Trending

ee-track">
Link copied!

The Week in Vulnerabilities: Cyble Warns of Rising Exploits Targeting ICS, Enterprise, and Web Systems

Cyble reports rising vulnerability threats from May 28–June 3, highlighting flaws in ICS, enterprise, and web exploits.

June 10, 2025 · 7 min read
The Week in Vulnerabilities: Cyble Warns of Rising Exploits Targeting ICS, Enterprise, and Web Systems

Between May 28 and June 3, 2025, the cybersecurity landscape witnessed an intensification of attack attempts and critical vulnerability disclosures across enterprise IT systems, industrial control environments, and underground cybercriminal forums. Cyble Research & Intelligence Labs (CRIL) captured this surge through its expansive global honeypot sensor network.

During this timeframe, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities (KEV) catalog with eight newly identified vulnerabilities actively targeted by malicious actors. Among these was CVE-2024-56145, a high-severity remote code execution flaw that reportedly has been leveraged by a China-linked advanced persistent threat (APT) group. This group has specifically targeted a broad spectrum of industries, including finance, government, IT, logistics, retail, and education sectors.

Cyble’s threat hunters recorded increased exploit attempts targeting these vulnerabilities and a notable uptick in malware intrusions, brute-force attacks, and phishing campaigns. Real-time detections of threats such as CoinMiner Linux, WannaCry ransomware variants, Mirai botnet strains, and Android-based crypto miners provided critical insights into attacker strategies and malware distribution channels.

Simultaneously, CRIL’s Industrial Control Systems (ICS) Vulnerability Intelligence Report to clients highlighted new risks to essential infrastructure components from vendors like Siemens, Schneider Electric, Mitsubishi Electric, and Consilium Safety. Edge devices and field controllers were identified as the most susceptible, frequently compromised through persistent issues such as buffer overflows and hard-coded credentials. Particularly concerning fire panels and other critical infrastructure assets, which were at risk due to insecure default configurations.

In addition to new disclosures, discussions around vulnerabilities like CVE-2024-58136 and CVE-2025-49113, actively proliferated on underground forums and Telegram channels, illustrate how cybercriminal chatter often intertwines with real-world exploitation efforts. This convergence between the KEV catalog entries and underground market activity highlights an accelerating timeline from vulnerability disclosure to active exploitation.

Weekly Cybersecurity Vulnerability: Overview and Strategic Recommendations

This week’s report aggregates the latest intelligence from CRIL’s continuous monitoring, focusing on exploited vulnerabilities, detailed malware case studies, and threats specifically affecting Industrial Control Systems (ICS). It also furnishes actionable defensive guidelines and Indicators of Compromise (IoCs) designed to empower organizations to strengthen their cybersecurity posture.

Critical Vulnerabilities and Their Impact

Below is a synopsis of the most interesting vulnerabilities recently uncovered, their affected vendors and products, nature of the flaws, severity ratings, and patch availability status:

CVE IDVendorAffected ProductsVulnerability TypeSeverityPatch AvailabilitySource
CVE-2025-21479QualcommMultiple ChipsetsIncorrect AuthorizationHighAvailableSurface Web
CVE-2025-21480QualcommMultiple ChipsetsIncorrect AuthorizationHighAvailableSurface Web
CVE-2025-27038QualcommMultiple ChipsetsUse-After-FreeHighAvailableSurface Web
CVE-2021-32030ASUSRoutersImproper AuthenticationCriticalAvailableSurface Web
CVE-2025-3935ConnectWiseScreenConnectImproper AuthenticationHighAvailableSurface Web
CVE-2025-35939Craft CMSCraft CMSExternal Control of Immutable ParameterMediumAvailableSurface Web
CVE-2024-56145Craft CMSCraft CMSCode InjectionCriticalAvailableSurface Web
CVE-2023-39780ASUSRT-AX55 RoutersOS Command InjectionHighAvailableSurface Web
CVE-2025-5419GoogleChromeOut-of-Bounds Read/WriteHighAvailableSurface Web
CVE-2025-20188CiscoIOS XE Software for WLCsArbitrary File UploadCriticalAvailableSurface Web
CVE-2025-48827vBulletinForum SoftwareRemote Code Execution (RCE)CriticalAvailableSurface/Deep Web
CVE-2024-58136YiiYii 2 PHP FrameworkImproper Protection of Alternate PathCriticalAvailableDeep Web
CVE-2025-49113RoundcubeRoundcube WebmailRemote Code ExecutionCriticalAvailableDeep Web
CVE-2025-30397MicrosoftWindows and Windows ServerType ConfusionHighAvailableDeep Web
CVE-2025-5287WordPressLikes & Dislikes PluginSQL InjectionHighN/ADeep Web

In-Depth Analysis of Selected Vulnerabilities

CRIL’s security experts performed detailed assessments on multiple vulnerabilities to gauge their real-world exploitability and internet exposure. Understanding these exploited vulnerabilities helps organizations prioritize patching efforts and defenses effectively.

CISA maintains the KEV catalog as an authoritative resource listing software flaws actively targeted by attackers. The recent inclusion of eight high-risk vulnerabilities between May 28 and June 3 reflects the dynamic threat landscape.

Notably, multiple Qualcomm chipset vulnerabilities, critical ASUS router flaws, and remote code execution bugs in ConnectWise’s ScreenConnect and Craft CMS were added to the KEV catalog.

Highlighted Vulnerabilities Under Active Exploitation

  • CVE-2025-5419 (Google Chrome): A dangerous out-of-bounds read/write flaw in the V8 JavaScript engine allows heap corruption via crafted HTML content. Although not widely exposed via the internet, it remains a significant risk to end users through web-based attacks.
  • CVE-2025-20188 (Cisco IOS XE for Wireless LAN Controllers): This critical flaw allows unauthenticated attackers to upload arbitrary files and execute root commands through the image download interface. The existence of a public proof-of-concept exploit has accelerated patching urgency, especially since many vulnerable devices remain accessible online.
  • CVE-2025-48827 (vBulletin Forum Software): A remote code execution vulnerability lets attackers bypass API access controls on PHP 8.1+ forums. Active exploitation has been confirmed on numerous internet-facing vBulletin forums, making this a high-priority patch target.

Exploited Vulnerabilities in Underground Forums

CRIL’s surveillance of dark web forums and Telegram channels reveals active exchanges of exploit code related to the KEV catalog vulnerabilities, indicating the cybercriminal underground is leveraging these flaws:

Moreover, zero-day exploits targeting WordPress 6.8.1 and recent Linux kernel versions further demonstrate the increasing sophistication and speed at which threat actors exploit vulnerabilities once disclosed.

Spotlight Case Studies of High-Impact Vulnerabilities

CrushFTP Authentication Bypass (CVE-2025-31161): A critical flaw in the AWS4-HMAC authorization method allows attackers to bypass authentication via race conditions. This vulnerability poses a cybersecurity risk to systems not protected by DMZ proxies.

PHP CGI Argument Injection (CVE-2024-4577): This remote code execution vulnerability allows attackers to manipulate CGI parameters, impacting countless web applications due to PHP’s ubiquity.

OSGeo GeoServer RCE (CVE-2024-36401): Unsafe evaluation of geospatial data enables unauthenticated remote code execution, threatening all GeoServer versions before 2.23.6, 2.24.4, and 2.25.2.

Ivanti Virtual Traffic Manager Authentication Bypass (CVE-2024-7593): A critical authentication flaw allows remote attackers unauthorized administrative access, risking configuration tampering and malicious payload deployment.

VICIdial Unauthenticated SQL Injection (CVE-2024-8503): This time-based SQL injection vulnerability in open-source contact center software exposes sensitive credentials and enables further compromise.

Vulnerabilities Impacting IoT and Industrial Systems

Several vulnerabilities compromise IoT devices and critical infrastructure components:

  • D-Link DNS Series Information Disclosure (CVE-2024-3274): Remote attackers can retrieve sensitive device data via an unprotected CGI endpoint.
  • Icegram Express WordPress Plugin SQL Injection (CVE-2024-2876): Allows attackers to extract subscriber data without authentication.
  • Oracle Xstore Office Remote Access (CVE-2024-21136): Unauthenticated attackers can access sensitive retail data through vulnerable versions.
  • Metabase Remote Code Execution (CVE-2023-38646): Unauthenticated RCE vulnerability risks complete server takeover.
  • Apache OFBiz Arbitrary File Reading & SSRF (CVE-2023-50968): Increases attack surface via unauthorized internal requests.
  • Citrix NetScaler ADC & Gateway Buffer Overflow (CVE-2023-4966): Information disclosure risks through buffer overflow flaws.

Observed Attack Patterns and Malware Campaigns

Cyble’s sensors detected multiple attack attempts exploiting known weaknesses:

  • Exploits targeting CVE-2020-11899 (Treck TCP/IP stack out-of-bounds read) exceeded 22,000 attempts.
  • Wind River VxWorks vulnerabilities (CVE-2019-12255 through CVE-2019-12263), Microsoft Remote Desktop Services flaw CVE-2019-0708, and Apache Struts CVE-2017-5638 remain heavily targeted.
  • Mirai botnet variants continued exploiting Dasan GPON home routers through known flaws (CVE-2018-10561, CVE-2018-10562), highlighting persistent IoT security challenges.

Conclusion

The data from this week’s Cyble Sensors highlights the dynamic and escalating nature of cybersecurity threats. To defend against both nation-state actors and opportunistic cybercriminals, organizations must prioritize patching known exploited vulnerabilities (KEVs), harden device configurations, monitor for indicators of compromise, and stay informed about new threat actor tactics.

Equally, vendors must act promptly to disclose flaws and release effective patches. Cyble offers an integrated Cyber Threat Intelligence platform that combines attack surface management, dark web monitoring, vulnerability management, incident response, and AI-powered analytics to support this proactive defense posture.

Cyble empowers organizations to strengthen their cyber resilience and protect digital assets with tailored threat intelligence and a unified approach to threat exposure management. Schedule a DEMO today to see how Cyble can protect your critical infrastructure.

References:

AI Threat Intelligence

Stop Executive Threats
Before They Strike

Monitor dark web chatter, detect lookalike domains, and protect your C-suite from targeted impersonation — in real time, across 50+ countries.

Scroll to Top

Book your session

Request a Personalized Demo

See how Cyble's threat intelligence protects your organization. A specialist will reach out within one business day.

Select one or more options

Cyble protects your personal data to manage your account and deliver requested content. Submit your details to receive updates. Withdraw consent anytime. See our privacy policy for details.

Your information is encrypted and never shared.
SOC 2 Type II GDPR compliant Trusted by 1,000+ teams

Download the brochure

Get the Cyble Vision Brochure

Explore how Cyble Vision delivers AI-powered threat intelligence across your attack surface. Fill in your details to access the brochure.

Select one or more options

Cyble protects your personal data to manage your account and deliver requested content. Submit your details to receive updates. Withdraw consent anytime. See our privacy policy for details.

Your information is encrypted and never shared.
SOC 2 Type II GDPR compliant Trusted by 1,000+ teams