Cyble’s latest report reveals a significant increase in exploit attempts, malware campaigns, and brute-force attacks targeting IoT devices and enterprise systems worldwide. Critical vulnerabilities across various devices and software remain actively exploited, highlighting the need for rigorous patching and comprehensive security measures. #Mirai #CoinMiner #WannaCry #CVE-2025-45985 #CVE-2025-30220
Key points
- Cyble’s honeypot sensors detected a sharp rise in attacks on IoT devices and enterprise infrastructure globally.
- Seventeen critical vulnerabilities were actively scanned or exploited, including command injection, RCE, and authentication bypass flaws.
- Notable vulnerabilities affect Blink Routers, GeoServer, Citrix NetScaler, Palo Alto Networks GlobalProtect, and others.
- Legacy vulnerabilities like Treck TCP/IP stack (CVE-2020-11899), Apache Log4j2 (CVE-2021-44228), and BlueKeep (CVE-2019-0708) remain heavily targeted.
- High-profile malware strains such as Mirai, CoinMiner, WannaCry, and IRCBot continue to operate and evolve.
- Phishing and brute-force attacks persist with attackers targeting common usernames and weak passwords on key IT systems.
- Threat actors actively share and weaponize vulnerabilities on underground forums and Telegram channels.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Command injection in Blink Routers via the bs_SetSSIDHide function allows arbitrary system commands to be run on the device (“…command injection flaw via the bs_SetSSIDHide function enables attackers to execute arbitrary system commands remotely…”).
- [T1190] Exploit Public-Facing Application – GeoServer vulnerable to unauthenticated Remote Code Execution exploiting unsafe parameters (“…critical flaw allows unauthenticated attackers to execute arbitrary code through unsafe evaluation of OGC request parameters…”).
- [T1078] Valid Accounts – Authentication bypass in Ivanti Virtual Traffic Manager grants unauthorized admin access, and a Swagger-UI path-handling bypass in AJ-Report leads to remote code execution (“…flawed authentication mechanism permits attackers unauthorized admin access…”, “…appending ‘;swagger-ui’ to HTTP requests enables remote arbitrary Java code execution…”).
- [T1046] Network Service Discovery – Sensors recorded over 544,000 attempts against the Treck TCP/IP stack vulnerability alone, alongside scanning for other known flaws (“…sensors recorded over 544,000 attempts targeting the Treck TCP/IP stack vulnerability…”).
- [T1110] Brute Force – High volume of brute-force attempts on common usernames and weak passwords targeting IT automation tools and databases (“…high volume of attempts targeting common usernames such as ‘admin,’ ‘root,’ and ‘postgres’ paired with weak passwords…”).
- [T1566] Phishing – Persistent phishing campaigns impersonating trusted entities with various social engineering lures (“…phishing campaigns persist as a favorite tactic for credential theft and malware distribution…”).
- [T1059] Command and Scripting Interpreter (T1086 “PowerShell”, cited in the original report, is a retired ID now folded into T1059.001 and does not fit Lua) – Weaponized Lua code injection in Wing FTP Server allows unauthenticated remote code execution (“…Wing FTP Server Remote Code Execution allows unauthenticated Lua code injection…”).
Indicators of Compromise
- [File Hashes] Malware samples – nearly 250 WannaCry ransomware samples detected this week.
- [CVE Identifiers] Active vulnerabilities – CVE-2025-45985 (Blink Routers command injection), CVE-2025-30220 (GeoServer XXE), CVE-2025-5777 (Citrix NetScaler memory overread), CVE-2024-36401 (GeoServer RCE), and CVE-2024-8503 (VICIdial SQL injection).
- [Software/Devices] Targeted products – Blink Routers BL-WR9000 V2.4.9, BL-AC2100_AZ3 V1.0.4; Palo Alto Networks GlobalProtect; Cisco ASA firewalls; Raisecom MSG devices; AVTECH IP Cameras.
- [Usernames] Brute-force targets – “admin,” “root,” “postgres” frequently attacked with weak passwords like “123456”.
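The brute-force activity above (T1110, with “admin”, “root” and “postgres” as the favoured usernames) is straightforward to catch on the defending side. The following detector is an added example and not code from Cyble or the report: it parses constructed sshd and PostgreSQL failure lines (the PostgreSQL lines assume a log_line_prefix that emits the client IP), counts failures per source IP in a sliding 60-second window, and tags alerts whose usernames overlap the watchlist from the report. The log lines, IPs, window and threshold are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the report). The sshd lines use
# the stock OpenSSH format; the postgres line assumes log_line_prefix='%t %h '.
SAMPLE_LOGS = """\
2025-07-14T10:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2025-07-14T10:00:02 sshd[1201]: Failed password for root from 203.0.113.7 port 51236 ssh2
2025-07-14T10:00:03 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51238 ssh2
2025-07-14T10:00:04 sshd[1201]: Failed password for root from 203.0.113.7 port 51240 ssh2
2025-07-14T10:00:05 sshd[1201]: Failed password for invalid user postgres from 203.0.113.7 port 51242 ssh2
2025-07-14T10:00:06 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51244 ssh2
2025-07-14T10:03:10 sshd[1201]: Failed password for alice from 198.51.100.9 port 40000 ssh2
2025-07-14T10:09:30 sshd[1201]: Accepted password for alice from 198.51.100.9 port 40002 ssh2
2025-07-14T10:20:00 203.0.113.7 postgres[2202]: FATAL:  password authentication failed for user "postgres"
"""

SSHD_FAIL_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)
PG_FAIL_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) postgres\[\d+\]: FATAL:\s+'
    r'password authentication failed for user "(?P<user>[^"]+)"'
)

# Usernames the report lists as the most-attacked; assumed window/threshold.
WATCHLIST = {"admin", "root", "postgres"}
WINDOW = timedelta(seconds=60)
THRESHOLD = 5


def parse_failures(text):
    """Return a list of (timestamp, source_ip, username) for each failed login."""
    events = []
    for line in text.splitlines():
        m = SSHD_FAIL_RE.match(line) or PG_FAIL_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"]))
    return events


def detect_bruteforce(events, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window failure count per source IP; one alert per offending IP.

    An alert fires the first time `threshold` failures from the same IP fall
    inside `window`, and records which watchlist usernames were tried.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((ts, user))

    alerts = []
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until all entries fit in `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = {u for _, u in fails[start:end + 1]}
                alerts.append({
                    "ip": ip,
                    "count": count,
                    "first": fails[start][0],
                    "last": fails[end][0],
                    "watchlist_hits": sorted(users & WATCHLIST),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_failures(SAMPLE_LOGS)):
        print(alert)
```

With the sample above, only 203.0.113.7 trips the threshold (five failures within four seconds, covering all three watchlist names); the single failure from 198.51.100.9 followed by a successful login is left alone, and the later PostgreSQL failure falls outside the window and does not raise a second alert. In production, feed the same function from the auth log tail and alert separately on any IP whose attempts include watchlist usernames, since those match the pattern the report describes.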
Read more: https://cyble.com/blog/weekly-iot-and-it-vulnerabilities/