The Week in Vulnerabilities: High-Risk IT and ICS Flaws Flagged by Cyble

Cyble threat intelligence researchers identified several high-risk IT and ICS flaws this week, including some under active exploitation.

July 4, 2025 · 4 min read
Cyble vulnerability intelligence researchers investigated dozens of vulnerabilities this week to highlight the IT and industrial control system (ICS) vulnerabilities that security teams should prioritize. 

Cyble honeypot sensors also detected numerous vulnerabilities under active exploitation, and Cyble dark web researchers observed several threat actors discussing vulnerability exploits on underground and cybercrime forums, including a claimed Apple zero-day. 

What follows are some highlights from Cyble’s IT and ICS vulnerability and sensor intelligence reports sent to clients this week. 

IT Vulnerabilities

Cyble researchers said security teams should prioritize four IT vulnerabilities at high risk of exploitation. 

CVE-2025-6554 is a critical zero-day vulnerability in Google Chrome affecting the V8 JavaScript and WebAssembly engine. The vulnerability is classified as a type confusion flaw, and could allow a remote attacker to perform arbitrary read and write operations on a victim’s system by tricking them into visiting a maliciously crafted HTML page. Google has reported that the vulnerability may be under active exploitation. 

CVE-2025-20281 and CVE-2025-20282 are critical remote code execution (RCE) vulnerabilities affecting Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC). The vulnerabilities could potentially allow unauthenticated, remote attackers to gain root access on affected systems via exposed APIs, and each can be exploited independently. 

CVE-2025-6218 is a directory traversal vulnerability in RARLAB WinRAR that could allow remote attackers to execute arbitrary code on affected Windows systems. An attacker could craft archive files with malicious file paths, tricking WinRAR into extracting files to unintended directories such as system or startup folders, potentially resulting in code execution when the system restarts. 
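One defensive check against the archive-path abuse described above, written here as an added example (not Cyble's or RARLAB's code): before extracting, each member name is resolved against the intended extraction directory and anything that would land outside it is flagged. The archive contents and the destination directory name are constructed for illustration.

```python
import io
import os
import zipfile
from pathlib import PureWindowsPath


def unsafe_entries(names, dest="extract_dir"):
    """Return archive member names that would escape `dest` on extraction.

    A member is flagged if it is absolute (POSIX or Windows), carries a
    drive or UNC prefix, or uses '..' segments that climb above `dest`.
    Backslashes are treated as separators because Windows extractors do.
    """
    flagged = []
    dest_abs = os.path.abspath(dest)
    for name in names:
        normalised = name.replace("\\", "/")
        if PureWindowsPath(name).drive or normalised.startswith("/"):
            flagged.append(name)
            continue
        # Resolve the member relative to dest and check it stays inside.
        target = os.path.abspath(os.path.join(dest_abs, normalised))
        if os.path.commonpath([dest_abs, target]) != dest_abs:
            flagged.append(name)
    return flagged


def build_sample_archive():
    """Constructed sample archive: one benign entry, two traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content")
        # Relative climb towards a per-user Startup folder (hypothetical path).
        zf.writestr("..\\..\\Users\\Public\\Startup\\run.exe", "x")
        # Absolute POSIX path.
        zf.writestr("/etc/cron.d/job", "x")
    buf.seek(0)
    return buf


def scan_archive(buf, dest="extract_dir"):
    """List the members of a zip that a safe extractor should refuse."""
    with zipfile.ZipFile(buf) as zf:
        return unsafe_entries(zf.namelist(), dest)


if __name__ == "__main__":
    for entry in scan_archive(build_sample_archive()):
        print("refusing to extract:", entry)
```

The same check applies to any archive format: validate every member path against the destination before writing, rather than trusting the name stored in the archive.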

Among the dark web exploit discussions observed by Cyble, a threat actor (TA) on a cybercrime forum was offering what they claimed is an exploit weaponizing a zero-click remote code execution (RCE) vulnerability allegedly impacting all present and future versions of Apple iOS 18, the eighteenth major release of Apple’s iOS operating system for iPhones. The TA also disclosed that the offered zero-day exploits the ‘iMessage’ service to deliver the payload and gain root access to the targeted mobile phone. 

Among active attack attempts detected by Cyble sensors, three recent vulnerabilities stand out as meriting high-priority attention by security teams: 

Langflow versions prior to 1.3.0 contain a code injection vulnerability (CVE-2025-3248) in the `/api/v1/validate/code` endpoint. A remote, unauthenticated attacker could potentially exploit this vulnerability by sending specially crafted HTTP requests to execute arbitrary code. 

The SAP NetWeaver Visual Composer Metadata Uploader, version VCFRAMEWORK 7.50, lacks proper authorization controls, potentially allowing an unauthenticated attacker to upload malicious executable binaries. The vulnerability (CVE-2025-31324) could critically impact the confidentiality, integrity, and availability of the affected system. SAP addressed the flaw in its May update. Cyble noted in last week’s vulnerability blog that threat actors have been actively discussing the vulnerability. 

CrushFTP versions 10 (prior to 10.8.4) and 11 (prior to 11.3.1) are vulnerable to an authentication bypass flaw affecting the crushadmin account. The vulnerability (CVE-2025-31161) stems from a race condition in the AWS4-HMAC authorization method used by the server’s HTTP component. The flaw could allow attackers to bypass authentication by exploiting how the server verifies user existence without requiring a password. The issue can be further stabilized using a crafted AWS4-HMAC header, enabling reliable unauthorized access to any known or guessable user account. Successful exploitation could lead to full system compromise, especially if a DMZ proxy instance is not in use. 

ICS Vulnerabilities

Of 16 ICS vulnerabilities investigated by Cyble this week, vulnerabilities in certain versions of Voltronic Power and PowerShield UPS monitoring software stood out as posing a critical risk to industrial and commercial environments. 

Exploitation of the vulnerabilities could allow unauthenticated remote attackers to access sensitive functions or bypass access controls, potentially leading to unauthorized configuration changes, shutdown of connected power systems, or even arbitrary code execution. 

Given the role of UPS systems in ensuring power continuity, successful exploitation could result in system downtime, equipment damage, or disruption of critical operations across sectors such as Energy, Critical Manufacturing, and Commercial Facilities. 

Conclusion 

The number of high-risk and actively exploited vulnerabilities this week shows that IT security teams can never be complacent, even amid summer holidays like July 4 in the U.S. 

A risk-based vulnerability management program should be at the heart of defensive efforts, but that won’t stop zero-day threats. Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. Get a free external threat profile for your organization today. 
