This week’s vulnerability report examines 15 IT and ICS flaws at high risk of exploitation by threat actors.
Cyble Vulnerability Intelligence researchers tracked 1,128 vulnerabilities in the last week; more than 138 of them already have a publicly available Proof-of-Concept (PoC), significantly raising the chances of real-world attacks.
A total of 67 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 22 received a critical severity rating based on the newer CVSS v4.0 scoring system.
Here are some of the IT and ICS vulnerabilities flagged by Cyble threat intelligence researchers in recent reports to clients.
CVE-2025-55754 is an Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Successful exploitation could potentially lead to indirect administrative command execution through console manipulation, risking system integrity and confidentiality if administrators are tricked into executing malicious commands.
CVE-2025-59287 continues to attract the interest of threat actors on underground forums monitored by Cyble, and last week CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and issued a separate alert on the Microsoft out-of-band security update. The critical remote code execution (RCE) vulnerability in Microsoft Windows Server Update Services (WSUS) could allow unauthenticated attackers to execute arbitrary code remotely by exploiting publicly accessible WSUS servers on default TCP ports, potentially enabling lateral movement within enterprise environments.
Other vulnerabilities added to the CISA KEV catalog in the last week include:
One of the week’s highest-rated vulnerabilities is, fortunately, one that has already been fixed for users. CVE-2025-59503 is a 9.9-rated Server-Side Request Forgery (SSRF) vulnerability affecting the Microsoft Azure Compute Resource Provider, specifically the Azure Compute Gallery, that could have allowed an authorized attacker to perform SSRF attacks. The issue has been fixed by Microsoft, which had not detected any exploitation of the vulnerability as of the time of publication.
CVE-2025-55315 is generating significant interest in open-source communities. The 9.9-rated vulnerability in ASP.NET Core, specifically in the Kestrel web server component, involves an inconsistent interpretation of HTTP requests, leading to HTTP request/response smuggling. This flaw could allow an authorized attacker to bypass security features over a network by smuggling an extra HTTP request inside another, potentially enabling actions that would normally require authentication.
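Request smuggling depends on two parsers disagreeing about where one request's body ends. The following check, added here as an illustration rather than Cyble's or Microsoft's code, flags the framing ambiguities a reverse proxy or log review should reject before a request reaches a backend; it demonstrates the general class of defect, not Kestrel's specific parsing bug, whose details the report does not give. The sample requests are constructed.

```python
import re

FRAMING = ("content-length", "transfer-encoding")

def split_headers(raw: bytes) -> list:
    """Return (raw_name, value) pairs from the header block of a raw HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        if b":" in line:
            name, value = line.split(b":", 1)
            pairs.append((name, value.strip()))
    return pairs

def framing_problems(raw: bytes) -> list:
    """List reasons the body length of an HTTP/1.1 request is ambiguous (empty if none)."""
    problems, cl_values, te_values = [], [], []
    for raw_name, value in split_headers(raw):
        name = raw_name.strip().lower().decode("latin-1")
        if name not in FRAMING:
            continue
        # "Transfer-Encoding : chunked": one parser honours it, another ignores it
        if raw_name != raw_name.strip():
            problems.append(f"whitespace around header name {raw_name!r}")
        (cl_values if name == "content-length" else te_values).append(value.decode("latin-1"))
    if cl_values and te_values:
        problems.append("Content-Length and Transfer-Encoding both present (CL.TE / TE.CL)")
    if len(set(cl_values)) > 1:
        problems.append(f"conflicting Content-Length values {cl_values}")
    for v in cl_values:
        if not re.fullmatch(r"[0-9]+", v):
            problems.append(f"non-numeric Content-Length {v!r}")
    for v in te_values:
        if v.lower() != "chunked":      # anything else should be normalised or refused
            problems.append(f"non-canonical Transfer-Encoding {v!r}")
    return problems

# Constructed sample requests (not captured traffic)
CLEAN = b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello"
CL_TE = b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
OBFUSCATED = b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n"
DUP_CL = b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\nContent-Length: 10\r\n\r\nabcd"

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("cl.te", CL_TE), ("obfuscated", OBFUSCATED), ("dup-cl", DUP_CL)]:
        print(label, framing_problems(req))
```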
Cyble researchers observed threat actors on the dark web and underground forums discussing the weaponization of multiple vulnerabilities. They include:
CVE-2025-61984: A vulnerability in OpenSSH (versions prior to 10.1) related to command injection via the ProxyCommand feature when an attacker is able to supply a specially crafted username containing control characters (such as a newline followed by a payload). This could lead to remote code execution on the client system in a specific scenario.
CVE-2025-40778: A high-severity vulnerability affecting BIND 9 DNS resolvers, widely used open-source DNS software. The flaw arises because BIND 9 is too lenient under certain conditions when accepting records in DNS responses, potentially allowing remote, unauthenticated attackers to inject forged DNS records into the resolver’s cache via cache poisoning attacks. This could enable attackers to redirect Internet traffic to malicious sites, distribute malware, intercept network traffic, or disrupt services by supplying attacker-controlled DNS responses.
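The defence against this class of poisoning is a bailiwick check: a resolver caches a record from a response only if the record's owner name sits at or under the zone the answering server is authoritative for. The filter below is an added illustration of that general rule, not Cyble's or ISC's code and not the BIND 9 patch; the zone and resource records are constructed sample data, and the check is label-boundary aware so that "notexample.com" is not mistaken for a child of "example.com".

```python
def labels(name: str) -> list:
    """Split a DNS name into lowercase labels, ignoring the trailing dot."""
    return [label.lower() for label in name.rstrip(".").split(".") if label]

def in_bailiwick(zone: str, owner: str) -> bool:
    """True if owner equals zone or is a subdomain of it (compares whole labels)."""
    z, o = labels(zone), labels(owner)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

def filter_response(zone: str, records: list) -> tuple:
    """Partition (owner, rtype, rdata) records into (accepted, rejected).

    Only accepted records may enter the cache. Passing this check is necessary,
    not sufficient: source-port and ID randomisation, and DNSSEC validation,
    still apply to what is accepted.
    """
    accepted, rejected = [], []
    for rr in records:
        (accepted if in_bailiwick(zone, rr[0]) else rejected).append(rr)
    return accepted, rejected

# Constructed response to a query sent to the example.com nameservers
ZONE = "example.com."
RESPONSE = [
    ("www.example.com.", "A", "192.0.2.10"),       # the answer itself
    ("example.com.", "NS", "ns1.example.com."),    # authority section
    ("ns1.example.com.", "A", "192.0.2.53"),       # in-bailiwick glue
    ("www.bank.example.", "A", "192.0.2.66"),      # unrelated name: never cache
    ("notexample.com.", "A", "192.0.2.77"),        # suffix match only, not a child
]

if __name__ == "__main__":
    ok, dropped = filter_response(ZONE, RESPONSE)
    print("accepted:", [r[0] for r in ok])
    print("rejected:", [r[0] for r in dropped])
```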
CVE-2025-30247: A critical OS command injection vulnerability affecting Western Digital My Cloud firmware prior to 5.31.108 on NAS platforms. The vulnerability could allow remote attackers to execute arbitrary system commands via a specially crafted HTTP POST request to the device’s web interface, without requiring authentication or user interaction.
CVE-2025-9242: A critical out-of-bounds write vulnerability affecting WatchGuard Fireware OS, specifically the iked process that handles IKEv2 VPN services. Successful exploitation could allow a remote, unauthenticated attacker to execute arbitrary code on vulnerable devices, potentially leading to full system compromise.
CVE-2025-49844: Also known as “RediShell,” a critical remote code execution (RCE) vulnerability in the Redis in-memory data store. It is a use-after-free memory corruption bug affecting Redis versions with Lua scripting (up to version 8.2.1). This vulnerability could allow an authenticated user to send a specially crafted Lua script that manipulates the garbage collector and triggers a use-after-free condition, potentially enabling the attacker to escape the Lua sandbox and execute arbitrary native code on the host system.
Cyble vulnerability researchers also flagged three industrial control system (ICS) vulnerabilities at risk of exploitation. They include:
CVE-2025-9574, a 9.9-rated Missing Authentication for Critical Function vulnerability affecting ASKI Energy’s ALS-mini-s4 IP (serial number from 2000 to 5166) and ALS-mini-s8 IP (serial number from 2000 to 5166). Successful exploitation of the vulnerability could allow an attacker to gain full control over the device.
CVE-2025-58428, a Command Injection vulnerability affecting Veeder-Root TLS4B versions prior to 11.A. The 9.9-rated flaw could allow an attacker to achieve remote command execution, full shell access, and potential lateral movement within the network.
CVE-2024-11737, a 9.3-rated Improper Input Validation vulnerability affecting Schneider Electric Modicon Controllers M241 (versions prior to 5.2.11.29), Modicon Controllers M251 (versions prior to 5.2.11.29), Modicon Controllers M258 (versions prior to 5.0.4.19), and Modicon Controllers LMC058 (versions prior to 5.0.4.19). The flaw could allow an attacker to achieve remote command execution, full shell access, and potential lateral movement within the network.
The high number of critical and exploited vulnerabilities this week highlights the need for security teams to be able to respond with rapid, well-targeted actions to successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts.
Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans.
Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.