In reports to clients last week, Cyble analyzed over 60 IT and industrial control system (ICS) vulnerabilities to identify high-priority fixes for security teams.
The vulnerabilities included 16 critical vulnerabilities and eight that were the target of exploits circulating on underground and dark web forums.
From the list, Cyble researchers identified nine IT vulnerabilities that can lead to system compromise and data breaches, as well as high-priority ICS vulnerabilities in Pixmeo DICOM and Hitachi Energy products.
These are the nine high-priority IT vulnerabilities identified by Cyble vulnerability intelligence researchers.
CVE-2025-31324 is a 10.0-severity vulnerability affecting SAP NetWeaver’s Visual Composer component, specifically the Metadata Uploader function. Attackers could potentially send specially crafted HTTP POST requests to a vulnerable endpoint, uploading malicious files (often JSP web shells) to directories accessible via the web server. Once uploaded, these web shells could allow attackers to execute arbitrary operating system commands, maintain access, and further compromise the SAP environment.
The vulnerability has been actively exploited in the wild since at least late April 2025, with evidence of attacks targeting manufacturing and critical infrastructure sectors. Notably, Chinese nation-state threat actors have been linked to exploitation campaigns leveraging the vulnerability for espionage and persistent access, while recent reports indicate that the Russian ransomware group BianLian and the operators of the RansomEXX ransomware family have also exploited the flaw in their campaigns.
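As an added illustration (not Cyble's or SAP's code), the following Python scans web-server access logs for the exploitation pattern described above: a POST to the Metadata Uploader endpoint followed by requests from the same client to a .jsp resource, which is how a dropped web shell shows up from the server's side. The log lines are constructed samples, and the uploader path is an assumption not taken from this page; verify it against SAP's advisory before relying on it.

```python
import re
from datetime import datetime

# Assumed endpoint path for the Metadata Uploader; it is not given on the page,
# so verify it against SAP's advisory before using this in production.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Common/combined access-log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one client POSTs to the uploader and then calls a .jsp;
# a second client only browses the portal and fetches an unrelated .jsp page.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2025:12:00:01 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/May/2025:12:00:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 87',
    '198.51.100.7 - - [10/May/2025:12:01:30 +0000] "GET /irj/portal HTTP/1.1" 200 4096',
    '198.51.100.7 - - [10/May/2025:12:01:45 +0000] "GET /irj/login.jsp HTTP/1.1" 200 2048',
]

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?", 1)[0].lower()  # drop the query string
    return ev

def find_webshell_chains(lines):
    """Return (client_ip, first_upload_time, jsp_path) for every client that
    POSTed to the uploader endpoint and afterwards requested a .jsp resource."""
    first_upload = {}  # client ip -> timestamp of its first uploader POST
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"] == UPLOADER_PATH:
            first_upload.setdefault(ev["ip"], ev["ts"])
        elif ev["path"].endswith(".jsp") and ev["ip"] in first_upload:
            if ev["ts"] >= first_upload[ev["ip"]]:
                hits.append((ev["ip"], first_upload[ev["ip"]], ev["path"]))
    return hits
```

A hit is a lead to confirm on disk (a .jsp file under the web-accessible directory that was not shipped with the product), not proof of compromise by itself.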
CVE-2025-42999 is a 9.1-severity vulnerability in the SAP NetWeaver Visual Composer Metadata Uploader component. It is classified as an insecure deserialization flaw and could potentially be exploited by a privileged user to upload malicious or untrusted content to the vulnerable endpoint.
CVE-2025-4427 and CVE-2025-4428 are medium- and high-severity vulnerabilities impacting Ivanti Endpoint Manager Mobile (EPMM), a comprehensive mobile device management (MDM) and endpoint security solution designed for enterprises to centrally manage and secure mobile devices, applications, and content across their organization. CVE-2025-4427 could allow attackers to access protected resources via the API without proper credentials, effectively bypassing authentication controls, while CVE-2025-4428 could allow remote attackers to execute arbitrary code on the server. Additionally, both flaws could be chained together, and successful exploitation could lead to unauthenticated remote code execution.
CVE-2025-32756 is a 9.8-severity stack-based buffer overflow vulnerability (CWE-121) affecting multiple Fortinet products, including FortiVoice, FortiNDR, FortiRecorder, and FortiCamera. Remote, unauthenticated attackers could potentially exploit the flaw by sending specially crafted HTTP requests – specifically, maliciously crafted cookies – to the affected device’s HTTP/HTTPS administrative interface.
CVE-2025-22462 is a 9.8-severity bypass vulnerability impacting on-premises deployments of Ivanti Neurons for IT Service Management (ITSM). The flaw could allow remote, unauthenticated attackers to gain full administrative access to affected systems through a low-complexity attack without needing valid credentials or prior access.
CVE-2025-3462 and CVE-2025-3463 are high- and critical-severity vulnerabilities in ASUS DriverHub, a utility for updating drivers on ASUS motherboards. CVE-2025-3462 stems from weak origin validation, potentially allowing attackers to bypass security checks by crafting malicious domains that mimic the official ASUS update site. CVE-2025-3463 involves improper certificate validation, potentially allowing untrusted sources to manipulate the update process. To exploit these flaws, an attacker could trick users into visiting a malicious website, which then sends forged requests to the local DriverHub service, causing it to silently download and execute malicious payloads with administrative privileges.
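As an added example (not ASUS code) of the weak origin validation described for CVE-2025-3462, here is a substring-style Origin check beside the strict check a local service that accepts browser requests should use. The trusted hostname is assumed for illustration; the page does not give DriverHub's real allow-list.

```python
from urllib.parse import urlsplit

# Assumed trusted update origin for illustration; the page does not give
# DriverHub's real allow-list.
TRUSTED_HOST = "driverhub.asus.com"

def weak_origin_check(origin):
    """The weak pattern: accept any Origin that merely *contains* the trusted
    name, so a look-alike host or a path containing the name also passes."""
    return origin is not None and TRUSTED_HOST in origin

def strict_origin_check(origin):
    """Hardened check: Origin must be exactly https://<trusted host> (host compared
    case-insensitively, default port, no credentials, path, query or fragment)."""
    if not origin or origin == "null":
        return False  # absent or opaque Origin: deny by default
    parts = urlsplit(origin)
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    try:
        if parts.port not in (None, 443):
            return False
    except ValueError:  # malformed port such as ":abc"
        return False
    return (parts.hostname or "").lower() == TRUSTED_HOST
```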
Of 31 ICS vulnerabilities examined by Cyble last week, flaws from Hitachi Energy and Pixmeo stood out.
The Pixmeo OsiriX MD vulnerabilities stand out due to their potential impact on the healthcare sector. OsiriX MD is a widely used DICOM viewer and medical image processing software deployed in hospitals and radiology centers for viewing, analyzing, and managing medical imaging data such as CT, MRI, and PET scans. Versions 14.0.1 (Build 2024-02-28) and earlier are vulnerable to critical issues, including Use After Free and Cleartext Transmission of Sensitive Information.
Successful exploitation of these flaws could allow an attacker to cause memory corruption, leading to a denial-of-service (DoS) condition that disrupts clinical operations or to credential theft, potentially granting unauthorized access to sensitive patient data or medical systems. Cyble researchers have identified publicly exposed OsiriX instances accessible over the internet, making them potentially attractive targets for attackers and raising concerns about healthcare data security and operational resilience.
Multiple critical and high-severity vulnerabilities have been identified in Hitachi Energy’s Service Suite, specifically affecting versions 9.8.1.3 and prior. Service Suite is a comprehensive software platform used in the energy sector to manage maintenance, engineering, and network systems operations. The disclosed CVEs include significant issues such as HTTP Request Smuggling, Use of Less Trusted Sources, Integer Overflows, Out-of-Bounds Access, and Sensitive Information Exposure.
These flaws could potentially lead to unauthorized access, data leakage, service disruption, or remote code execution. Given the software’s role in operational technology environments, prompt patching is crucial for preventing exploitation, maintaining system integrity, and safeguarding critical infrastructure from potential cyber threats that could disrupt energy delivery and reliability.
The week of May 12-16 saw an unusually high number of critical vulnerabilities, partly due to vendors reporting vulnerabilities on Patch Tuesday, the second Tuesday of the month. The significant threat posed by the vulnerabilities underscores the importance of cybersecurity best practices and good cyber hygiene, which can help guard against a wide range of threats.
Those security practices include comprehensive, risk-based vulnerability management; segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans.
Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. Get a free external threat profile for your organization.