IT Vulnerability Report: Mac, Windows Fixes Urged by Cyble
Cyble analyzed 26 vulnerabilities and investigated 14 dark-web exploit claims, identifying eight high-risk vulnerabilities that should be prioritized for remediation, affecting Windows, macOS and other systems, and noting active exploitation activity on underground forums. 2025-3-3 12:31:7 Author: cyble.com

Overview

Cyble’s vulnerability intelligence unit examined 26 vulnerabilities in recent reports to clients and also investigated 14 vulnerability exploits claimed by threat actors on the dark web.

Cyble identified eight vulnerabilities that security teams should prioritize for fixes, including vulnerabilities affecting Windows, macOS, OpenSSH, PAN-OS, and Citrix NetScaler. Here are some highlights from those reports.

The Top IT Vulnerabilities

Here are the eight vulnerabilities highlighted by Cyble researchers for priority patching and mitigation.

CVE-2024-34331: This critical vulnerability in Parallels Desktop for Mac stems from a lack of code signature verification, which allows attackers to escalate privileges via a crafted macOS installer. Two recently published public exploits have raised the profile of this vulnerability, and because the Parallels Service runs with setuid root privileges, it potentially offers attackers elevated system access, making it a significant concern.

CVE-2025-24101: This vulnerability in macOS versions prior to macOS Sequoia 15.3 could allow malicious applications to potentially access sensitive user data due to inadequate redaction mechanisms.

CVE-2025-21420: This 7.8-severity elevation of privilege vulnerability affects the Windows Disk Cleanup Tool and arises from insufficient input validation. It enables malicious code execution and allows attackers to gain higher system privileges, potentially compromising sensitive data or installing malware.

CVE-2025-0108, CVE-2025-0111, and CVE-2024-9474: These vulnerabilities in Palo Alto Networks’ PAN-OS pose significant security risks. CVE-2025-0108 allows unauthenticated attackers to bypass authentication for the management web interface, while CVE-2025-0111 enables authenticated users to read sensitive files on the system. CVE-2024-9474 is a privilege escalation vulnerability that allows administrators to execute commands with root privileges. Researchers recently observed CVE-2025-0111 being chained with CVE-2025-0108 and CVE-2024-9474 in active attacks to breach PAN-OS firewalls. All three vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

CVE-2025-26465: This critical vulnerability in OpenSSH could allow attackers to conduct man-in-the-middle (MitM) attacks when the VerifyHostKeyDNS option is enabled. The option is designed to enhance security by verifying server host keys through DNS, but when it is active an attacker can exploit the flaw to impersonate a legitimate server and bypass the client’s identity checks. Cyble has detected more than 19 million internet-facing instances that are potentially exposed to this vulnerability (chart below).
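Because the exposure described above depends on a single client option, the first thing a defender wants is a reliable way to find out where VerifyHostKeyDNS is actually turned on. The following is an added example, not code from Cyble or from the OpenSSH project: it parses ssh_config-style text and reports both the blocks that set the option to `yes` or `ask` and the value that would take effect for a given hostname. It implements the ssh_config rules that matter for this check (keywords are case-insensitive, `Host` and `Match` start new blocks, and for each keyword the first value obtained wins, so a global `VerifyHostKeyDNS no` only protects hosts if it appears before any block that enables the option). The two configuration texts are constructed samples, and the fallback value `no` is the upstream OpenSSH default; a distribution may ship a different default in its system-wide ssh_config, so audit that file as well.

```python
"""Audit OpenSSH client configuration for VerifyHostKeyDNS (CVE-2025-26465).

Constructed example for this article, not Cyble's or OpenSSH's code.
Host patterns are matched with shell-style wildcards (* and ?) and '!'
negation, as ssh_config does; Match blocks are treated conservatively
as applying to every host, so they may be over-reported but never missed.
"""
import fnmatch
import re

KEYWORD = "verifyhostkeydns"
UNSAFE_VALUES = {"yes", "ask"}  # both make the client consult SSHFP records in DNS
UPSTREAM_DEFAULT = "no"         # assumption: upstream OpenSSH default when unset

# Constructed sample: per-host settings enable the option, the global
# "no" comes last and therefore does not shadow them.
SAMPLE_CONFIG = """\
Host bastion
    HostName bastion.example.test
    VerifyHostKeyDNS yes

Host legacy-*
    User deploy
    verifyhostkeydns ask

Host *
    StrictHostKeyChecking ask
    VerifyHostKeyDNS no
"""

# Constructed sample of the hardened ordering: the global "no" is obtained
# first, so the stale per-host "yes" below it has no effect.
HARDENED_CONFIG = """\
Host *
    VerifyHostKeyDNS no

Host bastion
    HostName bastion.example.test
    VerifyHostKeyDNS yes
"""


def parse_blocks(text):
    """Split ssh_config text into (patterns, {keyword: value}) in file order.

    Options before any Host/Match line belong to an implicit 'Host *' block.
    Within a block the first occurrence of a keyword is kept (ssh ignores
    later duplicates), which keeps 'first obtained value wins' exact.
    """
    current = (["*"], {})
    blocks = [current]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = ([p.lower() for p in value.split()], {})
            blocks.append(current)
        elif key == "match":
            current = (["*"], {})  # conservative: assume the Match can apply
            blocks.append(current)
        else:
            current[1].setdefault(key, value.lower())
    return blocks


def _block_matches(patterns, hostname):
    """Apply ssh_config Host pattern semantics: any negated pattern that
    matches excludes the host; otherwise some positive pattern must match."""
    host = hostname.lower()
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(host, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in positive)


def effective_setting(text, hostname):
    """Return the VerifyHostKeyDNS value ssh would use for `hostname`."""
    for patterns, options in parse_blocks(text):
        if _block_matches(patterns, hostname) and KEYWORD in options:
            return options[KEYWORD]  # first obtained value wins
    return UPSTREAM_DEFAULT


def exposed_hosts(text):
    """List (host patterns, value) for every block that turns the option on,
    whether or not an earlier block shadows it; stale lines still deserve
    removal so a later edit to the global block cannot re-expose them."""
    return [(" ".join(patterns), options[KEYWORD])
            for patterns, options in parse_blocks(text)
            if options.get(KEYWORD) in UNSAFE_VALUES]


if __name__ == "__main__":
    for name, cfg in (("SAMPLE_CONFIG", SAMPLE_CONFIG), ("HARDENED_CONFIG", HARDENED_CONFIG)):
        print(f"{name}: blocks enabling VerifyHostKeyDNS -> {exposed_hosts(cfg)}")
        for host in ("bastion", "legacy-db01", "other.host"):
            print(f"  {host}: effective VerifyHostKeyDNS = {effective_setting(cfg, host)}")
```

Running the module prints the audit for both constructed samples; in practice you would feed it the contents of `~/.ssh/config` and `/etc/ssh/ssh_config` for each managed client. The point the second sample makes is that the fix is not just setting `VerifyHostKeyDNS no` somewhere, but setting it where it is obtained first, and then removing the per-host `yes`/`ask` lines that `exposed_hosts` still reports.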


CVE-2024-12284: This 8.8-severity vulnerability affecting Citrix’s NetScaler Console and NetScaler Agent could allow authenticated attackers to execute commands without proper authorization due to inadequate privilege management. Exploitation requires existing access to the NetScaler Console, which limits the attack surface primarily to authenticated users.

Vulnerability Exploits on Underground Forums

These are some of the exploits Cyble dark web researchers observed under discussion by threat actors on cybercrime and underground forums.

CVE-2025-0366: A high-severity vulnerability affecting the Jupiter X Core plugin for WordPress. The vulnerability allows for Local File Inclusion (LFI) and can lead to Remote Code Execution (RCE) in all versions up to 4.8.7.

CVE-2024-49138: A critical vulnerability affecting the Windows Common Log File System (CLFS) driver, identified as an Elevation of Privilege (EoP) vulnerability due to a heap-based buffer overflow. This flaw allows attackers to escalate their privileges to the SYSTEM level without user interaction, posing significant risks to Windows systems.

CVE-2025-24472: A high-severity authentication bypass vulnerability affecting Fortinet’s FortiOS and FortiProxy products could allow remote attackers to gain super-admin privileges by sending specially crafted Cooperative Security Fabric (CSF) proxy requests.

CVE-2025-24016: An unsafe deserialization vulnerability affecting Wazuh servers, an open-source unified XDR and SIEM platform, could be exploited by an attacker injecting an unsanitized dictionary into DAPI requests or responses, potentially leading to arbitrary Python code execution.

Cyble also observed a threat actor (TA) claiming to offer a zero-day exploit for a vulnerability present in multiple versions of VMware ESXi that could allow an attacker to escape from the sandbox to the host. The TA quoted a price of USD 150,000 for the exploit.

Cyble Recommendations

To protect against these vulnerabilities and exploits, Cyble recommends that organizations implement the following best practices:

  • Regularly update all software and hardware systems with the latest patches from official vendors.
  • Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
  • Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
  • Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents, including ransomware-resistant backups. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
  • Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
  • Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.
  • Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.

Conclusion

Security teams should prioritize actively exploited vulnerabilities—and those at high risk of exploitation—when determining their patching efforts. They should also consider other indicators of risk, such as web exposure and data and application sensitivity.

Implementing strong security practices is essential for protecting sensitive data and maintaining system integrity. A comprehensive threat intelligence solution like Cyble can monitor for threats, exposures, and leaks specific to your environment, giving you the ability to respond quickly to events before they become more significant incidents.

To access complete IT vulnerability and other reports from Cyble, click here.


Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented “as is” without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue.

No Liability for Errors or Omissions: Due to the dynamic nature of cyber threat activity, this [blog/report/article] may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.


Source: https://cyble.com/blog/it-vulnerability-mac-windows-fixes-urged-by-cyble/