
Commvault exploitation part of a large campaign against SaaS

CISA claims that the ongoing attacks targeting the recently disclosed Commvault vulnerability (CVE-2025-3928) are part of a larger campaign compromising “various SaaS companies’ cloud applications with default configurations and elevated permissions”. A state actor has been exploiting the flaw since February, first as a zero-day, to hack Azure environments. Commvault offers data protection, storage and recovery solutions.

Mitigate it

Block access from 108.69.148[.]100, 128.92.80[.]210, 184.153.42[.]129, 108.6.189[.]53, 154.223.17[.]243 and 159.242.42[.]20

DragonForce chains RMM flaws in a supply chain attack

DragonForce has chained three vulnerabilities in the Remote Monitoring and Management (RMM) tool SimpleHelp (CVE-2024-57726/7/8) in a supply chain attack that compromised an undisclosed Managed Service Provider. Last April, the same flaws were already part of a campaign led by the Chinese Storm-1175 (aka UNC5604) which deployed the Medusa ransomware. Originally a Malaysia-based hacktivist group, DragonForce has recently evolved into one of the most prolific ransomware gangs worldwide after it successfully incorporated other groups’ affiliates (such as RansomHub’s). It is known for its recent attacks on large British retailers.

A sophisticated campaign targeting a Confluence flaw

In sophisticated multi-stage attacks from late 2024, a threat actor deploying the ElPaco ransomware exploited a vulnerability in Internet-facing Confluence servers (CVE-2023-22527) for initial access. The group then quickly established persistence and obtained SYSTEM permissions, even though attempts to elevate privileges by exploiting Zerologon (CVE-2020-1472) and PrintNightmare (CVE-2021-34527) apparently failed. The Confluence vulnerability was widely exploited in 2023 and 2024 by various cybercrime actors. ElPaco is a recently emerged variant of the Mimic ransomware that primarily targets Windows systems.

Mitigate it

Block access from 45.227.254[.]124, 91.191.209[.]46

Chinese exploitation of GIS-based tool

A Chinese state actor named Bronze Silhouette (aka UAT-6382) is targeting local governments in the US by exploiting a vulnerability in the geolocation software Cityworks (CVE-2025-0994). The deserialization flaw allows remote code execution on Microsoft Internet Information Services (IIS) web servers. The campaign began last January, before the vulnerability was disclosed and patched in February.

Ivanti EPMM vulnerabilities exploited by state actors

The Chinese state actor UNC5221 is behind the campaign chaining two Ivanti EPMM vulnerabilities (CVE-2025-4427/8), which allow an attacker to bypass authentication and achieve RCE. The flaws were exploited to exfiltrate operational information, together with data providing visibility into managed devices. The campaign targets various sectors such as aviation, defense, finance, local government, healthcare, and telecommunications. Among the victims are a large German telecom organization, an American weapons manufacturer and a Korean multinational bank.

Mitigate it

Filter access to the API using either the built-in Portal ACLs functionality or an external WAF

Craft CMS exploited again

A Turkish threat actor nicknamed Mimo is exploiting a vulnerability in the Craft Content Management System (CVE-2025-32432) for initial access. Multiple payloads are subsequently deployed, including proxyware and a cryptominer. In the past, Mimo led cryptomining campaigns using other known vulnerabilities, such as those in log4j, Confluence, PaperCut and Apache MQ.

Mitigate it

Apply SonicWall IPS rules 20950 and 20951

Cisco routers hijacked by a botnet

The Chinese botnet ViciousTrap has hijacked over 5,300 devices through the exploitation of a vulnerability in Cisco Small Business routers (CVE-2023-20118). The campaign apparently originated from a single IP address. In parallel, ASUS routers were also compromised.

Mitigate it

Block access from 101.99.91[.]151
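The "Mitigate it" items above for the Commvault, ElPaco/Confluence and ViciousTrap campaigns each give defanged IP indicators to block. The following is an added example (not part of the original digest) showing how a defender can refang and validate those indicators, then check constructed web-server access-log lines against the resulting blocklist; the log lines and the Apache/nginx combined-format assumption are mine.

```python
import ipaddress
import re

# Indicators copied from the digest above, in their defanged form.
DEFANGED_INDICATORS = [
    "108.69.148[.]100", "128.92.80[.]210", "184.153.42[.]129",
    "108.6.189[.]53", "154.223.17[.]243", "159.242.42[.]20",   # Commvault campaign
    "45.227.254[.]124", "91.191.209[.]46",                     # ElPaco / Confluence
    "101.99.91[.]151",                                         # ViciousTrap
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a real IPv4 string.
    Raises ValueError if the result is not a valid IPv4 address."""
    candidate = indicator.replace("[.]", ".").replace("(.)", ".").strip()
    return str(ipaddress.IPv4Address(candidate))  # validates every octet

def build_blocklist(indicators) -> set:
    """Return the set of validated, refanged IPv4 address strings."""
    return {refang(i) for i in indicators}

# Client IP is the first field in Apache/nginx combined log format (assumption).
CLIENT_IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")

def find_hits(log_lines, blocklist):
    """Return (line, ip) pairs for log lines whose client IP is on the blocklist."""
    hits = []
    for line in log_lines:
        m = CLIENT_IP_RE.match(line)
        if m and m.group(1) in blocklist:
            hits.append((line, m.group(1)))
    return hits

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [21/May/2025:10:01:02 +0000] "GET /login HTTP/1.1" 200 512',
    '45.227.254.124 - - [21/May/2025:10:02:17 +0000] "GET /index.html HTTP/1.1" 200 88',
    '101.99.91.151 - - [21/May/2025:10:03:44 +0000] "GET /api/status HTTP/1.1" 404 12',
    '192.168.1.20 - - [21/May/2025:10:04:01 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    bl = build_blocklist(DEFANGED_INDICATORS)
    for line, ip in find_hits(SAMPLE_LOG, bl):
        print(f"hit {ip}: {line}")
```

The same blocklist set can be fed to a firewall rule generator; validating through `ipaddress` first prevents a mistyped indicator from silently producing a rule that never matches.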

A flaw in the freshly released Windows Server 2025

Concerns were raised after the disclosure of a privilege escalation vulnerability in Windows Server 2025’s delegated Managed Service Account (dMSA) – a new feature aimed at facilitating migration from legacy service accounts. The exploitation, considered trivial, might result in the compromise of any user in Active Directory. In 91% of examined environments, non-admin users were found able to exploit the flaw. However, Microsoft tagged the vulnerability with medium severity, claiming that exploitation requires prior permissions on the dMSA object.

NVD will be audited

The US government launched an audit of the National Vulnerability Database (NVD), focusing on NIST’s procedure for adding or updating vulnerability entries. The initiative follows the significant backlog that delayed vulnerability enrichment efforts in 2024. NIST stated it is currently working on improving management processes and automating data analysis tasks by utilizing AI models.
