The Week in Vulnerabilities: ‘Patch Tuesday’ Yields 1,200 New Flaws 
Vulnerabilities in SAP, Sophos, Adobe and Android were among the fixes issued by vendors during a very busy Patch Tuesday week.

Cyble Vulnerability Intelligence researchers tracked 1,224 vulnerabilities in the last week, as the monthly “Patch Tuesday” release cycle of vendor fixes yielded a high number of new vulnerabilities. 

More than 129 of the disclosed vulnerabilities already have publicly available proof-of-concept (PoC) exploits, which significantly increases the likelihood that many of them will be exploited.

Google, Linux, Microsoft, and Samsung were the top vendors and projects with reported vulnerabilities this week, reflecting the diverse range of impacted platforms across enterprise and embedded systems. 

A total of 105 vulnerabilities were rated as critical under CVSS v3.1, while 18 received a critical severity rating based on the newer CVSS v4.0 scoring system. Vulnerabilities from SAP and Sophos were among those that stood out in Cyble’s analysis. 

The Top IT Vulnerabilities This Week 

CVE-2025-42944 is a maximum-severity vulnerability in SAP NetWeaver that could enable unauthenticated remote code execution through insecure deserialization in the RMI-P4 module (version ServerCore 7.50). 

CVE-2025-10159 is a critical authentication bypass vulnerability affecting Sophos AP6 Series Wireless Access Points before firmware version 1.7.2563 (MR7) that could allow remote attackers to gain full administrator privileges on the affected wireless access points without needing to authenticate. 

Another noteworthy new vulnerability is CVE-2025-48543, a high-severity use-after-free vulnerability in the Android Runtime (ART) component, affecting Android versions 13 through 16. A local attacker could chain the flaw with another exploit, such as a Chrome renderer bug, to escape the browser sandbox and execute code with the elevated privileges of the system_server process, potentially gaining complete control of the device. The vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

CVE-2025-54236, also known as “SessionReaper,” is a critical improper input validation vulnerability in Adobe Commerce and Magento Open Source platforms. It could allow remote unauthenticated attackers to take over customer accounts through the Commerce REST API, with the possibility of enabling remote code execution (RCE) under certain conditions. 

Among the vulnerabilities generating discussion in open source communities is CVE-2025-42957, a 9.9-severity ABAP code injection vulnerability in SAP S/4HANA (Private Cloud or On-Premise, versions S4CORE 102, 103, 104, 105, 106, 107, 108) that impacts S/4HANA releases using the Enterprise Management component. The flaw could allow remote attackers with only basic SAP user credentials to execute arbitrary ABAP code via a network-exposed RFC interface. 

Among the vulnerabilities under discussion by threat actors on underground forums is CVE-2025-53772, a critical remote code execution (RCE) vulnerability in Microsoft Web Deploy (msdeploy), a tool for deploying web applications and Internet Information Services (IIS). The vulnerability is due to insecure deserialization of data in HTTP headers and could allow an authenticated user to execute arbitrary code on the target server. 

Cyble also observed threat actors discussing CVE-2025-52970, a high-severity authentication bypass vulnerability in Fortinet FortiWeb (versions 7.6.3 and below, versions 7.4.7 and below, versions 7.2.10 and below, and versions 7.0.10 and below) caused by improper handling of parameters, which could allow an unauthenticated attacker with specific non-public device and user information to log in as any existing user via a crafted request. 

Also under discussion by threat actors is CVE-2025-53779, a Windows Kerberos elevation-of-privilege vulnerability associated with the “BadSuccessor” technique that could potentially enable an authenticated attacker to gain domain admin privileges in certain Active Directory environments running Windows Server 2025 features. 

ICS Vulnerabilities 

Of more than 30 Industrial Control System (ICS) vulnerabilities examined by Cyble this week, two in particular stood out. 

CVE-2025-2523 is a 9.4-rated Integer Underflow (Wrap or Wraparound) vulnerability in the Control Data Access (CDA) component of Honeywell Experion PKS and OneWireless Wireless Device Manager (WDM). A remote attacker who manipulates the CDA communication channel could trigger the integer underflow and execute malicious code. Honeywell recommends updating to the most recent versions: Experion PKS 520.2 TCU9 HF1 or 530.1 TCU3 HF1, and OneWireless 322.5 or 331.1.
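The bug class behind this CVE is easy to reproduce in miniature. The Python block below is an added illustration, not Honeywell code and not a description of the real CDA protocol: it defines a constructed 8-byte frame format (a 4-byte magic value plus a 4-byte total length) and emulates C-style unsigned 32-bit arithmetic to show how a declared length smaller than the header wraps to a value near 4 GiB, which a later copy or allocation would treat as the payload size. The hardened parser rejects the frame before the subtraction can wrap.

```python
import struct

# Added example. The frame layout, magic value and size limits are constructed
# for illustration; they are not taken from Honeywell's CDA implementation.

U32_MASK = 0xFFFFFFFF
HEADER_LEN = 8            # 4-byte magic + 4-byte total length (constructed format)
MAX_PAYLOAD = 4096        # constructed upper bound for a single payload
MAGIC = 0xABCD1234        # constructed placeholder magic value


def u32(x: int) -> int:
    """Emulate unsigned 32-bit arithmetic (Python ints never wrap on their own)."""
    return x & U32_MASK


def build_frame(total_len: int, payload: bytes = b"") -> bytes:
    """Build a frame with an arbitrary declared total length (for test input)."""
    return struct.pack(">II", MAGIC, total_len) + payload


def vulnerable_payload_length(frame: bytes) -> int:
    """Trusts the declared length and subtracts the header size in u32 arithmetic.

    A declared total_len smaller than HEADER_LEN (e.g. 4) wraps to 0xFFFFFFFC,
    so downstream code would try to read or copy ~4 GiB of payload.
    """
    _magic, total_len = struct.unpack_from(">II", frame, 0)
    return u32(total_len - HEADER_LEN)


def safe_payload_length(frame: bytes) -> int:
    """Validates the declared length against the header size and the real buffer
    before subtracting, so the arithmetic can never wrap."""
    if len(frame) < HEADER_LEN:
        raise ValueError("frame shorter than header")
    _magic, total_len = struct.unpack_from(">II", frame, 0)
    if total_len < HEADER_LEN:
        raise ValueError(f"declared length {total_len} smaller than header {HEADER_LEN}")
    if total_len > len(frame):
        raise ValueError(f"declared length {total_len} exceeds frame of {len(frame)} bytes")
    payload_len = total_len - HEADER_LEN
    if payload_len > MAX_PAYLOAD:
        raise ValueError(f"payload {payload_len} exceeds maximum {MAX_PAYLOAD}")
    return payload_len


def parse_frame(frame: bytes):
    """Defender-side wrapper: returns (True, payload) or (False, reason)."""
    try:
        n = safe_payload_length(frame)
    except ValueError as exc:
        return False, str(exc)
    return True, frame[HEADER_LEN:HEADER_LEN + n]


if __name__ == "__main__":
    short = build_frame(4)                  # declared length smaller than the header
    good = build_frame(12, b"abcd")         # declared length matches 8 + 4 bytes
    print("vulnerable:", hex(vulnerable_payload_length(short)))   # 0xfffffffc
    print("safe:      ", parse_frame(short))                       # (False, reason)
    print("safe:      ", parse_frame(good))                        # (True, b'abcd')
```

The fix is the ordering: compare `total_len` against the header size and the buffer actually received first, and only then subtract. The same pattern applies in C, where the wrap happens silently in the `size_t` or `uint32_t` subtraction itself.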

CVE-2025-3495 is a 9.8-severity vulnerability in Delta Electronics COMMGR, affecting all versions of COMMGR v1 and COMMGR v2.9.0 and earlier. Session IDs are generated with a cryptographically weak PRNG (use of insufficiently randomized values), so they can be discovered by brute force. A remote, unauthenticated attacker could find a valid session identifier, bypass session authentication, access the AS3000 Simulator within COMMGR, and execute arbitrary code.
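The weakness here is a property of the generator and the ID format, not of any one product. The following Python block is an added illustration, not code from Delta Electronics or from this report: it contrasts a session ID drawn from a seeded, non-cryptographic PRNG with one from the operating system's CSPRNG, and quantifies how much guessing an ID format leaves open to an attacker. The 8-digit format, the seed value and the guess rate are constructed assumptions; the 64-bit floor is the minimum session ID entropy recommended by OWASP's session management guidance.

```python
import math
import random
import secrets
import string

# Added example. The 8-digit ID format, the seed and the guess rate are
# constructed to illustrate the weak-PRNG bug class; none comes from COMMGR.

DIGITS = string.digits
OWASP_MIN_ENTROPY_BITS = 64   # OWASP session management guidance: at least 64 bits


def weak_session_id(seed: int, length: int = 8) -> str:
    """Session ID from a non-cryptographic PRNG (Mersenne Twister).

    Seeded from something guessable (a timestamp, a counter) the ID is a pure
    function of the seed: the same seed always yields the same "random" ID.
    """
    rng = random.Random(seed)
    return "".join(rng.choice(DIGITS) for _ in range(length))


def strong_session_id(nbytes: int = 16) -> str:
    """Session ID from the OS CSPRNG; 16 bytes gives 128 bits of entropy."""
    return secrets.token_hex(nbytes)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Upper bound on the entropy of an ID of `length` symbols drawn uniformly
    from `alphabet_size` symbols. A weak PRNG or guessable seed only lowers it."""
    return length * math.log2(alphabet_size)


def scheme_meets_minimum(alphabet_size: int, length: int,
                         minimum_bits: int = OWASP_MIN_ENTROPY_BITS) -> bool:
    """Review check: does the ID format reach the recommended entropy floor?"""
    return entropy_bits(alphabet_size, length) >= minimum_bits


def expected_guesses_to_hit(alphabet_size: int, length: int, live_sessions: int = 1) -> float:
    """Average guesses before one of `live_sessions` valid IDs is hit, assuming
    uniform IDs: half the space, divided by the number of live targets."""
    space = alphabet_size ** length
    return space / (2 * live_sessions)


def expected_brute_force_seconds(alphabet_size: int, length: int,
                                 guesses_per_second: float, live_sessions: int = 1) -> float:
    """Risk estimate for the defender: mean time to a valid guess at a given rate."""
    return expected_guesses_to_hit(alphabet_size, length, live_sessions) / guesses_per_second


if __name__ == "__main__":
    seed = 1_700_000_000   # constructed: a Unix timestamp used as a seed
    print("weak, same seed twice:", weak_session_id(seed), weak_session_id(seed))
    print("8 digits:", entropy_bits(10, 8), "bits; meets minimum:",
          scheme_meets_minimum(10, 8))
    print("32 hex chars:", entropy_bits(16, 32), "bits; meets minimum:",
          scheme_meets_minimum(16, 32))
    # 8-digit space at a constructed 1,000 guesses/s: 50,000 s (~14 h) on average.
    print("mean seconds to guess an 8-digit ID at 1k/s:",
          expected_brute_force_seconds(10, 8, 1000))
    print("strong:", strong_session_id())
```

Two things make the weak scheme dangerous together: the ID space is small enough to enumerate, and the generator is deterministic, so an attacker who learns the seeding scheme does not even need to enumerate. The fix is also two-fold: draw IDs from `secrets` (or the platform CSPRNG) and size the format to at least the recommended entropy floor, then rate-limit and alert on bursts of invalid session identifiers.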

Conclusion 

The unusually high number of vendor patches issued this week – high even for a ‘Patch Tuesday’ update cycle – underscores the constant threats and pressures facing security teams. Rapid, well-targeted actions are needed to successfully defend IT and critical infrastructure, and a risk-based vulnerability management program should be at the heart of those defensive efforts. 

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.  

Get a free external threat profile for your organization today. 
