The Week in Vulnerabilities: PoCs and Zero-Days Merit Rapid Patching 
Cyble Tracks new Vulnerabilities

A high percentage of Proof-of-Concept exploits and new zero days this week should have security teams on high alert.

Cyble Vulnerability Intelligence researchers tracked 648 vulnerabilities in the last week, and nearly 170, or 26%, of the disclosed vulnerabilities already have publicly available Proof-of-Concept (PoC) exploits, raising the likelihood of real-world attacks. 

A total of 27 were rated as critical under CVSS v3.1, while only five received a critical severity rating based on the newer CVSS v4.0 scoring system. The presence of zero-day vulnerabilities – in addition to those noted in Cyble’s last vulnerability report – highlights persistent blind spots in cyber defenses and the pressing need for faster threat response. 

Here are the week’s top vulnerabilities in Cyble’s analysis. 

The Top IT Vulnerabilities 

CVE-2025-9642 is a high-severity cross-site scripting (XSS) vulnerability discovered in GitLab CE/EE. The vulnerability could potentially allow an attacker with low privileges to inject malicious scripts that could lead to unauthorized access, account takeover, and theft of sensitive user information. 

CVE-2025-20363 is a critical heap-based buffer overflow vulnerability affecting web services in several Cisco products, including Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software. The flaw could potentially allow an attacker to send a specially crafted HTTP request that causes heap memory corruption, enabling remote code execution (RCE) with root privileges. 

CVE-2025-20352 was among the vulnerabilities generating discussion in open-source communities. The vulnerability, rated 7.7 under CVSS, sits in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE software. A remote, authenticated attacker with low privileges could use it to cause a denial-of-service (DoS) condition by forcing the device to reload, while an attacker with high privileges could execute arbitrary code as the root user and take full control of the affected device. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog this week. 

Dark Web Exploits 

Cyble dark web researchers observed multiple threat actors (TAs) discussing exploits and weaponizing vulnerabilities in discussions on underground cybercrime forums. Vulnerabilities under discussion on the dark web include: 

CVE-2025-23121, a critical remote code execution (RCE) vulnerability in Veeam Backup & Replication software, could potentially allow an authenticated domain user to execute arbitrary code remotely on the Backup Server. 

CVE-2025-6218, a high-severity directory traversal vulnerability in WinRAR for Windows, could allow attackers to craft malicious archives that, when extracted by a vulnerable WinRAR version, write files outside the intended extraction directory. For example, an attacker could place a malicious executable in the Windows Startup folder so that it runs automatically the next time the user logs in. The result is arbitrary code execution with the privileges of the user who extracted the archive. 
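The extraction flaw described above is generic: any archive extractor that joins a stored entry name to the destination directory without canonicalizing the result can be steered outside that directory. The Python example below is added here for illustration; it is not WinRAR code and not an exploit for CVE-2025-6218. It builds a constructed zip with two traversal entries, shows a hand-written naive extractor writing them outside the target directory, and shows the check a hardened extractor needs. Python's own zipfile.extractall already strips such components, which is why the vulnerable pattern is written out by hand.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_traversal_archive() -> bytes:
    """Constructed sample archive: one benign entry plus two entries whose
    names try to climb out of the extraction directory (POSIX and Windows
    separators). It stands in for the malicious archive described in the text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless content")
        zf.writestr("../../escaped.txt", "payload")
        zf.writestr("..\\..\\escaped_win.txt", "payload")
    return buf.getvalue()


def naive_extract(archive: bytes, dest: Path) -> list:
    """Vulnerable pattern: join the stored name to dest and write, no checks.
    (zipfile.extractall already strips '..' components, so the flaw is
    reproduced by hand here.) Returns the resolved paths actually written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            # Treat backslashes as separators so the Windows-style entry behaves
            # the same way on a POSIX host running this demo.
            target = dest / info.filename.replace("\\", "/")
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.resolve())
    return written


def safe_extract(archive: bytes, dest: Path) -> tuple:
    """Hardened pattern: canonicalize every target and require that it stays
    inside dest. Absolute names and any name that resolves outside dest
    (via '..' or a symlink already present under dest) are rejected."""
    dest = dest.resolve()
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            target = (dest / name).resolve()
            if os.path.isabs(name) or not target.is_relative_to(dest):
                rejected.append(info.filename)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written, rejected


def demo() -> dict:
    """Run both extractors against the constructed archive inside a scratch
    directory and report how many entries escaped or were rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        dest = root / "a" / "b" / "extract_here"   # deep enough for ../.. to stay in tmp
        dest.mkdir(parents=True)
        archive = build_traversal_archive()

        naive_paths = naive_extract(archive, dest)
        escaped = [p for p in naive_paths if not p.is_relative_to(dest.resolve())]

        safe_written, rejected = safe_extract(archive, root / "safe_extract")
        return {
            "naive_escaped": len(escaped),
            "safe_written": len(safe_written),
            "safe_rejected": len(rejected),
        }


if __name__ == "__main__":
    print(demo())   # expect naive_escaped=2, safe_written=1, safe_rejected=2
```

The check that matters is the one in safe_extract: resolve the full target path first, then require it to be relative to the resolved destination. Comparing raw strings, or only rejecting names that start with "..", misses entries such as "sub/../../x" and symlinked subdirectories.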

CVE-2025-41244 is a high-severity local privilege escalation vulnerability affecting VMware Aria Operations and VMware Tools that applies when managed virtual machines use the Service Discovery Management Pack (SDMP) features. A local attacker with non-administrative access to such a VM could escalate privileges to root by exploiting unsafe privilege handling between Aria Operations and VMware Tools. Although only recently reported, the vulnerability has reportedly been under exploitation since October 2024. 

CVE-2025-32463, a critical local privilege escalation vulnerability in the sudo utility for Linux and Unix, affects versions 1.9.14 through 1.9.17 and is fixed in 1.9.17p1. It could allow a local attacker to gain root access by abusing the --chroot (-R) option: sudo improperly reads /etc/nsswitch.conf from the user-controlled directory given to --chroot, which can cause it to load attacker-supplied shared libraries with root privileges. The vulnerability was added to the CISA KEV catalog this week. 
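Because the affected range is narrow and the fix ships in 1.9.17p1, the first thing to verify on a Linux host is the installed sudo version. The Python helper below is an added example, not part of Cyble's report or of the sudo project; it parses the banner printed by `sudo --version` and compares it with the affected range stated above. The sample banners are constructed for illustration. One caveat: distributions that backport the fix may keep the upstream version number, so treat a match as a prompt to check the vendor's advisory rather than as proof of exposure.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, p-level)

# Affected range from the advisory text: 1.9.14 through 1.9.17 inclusive.
# 1.9.17p1 is the first release carrying the fix, so a "p" suffix must sort
# above the bare release number.
FIRST_AFFECTED: Version = (1, 9, 14, 0)
FIRST_FIXED: Version = (1, 9, 17, 1)

# `sudo --version` prints a first line of the form "Sudo version 1.9.15p5".
_BANNER_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(banner: str) -> Optional[Version]:
    """Extract the version tuple from `sudo --version` output, or None if absent."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(version: Version) -> bool:
    """True if the version falls in [1.9.14, 1.9.17p1)."""
    return FIRST_AFFECTED <= version < FIRST_FIXED


def assess_banner(banner: str) -> Optional[bool]:
    """None if the banner cannot be parsed, else whether the version is affected."""
    v = parse_sudo_version(banner)
    return None if v is None else is_affected(v)


def check_local_sudo() -> Optional[Tuple[Version, bool]]:
    """Run `sudo --version` on this host (no privileges needed) and assess it."""
    try:
        proc = subprocess.run(["sudo", "--version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    v = parse_sudo_version(proc.stdout)
    return None if v is None else (v, is_affected(v))


# Constructed sample banners for illustration; they are not from real hosts.
SAMPLE_BANNERS = {
    "Sudo version 1.9.16p2": True,
    "Sudo version 1.9.17": True,
    "Sudo version 1.9.17p1": False,
    "Sudo version 1.9.13p3": False,
    "Sudo version 1.8.31": False,
}


if __name__ == "__main__":
    for banner, expected in SAMPLE_BANNERS.items():
        print(f"{banner:28s} affected={assess_banner(banner)} (expected {expected})")
    print("local sudo:", check_local_sudo())
```

The p-level handling is the edge case worth getting right: a plain tuple compare on (major, minor, patch) would flag 1.9.17p1 as vulnerable when it is the fixed release.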

CVE-2025-56383, a high-severity DLL hijacking vulnerability found in Notepad++, has been marked as disputed by both NVD and CVE.org, yet it has nonetheless attracted discussion on dark web forums. This vulnerability could potentially allow an attacker with local access to replace the original DLL file used by Notepad++ with a malicious DLL, leading to the execution of arbitrary code on the affected system. The exploit requires low attack complexity and no special privileges. 

Conclusion 

The high number of Proof-of-Concept exploits and actively exploited vulnerabilities this week – and significant interest in them from threat actors – highlights the need for rapid, well-targeted actions by security teams to successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts. 

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.
