The Week in Vulnerabilities: SolarWinds, AI Fixes Urged by Cyble

SolarWinds Web Help Desk and OpenClaw flaws are among the vulnerabilities drawing significant interest from threat actors.

Cyble Vulnerability Intelligence researchers tracked 1,093 vulnerabilities in the last week; well over 200 of the disclosed vulnerabilities already have a publicly available Proof-of-Concept (PoC), which significantly increases the likelihood of real-world attacks against them.

A total of 83 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 28 received a critical severity rating based on the newer CVSS v4.0 scoring system. 

Here are some of the IT and ICS vulnerabilities flagged by Cyble threat intelligence researchers for prioritization by security teams, including some that have been used in ransomware attacks.

The Week’s Top Vulnerabilities 

CVE-2026-25253, a critical vulnerability in the OpenClaw open-source AI personal assistant (also known as clawdbot or Moltbot), has been getting attention both from the security community and threat actors in underground forums. In versions before 2026.1.29, the application obtains a gatewayUrl from a query string and automatically connects via WebSocket without user confirmation, potentially leaking the sensitive auth token to attacker-controlled servers. This could enable unauthorized access to the victim’s OpenClaw instance. 
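The flaw described above is a client that trusts a connection target supplied in its own query string. The following is an added example, not OpenClaw's code, contrasting that pattern with a hardened one: the parameter name `gatewayUrl` is taken from the advisory text, while the allowlist of gateway hosts, the default gateway address and the sample page URLs are constructed for this illustration.

```javascript
// Added example (not OpenClaw's own code): handling a gateway URL supplied in the page's
// query string. The parameter name "gatewayUrl" comes from the advisory text; the
// allowlist, default gateway and sample page URLs are constructed for this illustration.

const ALLOWED_GATEWAY_HOSTS = new Set(["localhost", "127.0.0.1", "gateway.example.internal"]);
const DEFAULT_GATEWAY = "ws://127.0.0.1:8080/"; // constructed default, not a real OpenClaw value

// Vulnerable pattern: whatever the query string names is where the client connects and
// presents its auth token, with no scheme, host or user check in between.
function pickGatewayUnsafe(pageHref) {
  return new URL(pageHref).searchParams.get("gatewayUrl");
}

// Hardened pattern: only ws:/wss:, only allowlisted hosts, no embedded credentials, and any
// gateway that did not come from configuration still needs explicit user confirmation
// (confirm: true) before the token is sent over the socket.
function pickGatewaySafe(pageHref) {
  const raw = new URL(pageHref).searchParams.get("gatewayUrl");
  const fallback = { gateway: DEFAULT_GATEWAY, confirm: false };
  if (raw === null) return { ...fallback, reason: "default" };

  let candidate;
  try {
    candidate = new URL(raw); // rejects relative and malformed values
  } catch {
    return { ...fallback, reason: "unparseable" };
  }
  if (candidate.protocol !== "ws:" && candidate.protocol !== "wss:") {
    return { ...fallback, reason: "bad-scheme" };
  }
  if (candidate.username !== "" || candidate.password !== "") {
    return { ...fallback, reason: "embedded-credentials" };
  }
  if (!ALLOWED_GATEWAY_HOSTS.has(candidate.hostname)) {
    return { ...fallback, reason: "host-not-allowlisted" };
  }
  return { gateway: candidate.href, confirm: true, reason: "allowlisted" };
}

// Constructed sample page URLs: one benign, one pointing the client at an outside host.
const SAMPLE_PAGES = [
  "http://localhost:3000/",
  "http://localhost:3000/?gatewayUrl=wss%3A%2F%2Fevil.example%2F",
  "http://localhost:3000/?gatewayUrl=wss://gateway.example.internal:8443/ws",
];

for (const page of SAMPLE_PAGES) {
  console.log(page, "->", pickGatewayUnsafe(page), "| hardened:", pickGatewaySafe(page));
}
```

The unsafe helper returns the outside host verbatim, which is exactly the condition the advisory describes; the hardened helper falls back to the configured default for anything that is not an allowlisted WebSocket endpoint, and even an allowlisted one is flagged for confirmation rather than connected silently.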

CVE-2025-40554 is another vulnerability observed by Cyble to be under discussion by threat actors on the dark web. The critical authentication bypass vulnerability in SolarWinds Web Help Desk could allow unauthenticated remote attackers to exploit a weak authentication mechanism to invoke privileged actions and methods without credentials, over the network with low complexity and no user interaction. 

CISA added another SolarWinds Web Help Desk vulnerability, CVE-2025-40551, to its Known Exploited Vulnerabilities (KEV) catalog. The critical untrusted data deserialization vulnerability in SolarWinds Web Help Desk could allow unauthenticated remote attackers to send crafted requests over the network, triggering remote code execution (RCE) and enabling arbitrary command execution on the host machine with full system privileges. 


Another vulnerability added to the CISA KEV catalog was CVE-2026-1281, a critical code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that could allow unauthenticated remote code execution (RCE) via improper input sanitization, where attackers could send crafted requests to execute arbitrary code without privileges or user interaction. 

Other vulnerabilities added to the KEV catalog included CVE-2021-39935, a high-severity Server-Side Request Forgery (SSRF) vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE), and CVE-2025-11953, a React Native Community CLI OS Command Injection vulnerability. 

CVE-2025-8088, a path traversal vulnerability in WinRAR, has been generating discussion in open-source communities. Multiple threat actors, including nation-state adversaries and financially motivated groups, have reportedly been exploiting the flaw to establish initial access and deploy a diverse array of payloads. 

CVE-2025-22225, a high-severity arbitrary write vulnerability in VMware ESXi hypervisors and related products like Cloud Foundation and Telco Cloud Infrastructure, has also generated significant discussion and was recently determined by CISA to be exploited by ransomware groups (see next section below). 

Vulnerabilities Used in Ransomware Attacks

So far this year, CISA has changed the status of six KEV catalog vulnerabilities to reflect evidence of exploitation by ransomware groups. The six vulnerabilities include: 

  • CVE-2026-24423, a SmarterTools SmarterMail Missing Authentication for Critical Function vulnerability 
  • CVE-2024-30088, a Microsoft Windows Kernel TOCTOU Race Condition vulnerability 
  • CVE-2024-9680, a Mozilla Firefox Use-After-Free vulnerability 
  • CVE-2024-51567, a CyberPanel Incorrect Default Permissions vulnerability 
  • CVE-2024-49039, a Microsoft Windows Task Scheduler Privilege Escalation vulnerability 
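The roundup above ranks vulnerabilities by the same few signals throughout: CVSS severity, whether a public PoC exists, whether CISA has listed the flaw in KEV, and whether ransomware groups are known to use it. The following is an added example, not Cyble's tooling, that turns those signals into a repeatable triage order and remediation tier. The inventory, weights and tier cut-offs are constructed for illustration; the ids are placeholders, not CVEs from the page.

```javascript
// Added example, not Cyble's tooling: order findings by the signals this roundup uses
// (KEV listing, ransomware use, public PoC, CVSS base score, internet exposure) and assign
// a remediation tier. Weights, tiers and the sample inventory are constructed.

const SAMPLE_INVENTORY = [
  { id: "VULN-1", cvss: 9.8, inKev: true,  ransomware: true,  poc: true,  exposed: true  },
  { id: "VULN-2", cvss: 9.8, inKev: false, ransomware: false, poc: true,  exposed: false },
  { id: "VULN-3", cvss: 7.5, inKev: true,  ransomware: false, poc: false, exposed: true  },
  { id: "VULN-4", cvss: 5.3, inKev: false, ransomware: false, poc: false, exposed: true  },
];

// Severity contributes at most 50 points; evidence of real exploitation and reachability
// add on top, so a KEV-listed "high" can outrank a "critical" nobody is known to exploit.
function triageScore(f) {
  let score = f.cvss * 5;
  if (f.inKev) score += 25;
  if (f.ransomware) score += 15;
  if (f.poc) score += 10;
  if (f.exposed) score += 10;
  return Math.round(score * 10) / 10; // one decimal, avoids float noise
}

// Illustrative tiers: exploitation evidence forces the top tier regardless of score.
function remediationTier(f) {
  if (f.inKev || f.ransomware) return "tier-1-immediate";
  if (f.poc && f.cvss >= 9.0) return "tier-2-72h";
  if (f.cvss >= 7.0) return "tier-3-standard";
  return "tier-4-backlog";
}

// Highest score first; stable tie-break on id so the order is reproducible.
function rankFindings(findings) {
  return findings
    .map((f) => ({ ...f, score: triageScore(f), tier: remediationTier(f) }))
    .sort((a, b) => b.score - a.score || a.id.localeCompare(b.id));
}

for (const f of rankFindings(SAMPLE_INVENTORY)) {
  console.log(`${f.id}\tscore=${f.score}\t${f.tier}`);
}
```

On the constructed inventory, the KEV-listed 7.5 (VULN-3) lands ahead of the unexploited 9.8 (VULN-2), which is the ordering the KEV and ransomware sections of this roundup argue for.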

Critical ICS Vulnerabilities

Cyble flagged the following industrial control system (ICS) vulnerabilities for prioritization by security teams in recent reports to clients. 

CVE-2026-1632 is a critical vulnerability in RISS SRL’s MOMA Seismic Station software. The flaw involves the web management interface being exposed without authentication, potentially enabling unauthenticated attackers to modify configurations, access seismic data, or reset the device remotely over the network. 

CVE-2025-26385 is a maximum-severity Johnson Controls Metasys systems command-injection vulnerability. The flaw enables unauthenticated remote SQL injection, potentially allowing attackers to compromise building management systems that control HVAC, lighting, security, and life-safety functions across multiple critical infrastructure sectors. 

CVE-2025-40805 is a maximum-severity Authorization Bypass vulnerability affecting Siemens Industrial Edge Devices, HMI Panels, and IPC devices. 

CVE-2025-10492 is a Java deserialization vulnerability in the Jaspersoft Library that affects Hitachi Energy Asset Suite versions 9.7 and earlier. 

Conclusion

In the face of significant threats to IT and ICS environments, security teams must focus on defenses that protect their most critical assets and build resilience to prepare for any incidents that do occur. Cybersecurity best practices that can help include: 

  • Protecting web-facing assets. 
  • Segmenting networks and critical assets. 
  • Hardening endpoints and infrastructure. 
  • Strong access controls, allowing no more access than is required, with frequent verification. 
  • A strong source of user identity and authentication, including multi-factor authentication and biometrics, as well as machine authentication with device compliance and health checks. 
  • Encryption of data at rest and in transit. 
  • Ransomware-resistant backups that are immutable, air-gapped, and isolated as much as possible. 
  • Honeypots that lure attackers to fake assets for early breach detection. 
  • Proper configuration of APIs and cloud service connections. 
  • Monitoring for unusual and anomalous activity with SIEM, Active Directory monitoring, endpoint security, and data loss prevention (DLP) tools. 
  • Routinely assessing and confirming controls through audits, vulnerability scanning, and penetration tests. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. 

Additionally, Cyble’s third-party risk intelligence can help organizations carefully vet partners and suppliers, providing an early warning of potential risks. 

Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented “as is” without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue. No Liability for Errors or Omissions Due to the dynamic nature of cyber threat activity, this [blog/report/article] may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.
