Between May 28 and June 3, 2025, the cybersecurity landscape witnessed an intensification of attack attempts and critical vulnerability disclosures across enterprise IT systems, industrial control environments, and underground cybercriminal forums. Cyble Research & Intelligence Labs (CRIL) captured this surge through its expansive global honeypot sensor network.
During this timeframe, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities (KEV) catalog with eight newly identified vulnerabilities actively targeted by malicious actors. Among these was CVE-2024-56145, a high-severity remote code execution flaw that reportedly has been leveraged by a China-linked advanced persistent threat (APT) group. This group has specifically targeted a broad spectrum of industries, including finance, government, IT, logistics, retail, and education sectors.
Cyble’s threat hunters recorded increased exploit attempts targeting these vulnerabilities and a notable uptick in malware intrusions, brute-force attacks, and phishing campaigns. Real-time detections of threats such as CoinMiner Linux, WannaCry ransomware variants, Mirai botnet strains, and Android-based crypto miners provided critical insights into attacker strategies and malware distribution channels.
Simultaneously, CRIL’s Industrial Control Systems (ICS) Vulnerability Intelligence Report to clients highlighted new risks to essential infrastructure components from vendors like Siemens, Schneider Electric, Mitsubishi Electric, and Consilium Safety. Edge devices and field controllers were identified as the most susceptible, frequently compromised through persistent issues such as buffer overflows and hard-coded credentials. Fire panels and other critical infrastructure assets were of particular concern, as insecure default configurations left them exposed.
In addition to new disclosures, discussions of vulnerabilities such as CVE-2024-58136 and CVE-2025-49113, which proliferated on underground forums and Telegram channels, illustrate how cybercriminal chatter often intertwines with real-world exploitation efforts. This convergence between KEV catalog entries and underground market activity highlights an accelerating timeline from vulnerability disclosure to active exploitation.
Weekly Cybersecurity Vulnerability: Overview and Strategic Recommendations
This week’s report aggregates the latest intelligence from CRIL’s continuous monitoring, focusing on exploited vulnerabilities, detailed malware case studies, and threats specifically affecting Industrial Control Systems (ICS). It also furnishes actionable defensive guidelines and Indicators of Compromise (IoCs) designed to empower organizations to strengthen their cybersecurity posture.
Critical Vulnerabilities and Their Impact
Below is a synopsis of the most interesting vulnerabilities recently uncovered, their affected vendors and products, nature of the flaws, severity ratings, and patch availability status:
| CVE ID | Vendor | Affected Products | Vulnerability Type | Severity | Patch Availability | Source |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2025-21479 | Qualcomm | Multiple Chipsets | Incorrect Authorization | High | Available | Surface Web |
| CVE-2025-21480 | Qualcomm | Multiple Chipsets | Incorrect Authorization | High | Available | Surface Web |
| CVE-2025-27038 | Qualcomm | Multiple Chipsets | Use-After-Free | High | Available | Surface Web |
| CVE-2021-32030 | ASUS | Routers | Improper Authentication | Critical | Available | Surface Web |
| CVE-2025-3935 | ConnectWise | ScreenConnect | Improper Authentication | High | Available | Surface Web |
| CVE-2025-35939 | Craft CMS | Craft CMS | External Control of Immutable Parameter | Medium | Available | Surface Web |
| CVE-2024-56145 | Craft CMS | Craft CMS | Code Injection | Critical | Available | Surface Web |
| CVE-2023-39780 | ASUS | RT-AX55 Routers | OS Command Injection | High | Available | Surface Web |
| CVE-2025-5419 | Google | Chrome | Out-of-Bounds Read/Write | High | Available | Surface Web |
| CVE-2025-20188 | Cisco | IOS XE Software for WLCs | Arbitrary File Upload | Critical | Available | Surface Web |
| CVE-2025-48827 | vBulletin | Forum Software | Remote Code Execution (RCE) | Critical | Available | Surface/Deep Web |
| CVE-2024-58136 | Yii | Yii 2 PHP Framework | Improper Protection of Alternate Path | Critical | Available | Deep Web |
| CVE-2025-49113 | Roundcube | Roundcube Webmail | Remote Code Execution | Critical | Available | Deep Web |
| CVE-2025-30397 | Microsoft | Windows and Windows Server | Type Confusion | High | Available | Deep Web |
| CVE-2025-5287 | WordPress | Likes & Dislikes Plugin | SQL Injection | High | N/A | Deep Web |
In-Depth Analysis of Selected Vulnerabilities
CRIL’s security experts performed detailed assessments on multiple vulnerabilities to gauge their real-world exploitability and internet exposure. Understanding these exploited vulnerabilities helps organizations prioritize patching efforts and defenses effectively.
CISA maintains the KEV catalog as an authoritative resource listing software flaws actively targeted by attackers. The recent inclusion of eight high-risk vulnerabilities between May 28 and June 3 reflects the dynamic threat landscape.
Notably, multiple Qualcomm chipset vulnerabilities, critical ASUS router flaws, and remote code execution bugs in ConnectWise’s ScreenConnect and Craft CMS were added to the KEV catalog.
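As an added example (not part of Cyble’s report or its tooling), the following Python script shows how a defender can turn the KEV catalog into a patch-priority list: it cross-references a constructed asset inventory against a constructed sample written in the shape of CISA’s KEV JSON feed and orders the matches by remediation urgency. The hostnames, dates and the product-matching heuristic are assumptions for illustration.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed: the field names are the
# feed's real ones; the entries and dates are made up here, not the catalog's records.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-20188", "vendorProject": "Cisco", "product": "IOS XE",
     "dueDate": "2025-06-23", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-56145", "vendorProject": "Craft CMS", "product": "Craft CMS",
     "dueDate": "2025-06-19", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-4966", "vendorProject": "Citrix", "product": "NetScaler ADC and Gateway",
     "dueDate": "2023-11-08", "knownRansomwareCampaignUse": "Known"},
]})

# Constructed asset inventory (hypothetical hosts, as a CMDB export might look).
ASSETS = [
    {"host": "wlc01.corp.example", "vendor": "cisco", "product": "IOS XE Software for WLCs"},
    {"host": "www.corp.example", "vendor": "Craft CMS", "product": "Craft CMS 5"},
    {"host": "vpn.corp.example", "vendor": "Citrix", "product": "NetScaler Gateway"},
    {"host": "db01.corp.example", "vendor": "PostgreSQL", "product": "PostgreSQL 16"},
]

def _norm(s):
    return " ".join(s.lower().split())

def product_matches(kev_product, asset_product):
    """KEV product names are terse ('IOS XE') while inventories are verbose, so accept
    containment either way or a shared token longer than three characters."""
    k, a = _norm(kev_product), _norm(asset_product)
    if k in a or a in k:
        return True
    return bool({t for t in k.split() if len(t) > 3} & set(a.split()))

def kev_exposure(feed_json, assets, today_iso=None):
    """One finding per (asset, KEV entry) match, most urgent first: overdue CISA
    deadlines, then ransomware-linked CVEs, then soonest due date."""
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    findings = []
    for asset in assets:
        for e in json.loads(feed_json)["vulnerabilities"]:
            if _norm(e["vendorProject"]) != _norm(asset["vendor"]):
                continue  # vendor must match (case-insensitive); avoids cross-vendor noise
            if not product_matches(e["product"], asset["product"]):
                continue
            findings.append({"host": asset["host"], "cve": e["cveID"],
                             "days_to_due": (date.fromisoformat(e["dueDate"]) - today).days,
                             "ransomware": e["knownRansomwareCampaignUse"] == "Known"})
    findings.sort(key=lambda f: (f["days_to_due"] >= 0, not f["ransomware"], f["days_to_due"]))
    return findings
```

Against the real feed, point `KEV_FEED` at the downloaded `known_exploited_vulnerabilities.json` and replace `ASSETS` with your inventory export; a negative `days_to_due` means the CISA remediation deadline has already passed.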
Highlighted Vulnerabilities Under Active Exploitation
- CVE-2025-5419 (Google Chrome): A dangerous out-of-bounds read/write flaw in the V8 JavaScript engine allows heap corruption via crafted HTML content. Although not widely exposed via the internet, it remains a significant risk to end users through web-based attacks.
- CVE-2025-20188 (Cisco IOS XE for Wireless LAN Controllers): This critical flaw allows unauthenticated attackers to upload arbitrary files and execute root commands through the image download interface. The existence of a public proof-of-concept exploit has accelerated patching urgency, especially since many vulnerable devices remain accessible online.
- CVE-2025-48827 (vBulletin Forum Software): A remote code execution vulnerability lets attackers bypass API access controls on PHP 8.1+ forums. Active exploitation has been confirmed on numerous internet-facing vBulletin forums, making this a high-priority patch target.
Exploited Vulnerabilities in Underground Forums
CRIL’s surveillance of dark web forums and Telegram channels reveals active exchanges of exploit code related to the KEV catalog vulnerabilities, indicating the cybercriminal underground is leveraging these flaws:
- Yii 2 PHP Framework (CVE-2024-58136): Remote code execution through improper alternate path protection.
- Microsoft Windows Scripting Engine (CVE-2025-30397): Remote code execution is possible via crafted URLs exploiting type confusion.
- Roundcube Webmail (CVE-2025-49113): Remote code execution caused by insufficient input validation during file uploads.
Moreover, zero-day exploits targeting WordPress 6.8.1 and recent Linux kernel versions further demonstrate the increasing sophistication and speed at which threat actors exploit vulnerabilities once disclosed.
Spotlight Case Studies of High-Impact Vulnerabilities
CrushFTP Authentication Bypass (CVE-2025-31161): A critical flaw in the AWS4-HMAC authorization method allows attackers to bypass authentication via race conditions. This vulnerability poses a cybersecurity risk to systems not protected by DMZ proxies.
PHP CGI Argument Injection (CVE-2024-4577): This remote code execution vulnerability allows attackers to manipulate CGI parameters, impacting countless web applications due to PHP’s ubiquity.
OSGeo GeoServer RCE (CVE-2024-36401): Unsafe evaluation of geospatial data enables unauthenticated remote code execution, threatening all GeoServer versions before 2.23.6, 2.24.4, and 2.25.2.
Ivanti Virtual Traffic Manager Authentication Bypass (CVE-2024-7593): A critical authentication flaw allows remote attackers unauthorized administrative access, risking configuration tampering and malicious payload deployment.
VICIdial Unauthenticated SQL Injection (CVE-2024-8503): This time-based SQL injection vulnerability in open-source contact center software exposes sensitive credentials and enables further compromise.
Vulnerabilities Impacting IoT and Industrial Systems
Several vulnerabilities compromise IoT devices and critical infrastructure components:
- D-Link DNS Series Information Disclosure (CVE-2024-3274): Remote attackers can retrieve sensitive device data via an unprotected CGI endpoint.
- Icegram Express WordPress Plugin SQL Injection (CVE-2024-2876): Allows attackers to extract subscriber data without authentication.
- Oracle Xstore Office Remote Access (CVE-2024-21136): Unauthenticated attackers can access sensitive retail data through vulnerable versions.
- Metabase Remote Code Execution (CVE-2023-38646): Unauthenticated RCE vulnerability risks complete server takeover.
- Apache OFBiz Arbitrary File Reading & SSRF (CVE-2023-50968): Increases attack surface via unauthorized internal requests.
- Citrix NetScaler ADC & Gateway Buffer Overflow (CVE-2023-4966): Information disclosure risks through buffer overflow flaws.
Observed Attack Patterns and Malware Campaigns
Cyble’s sensors detected multiple attack attempts exploiting known weaknesses:
- Exploits targeting CVE-2020-11899 (Treck TCP/IP stack out-of-bounds read) exceeded 22,000 attempts.
- Wind River VxWorks vulnerabilities (CVE-2019-12255 through CVE-2019-12263), Microsoft Remote Desktop Services flaw CVE-2019-0708, and Apache Struts CVE-2017-5638 remain heavily targeted.
- Mirai botnet variants continued exploiting Dasan GPON home routers through known flaws (CVE-2018-10561, CVE-2018-10562), highlighting persistent IoT security challenges.
Conclusion
The data from this week’s Cyble Sensors highlights the dynamic and escalating nature of cybersecurity threats. To defend against both nation-state actors and opportunistic cybercriminals, organizations must prioritize patching known exploited vulnerabilities (KEVs), harden device configurations, monitor for indicators of compromise, and stay informed about new threat actor tactics.
Equally, vendors must act promptly to disclose flaws and release effective patches. Cyble offers an integrated Cyber Threat Intelligence platform that combines attack surface management, dark web monitoring, vulnerability management, incident response, and AI-powered analytics to support this proactive defense posture.
Cyble empowers organizations to strengthen their cyber resilience and protect digital assets with tailored threat intelligence and a unified approach to threat exposure management. Schedule a DEMO today to see how Cyble can protect your critical infrastructure.
References:
- https://nvd.nist.gov/vuln/detail/CVE-2025-5419
- https://nvd.nist.gov/vuln/detail/cve-2025-30397
- https://nvd.nist.gov/vuln/detail/CVE-2025-31161
- https://nvd.nist.gov/vuln/detail/cve-2024-3274
- https://nvd.nist.gov/vuln/detail/CVE-2024-2876
- https://www.cisa.gov/guidance-addressing-citrix-netscaler-adc-and-gateway-vulnerability-cve-2023-4966-citrix-bleed
- https://nvd.nist.gov/vuln/detail/CVE-2020-11899
- https://nvd.nist.gov/vuln/detail/CVE-2024-56145