The Week in Vulnerabilities: MFT, Help Desk Fixes Urged by Cyble 

The week’s top vulnerabilities include several that could attract the attention of threat actors, and some that already have.

Cyble Vulnerability Intelligence researchers tracked 1,126 vulnerabilities in the last week, and nearly 200 already have publicly available Proofs-of-Concept (PoCs), raising the odds that the flaws will be exploited. 

A total of 71 vulnerabilities were rated as critical under CVSS v3.1, while 21 received a critical severity rating under the newer CVSS v4.0 scoring system. 

Here are some of the most critical vulnerabilities tracked by Cyble in the last week, including some under discussion on open source and underground forums. 

SolarWinds WHD, GoAnywhere MFT Among the Top Vulnerabilities 

Among the top vulnerabilities this week was CVE-2025-26399, a critical remote code execution (RCE) vulnerability in SolarWinds Web Help Desk (WHD), a web-based IT ticketing and asset management solution. 

The vulnerability arises from an insecure deserialization flaw in the AjaxProxy component of WHD, potentially allowing an unauthenticated remote attacker to execute arbitrary code on affected systems with SYSTEM-level privileges. 

The CVE-2025-26399 vulnerability is a patch bypass of CVE-2024-28988, which itself is a patch bypass of CVE-2024-28986. As CVE-2024-28986 is in CISA’s Known Exploited Vulnerabilities (KEV) catalog, CVE-2025-26399 may well draw the attention of threat actors.

Another noteworthy new vulnerability is CVE-2025-10035, a critical remote code execution (RCE) vulnerability affecting Fortra’s GoAnywhere Managed File Transfer (MFT) software. An attacker with a validly forged license response signature could potentially deserialize a malicious, actor-controlled Java object, triggering command injection and allowing arbitrary operating system command execution on the affected system. 

MFT vulnerabilities have historically been targeted by threat and ransomware groups like CL0P, and there has been some evidence that CVE-2025-10035 is already being targeted. Cyble dark web researchers have also observed threat actors on underground forums discussing weaponization of CVE-2025-10035. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on September 29.

CISA added three vulnerabilities to its KEV catalog in the last week. They include: 

  • CVE-2025-10585, a high-severity vulnerability in Google Chrome’s V8 JavaScript and WebAssembly engine. It is a type confusion flaw where the software misinterprets data types, leading to potential memory corruption, arbitrary code execution, or program crashes. This flaw could allow attackers to run malicious code by luring victims to a compromised webpage with crafted JavaScript. 
  • CVE-2025-20333 and CVE-2025-20362 were the subject of advisories from CISA and its international counterparts warning that the zero-day flaws are being used to target Cisco Adaptive Security Appliances (ASA). CVE-2025-20333 is a vulnerability in the VPN web server of Cisco Secure Firewall ASA Software and Cisco Secure Firewall Threat Defense (FTD) Software that could potentially allow an authenticated, remote attacker to execute arbitrary code on an affected device due to improper validation of user-supplied input in HTTP(S) requests. CVE-2025-20362 could allow an unauthenticated, remote attacker to access restricted URL endpoints without authentication. 

Notable vulnerabilities discussed in open-source communities included: 

  • CVE-2025-55241, a critical elevation-of-privilege vulnerability in Microsoft Entra ID that could have allowed an attacker to impersonate any user, including Global Administrators, across different tenants. 
  • CVE-2025-4427, a high-severity authentication bypass vulnerability in Ivanti Endpoint Manager Mobile (EPMM), an on-premises mobile device management platform. The flaw could potentially allow unauthenticated attackers to send specially crafted requests to Ivanti EPMM’s API endpoints, tricking the system into treating them as legitimate authenticated clients. Exploiting this vulnerability alone or combined with CVE-2025-4428 could allow attackers to execute arbitrary code on compromised servers. 

Cyble dark web researchers also observed multiple threat actors on underground forums sharing and discussing exploits and weaponizing vulnerabilities. In addition to CVE-2025-10035, other vulnerabilities attracting threat actor attention included: 

  • CVE-2025-25257, a critical unauthenticated remote code execution (RCE) vulnerability affecting the Fortinet FortiWeb Fabric Connector. The flaw originates from improper neutralization of special elements in SQL commands – specifically, attacker-supplied content in HTTP “Authorization: Bearer” headers could be injected into SQL queries without sanitization. This could enable attackers to perform SQL injection and escalate to RCE by writing a malicious executable file via MySQL’s INTO OUTFILE function, then triggering Python code through the FortiWeb admin console. 
  • CVE-2025-50154, a zero-click NTLM credential leakage vulnerability in Windows File Explorer, which bypasses previous mitigations for CVE-2025-24054. The flaw could allow attackers to trigger NTLM authentication and extract sensitive hashes without user interaction, even on fully patched systems. These hashes could be cracked offline or reused in relay attacks for unauthorized access, privilege escalation, or lateral movement. 

ICS Vulnerabilities 

Cyble also identified a number of industrial control system (ICS) vulnerabilities for prioritization by security teams. They include: 

  • CVE-2025-9494 and CVE-2025-9495 in Viessmann Vitogate 300 (versions prior to 3.1.0.1). The OS command injection and client-side enforcement of server-side security vulnerabilities could allow an attacker to execute unintended commands or bypass server-side protections to influence system behavior. 
  • CVE-2025-54807 in Dover Fueling Solutions ProGauge MagLink LX4 / LX4 Plus / LX4 Ultimate. The use of a hard-coded cryptographic key for token validation could potentially allow an attacker who obtains the hard-coded signing key to bypass authentication and gain full access to the system. 
  • CVE-2020-2883 in Hitachi Energy Service Suite (versions prior to 9.6.0.4 EP4). The products are affected by a deserialization of untrusted data vulnerability that stems from the Oracle WebLogic Server component and could allow an unauthenticated attacker with network access via IIOP or T3 to compromise and take over Oracle WebLogic Server. 

Conclusion 

The high number of vulnerabilities this week – and strong interest in them from threat actors – serves as a reminder that cybersecurity threats are always changing and evolving. Rapid, well-targeted actions are needed to successfully defend IT and critical infrastructure, and a risk-based vulnerability management program should be at the heart of those defensive efforts.  
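One way to put the risk-based prioritization the conclusion calls for into practice, as an added example that is not Cyble's code: a small Python triage model that ranks a weekly feed on the signals this round-up reports (CISA KEV listing, public PoC availability, underground-forum chatter, CVSS severity band) plus local exposure. The CVE identifiers are taken from this post; the weights, the SLA thresholds and every per-CVE flag other than the KEV listings stated above are constructed assumptions.

```python
from dataclasses import dataclass
# Weights are an illustrative model, not a published standard: a KEV listing
# (confirmed exploitation) counts for as much as a critical CVSS band on its own.
SEVERITY_WEIGHT = {"critical": 40, "high": 25, "medium": 10, "low": 0}
KEV_WEIGHT, POC_WEIGHT, CHATTER_WEIGHT, EXPOSED_WEIGHT = 40, 15, 10, 20

@dataclass(frozen=True)
class Vuln:
    cve: str
    severity: str                # CVSS qualitative band as the round-up reports it
    in_kev: bool = False         # listed in CISA's Known Exploited Vulnerabilities
    public_poc: bool = False     # a public proof-of-concept exists
    forum_chatter: bool = False  # discussed on underground forums
    exposed: bool = False        # affected asset is internet-facing in your estate

def risk_score(v: Vuln) -> int:
    """Additive risk score; exploitation evidence outweighs raw severity."""
    score = SEVERITY_WEIGHT[v.severity.lower()]
    score += KEV_WEIGHT if v.in_kev else 0
    score += POC_WEIGHT if v.public_poc else 0
    score += CHATTER_WEIGHT if v.forum_chatter else 0
    score += EXPOSED_WEIGHT if v.exposed else 0
    return score

def sla_days(score: int) -> int:
    """Remediation window in days for a given score (illustrative thresholds)."""
    if score >= 80:
        return 2
    if score >= 50:
        return 7
    return 30

def prioritize(vulns):
    """Return (cve, score, sla_days) tuples, highest risk first."""
    ranked = sorted(vulns, key=risk_score, reverse=True)
    return [(v.cve, risk_score(v), sla_days(risk_score(v))) for v in ranked]

# Constructed sample feed. CVE ids are from the round-up; the KEV status of
# CVE-2025-10035 and CVE-2025-10585 is as reported there, all other flags are made up.
FEED = [
    Vuln("CVE-2025-10035", "critical", in_kev=True, forum_chatter=True, exposed=True),
    Vuln("CVE-2025-26399", "critical", public_poc=True, exposed=True),
    Vuln("CVE-2025-10585", "high", in_kev=True),
    Vuln("CVE-2025-4427", "high", public_poc=True),
]

if __name__ == "__main__":
    for cve, score, days in prioritize(FEED):
        print(f"{cve:16} score={score:3}  fix within {days} days")
```

Note that the KEV-listed Chrome flaw outranks the SolarWinds critical when neither is exposed, which is the point of weighting exploitation evidence above the CVSS band.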

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans.  

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. 

Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented “as is” without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue.

No Liability for Errors or Omissions: Due to the dynamic nature of cyber threat activity, this [blog/report/article] may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.
