The Week in Vulnerabilities: Time to Exploit Continues to Fall

Of more than 900 new vulnerabilities in the last week, nearly 200 already have public proofs of concept (PoCs).

Cyble Vulnerability Intelligence researchers tracked more than 900 vulnerabilities in the last week, and nearly 200 of the disclosed vulnerabilities already have a publicly available Proof-of-Concept (PoC), as the time between disclosure and exploitation continues to shrink. 

Cyble threat intelligence researchers also observed threat actors on underground forums discussing vulnerability exploits and PoCs, and Cyble honeypot sensors detected attack attempts on dozens of vulnerabilities. 

What follows are some of the more significant IT and industrial control system (ICS) vulnerabilities flagged by Cyble in reports to clients in the last week, making the flaws a high priority for security teams to address. 

The Week’s Top IT Vulnerabilities 

The vulnerability that’s perhaps drawn the most attention this week is a critical SharePoint vulnerability, CVE-2025-53770, that has reportedly been actively exploited in the wild as part of a broader campaign known as “ToolShell.” The vulnerability could enable remote code execution and persistent unauthorized access. CVE-2025-53770 affects on-premises Microsoft SharePoint Server and involves a deserialization vulnerability. Microsoft has published customer guidance on the vulnerability. 

Another notable vulnerability is CVE-2025-6558, a critical zero-day vulnerability in Google Chrome that could allow remote attackers to bypass the browser’s sandbox protection by crafting malicious HTML pages, potentially enabling arbitrary code execution on the underlying system. 

CVE-2025-25257 is a critical unauthenticated SQL injection vulnerability in Fortinet FortiWeb that could potentially allow attackers to execute unauthorized SQL commands via crafted HTTP(S) requests, posing significant risks such as data theft and service disruption; public exploits for this flaw also exist. 


Two 10.0-severity vulnerabilities were also disclosed in recent days. They include CVE-2025-20337, which could potentially allow unauthenticated attackers to remotely execute arbitrary code with root privileges on Cisco Identity Services Engine, and CVE-2025-54122, a critical unauthenticated Server-Side Request Forgery (SSRF) flaw in Manager.io accounting software. 

CVE-2025-54309 affects CrushFTP and could potentially allow remote attackers to gain administrative access via HTTPS. The flaw has been actively exploited by attackers to control affected servers and manipulate data or configurations. 

CVE-2025-41236, CVE-2025-41237, and CVE-2025-41238 are critical vulnerabilities affecting VMware ESXi, Workstation, and Fusion hypervisors, each with a CVSSv3 score of 9.3. Attackers could potentially exploit the vulnerabilities by gaining local administrative privileges on a guest virtual machine. 

Citrix NetScaler, NVIDIA Vulnerabilities Draw Hacker Interest 

Recent Citrix NetScaler vulnerabilities continue to receive attention from threat actors in discussions on dark web and underground forums. 

CVE-2025-5777 is a critical pre-authentication memory disclosure vulnerability affecting Citrix NetScaler ADC and Gateway devices, specifically when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. It results from insufficient input validation in the processing of HTTP POST requests to the authentication endpoint. 

Cyble warned about the Citrix vulnerability last month, and Cyble honeypot sensors have also detected attempts to exploit the flaw. 

CVE-2025-6543 is a critical memory overflow vulnerability affecting NetScaler ADC and NetScaler Gateway when configured as a Gateway (e.g., VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Exploitation could lead to unintended control flow and Denial of Service (DoS), and there is consensus among security researchers that it may also enable unauthenticated remote code execution (RCE). 

Another vulnerability under discussion on underground forums is CVE-2025-23266, a vulnerability in the NVIDIA Container Toolkit that could enable a container escape. A malicious container could gain root access on the host by exploiting how the toolkit processes Open Container Initiative (OCI) hooks – specifically, by manipulating inherited environment variables such as LD_PRELOAD. The flaw affects thousands of organizations that rely on GPU-accelerated containers in AI and cloud environments. 

ICS Vulnerabilities 

Cyble also flagged four ICS vulnerabilities in recent reports. 

CVE-2025-40736 affects Siemens SINEC NMS, which is used to centrally manage and monitor complex OT and IT networks in sectors like manufacturing, energy, and transportation. CVE-2025-40736 could allow an unauthenticated attacker to reset the superadmin password through an exposed endpoint, essentially giving them full control of the system. 

CVE-2025-41646 in KUNBUS Revolution Pi could allow unauthenticated attackers to bypass authentication entirely by sending a specially crafted JSON payload, potentially giving them full access to the device. As Revolution Pi is widely used across sectors like Critical Manufacturing, Energy, Transportation, and Water systems, the presence of internet-facing instances detected by Cyble makes this a high priority for affected organizations. 

CVE-2025-50121 in Schneider Electric’s EcoStruxure IT Data Center Expert (v8.3 and earlier) could potentially allow unauthenticated remote code execution via the HTTP web interface (disabled by default). The product is widely used to monitor and manage data center infrastructure, so a compromise could lead to operational disruption and unauthorized access to sensitive systems. 

CVE-2025-6185 affects Leviton AcquiSuite (A8810) and Energy Monitoring Hub (A8812), both widely used for real-time energy monitoring in industrial and commercial facilities. The flaw is a cross-site scripting (XSS) vulnerability (CWE-79) that could allow attackers to inject malicious code via URL parameters. When accessed by a user, the payload could execute in the browser, steal session tokens, and potentially give the attacker control over the service. 
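The Leviton flaw is a reflected XSS through URL parameters. The snippet below is an added illustration of that bug class and its fix, not Leviton code and not the details of CVE-2025-6185 (which the post does not give): a handler that reflects a query parameter into HTML unescaped, beside the hardened version that escapes it. The handler names, the `device` parameter and the probe string are assumptions constructed for the example.

```python
"""Reflected XSS via a URL parameter: vulnerable handler beside a hardened one.

Added example for illustration only; the `device` parameter, the page markup and
the probe payload are constructed and are not taken from the affected product.
"""
import html
from urllib.parse import parse_qs

# Constructed, inert marker used only to check whether raw markup survives rendering.
PROBE = "<script>probe()</script>"


def _param(query_string: str, name: str) -> str:
    """Return the first value of a query parameter, or '' if absent."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(query_string: str) -> str:
    # Reflects attacker-controlled text straight into markup, so any tags in the
    # parameter become live HTML in the victim's browser (CWE-79).
    device = _param(query_string, "device")
    return f"<h1>Readings for {device}</h1>"


def render_hardened(query_string: str) -> str:
    # html.escape with quote=True neutralises <, >, &, " and ', so the value is
    # rendered as text in both element and attribute contexts.
    device = html.escape(_param(query_string, "device"), quote=True)
    return f"<h1>Readings for {device}</h1>"


def reflects_raw_markup(rendered: str, payload: str = PROBE) -> bool:
    """True if the untrusted payload appears unescaped in the rendered page."""
    return payload in rendered


if __name__ == "__main__":
    qs = f"device={PROBE}"
    for name, fn in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        out = fn(qs)
        print(f"{name:10} reflects raw markup: {reflects_raw_markup(out)}  -> {out}")
```

Escaping is context-specific: the `html.escape` fix covers HTML element and attribute contexts, while values placed into JavaScript, URLs or CSS need their own encoders (or, better, a templating engine that auto-escapes). A `Content-Security-Policy` without `unsafe-inline` is the usual second layer for the session-token theft the post describes.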

Conclusion 

As the time between disclosure and exploitation of newly disclosed vulnerabilities continues to shrink, security teams must respond rapidly to defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts. 
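As an added example of what "risk-based" prioritization means in practice (not Cyble's tooling or scoring model), the script below ranks a backlog by combining CVSS severity with the evidence the post itself highlights: in-the-wild exploitation, public PoC availability and internet exposure. The weights are assumptions chosen for illustration. The sample records reuse CVEs named above; the 10.0 and 9.3 scores are from the post, while CVSS values the post does not state, and all exposure flags, are constructed placeholders.

```python
"""Risk-based prioritisation of a week's vulnerability backlog.

Added illustration; the weights, the exposure flags and the CVSS values not
stated in the post are constructed assumptions, not Cyble data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    product: str
    cvss: float                    # base score; constructed where the post gives none
    exploited_in_wild: bool = False
    public_poc: bool = False
    internet_facing: bool = False  # exposure in the defender's own estate (constructed)


def risk_score(v: Vuln) -> float:
    """Combine severity with exploitation evidence and exposure.

    Assumed weights: in-the-wild exploitation outranks a public PoC, which
    outranks a bare CVSS number; internet exposure multiplies the result.
    """
    score = v.cvss
    if v.exploited_in_wild:
        score += 4.0
    elif v.public_poc:
        score += 2.0
    if v.internet_facing:
        score *= 1.5
    return round(score, 2)


def prioritise(vulns):
    """Highest risk first; ties broken by CVE id for a stable order."""
    return sorted(vulns, key=lambda v: (-risk_score(v), v.cve))


# Constructed sample backlog built from CVEs named in the post.
SAMPLE = [
    Vuln("CVE-2025-53770", "Microsoft SharePoint Server", 9.8,   # 9.8 is a placeholder
         exploited_in_wild=True, public_poc=True, internet_facing=True),
    Vuln("CVE-2025-20337", "Cisco Identity Services Engine", 10.0),
    Vuln("CVE-2025-25257", "Fortinet FortiWeb", 9.6,            # 9.6 is a placeholder
         public_poc=True, internet_facing=True),
    Vuln("CVE-2025-41236", "VMware ESXi/Workstation/Fusion", 9.3),
    Vuln("CVE-2025-54309", "CrushFTP", 9.0,                      # 9.0 is a placeholder
         exploited_in_wild=True, internet_facing=True),
    Vuln("CVE-2025-6185", "Leviton AcquiSuite / Energy Monitoring Hub", 6.1),  # placeholder
]


if __name__ == "__main__":
    for v in prioritise(SAMPLE):
        flags = " ".join(f for f, on in (("ITW", v.exploited_in_wild),
                                          ("PoC", v.public_poc),
                                          ("EXPOSED", v.internet_facing)) if on)
        print(f"{risk_score(v):6.2f}  {v.cve:16} {v.product:40} {flags}")
```

The point of the ranking is that a 10.0 with no known exploitation and no exposure can legitimately sit below a lower-scored flaw that is being exploited on an internet-facing host; the inputs that move an item up the list (exploitation evidence, PoC availability, exposure) are exactly the ones a vulnerability intelligence feed and an attack surface inventory supply.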

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. Get a free external threat profile for your organization today. 

Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented “as is” without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue. No Liability for Errors or Omissions Due to the dynamic nature of cyber threat activity, this [blog/report/article] may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.
