The Week in Vulnerabilities: Apple, Citrix Flaws Draw Threat Actor Interest


Several vulnerabilities this week were the focus of intense online discussion and face active exploitation.

Cyble Vulnerability Intelligence researchers tracked 787 vulnerabilities in the last week, and more than 229 of the disclosed vulnerabilities already have publicly available proofs-of-concept (PoCs). That share (just under 30%) is at the high end of the 20-30% range of PoC availability Cyble has observed in recent weeks. 

A total of 56 vulnerabilities were rated as critical under CVSS v3.1, while 43 received a critical severity rating based on the newer CVSS v4.0 scoring system. 

Cyble also detected threat actor discussions and attack attempts on prominent vulnerabilities, raising the urgency for prompt patching by security teams. 

What follows are some of the more significant vulnerabilities investigated by Cyble researchers in the last week. 

The Week’s Top IT Vulnerabilities 

One of the more noteworthy vulnerabilities this week was CVE-2025-55177, a medium-severity flaw in WhatsApp for iOS and macOS stemming from incomplete authorization of linked-device synchronization messages. An unrelated user could exploit it to make a target's device process content from an arbitrary URL, with no user interaction required, effectively enabling a remote attack.  

The flaw is believed to have been exploited in combination with an Apple OS-level vulnerability (CVE-2025-43300) in a sophisticated attack to deploy spyware on targeted devices. Both vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. 


CVE-2025-43300 has also generated significant discussion in open-source communities. The zero-day vulnerability is in Apple's ImageIO framework, which handles image processing across iOS, iPadOS, and macOS. It is an out-of-bounds write that can be triggered by processing a malicious image file, causing memory corruption and potentially allowing a remote attacker to execute arbitrary code in the context of the application that parses the image. 

Cyble has also observed threat actors on underground forums discussing CVE-2025-24210, a logic error in the same ImageIO framework: improper error handling could allow sensitive information disclosure during image parsing. 

CVE-2025-7775, a critical memory overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances that can lead to remote code execution (RCE) and/or denial of service (DoS), continues to draw discussion in both open-source communities and underground forums, with high interest from the security community and threat actors alike. Meanwhile, Cyble honeypot sensors have detected attack attempts against an earlier NetScaler ADC and NetScaler Gateway vulnerability, CVE-2025-5777, dubbed "CitrixBleed 2" for its similarity to CVE-2023-4966. 

CVE-2025-57819, a CVSS 10.0 vulnerability in FreePBX, is also generating significant interest in the security community. It is caused by insufficiently sanitized user-supplied data in the "endpoint" module and could allow an unauthenticated attacker to gain administrative access, manipulate the database, and potentially achieve remote code execution on affected FreePBX servers. The flaw is being actively exploited in the wild and has been added to CISA's KEV catalog. The issue is fixed in endpoint module versions 15.0.66, 16.0.89, and 17.0.3. 
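Because the fix for CVE-2025-57819 ships as three separate endpoint-module releases, one per FreePBX branch, a version string has to be compared against the fixed version for its own major branch rather than against a single number. The check below is an added example, not code from Cyble or the FreePBX project; it takes the endpoint module version however you obtain it (the module admin page or fwconsole) and uses only the three fixed versions stated above. A major version the advisory does not cover returns None rather than a verdict.

```python
import re
from typing import Optional

# Fixed endpoint-module versions for CVE-2025-57819, keyed by major branch,
# as stated in the advisory summary above. Any other branch is "unknown" here.
FIXED_ENDPOINT_VERSIONS = {
    15: (15, 0, 66),
    16: (16, 0, 89),
    17: (17, 0, 3),
}


def parse_version(version: str) -> tuple:
    """Turn a dotted version string such as '16.0.88' into a comparable tuple."""
    version = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_patched(installed: str) -> Optional[bool]:
    """True if the installed endpoint module is at or above the fixed version
    for its branch, False if it is below, None if the branch is not covered
    by the advisory (so no conclusion can be drawn from these data alone)."""
    installed_v = parse_version(installed)
    fixed_v = FIXED_ENDPOINT_VERSIONS.get(installed_v[0])
    if fixed_v is None:
        return None
    # Tuple comparison is element-wise, so '16.1' > '16.0.89' and
    # '16.0.89.1' > '16.0.89', matching how the branches are versioned.
    return installed_v >= fixed_v


if __name__ == "__main__":
    # Constructed sample inputs, one per branch plus one outside the advisory.
    for sample in ("15.0.65", "15.0.66", "16.0.88", "16.0.89", "17.0.3", "14.0.1"):
        print(sample, is_patched(sample))
```

The None result matters in practice: a scanner that silently treats an uncovered branch as "patched" (or as "vulnerable") will produce confident but unsupported findings, so surface it as a separate state.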

CVE-2025-31324, an unrestricted file upload vulnerability in the SAP NetWeaver Visual Composer Metadata Uploader, is another CISA KEV entry that continues to draw interest. Cyble has detected attack attempts against it since May, and it has reportedly been chained with CVE-2025-42999, a deserialization vulnerability in the same Uploader component. Both vulnerabilities have drawn significant interest from threat groups. 

Cyble also observed threat actors on underground forums claiming zero-day exploits for the MMS parser in Android versions 11 to 15 on ARM devices and for Microsoft IIS. The Android exploit allegedly allows remote code execution with root-level access and bypasses Android's sandbox without any user interaction or visible signs; the Microsoft IIS exploit allegedly allows attackers to execute arbitrary code on vulnerable servers, likewise without user interaction. 

Cyble Vulnerability Intelligence researchers also flagged ICS vulnerabilities in Mitsubishi Electric Air Conditioning Systems (CVE-2025-3699) and SunPower PVS6 datalogger–gateway devices (CVE-2025-9696), and Siemens SINEC OS was the subject of a pair of significant CISA advisories (ICSA-25-226-07 and ICSA-25-226-15). 

Conclusion 

The significant interest in vulnerabilities from threat actors this week is a reminder that security teams must respond with rapid, well-targeted actions if they are to successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts.  
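A risk-based program means ranking by evidence of exploitation rather than by CVSS alone. The script below is an added example of that idea, not Cyble's scoring model or product logic. Its input list is constructed from the statements in this post (KEV listing, observed exploitation, the one CVSS score given); the weights, the severity-label fallbacks, and the "exposed" flags (whether the asset is internet-facing in a hypothetical environment) are assumptions, and a False public_poc simply means the post does not state one.

```python
from dataclasses import dataclass
from typing import Optional

# Fallback base score when only a severity label (or nothing) is known.
# These mappings are this example's own assumptions, not CVSS definitions.
SEVERITY_BASE = {"critical": 9.5, "high": 8.0, "medium": 5.5, "low": 3.0, None: 5.0}


@dataclass(frozen=True)
class Vuln:
    cve: str
    product: str
    cvss: Optional[float] = None     # numeric CVSS where the post states one
    severity: Optional[str] = None   # severity label where the post states one
    in_kev: bool = False             # listed in CISA KEV, per the post
    exploited: bool = False          # exploitation reported or observed, per the post
    public_poc: bool = False         # False here means "not stated in the post"
    exposed: bool = False            # ASSUMPTION: asset is internet-facing in our environment


def base_score(v: Vuln) -> float:
    return v.cvss if v.cvss is not None else SEVERITY_BASE[v.severity]


def priority_score(v: Vuln) -> float:
    # Exploitation evidence outweighs raw severity: a 10.0 with no evidence
    # scores at most 30 (20 + exposure), while a medium that is being
    # exploited scores at least 36 (11 + 25), so it always ranks higher.
    score = base_score(v) * 2
    score += 40 if v.in_kev else 0
    score += 25 if v.exploited else 0
    score += 15 if v.public_poc else 0
    score += 10 if v.exposed else 0
    return score


def tier(v: Vuln) -> str:
    """Coarse SLA bucket: exploitation evidence trumps everything else."""
    if v.in_kev or v.exploited:
        return "immediate"
    if v.public_poc or v.exposed:
        return "scheduled"
    return "routine"


def triage(vulns):
    """Highest priority first; ties broken by CVE id for a stable report."""
    return sorted(vulns, key=lambda v: (-priority_score(v), v.cve))


# Constructed from this post's statements; exposure flags are assumptions.
THIS_WEEK = [
    Vuln("CVE-2025-57819", "FreePBX endpoint module", cvss=10.0,
         in_kev=True, exploited=True, exposed=True),
    Vuln("CVE-2025-43300", "Apple ImageIO", in_kev=True, exploited=True),
    Vuln("CVE-2025-55177", "WhatsApp for iOS/macOS", severity="medium",
         in_kev=True, exploited=True),
    Vuln("CVE-2025-7775", "Citrix NetScaler ADC/Gateway", severity="critical",
         exposed=True),
    Vuln("CVE-2025-5777", "Citrix NetScaler ADC/Gateway (CitrixBleed 2)",
         exploited=True, exposed=True),
    Vuln("CVE-2025-31324", "SAP NetWeaver Visual Composer", in_kev=True,
         exploited=True, exposed=True),
]

if __name__ == "__main__":
    for v in triage(THIS_WEEK):
        print(f"{priority_score(v):5.1f}  {tier(v):9}  {v.cve}  {v.product}")
```

Note what the ordering does with the two Citrix entries: CVE-2025-7775 carries the higher severity label but, on this post's evidence, only discussion, so it lands below CVE-2025-5777, which Cyble's honeypots actually see being attacked. Swap the weights and that inversion disappears, which is exactly the decision a risk-based program has to make explicitly rather than leave to a CVSS sort.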

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. Get a free external threat profile for your organization today. 

Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented "as is" without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue. No Liability for Errors or Omissions: Due to the dynamic nature of cyber threat activity, this blog may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.
