Last November, a state actor infiltrated ConnectWise's own network via an RCE vulnerability in ScreenConnect (CVE-2025-3935), exposing information about a small number of customers. The flaw enables ViewState code injection: an attacker who has first obtained privileged access to the ASP.NET machine keys can craft a malicious ViewState payload that the server accepts and deserializes, yielding RCE on the ScreenConnect server. The prerequisite is what makes the bug hard to exploit from the outside, and also why a compromised key has to be rotated rather than merely patched around. ConnectWise is a well-known vendor of remote monitoring, security and CRM products for IT support teams. In 2024, ScreenConnect's SlashAndGrab vulnerability (CVE-2024-1709) was already widely exploited against organizations worldwide.
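Why a stolen machine key turns ViewState into a code-execution primitive, as an added example that is not ConnectWise's code nor the real ASP.NET implementation: a simplified model of MAC-protected ViewState. It assumes a single HMAC-SHA256 validation key and JSON in place of .NET binary serialization; real ASP.NET also mixes in a page-specific modifier and optionally encrypts the blob, but the trust boundary is the same: the server deserializes whatever carries a valid MAC.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed stand-in for the <machineKey validationKey="..."> value that an
# attacker must obtain (hence "requires prior privileges") before forging.
SERVER_VALIDATION_KEY = os.urandom(32)
MAC_LEN = hashlib.sha256().digest_size


def make_viewstate(validation_key: bytes, state: dict) -> str:
    """Serialize state and append an HMAC so tampering can be detected."""
    body = json.dumps(state, sort_keys=True).encode()
    mac = hmac.new(validation_key, body, hashlib.sha256).digest()
    return base64.b64encode(body + mac).decode()


def load_viewstate(validation_key: bytes, blob: str):
    """Return the deserialized state, or None if the MAC does not verify.

    Deserialization happens only after MAC verification, which is why the
    MAC key is the whole security boundary: whoever holds it can make the
    server deserialize arbitrary content (a gadget chain, in the real attack).
    """
    raw = base64.b64decode(blob)
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(body)


def tamper_without_key(blob: str, new_state: dict) -> str:
    """Attacker swaps the payload but has no key, so the old MAC is reused."""
    raw = base64.b64decode(blob)
    old_mac = raw[-MAC_LEN:]
    body = json.dumps(new_state, sort_keys=True).encode()
    return base64.b64encode(body + old_mac).decode()


def forge_with_key(stolen_key: bytes, payload: dict) -> str:
    """Attacker holding the machine key mints a ViewState the server trusts."""
    return make_viewstate(stolen_key, payload)


def demo() -> dict:
    """Run the three cases: legitimate, tampered without key, forged with key."""
    legit = make_viewstate(SERVER_VALIDATION_KEY, {"page": "Host.aspx", "rows": 10})
    # Constructed placeholder for a gadget-chain payload; in a real attack this
    # would be a serialized .NET object graph, not JSON.
    payload = {"page": "Host.aspx", "gadget": "run-command"}
    return {
        "legit": load_viewstate(SERVER_VALIDATION_KEY, legit),
        "tampered": load_viewstate(SERVER_VALIDATION_KEY,
                                   tamper_without_key(legit, payload)),
        "forged": load_viewstate(SERVER_VALIDATION_KEY,
                                 forge_with_key(SERVER_VALIDATION_KEY, payload)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:9s} -> {result}")
```

The tampered blob is rejected and the forged one is accepted with the attacker's content intact, which is the whole point: patching the code path that leaked the key does not help a server whose key is already in the attacker's hands, so the key must be rotated.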
A new report details Earth Lamia, a Chinese threat group exploiting various vulnerabilities in Internet-facing assets and SQL injection flaws in web applications. Among them are flaws in Apache Struts (CVE-2017-9805), GitLab (CVE-2021-22205), TeamCity (CVE-2024-27198 and CVE-2024-27199), Craft CMS (CVE-2024-56145), and the SAP NetWeaver vulnerability (CVE-2025-31324), which has recently been exploited by numerous threat actors. Earth Lamia mostly targets organizations in Brazil and in Asian countries. After focusing on the retail and logistics sectors in 2024, it now appears to prefer IT companies, universities, and government entities.
An unidentified threat actor has been observed disabling Trend Micro protections on ASUS routers, then exploiting three vulnerabilities in ASUS AiProtection features (including CVE-2023-39780, a command-injection flaw) to take control of the compromised devices. Because the backdoor, an attacker-controlled SSH key, is written into the router's NVRAM settings rather than to disk, it survives reboots and persists even after the patch for the flaw that originally granted access has been applied; a firmware update does not clear NVRAM, only a factory reset does.
[mitigate]Block access from 101.99.91[.]151, 101.99.94[.]173, 79.141.163[.]179, 111.90.146[.]237[/mitigate]
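A way to hunt for this kind of settings-based persistence, as an added example that is not from the original report nor ASUS firmware: parse an nvram show dump and flag SSH state an attacker would leave behind. The variable names sshd_enable, sshd_port, sshd_authkeys and wrs_protect_enable are assumed from public Asuswrt sources and should be confirmed on your model; the dump, key and port below are constructed.

```python
import re

# Constructed excerpt of an `nvram show` dump (one key=value per line) as
# produced by Asuswrt-based firmware. Variable names are assumptions (see
# lead-in); the key blob, port and addresses are made up for the example.
NVRAM_DUMP = """\
lan_ipaddr=192.168.50.1
wan_ipaddr=203.0.113.10
sshd_enable=1
sshd_port=51222
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC7constructedexamplekey unknown@attacker
wrs_protect_enable=0
"""

# Matches an OpenSSH public key: key type followed by its base64 blob.
KEY_RE = re.compile(r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)")


def parse_nvram(dump: str) -> dict:
    """Parse key=value lines; values may themselves contain spaces or '='."""
    settings = {}
    for line in dump.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_ssh_persistence(settings: dict, trusted_key_blobs: set) -> list:
    """Return findings for NVRAM state that keeps attacker SSH access alive
    across reboots and firmware updates. `trusted_key_blobs` holds the
    base64 blobs of keys the administrator knowingly installed."""
    findings = []
    enable = settings.get("sshd_enable", "0")
    if enable != "0":
        findings.append(f"sshd_enable={enable}: SSH service is enabled")
    port = settings.get("sshd_port", "22")
    if port != "22":
        findings.append(f"sshd_port={port}: SSH listens on a non-default port")
    for algo, blob in KEY_RE.findall(settings.get("sshd_authkeys", "")):
        if blob not in trusted_key_blobs:
            findings.append(f"sshd_authkeys: unrecognised {algo} key {blob[:20]}...")
    # Assumed name of one AiProtection toggle (malicious-site blocking).
    if settings.get("wrs_protect_enable") == "0":
        findings.append("wrs_protect_enable=0: AiProtection site blocking disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_persistence(parse_nvram(NVRAM_DUMP), set()):
        print(finding)
```

Run it against a dump taken over the router's own shell, with the blobs of your legitimately installed keys in the trusted set; anything it reports after a firmware upgrade is a sign the upgrade did not touch the persistence, and the remedy is a factory reset followed by re-provisioning from a known-good configuration.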
A few days after a PoC was published, exploitation attempts against critical RCE vulnerabilities in vBulletin (CVE-2025-48827 and CVE-2025-48828) were spotted. This is the first observed exploitation of vBulletin flaws since 2020. vBulletin is a once-popular commercial forum package that lets users create and manage online forums on their websites.
[mitigate]Monitor with Qualys QID 732555[/mitigate]
The disclosure of a CVSS 10.0 vulnerability in Cisco IOS XE (CVE-2025-20188) has raised serious concern in the security community. The flaw, rooted in a hard-coded JSON Web Token (JWT), can be exploited by sending crafted HTTPS requests to the Out-of-Band Access Point (AP) image download interface, allowing an unauthenticated attacker to upload arbitrary files (for example overwriting configuration files via path traversal) and execute commands with root privileges. Exploitation does require the Out-of-Band AP Image Download feature, which provides automatic updates of wireless access points, to be enabled; it is disabled by default, and its state can be checked with show running-config | include ap upgrade (the feature is on if ap upgrade method https is returned). Cisco IOS XE for Wireless LAN Controllers is used by many organizations worldwide.
[mitigate]Disable the Out-of-Band AP Image Download feature[/mitigate]
Using OpenAI's ChatGPT o3 model, researchers discovered a zero-day in ksmbd (CVE-2025-37899), the Linux kernel's in-kernel Server Message Block (SMB) implementation: a use-after-free in the session logoff handler. The finding was unintentional: o3 was being benchmarked on rediscovering a known use-after-free in the Kerberos authentication path (CVE-2025-37778) within roughly 12,000 lines of session-handling code, which it managed in only 1 out of 100 runs, a hit rate that underlines how much human triage such runs still need.