The Week in Vulnerabilities: AI Frameworks, VMware, and Critical ICS Exposure
Summary: Multiple critical vulnerabilities were recently disclosed affecting AI frameworks, VMware environments, EV charging platforms, and industrial control systems. Cyble's labs tracked 1,452 vulnerabilities, of which 222 have public exploit code (PoC) and 128 were rated critical under CVSS v3.1. CISA added 8 known exploited vulnerabilities and issued 12 ICS advisories. Organizations are advised to prioritize high-risk vulnerabilities, strengthen the security of AI and cloud-native environments, and implement strict authentication and network segmentation.
2026-4-2 10:0:50 Author: cyble.com (view original)

Critical vulnerabilities in AI frameworks, VMware environments, EV charging platforms, and ICS systems show growing risks across enterprise and industrial ecosystems.

Cyble Research & Intelligence Labs (CRIL) tracked 1,452 vulnerabilities last week, reflecting the continued expansion of the global attack surface.  

Of these, 222 vulnerabilities have publicly available Proof-of-Concept (PoC) exploits, significantly accelerating the likelihood of exploitation in real-world environments.  

Additionally, multiple vulnerabilities surfaced across underground forums, with at least 7 actively discussed exploits, indicating strong adversarial interest and rapid weaponization cycles.  

A total of 128 vulnerabilities were rated critical under CVSS v3.1, while 47 were rated critical under CVSS v4.0, highlighting the severity of newly disclosed issues.  

Furthermore, CISA added 8 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.  

On the industrial front, CISA issued 12 ICS advisories covering 150 vulnerabilities, impacting major vendors including FESTO, Schneider Electric, Siemens, and Mitsubishi Electric.  


The Week’s Top Vulnerabilities 

CVE-2026-25769 — Wazuh (Critical) 

CVE-2026-25769 is a critical remote code execution vulnerability in Wazuh caused by the deserialization of untrusted data in cluster deployments.  

Attackers with access to a worker node can send malicious serialized payloads to the master node, resulting in remote code execution with root privileges. This enables full compromise of the centralized security monitoring infrastructure. 

CVE-2026-20131 — Cisco Secure Firewall Management Center (Critical) 

CVE-2026-20131 is a maximum-severity vulnerability allowing unauthenticated attackers to execute arbitrary Java code as root on affected systems.  

The vulnerability is reportedly being exploited by ransomware groups, enabling complete takeover of firewall management systems and downstream enterprise networks. 

CVE-2026-4342 — Kubernetes ingress-nginx (High) 

CVE-2026-4342 is a configuration injection vulnerability that allows attackers to inject malicious configurations via crafted ingress annotations.  

Successful exploitation can lead to remote code execution and exposure of Kubernetes secrets, significantly expanding attacker control across containerized environments. 

CVE-2026-22721 — VMware Aria Operations (High) 

CVE-2026-22721 is a privilege escalation vulnerability that allows attackers with limited access to elevate privileges to administrative levels.  

This enables attackers to manipulate monitoring systems, access sensitive data, and expand control across virtualized infrastructure. 

CVE-2026-33309 — Langflow AI Framework (Critical) 

CVE-2026-33309 is a critical vulnerability affecting Langflow, an AI workflow framework, enabling attackers to compromise application logic and underlying infrastructure.  

The flaw highlights the emerging attack surface in AI-driven platforms, where exploitation can lead to credential theft and full system compromise. 

Vulnerabilities Added to CISA KEV 

CISA continued expanding its KEV catalog, reflecting active exploitation trends. 

Notable additions include: 

  • CVE-2026-20131 — Cisco FMC RCE vulnerability actively exploited by ransomware groups  
  • CVE-2025-32432 — Craft CMS RCE vulnerability enabling full server takeover  

These additions emphasize the rapid transition from disclosure to exploitation, particularly in enterprise-facing systems. 

Critical ICS Vulnerabilities 

CISA issued 12 ICS advisories covering 150 vulnerabilities, with a strong concentration in industrial automation platforms.  

Festo Automation Suite with CODESYS (Multiple Critical CVEs) 

A large cluster of vulnerabilities affects Festo Automation Suite integrated with CODESYS, spanning multiple years and severity levels.  

These include: 

  • Buffer overflows  
  • Improper access control  
  • Out-of-bounds writes  
  • Missing authentication  

The accumulation of these flaws indicates systemic security weaknesses, enabling attackers to destabilize systems or gain persistent access. 

CVE-2018-10612 — Festo/CODESYS (Critical) 

This vulnerability involves improper access control, allowing attackers to bypass restrictions and gain unauthorized access to industrial systems.  

CVE-2021-30190 — Festo/CODESYS (Critical) 

A missing authentication vulnerability enabling attackers to execute critical functions without credentials, potentially leading to full system compromise.  

EV Charging Infrastructure Vulnerabilities (Critical) 

Critical vulnerabilities were also identified in EV charging platforms such as IGL-Technologies eParking.fi and CTEK Chargeportal.  

These flaws allow: 

  • Unauthorized administrative access  
  • Service disruption  
  • Large-scale denial-of-service attacks  

The global deployment of EV infrastructure significantly amplifies the risk of coordinated attacks across energy and transportation ecosystems. 

Impacted Critical Infrastructure Sectors 

Analysis of ICS vulnerabilities shows a significant concentration in: 

  • Energy infrastructure  
  • Transportation systems  
  • Industrial automation  

The increasing overlap between these sectors—particularly in EV ecosystems—creates interdependent risk, where a compromise in one domain can cascade into others.  

Conclusion 

This week’s findings highlight a convergence of: 

  • Rapid vulnerability disclosure cycles  
  • Active exploitation confirmed through KEV additions  
  • Growing attack surface in AI and cloud-native environments  
  • Deep-rooted security weaknesses in industrial systems  

With 222 publicly available PoCs, active underground discussions, and widespread ICS exposure, organizations face heightened risk across both IT and OT environments.  

Key Recommendations 

  • Prioritize vulnerabilities based on exploit availability and severity  
  • Secure AI frameworks and development pipelines  
  • Harden Kubernetes and cloud-native environments  
  • Implement strong authentication and access controls  
  • Segment IT and OT networks to limit lateral movement  
  • Address legacy vulnerabilities in ICS environments  
  • Conduct continuous vulnerability assessments and penetration testing  
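The first recommendation, prioritizing on exploit evidence rather than severity alone, can be made concrete as a small triage routine. The following is an added example, not Cyble's tooling; it uses the CVEs named in this report, but the CVSS scores, PoC, underground-discussion and exposure flags are constructed assumptions, and the weights and deadlines are illustrative choices.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Vuln:
    cve: str
    cvss: float                  # assumed CVSS v3.1 base score
    in_kev: bool = False         # listed in CISA KEV (confirmed exploitation)
    has_poc: bool = False        # public proof-of-concept exists
    underground: bool = False    # actively discussed on underground forums
    internet_facing: bool = False  # the affected asset is exposed in our estate


def triage_score(v: Vuln) -> float:
    """Exploit-evidence-weighted score: KEV > underground chatter > PoC > raw severity."""
    score = v.cvss
    if v.in_kev:
        score += 10.0
    if v.underground:
        score += 4.0
    if v.has_poc:
        score += 3.0
    if v.internet_facing:
        score *= 1.5   # exposure multiplies, it does not merely add
    return score


def sla_days(v: Vuln) -> int:
    """Remediation deadline in days, driven by exploitation evidence first."""
    if v.in_kev or (v.has_poc and v.internet_facing):
        return 3
    if v.has_poc or v.underground or v.cvss >= 9.0:
        return 14
    if v.cvss >= 7.0:
        return 30
    return 90


def prioritize(vulns: List[Vuln]) -> List[Vuln]:
    return sorted(vulns, key=triage_score, reverse=True)


# Constructed sample input: CVE ids are from the report, every flag and score is an assumption.
WEEK = [
    Vuln("CVE-2026-20131", 10.0, in_kev=True, has_poc=True, internet_facing=True),
    Vuln("CVE-2026-25769", 9.8, has_poc=True),
    Vuln("CVE-2026-4342", 8.8, has_poc=True, underground=True),
    Vuln("CVE-2026-22721", 8.8),
    Vuln("CVE-2026-33309", 9.6, underground=True),
    Vuln("CVE-2025-32432", 10.0, in_kev=True),
]

if __name__ == "__main__":
    for v in prioritize(WEEK):
        print(f"{v.cve:16} score={triage_score(v):5.1f} fix within {sla_days(v)} days")
```

Note that the two KEV entries outrank the critical-but-unconfirmed Wazuh and Langflow flaws, and the High-rated ingress-nginx issue moves ahead of them once PoC availability and forum discussion are weighed in.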

Cyble’s attack surface management and vulnerability intelligence solutions, backed by its AI-native platform, enable organizations to identify exposed assets, prioritize remediation, and detect early indicators of compromise. By integrating threat intelligence with proactive security strategies, organizations can effectively defend against evolving threats across enterprise and critical infrastructure environments. 

Book your demo to experience Cyble’s AI native platform now! 


Source: https://cyble.com/blog/cyble-weekly-vulnerabilities-report-apr-01/