Current Vulnerabilities Under Attack—and One Potential Threat


New Insights on Active Vulnerabilities: A Closer Look at Recent Threats

Cybersecurity continues to be a pressing issue, with new vulnerabilities emerging regularly. Recently, Cyble researchers published findings on 22 vulnerabilities currently under active attack, with a notable portion not included in CISA’s Known Exploited Vulnerabilities (KEV) catalog. This highlights the dynamic nature of cybersecurity threats and the importance of staying informed.

Overview of Active Vulnerabilities

According to the latest report from Cyble, 12 vulnerabilities have been identified through the company’s honeypot sensors as being targeted in attack attempts. Out of these, only four vulnerabilities are part of CISA’s KEV catalog, showcasing a critical gap in existing threat awareness.

Key Vulnerabilities of Interest

The list of 12 active vulnerabilities includes:

  • CVE-2025-49493: A vulnerability in Akamai CloudTest before version 60, 2025.06.02.
  • CVE-2025-5086: Related to DELMIA Apriso, spanning Releases 2020 through 2025; it’s a rare ICS/OT vulnerability now categorized in KEV.
  • CVE-2025-48827: Found in vBulletin versions 5.0.0 to 5.7.5 and 6.0.0 to 6.0.3 running on PHP 8.1 or later.
  • CVE-2025-45985: This vulnerability impacts multiple models of Blink routers.
  • CVE-2025-4427: Present in Ivanti Endpoint Manager Mobile, versions up to 12.5.0.0, and included in the KEV catalog.
  • CVE-2025-4009: Concerns the Evertz SDVN 3080ipx-10G management interface.
  • CVE-2025-32432: Affects Craft CMS from versions 3.0.0-RC1 to before 3.9.15 and various other releases.
  • CVE-2025-31161: Found in CrushFTP versions prior to 10.8.4 and 11.3.1, listed in the KEV catalog.
  • CVE-2025-29306: Affects FoxCMS v1.2.5.
  • CVE-2025-20188: Associated with Cisco IOS XE Software for Wireless LAN Controllers.
  • CVE-2025-47812: Present in Wing FTP Server before version 7.4.4, also noted in the KEV catalog.
  • CVE-2025-54782: Concerns NestJS versions 0.2.0 and below via the @nestjs/devtools-integration package.

Ransomware Attacks Heightening Risk

In addition to the vulnerabilities reported via honeypots, Cyble identified 10 vulnerabilities currently exploited by various ransomware groups. Notably, only one of these vulnerabilities is not included in the KEV catalog—CVE-2025-7771, which has been associated with the notorious MedusaLocker ransomware.

Vulnerabilities Under Ransomware Threat

The following vulnerabilities have been highlighted in relation to ransomware activity:

  • CVE-2025-53770: Targeted in Microsoft SharePoint Server by the Storm-2603 group.
  • CVE-2024-40766: Present in SonicWall SonicOS management systems, exploited by the Akira group.
  • CVE-2024-23692: Affects the Rejetto HTTP File Server, targeted by an unidentified ransomware group.
  • CVE-2025-8088: Found in WinRAR for Windows, being targeted by RomCom.
  • CVE-2025-29824: Present in the Windows Common Log File System Driver, targeted by Storm-2460 (associated with RansomExx).
  • CVE-2025-31324 and CVE-2025-42999: Both exploited in the SAP NetWeaver Visual Composer Metadata Uploader by Scattered Spider.
  • CVE-2023-46604: Exploited by various ransomware groups via the Java OpenWire protocol marshaller.
  • CVE-2025-24472: Found in FortiOS and FortiProxy, targeted by the INC Ransom group.

Urgent Call for Mitigation

Cyble emphasizes that organizations must prioritize addressing these vulnerabilities. A comprehensive risk-based vulnerability management program is crucial to fortifying an organization’s cyber defenses. As new vulnerabilities emerge and threats evolve, proactive measures are key to maintaining security integrity.

These ongoing challenges in cybersecurity underline the importance of constant vigilance and rapid response from security teams worldwide. As vulnerabilities continue to surface, the potential for exploitation remains a pressing concern for businesses across all sectors.
