The Sensor Intel Series is created in partnership with Efflux, who maintains a globally distributed network of sensors from which we derive attack telemetry.
Additional insights and contributions provided by the F5 Threat Campaigns team.
Introduction
Welcome to this month's installment of the Sensor Intel Series, our monthly summary of vulnerability intelligence based on distributed passive sensor data, looking at data from February of 2025.
Top 10 Scanned Review
CVE-2017-9841: PHPUnit Remote Code Execution
Back in June 2024 we saw huge volumes of scanning for a PHPUnit Remote Code Execution vulnerability, CVE-2017-9841. We see large volumes of scanning again this month in February 2025. Not quite to the same scale, but similarly from many disparate geolocations and from a large number of IP addresses. Surely by now, anyone still running such an old PHPUnit has been compromised many times over.
If you're using PHPUnit you can run phpunit --version. If it reports a version in the range >=5.0.10, <5.6.3 or >=4.8.19, <4.8.28 you might just want to go ahead and roll incident response at this point.
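One way to automate that version check, as an added example that is not part of the original post: it parses the output of phpunit --version and compares it against the two affected ranges quoted above (the vendor/bin/phpunit path is an assumption; adjust it to your install).

```python
"""Check a PHPUnit version string against the CVE-2017-9841 ranges quoted above."""
import re
import subprocess

# Affected ranges as stated in the post: (lower inclusive, upper exclusive) pairs.
VULNERABLE_RANGES = (
    ((5, 0, 10), (5, 6, 3)),
    ((4, 8, 19), (4, 8, 28)),
)


def parse_version(text):
    """Extract the first x.y.z version from `phpunit --version` output.

    Typical output line: 'PHPUnit 4.8.27 by Sebastian Bergmann and contributors.'
    """
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError("no x.y.z version found in: %r" % text)
    return tuple(int(p) for p in m.groups())


def is_vulnerable(version):
    """True if the (major, minor, patch) tuple falls in any affected range."""
    return any(lo <= version < hi for lo, hi in VULNERABLE_RANGES)


def check_output(text):
    """Classify a captured `phpunit --version` line; returns a small report dict."""
    v = parse_version(text)
    return {"version": ".".join(map(str, v)), "vulnerable": is_vulnerable(v)}


def check_installed(binary="vendor/bin/phpunit"):
    """Run the local PHPUnit binary (assumed path) and classify it.

    Returns None if the binary cannot be executed, so callers can treat
    'not installed' separately from 'installed and safe'.
    """
    try:
        proc = subprocess.run([binary, "--version"], capture_output=True,
                              text=True, timeout=30)
    except (OSError, subprocess.SubprocessError):
        return None
    return check_output(proc.stdout)


if __name__ == "__main__":
    # Constructed sample line, standing in for real command output.
    print(check_output("PHPUnit 4.8.27 by Sebastian Bergmann and contributors."))
```

The version check is only a proxy: the underlying exposure is a web-reachable vendor directory, so a vendor tree served by the web server deserves attention even when the version is outside these ranges.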
CVE-2023-1389: TP-Link Archer AX21 Remote Code Execution
Interest in exploiting the TP-Link Archer AX21 Remote Code Execution vulnerability (CVE-2023-1389) holds steady, although CVE-2017-9841 bumps it from the most-exploited #1 spot. If you or friends and family have TP-Link routers at home, consider walking them through the official TP-Link guidelines for getting it patched. However, it's unclear whether this patch process would evict an already present adversary. So better yet would be to make a gift of a secure replacement router to your friend or family member.
Companies with remote working employees may want to take the TP-Link RCE more seriously, as there’s a potential for exploitation to pivot through into employee laptops and on into corporate infrastructure. There are no reported cases of this happening to date, but you may still want to act proactively to ensure that your employee edge devices aren’t vulnerable.
CVE-2024-3721: TBK DVR Remote Code Execution
Exploitation attempts of TBK DVR devices are back in the top 10 with CVE-2024-3721. Unlike TP-Link routers, these are not consumer devices. If your organization has these devices on its edge, you'd do well to replace them and, again, look for signs of compromise. Chances are that's easier said than done, as asset inventory is a notoriously hard problem to solve robustly - sorry!
Recon vs Single-Stage Exploits
This month we looked into the exploit payloads of the top 10 CVEs and classified each payload as either reconnaissance or as an immediate single-stage exploit attempt. As our sensors do not respond to reconnaissance efforts, we aren't distinguishing recon that would lead to follow-up exploitation from more benign recon. Table 1 shows the breakdown.
| CVE | # Single-Stage Exploits | % Single-Stage Exploits | # Total Exploits |
| --- | ---: | ---: | ---: |
| CVE-2017-9841 | 443 | 1.1% | 38,339 |
| CVE-2023-1389 | 9 | 0.1% | 5,061 |
| CVE-2024-3721 | 3,655 | 100% | 3,655 |
| CVE-2020-11625 | 0 | 0% | 3,150 |
| CVE-2022-24847 | 0 | 0% | 2,275 |
| CVE-2022-22947 | 0 | 0% | 1,855 |
| CVE-2019-9082 | 7 | 0.4% | 1,716 |
| CVE-2024-4577 | 0 | 0% | 1,442 |
| CVE-2022-42475 | 0 | 0% | 1,115 |
| CVE-2020-8958 | 0 | 0% | 854 |
As we can see, single-stage requests for a CVE typically make up 1% of incoming requests, and some CVEs see no single-stage requests at all. This is most easily explained by the nature of the CVE: only CVEs that can directly result in Remote Code Execution in a single step can show up as single-stage in this data.
The percentage of single-stage requests shifts dramatically when a CVE is being actively exploited by a noisy botnet. Mirai variants accounted for 100% of all exploitation attempts of CVE-2024-3721. Amongst the payloads we found a Mirai variant named “hide.arm7”. Static analysis of this file, which was not stripped of symbols and included debugging information, showed many method names common with the Mirai “Beastmode” variant. We obtained this sample from hxxp://154.18.239.232/hide/hide.arm7. For further information, please see the Appendix section below.
Of minor interest were exploitation attempts using CVE-2017-9841, with a number of relatively unsophisticated attacks. This is likely due to the accessibility of PHP payloads for threat actors breaking into the scene. One actor has been using the same stager payloads on Pastebin since 2021 [link]. The stager payload we observed has some 2000 hits according to Pastebin's own statistics. As they say, it's not dumb if it works.
February Vulnerabilities by the Numbers
Figure 1 shows February traffic for the top ten CVEs that we track. As we described earlier, CVE-2017-9841 dominates activity for the month. See the next section, "Targeting Trends", for an easier-to-understand view using a logarithmic scale in Figure 3.
Targeting Trends
Figure 2 is a bump plot showing the change in traffic volume and position over the last twelve months. We can see that while CVE-2017-9841 has seen pronounced activity this month, June's spike in activity was even more pronounced. Growth continued for CVE-2024-3721, as well as for CVE-2020-11625. CVE-2023-1389 saw significant variation looking back through summer and fall of 2024, but no significant change in activity in recent months.

Figure 2. Evolution of vulnerability targeting in the last twelve months. Pronounced activity in CVE-2017-9841 that is still dwarfed by the June 2024 spike.
Long Term Trends
Figure 3 shows traffic for the top 20 CVEs by all-time traffic, followed by a monthly average of the remaining CVEs.
Several CVEs had significant upticks in volume this month, of which CVE-2017-9841 is the most notable. CVE-2019-9082 has broken from its otherwise downward trend, CVE-2022-47945 has seen revived interest, and CVE-2024-4577 has continued its upward trend. The biggest falloff in volume was by CVE-2023-23752. Time will tell if this falloff is the beginning of a downward trend here.

Figure 3. Evolution of vulnerability targeting in the last twelve months. This view accentuates the recent changes in CVE activity, of which CVE-2017-9841 is the most notable.
Conclusions
Most CVEs saw upward trends in volume this month. Exploitation of PHPUnit was back at the #1 spot for activity, and Mirai continues to exploit TBK DVRs. We recommend that enterprises consider taking action to replace TP-Link routers in use by remote working employees. Finally, we saw that in general 1% of exploitation requests are single-stage exploits and explained the nuance of this statistic.
Appendix: Details on Mirai Variants
Further analysis of the website at hxxp://154.18.239.232 found several more platform-specific compilations of the same Mirai variant. All of these were submitted to VirusTotal. Of the variants, the .x86 and .spc versions had been submitted previously. The checksums of the other platform variants are listed below, and can be used to view the VirusTotal analyses.
URL: (defanged) hxxp://154.18.239.232
This IP is in the netblock 154.18.239.0/24 which is registered to Cogent, and then to UltaHost, a global hosting provider. This particular netblock is registered with an address of Jurong, Singapore.
By loading the URL hxxp://154.18.239.232/hide/ we were able to get a directory listing which included several versions of the malware we had observed being fetched.

The files were all timestamped 2025-02-26 22:29.