The Week in Vulnerabilities: Citrix NetScaler Fixes Urged by Cyble
Cyble researchers identified multiple high-risk IT vulnerabilities and zero-day threats, including CitrixBleed 2, a Cisco IOS XE vulnerability, and a WebDAV remote code execution flaw discussed on underground forums. These vulnerabilities could be used to steal sensitive data or take control of critical systems. Security experts recommend strengthening risk-based vulnerability management, adopting Zero-Trust principles, and improving defensive measures. 2025-06-30 05:31:09 Author: cyble.com

In addition to high-risk and actively exploited vulnerabilities, Cyble researchers also observed threat actors on cybercrime forums discussing potential exploits and zero-day vulnerabilities, increasing the chances that those flaws could also be exploited. 

What follows are some highlights from Cyble’s weekly Vulnerability Intelligence and Sensor Intelligence reports. 

The Week’s Top IT Vulnerabilities

Here are some of the IT vulnerabilities flagged by Cyble threat intelligence researchers this week. 

CVE-2025-5777, also known as “CitrixBleed 2” for its similarity to CVE-2023-4966, is a CVSS 9.3 out-of-bounds read vulnerability in NetScaler ADC and NetScaler Gateway appliances that arises from insufficient input validation. It could allow remote, unauthenticated attackers to extract sensitive memory contents, such as session tokens and credentials, from devices configured as Gateway or AAA virtual servers, potentially enabling session hijacking and bypassing multifactor authentication. Because the leaked material can include live session tokens, patching alone does not invalidate sessions that were captured before the upgrade; active sessions should be terminated once the fixed build is installed. 

In parallel, CVE-2025-5349 is a high-severity improper access control flaw affecting the NetScaler Management Interface, which could be exploited by attackers with network access to the device’s management IPs to gain unauthorized elevated access to critical management functions. Both vulnerabilities were covered in the same Citrix security bulletin, which also lists the fixed builds. Cyble has detected 17,000 internet-exposed assets that may be vulnerable to both flaws. 

Also this week, Citrix released fixes for CVE-2025-6543, a 9.2-rated NetScaler ADC and NetScaler Gateway vulnerability that has been under active exploitation in unmitigated appliances. The memory overflow vulnerability could lead to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. 
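The three NetScaler bulletins above land on overlapping but different fixed builds, so a fleet can be patched for CitrixBleed 2 and still exposed to CVE-2025-6543. The following triage script is an added example, not code from Cyble or Citrix: it parses the build strings NetScaler reports (the `show ns version` form `NS14.1 43.56.nc` and the bulletin form `14.1-43.56`) and compares them against a table of first fixed builds. The `FIXED` table is an assumption: it holds the mainline (non-FIPS) fixed builds as I recall them from Citrix’s June 2025 bulletins and must be confirmed against the bulletin before use; FIPS/NDcPP builds and the sample inventory are likewise illustrative.

```python
"""Triage NetScaler ADC / Gateway builds against the first fixed builds for
CVE-2025-5777 (CitrixBleed 2) and CVE-2025-6543.

Added illustration, not Cyble's or Citrix's code.  FIXED is an assumption:
mainline (non-FIPS) fixed builds as recalled from Citrix's June 2025
bulletins; confirm against the bulletin.  FIPS/NDcPP builds are not handled.
"""
import re
from typing import Optional

# branch -> first fixed build (major, minor), per CVE.  ASSUMPTION: verify.
FIXED = {
    "CVE-2025-5777": {"14.1": (43, 56), "13.1": (58, 32)},
    "CVE-2025-6543": {"14.1": (47, 46), "13.1": (59, 19)},
}

# Accepts "NS14.1 43.56.nc" (show ns version) and "14.1-43.56" (bulletin).
_VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)[ -](\d+)\.(\d+)")


def parse_version(text: str) -> Optional[tuple[str, tuple[int, int]]]:
    """Return (branch, (build_major, build_minor)) or None if unparseable."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_vulnerable(version: str, cve: str) -> bool:
    """True unless the build is at or above the first fixed build for its
    branch.  Unparseable input and branches with no listed fix (for example
    an end-of-life branch) are treated as vulnerable: fail closed."""
    parsed = parse_version(version)
    if parsed is None:
        return True
    branch, build = parsed
    fixed = FIXED[cve].get(branch)
    if fixed is None:
        return True
    return build < fixed  # tuple comparison: (43, 56) < (47, 46) is True


def assess(version: str) -> dict[str, bool]:
    """Per-CVE exposure for one build string."""
    return {cve: is_vulnerable(version, cve) for cve in FIXED}


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Map each host to the CVEs it is still exposed to."""
    return {host: [cve for cve, vuln in assess(ver).items() if vuln]
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # constructed sample inventory, not real hosts
    sample = {
        "gw1": "NS14.1 43.56.nc",  # fixed for 5777/5349, not for 6543
        "gw2": "NS14.1 47.46.nc",  # fixed for both
        "gw3": "13.1-58.31",       # one build short of the 5777 fix
        "gw4": "NS13.0 92.21.nc",  # branch without a listed fix
    }
    for host, cves in triage(sample).items():
        print(host, "exposed to:", cves or "nothing")
```

The fail-closed default matters: a build string the parser cannot read, or a branch that is absent from the table, is reported as exposed rather than silently skipped, which is the behaviour you want when the table is incomplete.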

CVE-2023-20198 is an older vulnerability receiving attention this week. The critical vulnerability in the web UI of Cisco IOS XE software could allow remote, unauthenticated attackers to create accounts with full administrative access on affected devices, including routers, switches, and wireless controllers. Recently, the Canadian Centre for Cyber Security, in coordination with the FBI, revealed that the Chinese state-sponsored hacking group Salt Typhoon targeted Canadian telecommunication firms by exploiting the vulnerability. 

Also this week, Cyble honeypot sensors detected attack attempts on CVE-2025-3248, a 9.8-severity Missing Authentication for Critical Function vulnerability in Langflow versions before 1.3.0. The issue lies in the /api/v1/validate/code endpoint, potentially allowing attackers to execute arbitrary code through crafted HTTP requests without authentication. 

Vulnerabilities and Exploits on Underground Forums

Cyble dark web researchers observed threat actors on cybercrime forums discussing several vulnerability exploits and zero days this week. 

Vulnerability exploits under discussion include: 

  • CVE-2025-33053: A critical remote code execution (RCE) vulnerability in the Web Distributed Authoring and Versioning (WebDAV) protocol, an extension of HTTP used for collaborative file management on web servers. The flaw is an external-control-of-file-name-or-path weakness: an unauthorized attacker who can influence the file name or path that WebDAV resolves could execute arbitrary code remotely. Exploitation typically involves tricking a victim into clicking a malicious link or opening a specially crafted file that points to a WebDAV server controlled by the attacker. 
  • CVE-2025-31324: a critical zero-day vulnerability affecting the SAP NetWeaver Visual Composer component, specifically its Metadata Uploader feature. The vulnerability affects SAP NetWeaver Application Server Java systems with Visual Composer Framework 7.1x and above. This vulnerability could allow unauthenticated attackers to upload arbitrary malicious files to the SAP server via the /developmentserver/metadatauploader endpoint, which lacks proper authorization checks. 
  • CVE-2025-6019: a Local Privilege Escalation (LPE) vulnerability found in the libblockdev library used in most Linux distributions. It could allow an attacker with “allow_active” Polkit privileges, typically granted to the active console user, to gain root privileges by exploiting the udisks2 daemon, which manages storage devices. 
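Two of the flaws in this issue, the Langflow CVE-2025-3248 hit seen by Cyble’s honeypots (the unauthenticated /api/v1/validate/code endpoint) and the SAP NetWeaver CVE-2025-31324 flaw discussed above (the unauthorized /developmentserver/metadatauploader endpoint), share a useful property: both live at a fixed URL path, so access logs from the affected product or a fronting proxy can be swept for requests to those paths. The following detector is an added example, not Cyble’s code. The log lines, the trusted network range and the per-path method sets are constructed assumptions for the example; the path normalisation is there because a plain string match misses the obvious evasions (case changes, doubled slashes, percent-encoded characters, query strings).

```python
"""Flag access-log requests to the unauthenticated endpoints named for
CVE-2025-3248 (Langflow) and CVE-2025-31324 (SAP NetWeaver Visual Composer).

Added illustration, not Cyble's code.  SAMPLE_LOG, TRUSTED and the method
sets in WATCHED are constructed assumptions for the example.
"""
import ipaddress
import re
from collections import Counter
from typing import Iterable, Optional
from urllib.parse import unquote, urlsplit

# CVE -> (normalised path, HTTP methods worth flagging).  Assumption: a GET
# against the SAP uploader is a probe, the upload itself is a POST; the
# Langflow endpoint is only ever POSTed to.
WATCHED = {
    "CVE-2025-3248": ("/api/v1/validate/code", {"POST"}),
    "CVE-2025-31324": ("/developmentserver/metadatauploader", {"GET", "POST", "HEAD"}),
}

# Assumption: the product's own UI / admin users come from this range.
TRUSTED = ipaddress.ip_network("10.0.0.0/8")

# Apache/nginx "combined" log format.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jun/2025:10:01:02 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 512
203.0.113.7 - - [24/Jun/2025:10:01:03 +0000] "POST /API/v1//validate/%63ode?x=1 HTTP/1.1" 200 512
10.1.2.3 - - [24/Jun/2025:10:02:00 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 512
198.51.100.9 - - [24/Jun/2025:10:03:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 1024
198.51.100.9 - - [24/Jun/2025:10:03:05 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 1024
203.0.113.7 - - [24/Jun/2025:10:04:00 +0000] "GET /api/v1/version HTTP/1.1" 200 64
"""


def normalize_path(target: str) -> str:
    """Drop the query string, decode percent-encoding (twice, to catch
    double encoding), collapse duplicate slashes and lowercase, so that
    /API/v1//validate/%63ode?x=1 compares equal to /api/v1/validate/code."""
    path = urlsplit(target).path
    path = unquote(unquote(path))
    path = re.sub(r"/+", "/", path)
    return path.lower()


def classify(line: str) -> Optional[tuple[str, str, int]]:
    """Return (cve, source_ip, status) if the line is a request to a watched
    endpoint, with a relevant method, from outside TRUSTED; else None."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    path = normalize_path(m["target"])
    for cve, (watched, methods) in WATCHED.items():
        if path == watched and m["method"] in methods:
            try:
                trusted = ipaddress.ip_address(m["ip"]) in TRUSTED
            except ValueError:
                trusted = False  # unparseable source: do not trust it
            if not trusted:
                return cve, m["ip"], int(m["status"])
    return None


def scan(lines: Iterable[str]) -> tuple[list[tuple[str, str, int]], Counter]:
    """All hits plus a (source_ip, cve) -> count summary for triage."""
    hits = [h for h in (classify(line) for line in lines) if h]
    by_source = Counter((ip, cve) for cve, ip, _ in hits)
    return hits, by_source


if __name__ == "__main__":
    hits, by_source = scan(SAMPLE_LOG.splitlines())
    for (ip, cve), n in by_source.most_common():
        print(f"{ip} -> {cve}: {n} request(s)")
```

Access logs do not show whether a request carried credentials, so on a version that is still vulnerable every external request to these paths deserves a look, and a 200 from an untrusted source is the line to escalate; on a patched version the same logic still serves as a scan-activity indicator.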

Cyble also observed threat actors claiming to offer zero-day vulnerabilities for sale on cybercrime forums. These include: 

  • A threat actor (TA) offered an exploit allegedly weaponizing a zero-day pre-auth RCE vulnerability affecting Oracle E-Business Suite (EBS). The TA quoted a price of USD $70,000. 
  • A TA offered a zero-day exploit allegedly weaponizing a remote code execution (RCE) vulnerability in Google Chrome for Android devices. In the post, the TA claimed that the exploit is primarily 1-click and targets Android versions 15 and above. 
  • A TA offered an exploit weaponizing an alleged zero-day vulnerability impacting Fortinet FortiGate firewalls (FortiOS 7.2 and below). The TA mentioned that the exploit can automatically target over 170 API endpoints and extract over 150 sensitive data files for information such as firewall policies, VPN sessions, admin credentials, and device backups. 

Conclusion

The number of critical vulnerabilities and zero days this week shows the high risk that IT security teams continually face. 

A risk-based vulnerability management program should be at the heart of defensive efforts, but that won’t stop zero-day threats. Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. Get a free external threat profile for your organization today. 

Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented “as is” without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue.

No Liability for Errors or Omissions: Due to the dynamic nature of cyber threat activity, this [blog/report/article] may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.


Source: https://cyble.com/blog/week-vulnerabilities-citrix-netscaler-urged-cyble/