The Week in Vulnerabilities: From IT Systems to Airport Weather Monitoring


Vulnerabilities flagged by Cyble this week cover everything from IT and security products to critical airport weather systems.

Cyble vulnerability intelligence researchers tracked 905 vulnerabilities in the last week, and more than 30 already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood that those vulnerabilities may face real-world attacks. 

A total of 54 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 35 received a critical severity rating based on the newer CVSS v4.0 scoring system. 

Here are some of the IT and ICS vulnerabilities flagged by Cyble threat intelligence researchers as meriting high-priority attention by security teams, including vulnerabilities under discussion by threat actors and three 10.0-severity vulnerabilities in airport weather systems. 

The Week’s Top IT Vulnerabilities 

CVE-2025-12531 is a critical Improper Restriction of XML External Entity Reference vulnerability in IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6, which a remote attacker could exploit to expose sensitive information or consume memory resources. 

CVE-2025-34294 is a high-severity Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Wazuh’s File Integrity Monitoring (FIM). When configured with automatic threat removal, Wazuh contains a TOCTOU race condition that could potentially be exploited for SYSTEM-level arbitrary file or folder deletion and local privilege escalation. 

CVE-2025-12599 is a 10.0-severity cryptographic vulnerability related to the use of hard-coded cryptographic keys in Azure Access Technology’s BLU-IC2 and BLU-IC4 devices through 1.19.5. 


CVE-2025-48703 is a critical remote code execution vulnerability in CentOS Web Panel (CWP) that could potentially allow an unauthenticated attacker who knows a valid non-root username to execute arbitrary commands on the server. The vulnerability has a high impact and is actively exploited, affecting over 200,000 servers worldwide. It was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog this week. 

CVE-2025-41244 is a high-severity local privilege escalation zero-day vulnerability in VMware Tools and VMware Aria Operations that was also added to the CISA KEV catalog this week. A malicious local actor with non-administrative privileges and access to a VM that has VMware Tools installed and is managed by Aria Operations with SDMP enabled could potentially escalate privileges to root on the same VM. 

CVE-2025-59287 continues to generate discussion by security researchers and threat actors, and Cyble honeypot sensors have detected attack attempts on the critical remote code execution vulnerability in Microsoft’s Windows Server Update Services (WSUS). Remote unauthenticated attackers could potentially execute arbitrary code with SYSTEM privileges by exploiting unsafe deserialization of AuthorizationCookie objects. 

CVE-2023-20198 is attracting renewed attention because of an Australian Signals Directorate warning that threat actors are targeting unpatched Cisco devices. The critical vulnerability in the web UI of Cisco IOS XE software could allow a remote, unauthenticated attacker to create an account on the device and gain full administrator privileges, effectively taking full control of the system. The vulnerability affects a large number of internet-exposed Cisco devices. 

Vulnerabilities Discussed on Underground Forums 

Cyble dark web researchers observed several threat actors discussing weaponizing vulnerabilities on cybercrime and underground forums. Vulnerability exploits under discussion include: 

CVE-2025-64095: A critical vulnerability affecting DNN (formerly DotNetNuke), an open-source web content management platform in the Microsoft ecosystem. The flaw exists in the default HTML editor provider in versions prior to 10.1.1. It could allow unauthenticated users to upload files and overwrite existing files without authorization or validation. This can lead to website defacement and potentially enable the injection of cross-site scripting (XSS) payloads when combined with other vulnerabilities. 

CVE-2025-52665: A critical security vulnerability affecting Ubiquiti Inc.’s UniFi Access Application versions 3.3.22 through 3.4.31. The flaw arises from a misconfiguration that exposes a management API without proper authentication, potentially allowing a malicious actor with access to the management network to exploit it. The flaw could enable unauthenticated remote code execution (RCE), potentially allowing attackers to manipulate door access controls, retrieve sensitive information, or gain full control over affected devices. The vulnerability impacts the confidentiality, integrity, and availability of physical access control systems. 

CVE-2025-50168: A high-severity type confusion vulnerability in the Windows Win32K - ICOMP component. This vulnerability could allow an authorized attacker with local access and low privileges to escalate their privileges by causing the system to access a resource using an incompatible type. The flaw lies in the improper validation of user-supplied data, which leads to the type confusion condition. 

CVE-2024-38077: A critical vulnerability found in the Windows Remote Desktop Licensing Service, which poses a significant risk by potentially allowing remote code execution (RCE) on multiple affected Windows Server systems. 

CVE-2025-6440: A critical vulnerability in the WooCommerce Designer Pro plugin for WordPress, specifically affecting all versions up to and including 1.9.26. This flaw could allow unauthenticated attackers to upload arbitrary files, including executable scripts, to a website’s server, potentially leading to remote code execution and full site compromise. 

ICS Vulnerabilities 

Cyble researchers also highlighted critical industrial control system (ICS) vulnerabilities in Survision and Radiometrics products. 

Radiometrics VizAir versions prior to 08/2025 are affected by three 10.0-severity vulnerabilities (CVE-2025-61945, CVE-2025-54863 and CVE-2025-61956). The Insufficiently Protected Credentials and Missing Authentication for Critical Function vulnerabilities could allow attackers to manipulate critical weather parameters and runway settings, mislead air traffic control and pilots, extract sensitive meteorological data, and cause significant disruption to airport operations, leading to hazardous flight conditions. 

CVE-2025-12108 is a critical Missing Authentication for Critical Function vulnerability affecting the Survision License Plate Recognition (LPR) camera. Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code. 

Conclusion 

The wide range of vulnerable cyber and physical systems covered in this week’s report highlights the vast challenges confronting security teams, who must be able to respond with rapid, well-targeted actions to successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts.  

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans.  
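The risk-based prioritization the conclusion calls for can be made concrete: rank findings by evidence of exploitation (KEV listing, observed attacks, public PoC, underground-forum discussion, internet exposure) rather than by CVSS severity alone. The following is an added illustration, not Cyble's tooling; the sample findings reuse this week's CVEs with the attributes the roundup states, while the tier thresholds, SLA days and the internet_exposed asset flag are assumptions.

```python
from dataclasses import dataclass

# Constructed sample data: attributes follow the roundup's wording ("added to
# CISA KEV", "actively exploited", "discussed on underground forums"); fields
# the roundup does not state are left False. internet_exposed describes the
# defender's own asset and is assumed for illustration.
@dataclass
class Finding:
    cve: str
    severity: str             # "critical" or "high", as rated in the roundup
    in_kev: bool = False      # listed in CISA's Known Exploited Vulnerabilities
    exploited: bool = False   # exploitation observed (KEV, honeypots, zero-day)
    public_poc: bool = False
    forum_discussion: bool = False
    internet_exposed: bool = False  # the affected asset is reachable from the internet

# Remediation tiers and SLAs are assumptions for illustration, not a Cyble standard.
SLA_DAYS = {"P1": 2, "P2": 7, "P3": 30, "P4": 90}

def tier(f: Finding) -> str:
    """Assign a remediation tier from exploitation evidence, not CVSS alone."""
    critical = f.severity == "critical"
    if f.in_kev or f.exploited:
        return "P1"   # known exploitation outranks every other signal
    if critical and f.public_poc and f.internet_exposed:
        return "P1"   # weaponizable and reachable
    if critical and (f.public_poc or f.forum_discussion or f.internet_exposed):
        return "P2"
    if critical or (f.severity == "high" and (f.public_poc or f.forum_discussion)):
        return "P3"
    return "P4"

def prioritize(findings):
    """Return (cve, tier, sla_days) ordered by tier, then critical before high."""
    ranked = sorted(findings, key=lambda f: (tier(f), f.severity != "critical", f.cve))
    return [(f.cve, tier(f), SLA_DAYS[tier(f)]) for f in ranked]

SAMPLE = [
    Finding("CVE-2025-48703", "critical", in_kev=True, exploited=True, internet_exposed=True),
    Finding("CVE-2025-41244", "high", in_kev=True, exploited=True),
    Finding("CVE-2025-59287", "critical", exploited=True, forum_discussion=True),
    Finding("CVE-2025-64095", "critical", forum_discussion=True, internet_exposed=True),
    Finding("CVE-2025-50168", "high", forum_discussion=True),
    Finding("CVE-2025-12531", "critical"),
    Finding("CVE-2025-12599", "critical"),
]

if __name__ == "__main__":
    for cve, t, days in prioritize(SAMPLE):
        print(f"{t}  fix within {days:>2} days  {cve}")
```

Note that the high-severity VMware Tools flaw lands in P1 ahead of several critical-rated findings because it is in KEV, which is the point of ranking by exploitation evidence.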

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.
