In its weekly vulnerability report, Cyble identified several IT and industrial control system (ICS) vulnerabilities that pose significant risk and should be prioritized by security teams for patching or mitigation.
The reports examined nearly 60 vulnerabilities in all, and also looked at vulnerabilities discussed by threat actors on the dark web and attack attempts detected by Cyble honeypot sensors.
Here are some of the highest-priority fixes identified by Cyble vulnerability intelligence researchers.
Among the high-priority IT vulnerabilities flagged by Cyble was CVE-2025-29824, a high-severity, actively exploited zero-day vulnerability in the Microsoft Windows Common Log File System (CLFS) driver. It is a use-after-free flaw that allows local privilege escalation – meaning an attacker with access to a compromised system can gain SYSTEM-level privileges. The Play ransomware gang has reportedly exploited the vulnerability to gain SYSTEM privileges and deploy malware on compromised systems. Play was the most active ransomware group targeting the U.S. in April, with 42 claimed victims.
CVE-2025-30065 is a 10.0-severity remote code execution (RCE) vulnerability in the Apache Parquet Java library, specifically the parquet-avro module, affecting versions up to and including 1.15.0. The vulnerability allows attackers to execute arbitrary code on systems that process specially crafted Parquet files. This can potentially compromise data pipelines and analytics environments, especially if files from untrusted sources are ingested. Additionally, a proof-of-concept exploit tool has been publicly released for the flaw, which lowers the bar for attackers to exploit it.
CVE-2025-27007 is a critical privilege escalation vulnerability affecting the OttoKit WordPress plugin (formerly known as SureTriggers), developed by Brainstorm Force. The vulnerability allows remote, unauthenticated attackers to create administrator accounts on vulnerable WordPress sites, potentially leading to full site compromise. Furthermore, the flaw is reportedly actively exploited in the wild, with mass exploitation observed since early May 2025.
Cyble honeypot sensors detected attack attempts against more than 30 vulnerabilities last week. Among the targeted vulnerabilities were:
CVE-2025-1316: A critical Remote Code Execution (RCE) vulnerability in Edimax IC-7100 cameras that has also been added to CISA’s Known Exploited Vulnerability (KEV) catalog. Improper input validation could allow attackers to send specially crafted requests, which can lead to remote code execution on the device.
CVE-2025-32433: A 10.0-severity Missing Authentication for Critical Function vulnerability in Erlang/OTP, the set of libraries and runtime for the Erlang programming language. In versions before OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a flaw in SSH protocol message handling could allow an attacker to execute arbitrary code remotely without authentication. Because no credentials are required, the flaw potentially grants unauthorized access to and control over affected systems.
CVE-2024-21136: A high-severity Remote Access vulnerability in Oracle Retail Xstore Office (versions 19.0.5, 20.0.3, 20.0.4, 22.0.0, and 23.0.1) that could allow unauthenticated attackers with HTTP access to gain unauthorized access to sensitive data. Exploitation may also affect other Oracle Retail products due to a scope change.
CVE-2024-7593: An Authentication Bypass vulnerability in Ivanti Virtual Traffic Manager (vTM) that could allow a remote, unauthenticated attacker to bypass admin panel authentication due to a flawed implementation of the authentication algorithm.
Cyble threat intelligence researchers observed several threat actors sharing exploits and discussing vulnerabilities on underground and cybercrime forums. Among the vulnerabilities discussed were:
CVE-2025-32432: A critical remote code execution (RCE) vulnerability in Craft CMS, affecting versions 3.0.0 to 5.6.16. A deserialization flaw in the asset transform generation feature could potentially allow an unauthenticated attacker to send crafted POST requests that enable them to upload malicious PHP files and execute arbitrary code.
CVE-2025-21756: A high-severity vulnerability in the Linux kernel’s vsock (Virtual Socket) subsystem could lead to a use-after-free condition due to improper handling of socket bindings during transport reassignment. This flaw occurs because the kernel fails to preserve socket bindings until socket destruction, allowing the socket to be accessed after it has been freed. Specifically, the issue arises from incorrect reference counting and removal of socket bindings in functions like vsock_create(), vsock_insert_unbound(), vsock_remove_bound(), and vsock_bind(), which can result in memory corruption and system instability.
CVE-2025-34028: A 10.0-severity path traversal vulnerability in Commvault Command Center Innovation Release (versions 11.38.0 to 11.38.19) that could potentially allow unauthenticated remote attackers to upload malicious ZIP files. When these ZIP files are decompressed on the server, they can lead to remote code execution (RCE) by exploiting a pre-authentication Server-Side Request Forgery (SSRF) in the “deployWebpackage.do” endpoint, enabling execution of malicious .JSP files. The vulnerability is also in CISA’s KEV catalog.
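The Commvault entry above describes an archive that, once decompressed on the server, plants a file outside the intended directory and gets a server page executed. As an added example (not Cyble's or Commvault's code), here is a hardened extraction routine that rejects traversal entries, absolute paths and server-page extensions before writing anything; the sample archive, the blocked-extension list and the destination directory are constructed assumptions.

```python
"""Hardened ZIP extraction: reject path traversal and server-page entries.
Added example; the archive below is constructed for the demo."""
import io
import os
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Assumed policy: never write these from an untrusted upload.
BLOCKED_SUFFIXES = {".jsp", ".jspx", ".war"}


def check_entry(name: str, dest: Path) -> Optional[str]:
    """Return None if the entry may be written under dest, else the reason."""
    if name.endswith("/"):
        return None  # directory entries carry no payload
    if os.path.isabs(name) or name.startswith(("/", "\\")):
        return "absolute path"
    if "\\" in name:
        return "backslash separator"
    target = (dest / name).resolve()  # collapses any '..' components
    if dest.resolve() not in target.parents:
        return "path traversal"
    if target.suffix.lower() in BLOCKED_SUFFIXES:
        return "blocked extension"
    return None


def safe_extract(data: bytes, dest: Path) -> Tuple[List[str], Dict[str, str]]:
    """Write only entries that pass check_entry; return (written, rejected)."""
    written, rejected = [], {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = check_entry(info.filename, dest)
            if reason:
                rejected[info.filename] = reason
                continue
            if info.is_dir():
                continue
            out = dest / info.filename
            out.parent.mkdir(parents=True, exist_ok=True)
            out.write_bytes(zf.read(info))
            written.append(info.filename)
    return written, rejected


def build_sample() -> bytes:
    """Constructed archive: one benign file, one traversal entry, one JSP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/readme.txt", "hello")
        zf.writestr("../../webapps/ROOT/evil.txt", "placeholder")
        zf.writestr("pkg/shell.jsp", "placeholder")
    return buf.getvalue()


def run_demo() -> Tuple[List[str], Dict[str, str]]:
    """Extract the sample into a temporary directory and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample(), Path(tmp))
```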
Cyble also highlighted several critical and high-severity vulnerabilities in industrial control systems (ICS) in a separate report to clients. Among the ICS vulnerabilities flagged by Cyble were:
CVE-2025-4041: A 9.3-severity Use of Hard-coded Credentials vulnerability in Optigo Networks ONS NC600 devices running versions 4.2.1-084 through 4.7.2-330. Cyble said the vulnerability “is particularly notable for its critical severity and potential to disrupt Critical Manufacturing operations. … As this device supports multiple core functions—including acting as a switch, router, firewall, and remote access unit—it introduces a substantial risk to the security and reliability of industrial network communications.”
CVE-2025-35975 and CVE-2025-36521 are high-severity vulnerabilities in MicroDicom DICOM Viewer versions 2025.1 (Build 3321) and prior, which are commonly used in Healthcare and Public Health environments. These vulnerabilities involve out-of-bounds write and read conditions and pose serious risks such as information disclosure, memory corruption, and potential arbitrary code execution. Cyble said the risk “is further elevated by the discovery of vulnerable software instances exposed online, which substantially raises the potential for remote exploitation in active healthcare environments.”
The ever-present threat of vulnerabilities – and malicious actors poised to exploit them – underscores the importance of cybersecurity best practices and good cyber hygiene, which can help guard against a wide range of threats.
Those practices include comprehensive, risk-based vulnerability management; segmentation of critical assets; removal or protection of web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans.
Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. Get a free external threat profile for your organization.