Cybersecurity researchers at Cyble have revealed 22 vulnerabilities currently being exploited by threat actors, with nine of them missing from the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.

In its latest blog post, Cyble explained that twelve of the vulnerabilities were flagged by its honeypot sensors after detecting real-world attack attempts. Out of these twelve, only four are listed in CISA’s KEV catalog.

The report also highlights 10 vulnerabilities actively abused by ransomware groups. Interestingly, nine of those have already made it into CISA’s KEV catalog, with just one — CVE-2025-7771 in ThrottleStop.sys — standing out as an exception. This flaw has reportedly been exploited by the MedusaLocker ransomware group.

Adding to the urgency, SolarWinds today rolled out a hotfix addressing CVE-2025-26399 in SolarWinds Web Help Desk. The flaw bypasses patches for CVE-2024-28988, which itself was a patch bypass for CVE-2024-28986. Since CVE-2024-28986 is already part of the KEV catalog, experts warn the new 9.8 CVSS-rated vulnerability could quickly attract attention from attackers.

Cyble researchers documented 12 vulnerabilities under active attack, including:

• CVE-2025-49493 – Akamai CloudTest (before version 60, 2025.06.02)

• CVE-2025-5086 – DELMIA Apriso (Release 2020–2025), recently added as a rare ICS/OT flaw in the KEV catalog

• CVE-2025-48827 – vBulletin 5.0.0–5.7.5 and 6.0.0–6.0.3 on PHP 8.1+

• CVE-2025-45985 – Multiple Blink router models

• CVE-2025-4427 – Ivanti Endpoint Manager Mobile up to 12.5.0.0 (in KEV catalog)

• CVE-2025-4009 – Evertz SDVN 3080ipx-10G management interface

• CVE-2025-32432 – Craft CMS 3.0.0-RC1 to <3.9.15, 4.0.0-RC1 to <4.14.15, 5.0.0-RC1 to <5.6.17

• CVE-2025-31161 – CrushFTP 10 (before 10.8.4) and 11 (before 11.3.1), listed in KEV

• CVE-2025-29306 – FoxCMS v1.2.5

• CVE-2025-20188 – Cisco IOS XE Software for Wireless LAN Controllers

• CVE-2025-47812 – Wing FTP Server (before 7.4.4), also in KEV

• CVE-2025-54782 – NestJS versions 0.2.0 and below in @nestjs/devtools-integration

Cyble’s threat intelligence division also identified 10 vulnerabilities exploited by ransomware groups, tracked via open-source intelligence and internal monitoring. Notable cases include:

• CVE-2025-53770 – Microsoft SharePoint Server, exploited by Storm-2603

• CVE-2024-40766 – SonicWall SonicOS, targeted by Akira

• CVE-2024-23692 – Rejetto HTTP File Server, targeted by an unknown group

• CVE-2025-8088 – WinRAR for Windows, exploited by RomCom (Storm-0978 / Tropical Scorpius / UNC2596)

• CVE-2025-29824 – Windows Common Log File System, abused by RansomExx (Storm-2460)

• CVE-2025-31324 and CVE-2025-42999 – SAP NetWeaver Visual Composer Metadata Uploader, exploited in tandem by Scattered Spider

• CVE-2023-46604 – Java OpenWire protocol marshaller, linked to Linux malware Drip Dropper

• CVE-2025-24472 – FortiOS 7.0.0–7.0.16, FortiProxy 7.2.0–7.2.12 / 7.0.0–7.0.19, exploited by INC Ransom

According to Cyble, these vulnerabilities “should be high-priority fixes by security teams if they haven't been patched or mitigated already, and a risk-based vulnerability management program should be at the heart of every organization's cyber defenses.”