The wide range of vulnerabilities highlighted this week reveals the constant pressure security teams face to protect the attack surface.
Cyble Vulnerability Intelligence researchers tracked 737 vulnerabilities over the last week, and more than 145 of the disclosed vulnerabilities already have publicly available Proof-of-Concepts (PoCs), just below the 21% exploitation rate observed by Cyble last week.
Of the hundreds of IT and industrial control system (ICS) vulnerabilities examined this week, Cyble researchers flagged more than a dozen vulnerabilities for high-priority attention by security teams.
The following are highlights from Cyble vulnerability intelligence, sensor intelligence, and ICS vulnerability reports sent to clients this week.
The week’s top IT vulnerabilities affected various commercial and open-source products, including security products, databases, Apple devices, and WordPress plugins.
CVE-2025-54419 is a 10.0-severity Improper Authentication and Verification of Cryptographic Signature vulnerability in the Node-SAML library (versions 5.0.1 and below), which is widely used for SAML 2.0 authentication in Node.js applications. In version 5.0.1, Node-SAML loads the assertion from the (unsigned) original response document, which could potentially allow an attacker to modify authentication details within a valid SAML assertion. The flaw is fixed in version 5.1.0.
CVE-2014-125115 is a recently published 10.0-severity unauthenticated SQL injection vulnerability found in Pandora FMS IT monitoring software, in version 5.0 SP2 and earlier. The mobile/index.php endpoint fails to properly sanitize user input in the loginhash_data parameter, which could allow attackers to extract administrator credentials or active session tokens via crafted requests. If authentication is bypassed, a second vulnerability in the File Manager component could allow arbitrary PHP file uploads, potentially allowing authenticated users to upload web shells into a publicly accessible directory for remote code execution.
CVE-2025-6965 is a 7.2-rated memory corruption vulnerability in SQLite versions before 3.50.2. It potentially allows an attacker to manipulate the database or execute arbitrary code by exploiting the improper handling of aggregate functions in queries.
CVE-2025-40599 is a 9.1-rated authenticated arbitrary file upload vulnerability in the web management interface of SonicWall Secure Mobile Access (SMA) 100 series appliances. It could allow an attacker with administrative privileges to upload malicious files, potentially leading to remote code execution (RCE) and whole device compromise.
CVE-2025-40600 is a critical use of an externally controlled format string vulnerability in the SonicOS SSL VPN interface of SonicWall Gen7 firewall devices. The vulnerability could allow a remote unauthenticated attacker to cause a denial of service (DoS) by exploiting the SSL VPN interface, potentially taking firewall services offline and disrupting secure remote access.
CVE-2025-31199, recently disclosed by Microsoft Threat Intelligence, impacts Apple devices, including macOS Sequoia, iOS/iPadOS 18.4, and visionOS 2.4. The Insertion of Sensitive Information into Log File flaw could allow unauthorized sensitive data exposure via application logs, which could leak private information if exploited.
This week, Cyble honeypot sensors detected active exploitation attempts against two WordPress plugin vulnerabilities.
CVE-2025-3102 is an authentication bypass vulnerability in the SureTriggers All-in-One Automation Platform plugin for WordPress in all versions up to and including 1.0.78. This flaw stems from a missing check for empty values in the authenticate_user function, specifically affecting the secret_key parameter. As a result, when the plugin is installed and activated without being configured with an API key, unauthenticated attackers could potentially exploit the vulnerability to create administrator accounts on the affected website.
CVE-2025-27007 is a privilege escalation vulnerability in the Brainstorm Force SureTriggers plugin for WordPress due to incorrect privilege assignment. The issue affects all versions from the initial release up to version 1.0.82, and could potentially allow unauthorized users to gain elevated privileges on the affected site.
Meanwhile, Cyble dark web researchers investigated a half-dozen vulnerability exploits under discussion by threat actors on underground forums.
The discussed vulnerabilities included:
CVE-2025-53770, a critical zero-day vulnerability in Microsoft SharePoint that could allow unauthenticated remote code execution (RCE) via insecure deserialization of untrusted data. The flaw has been actively exploited in the wild, enabling attackers to gain complete control over affected SharePoint servers.
CVE-2025-8044, a critical memory corruption vulnerability affecting Mozilla Firefox 140 and Thunderbird 140. The vulnerability arises from memory safety bugs that, if exploited, could allow a remote attacker to execute arbitrary code on the affected system, potentially leading to full system compromise or significant data leakage.
CVE-2025-20309, a critical vulnerability in specific Engineering Special (ES) releases of Cisco Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (SME). The flaw is caused by hardcoded root account credentials intended for development that cannot be changed or removed. An attacker could exploit the vulnerability through an unauthenticated SSH login, potentially gaining full root privileges and the ability to execute arbitrary commands remotely.
CVE-2025-47981, a critical heap-based buffer overflow vulnerability in the Windows SPNEGO Extended Negotiation (NEGOEX) protocol, which could potentially allow unauthenticated, remote attackers to execute arbitrary code on affected Windows systems over the network.
Of 21 ICS vulnerabilities examined by Cyble this week, vulnerabilities in two products stood out.
Samsung’s HVAC DMS platform contains a concentrated cluster of four distinct path traversal vulnerabilities (CVE-2025-53079, CVE-2025-53080, CVE-2025-53081 and CVE-2025-53082), all affecting the same product series (versions 2.0.0 to 2.3.13.0, versions 2.5.0.17 to 2.6.14.0, and versions 2.7.0.15 to 2.9.3.5), indicating a systemic weakness in file path validation within a critical building automation system used in Commercial Facilities and Critical Manufacturing.
A Honeywell product line, Experion PKS, is tied to six different CWE types across six CVEs, all affecting five critical infrastructure sectors simultaneously, including Energy, Water and Wastewater, and Healthcare. This raises the possibility that multi-vector exploitation of a single OT product could lead to cascading impacts across interdependent sectors. The vulnerabilities affect all Experion PKS releases before R520.2 TCU9 Hot Fix 1 and all releases before R530 TCU3 Hot Fix 1, and include CVE-2025-2520, CVE-2025-2521, CVE-2025-2522, CVE-2025-2523, CVE-2025-3946, and CVE-2025-3947.
This week’s vast array of critical and high-severity vulnerabilities highlights security teams’ challenges in keeping up with vulnerabilities across various products and environments. Cyble data shows that one in five vulnerabilities is exploited in its first week, so security teams need a risk-based vulnerability management program to guide their mitigation efforts more than ever.
Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans.
Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes. They can also monitor for leaked credentials and other early warning signs of major cyberattacks. Get a free external threat profile for your organization today.