Cyble vulnerability intelligence researchers highlighted several high-risk IT and ICS vulnerabilities this week, including some that are actively targeted in attack attempts detected by Cyble honeypot sensors.
As the week also included Patch Tuesday for many vendors, several new critical vulnerabilities emerged, including some that are already under active attack or are being actively discussed by threat actors on the dark web.
What follows is a sampling of Cyble’s IT, ICS and sensor intelligence reports delivered to clients this week.
Cyble’s network of honeypot sensors detected attack attempts on dozens of vulnerabilities this week. Here are some of the targeted vulnerabilities picked up by Cyble sensors:
Versa Concerto SD-WAN has an authentication bypass issue tracked as CVE-2025-34026, which stems from a flaw in the Traefik reverse proxy setup. The vulnerability could potentially allow attackers to reach admin endpoints like the Actuator interface, which could reveal sensitive data such as heap dumps and logs. Versions 12.1.2 to 12.2.0 are known to be affected. It was one of three Versa Concerto vulnerabilities patched recently.
CVE-2024-28987 affects SolarWinds Web Help Desk (WHD) software. The hardcoded credentials vulnerability could allow remote unauthenticated attackers to access internal functionality and modify data, exposing systems to unauthorized access and potential data manipulation.
CVE-2024-21136 is a high-severity vulnerability in Oracle Retail Xstore Office (versions 19.0.5, 20.0.3, 20.0.4, 22.0.0, and 23.0.1) that could potentially allow unauthenticated attackers with HTTP access to gain unauthorized access to sensitive data. Because the vulnerability involves a scope change, exploitation could also affect other products.
CVE-2024-7593 is a vulnerability in Ivanti Virtual Traffic Manager (vTM) that could potentially allow a remote, unauthenticated attacker to bypass admin panel authentication due to a flawed implementation of the authentication algorithm.
Cyble vulnerability intelligence researchers also flagged several vulnerabilities under active exploitation or at high risk of exploitation.
Microsoft’s June 10 Patch Tuesday update included a zero-day vulnerability – CVE-2025-33053 – in WebDAV that the APT group Stealth Falcon has actively exploited in a cyber espionage campaign. The vulnerability was added to CISA’s Known Exploited Vulnerability (KEV) catalog, along with CVE-2025-24016, which is being actively exploited by two distinct Mirai botnet variants to compromise vulnerable Wazuh servers.
CVE-2025-22455 and CVE-2025-5353 are new high-severity vulnerabilities affecting Ivanti Workspace Control (IWC), a widely used tool for centralized desktop and application management in enterprise environments. Both vulnerabilities stem from flawed cryptographic key management and require local authenticated access for exploitation. Successful exploitation could result in credential compromise and significant system-level impact.
CVE-2025-49113 is a remote code execution (RCE) vulnerability with a severity score of 9.9 in Roundcube Webmail, affecting versions before 1.5.10 and 1.6.x before 1.6.11. The flaw is triggered when an authenticated user manipulates the _from parameter in the program/actions/settings/upload.php file, leading to PHP object deserialization and potentially allowing attackers to execute arbitrary code on the server. Cyble dark web researchers observed threat actor discussions aimed at exploiting the vulnerability.
CVE-2024-55591 is a critical authentication bypass vulnerability in Fortinet’s FortiOS and FortiProxy that could potentially allow unauthenticated, remote attackers to send specially crafted requests to the Node.js websocket module and gain super-admin privileges. CVE-2024-21762 is a critical out-of-bounds write vulnerability in Fortinet’s FortiOS and FortiProxy that could enable attackers to execute arbitrary code via crafted HTTP requests. Researchers recently claimed with moderate confidence that the Qilin ransomware group is now leveraging Fortinet flaws, including CVE-2024-21762 and CVE-2024-55591, to bypass authentication and remotely run malicious code on targeted systems.
CVE-2025-20286 affects Cisco Identity Services Engine (ISE), particularly when the Primary Administration node is deployed in the cloud. The flaw stems from improperly generated credentials during cloud deployment, resulting in identical credentials being shared across different instances. Successful exploitation could allow an attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems.
Cyble also observed threat actors on underground forums discussing vulnerabilities in Apache Tomcat and the Linux kernel, raising the possibility that the vulnerabilities could be exploited. They include CVE-2025-31650, a high-severity vulnerability in Apache Tomcat caused by improper input validation of malformed HTTP/2 Priority headers, and CVE-2025-37752, a vulnerability in the Linux kernel affecting the network scheduler component, specifically the Stochastic Fairness Queueing (SFQ) scheduler implementation in the sch_sfq module.
Cyble also observed a threat actor (TA) selling a zero-click exploit that allegedly affects Microsoft Windows OS. The TA claimed that the exploit weaponizes the vulnerability known as SMBGhost (SMBv3) and leads to Remote Code Execution (RCE), granting the attacker full system-level access. The TA was asking USD 2.5 million for the exploit.
Cyble researchers also examined 11 industrial control system (ICS) vulnerabilities – three of which were rated critical.
CVE-2025-30184 and CVE-2025-30515 are 9.3-rated vulnerabilities that affect CyberData 011209 SIP Emergency Intercom versions prior to 22.0.1. The Authentication Bypass and Path Traversal vulnerabilities, included in a CISA advisory, are exploitable remotely and have low attack complexity.
CVE-2020-35198 is an old Wind River VxWorks 7 vulnerability that was most recently found in multiple versions of Hitachi Energy Relion 670, Relion 650, and SAM600-IO products.
The high number of vulnerabilities highlighted this week underscores the wide range of attack vectors available to threat actors – and the vigilance required by security teams to defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts.
Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans.
Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. Get a free external threat profile for your organization today.