A new Ivanti exploitation
Since mid-March, the Chinese state actor UNC5221 has been exploiting an Ivanti vulnerability (CVE-2025-22457) affecting the Connect Secure, Policy Secure and ZTA Gateways products. Exploitation apparently occurred against legacy systems on which the vendor’s patch could not be applied; in any case, patches for Ivanti ZTA Gateways and Policy Secure will not be released until April 19 and 21 respectively. Ivanti, which first claimed that the flaw is not exploitable, now admits that exploitation is possible “through sophisticated means”. More than 5K Internet-facing Ivanti devices remain vulnerable globally.
A threat actor credited for reporting vulnerabilities
Microsoft has credited a third party named SkorikARI for reporting two vulnerabilities, without knowing that SkorikARI is a nickname used by the infamous threat actor EncryptHub. The flaws are a Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability (CVE-2025-24061) and a File Explorer Spoofing Vulnerability (CVE-2025-24071). EncryptHub is a Ukrainian lone-wolf hacker who emerged in March 2024 and has since compromised more than 600 organizations. It has recently been observed exploiting the “MSC EvilTwin” vulnerability in Microsoft Management Console (CVE-2025-26633).

Exploiting a flaw in ESET antivirus
ToddyCat is exploiting a vulnerability in ESET antivirus (CVE-2024-11859) to execute payloads on compromised devices while evading detection. The flaw, patched last January, allows an attacker with admin privileges to load a malicious DLL. Furthermore, in the post-compromise stage, the threat actor also used a vulnerability in Dell drivers (CVE-2021-36276) to elevate to kernel-level permissions. ToddyCat is a Chinese APT that was particularly active between 2020 and 2022. It is known for targeting government and defense organizations in Asia and Europe for data theft purposes.

A Windows CLFS zero-day used by a ransomware group
A ransomware group named Storm-2460 has exploited a zero-day in the Windows Common Log File System (CLFS) kernel driver (CVE-2025-29824) in the post-compromise stage for privilege escalation. Victims include American IT and real estate companies as well as organizations in Spain, Venezuela and Saudi Arabia. Not much is known about Storm-2460, but it is apparently a financially motivated group belonging to the RansomEXX family.
Mitigate it
Apply Microsoft Defender detections SilverBasket, MSBuildInlineTaskLoader.C and SuspClfsAccess
CrushFTP flaw now under active exploitation
Following a controversy about CVE assignment, the recently disclosed CrushFTP vulnerability (CVE-2025-2825 / CVE-2025-31161) is now under active exploitation, leveraged to deploy a backdoor and gain persistent access. At least four organizations from the marketing, retail and semiconductor sectors have been compromised. However, the number of detected exploitation attempts worldwide appears to be decreasing.

Mitigate it
Block access from IP addresses 172.235.144[.]67 and 2.58.56[.]16
Another file sharing system targeted
Threat actors have exploited a vulnerability in Gladinet Triofox (CVE-2025-30406), another enterprise file sharing and remote access platform. The flaw is the result of a hardcoded machineKey in the IIS web.config file, which allows attackers to pass integrity checks.
Mitigate it
Rotate the machineKey and follow Gladinet’s instructions to create a secure and unique one.
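A rotation helper for the mitigation above, added here as an example (not Gladinet's or Microsoft's code). It assumes the standard ASP.NET `<system.web><machineKey>` schema; the "known default" key values and the sample web.config are constructed placeholders, not the vendor's real keys.

```python
"""Audit an IIS web.config <machineKey> and rotate it to fresh random keys."""
import secrets
import xml.etree.ElementTree as ET

# Constructed placeholders standing in for a key that shipped hardcoded in a
# product; a real audit would load the vendor-published value here instead.
KNOWN_DEFAULT_KEYS = {"A" * 128, "B" * 64}

# ASP.NET guidance: HMACSHA256 validationKey = 64 bytes, AES decryptionKey = 32 bytes.
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32
HEX_DIGITS = set("0123456789abcdefABCDEF")


def audit_machine_key(config_xml: str) -> list:
    """Return findings explaining why the machineKey is risky (empty list = ok)."""
    mk = ET.fromstring(config_xml).find("system.web/machineKey")
    if mk is None:
        return []  # absent element: ASP.NET auto-generates per-app keys at runtime
    findings = []
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate,IsolateApps")
        if value.startswith("AutoGenerate"):
            continue  # runtime-generated, not shared across installs
        if value.upper() in KNOWN_DEFAULT_KEYS:
            findings.append(f"{attr} matches a known hardcoded default")
        elif not set(value) <= HEX_DIGITS:
            findings.append(f"{attr} is not a hex-encoded key")
    if mk.get("validation", "HMACSHA256") in ("MD5", "SHA1"):
        findings.append("validation algorithm is weak")
    return findings


def generate_machine_key() -> dict:
    """Fresh, unique key material from the OS CSPRNG, upper-case hex as IIS expects."""
    return {
        "validationKey": secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
        "decryptionKey": secrets.token_hex(DECRYPTION_KEY_BYTES).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(config_xml: str) -> str:
    """Replace (or add) the machineKey element and return the updated web.config."""
    root = ET.fromstring(config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    for name, value in generate_machine_key().items():
        mk.set(name, value)
    return ET.tostring(root, encoding="unicode")


# Constructed sample web.config carrying the placeholder "hardcoded" keys.
SAMPLE_CONFIG = (
    '<configuration><system.web><machineKey validationKey="' + "A" * 128
    + '" decryptionKey="' + "B" * 64
    + '" validation="HMACSHA256" decryption="AES"/></system.web></configuration>'
)
```

Rotating invalidates every outstanding forms-authentication ticket and ViewState signed under the old key, so schedule it alongside a forced re-login; in a web farm, generate one unique key set and deploy it to all nodes.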
Clop exposes many high-profile companies
The infamous Russian cybercrime group Clop continues to expose high-profile companies it compromised in its recent Cleo exploitation campaign. Among the victims are the food giant Kellogg Co, the car rental company Hertz, Chicago Public Schools, Western Alliance Bank, Walmart’s subsidiary Sam’s Club and the cloud computing services provider Rackspace. In late 2024, Clop conducted an exploitation campaign leveraging two vulnerabilities in the Cleo file sharing software (CVE-2024-50623, CVE-2024-55956).

NIST de-prioritizes pre-2018 vulnerabilities
NIST has decided to mark pre-2018 CVEs as “deferred”. The new status is aimed at de-prioritizing old vulnerabilities, although NIST affirmed that it will still update information about these CVEs if requested. Around one third of all vulnerabilities, roughly 100K CVEs, were assigned a CVE ID before 2018. NIST’s decision follows growing delays in clearing CVE backlogs, partly due to a 32% increase in enrichment requests in 2024.
Sources
- https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability
- https://outpost24.com/blog/unmasking-encrypthub-chatgpt-partner-crime/, https://thehackernews.com/2025/04/microsoft-credits-encrypthub-hacker.html
- https://securelist.com/toddycat-apt-exploits-vulnerability-in-eset-software-for-dll-proxying/116086/
- https://www.microsoft.com/en-us/security/blog/2025/04/08/exploitation-of-clfs-zero-day-leads-to-ransomware-activity/
- https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation
- https://www.helpnetsecurity.com/2025/04/09/rce-gladinet-centrestack-file-sharing-exploited-cve-2025-30406/
- https://www.bleepingcomputer.com/news/security/food-giant-wk-kellogg-discloses-data-breach-linked-to-clop-ransomware
- https://www.securityweek.com/nist-puts-pre-2018-cves-on-back-burner-as-it-works-to-clear-backlog/