The Week in Vulnerabilities: Threat Actors Claim Exploits, Zero Days
Cyble has detected new attack campaigns and exploits and zero days for sale on the dark web, tracking 908 vulnerabilities, 188 of which have public PoCs. Key vulnerabilities include Cisco remote code execution, Apple memory corruption, and Trend Micro management console remote code execution. The ICS sector is also affected, with multiple high-severity vulnerabilities in Siemens and Rockwell Automation products. Security teams need measures such as risk-based vulnerability management to respond to these threats. 2025-8-25 10:30:47 Author: cyble.com

Cyble has detected new attack campaigns and threat actors claiming to offer vulnerability exploits and zero days for sale on the dark web.

Cyble Vulnerability Intelligence researchers tracked 908 vulnerabilities in the last week, and more than 188 of the disclosed vulnerabilities already have publicly available Proofs-of-Concept (PoCs), in line with recent trends observed by Cyble. 

105 vulnerabilities were rated as critical under CVSS v3.1, while 25 received a critical severity rating under the newer CVSS v4.0 scoring system. 

What follows are some of the more significant vulnerabilities investigated by Cyble researchers in the last week, including some under active discussion by threat actors on underground forums. 

The Week’s Top IT Vulnerabilities 

One noteworthy new vulnerability is CVE-2025-20265, a critical remote code execution vulnerability in Cisco Secure Firewall Management Center (FMC) software. The vulnerability could allow unauthenticated attackers to send specially crafted credentials during the RADIUS authentication process, potentially enabling them to inject arbitrary shell commands with elevated privileges. 

Another new vulnerability of note is CVE-2025-43300, an out-of-bounds write vulnerability in certain Apple operating systems that was addressed with improved bounds checking. The issue is fixed in macOS Sonoma 14.7.8, macOS Ventura 13.7.8, iPadOS 17.7.10, macOS Sequoia 15.6.1, iOS 18.6.2 and iPadOS 18.6.2. Processing a malicious image file in vulnerable versions could result in memory corruption. The issue may have been exploited in “an extremely sophisticated attack against specific targeted individuals,” according to Apple, and CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. 

Mozilla released a number of updates for Firefox and Thunderbird, addressing vulnerabilities such as CVE-2025-9187, CVE-2025-9179, CVE-2025-8042, CVE-2025-55031, CVE-2025-54143, and CVE-2025-54145. Among the issues addressed were memory safety bugs, sandbox escapes, unauthorized download bypasses, and FIDO passkey exploitation, potentially allowing arbitrary code execution, sandbox restriction bypass, and security bypass via Bluetooth attacks. 

Vulnerabilities trending in open-source and underground communities because of their severity and exploitability included: 

  • CVE-2025-54948, a critical remote code execution vulnerability in the Trend Micro Apex One management console. It could allow a pre-authenticated remote attacker to upload malicious code and execute arbitrary commands, potentially leading to full system compromise. The vulnerability was added to CISA’s KEV catalog last week. 
  • CVE-2025-25256, a critical OS command injection vulnerability affecting multiple versions of Fortinet FortiSIEM software. It could potentially allow a remote, unauthenticated attacker to execute arbitrary commands or code via specially crafted command-line interface (CLI) requests without requiring user interaction. 
  • CVE-2025-8088, a critical path traversal vulnerability in the Windows version of WinRAR, could allow attackers to craft malicious archive files containing hidden alternate data streams (ADSes) that, when extracted, silently deploy malicious files like DLLs and shortcuts into sensitive system locations such as the Windows startup folder. 
  • CVE-2025-53770, a critical unauthenticated remote code execution vulnerability in on-premises Microsoft SharePoint Server that could allow attackers to execute arbitrary code and steal cryptographic keys. The vulnerability has reportedly been actively exploited in the wild as part of a broader campaign known as “ToolShell.” 

Cyble observed a number of threat actors on cybercrime forums discussing exploits of vulnerabilities, raising the chances the vulnerabilities could be targeted. Some of the vulnerabilities included: 

  • CVE-2025-38236, a high-severity privilege escalation vulnerability in the Linux kernel related to its handling of the MSG_OOB (Out-Of-Band) feature for UNIX domain sockets. The flaw could allow local attackers to manipulate kernel memory through crafted UNIX socket messages using the MSG_OOB flag, leading to kernel memory corruption, privilege escalation to root, and potential full system compromise. 
  • CVE-2025-55188, a vulnerability found in 7-Zip versions prior to 25.01. The flaw arises from improper handling of symbolic links during archive extraction. When extracting archive formats that support symbolic links (such as .zip, .tar, .7z, and .rar), 7-Zip would blindly follow these links. This allows a maliciously crafted archive to cause arbitrary file writes anywhere on the victim’s system, not just inside the extraction folder. 
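The WinRAR and 7-Zip items above are both archive path-containment failures: an extractor that blindly follows a member's path, or a symlink it has already created, writes outside the extraction directory. The following added example (not Cyble's code and not from either project) audits archive members in order, tracking symlinks as they would be created, and rejects any member whose final location would escape the destination. The sample archive is constructed in memory for the demonstration.

```python
import io
import posixpath
import tarfile


def build_archive():
    """Constructed sample: a symlink escaping the destination, a file written
    through that link, and a harmless file. Not a real malicious archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("docs")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"        # points above the extraction dir
        tar.addfile(link)
        payload = b"payload"
        routed = tarfile.TarInfo("docs/startup.lnk")  # lands in ../../outside/
        routed.size = len(payload)
        tar.addfile(routed, io.BytesIO(payload))
        ok = tarfile.TarInfo("readme.txt")
        ok.size = 2
        tar.addfile(ok, io.BytesIO(b"hi"))
    return buf.getvalue()


def _escapes(rel):
    """True if a destination-relative path leaves the extraction directory."""
    return rel.startswith("/") or rel == ".." or rel.startswith("../")


def resolve(path, links):
    """Normalise a member path and substitute any symlink prefix already seen.
    Paths are relative to the extraction directory; loops are bounded."""
    p = posixpath.normpath(path)
    for _ in range(32):
        parts = p.split("/")
        for i in range(len(parts), 0, -1):
            prefix = "/".join(parts[:i])
            if prefix in links:
                p = posixpath.normpath(posixpath.join(links[prefix], *parts[i:]))
                break
        else:
            return p
    return p


def audit_members(archive_bytes):
    """Walk members in archive order and return (name, verdict) for each."""
    links, verdicts = {}, []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for m in tar.getmembers():
            where = resolve(m.name, links)
            bad = _escapes(where)
            if m.issym():
                target = resolve(posixpath.join(posixpath.dirname(m.name), m.linkname), links)
                bad = bad or _escapes(target)
                links[where] = target  # later members routed through it are checked too
            verdicts.append((m.name, "REJECT" if bad else "ok"))
    return verdicts
```

Python 3.12 and later ship the same class of check as tarfile's `filter="data"` extraction filter; the audit above makes the resolution logic visible for archives handled by other tools.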

Cyble also observed threat actors claiming to offer zero-day exploits for the Safari Browser, the KVM hypervisor, and a SYSTEM-level privilege exploit on fully patched Windows 10/11 and Windows Server 2022 systems. 

Cyble honeypot sensors detected several new attack campaigns in the last week, including attempted attacks on CVE-2025-5777, an insufficient input validation flaw in Citrix NetScaler that can result in memory overread when NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. 

ICS Vulnerabilities 

Cyble researchers also examined 709 industrial control system (ICS) vulnerabilities affecting products from multiple vendors, including Siemens, Rockwell Automation, and Güralp Systems. 

Siemens accounted for the majority of vulnerabilities disclosed in the last week in the ICS/OT sector. The disclosures affected a wide range of Siemens products, including engineering platforms, automation modules, and industrial software. Most vulnerabilities were linked to the Critical Manufacturing sector, with varying severity levels from low to critical. 

Of particular concern are the RUGGEDCOM and SCALANCE advisories, which are affected by 9.1-severity Linux kernel vulnerabilities (CVE-2024-47685 and CVE-2023-52832). 

Rockwell Automation was also associated with several disclosed vulnerabilities during the reporting period. Unlike Siemens, vulnerabilities disclosed by Rockwell were more often tied to multi-sector impacts, involving combinations such as Chemical, Energy, Food and Agriculture, and Transportation Systems in addition to Critical Manufacturing. Many of these vulnerabilities were categorized as critical or high severity. 

Conclusion 

With threat actors attempting to exploit hundreds of new vulnerabilities each week, security teams must be able to respond with rapid, well-targeted actions to defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts. 

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. Get a free external threat profile for your organization today. 


Source: https://cyble.com/blog/top-it-vulnerabilities-this-week/