Full Report
Cyble Vulnerability Intelligence researchers tracked 678 vulnerabilities in the last week, a decline from the high volume of new vulnerabilities observed in the last few weeks of 2025. Nearly 100 of the disclosed vulnerabilities already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks on those vulnerabilities. A total of 42 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 15 received a critical severity rating based on the newer CVSS v4.0 scoring system. Below are some of the more significant IT and industrial control system (ICS) vulnerabilities highlighted by Cyble in recent reports to clients.

The Week's Top IT Vulnerabilities

CVE-2025-60534 is a critical authentication bypass vulnerability affecting Blue Access Cobalt v02.000.195, which could allow an attacker to selectively proxy requests to operate functionality on the web application without the need for authentication, potentially allowing full admin access to the application and door systems.

CVE-2025-68428 is a critical path traversal and local file inclusion vulnerability in the jsPDF JavaScript library's Node.js builds. It affects methods like loadFile, addImage, html, and addFont, where unsanitized user input used as file paths could enable attackers to read arbitrary server files and embed their contents into generated PDFs.

CVE-2020-36923 is a medium-severity insecure direct object reference (IDOR) vulnerability in Sony BRAVIA Digital Signage 1.7.8, which could allow attackers to bypass authorization controls and access hidden system resources like '/#/content-creation' by manipulating client-side access restrictions.

CISA added its first two vulnerabilities of 2026 to the Known Exploited Vulnerabilities (KEV) catalog: a 16-year-old Microsoft PowerPoint flaw and a new maximum-severity HPE vulnerability. The agency added 245 vulnerabilities to the KEV catalog in 2025.
CVE-2025-37164 is a 10.0-severity Code Injection vulnerability in HPE's OneView IT infrastructure management software up to version 10.20 that has had a publicly available PoC since last month, while CVE-2009-0556 is a 9.3-rated Code Injection vulnerability present in Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3, and PowerPoint in Microsoft Office 2004 for Mac that was first known to be exploited in April 2009.

Notable vulnerabilities discussed in open-source communities include CVE-2025-13915, a critical authentication bypass vulnerability in IBM API Connect that could allow remote unauthenticated attackers to circumvent authentication controls and gain unauthorized access to sensitive API management functions. Another was CVE-2025-68668, a 9.9-severity sandbox bypass vulnerability in the n8n workflow automation platform's Python Code Node that uses Pyodide.

Another vulnerability getting attention is CVE-2025-52691, a maximum-severity unauthenticated arbitrary file upload vulnerability in SmarterMail email servers. The flaw affects SmarterMail versions before Build 9413 and could allow remote attackers to upload malicious files to any server location without requiring credentials, which could lead to remote code execution (RCE), full server compromise, data theft, or ransomware deployment.

Cyble dark web researchers observed a threat actor (TA) on a cybercrime forum advertising a zero-day vulnerability allegedly affecting the latest version of Microsoft Word. The TA described the vulnerability as affecting a Dynamic Link Library (DLL) module that Microsoft Word loads without proper verification due to the absence of absolute path validation, allegedly enabling remote code execution and local privilege escalation. The TA did not provide a technical proof of concept, affected version numbers, or independent verification; therefore, the claim remains unverified.
ICS Vulnerabilities

Three ICS vulnerabilities also merit priority attention by security teams.

CVE-2025-3699 is a Missing Authentication for Critical Function vulnerability affecting multiple versions of Mitsubishi Electric Air Conditioning Systems. Successful exploitation of the vulnerability could have far-reaching consequences beyond simple unauthorized access. By bypassing authentication, an attacker could gain full control over the air conditioning system, enabling them to manipulate environmental conditions within commercial facilities. This could lead to equipment overheating, disruption of medical environments, or production downtime. Additionally, access to sensitive information stored within the system, such as configuration files, user credentials, or operational logs, could provide attackers with valuable intelligence for further compromise.

CVE-2025-59287, a vulnerability disclosed by Microsoft in the Windows Server Update Services (WSUS) application, impacts servers running Schneider Electric EcoStruxure Foxboro DCS Advisor. Deserialization of untrusted data in WSUS could allow an unauthorized attacker to execute code over a network.

CVE-2018-4063 is a remote code execution vulnerability in the upload.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3 that was added to CISA's KEV database last month after attacks were detected on OT network perimeter devices.

Conclusion

New vulnerabilities declining closer to long-term trends would be welcome news if it continues, but that still leaves security teams with hundreds of new vulnerabilities a week to contend with, many of which have PoCs or active exploits. In that challenging environment, rapid, well-targeted actions are needed to patch the most critical vulnerabilities and successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts.
Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. Cyble's comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.

The post The Week in Vulnerabilities: 2026 Starts with 100 PoCs and New Exploits appeared first on Cyble.
Analysis Summary
***
# Vulnerability: Blue Access Cobalt Critical Authentication Bypass
## CVE Details
- CVE ID: CVE-2025-60534
- CVSS Score: Critical (no numeric score given in the report; described only as "critical")
## Affected Systems
- Products: Blue Access Cobalt
- Versions: v02.000.195
- Configurations: N/A
## Vulnerability Description
A critical authentication bypass vulnerability exists that could allow an attacker to selectively proxy requests to operate functionality on the web application without authentication.
## Exploitation
- Status: PoC available (inferred from the report's statement that nearly 100 of the disclosed vulnerabilities already have a public PoC; not confirmed for this CVE specifically)
- Complexity: Not explicitly stated; the report's description of unauthenticated full admin access suggests exploitation is readily accessible.
- Attack Vector: Network
## Impact
- Confidentiality: High (Potential full admin access)
- Integrity: High (Potential full admin access to door systems)
- Availability: High (Potential control over physical systems)
## Remediation
### Patches
- Not provided in the report; check the vendor advisory for a fixed build.
### Workarounds
- Not provided in the report.
## Detection
- Focus monitoring on unexpected administrative activities or access attempts bypassing standard authentication protocols.
## References
- Vendor advisory for Blue Access Cobalt updates.
***
# Vulnerability: jsPDF Node.js Path Traversal and LFI
## CVE Details
- CVE ID: CVE-2025-68428
- CVSS Score: Critical (no numeric score given in the report; described only as "critical")
## Affected Systems
- Products: jsPDF JavaScript library (Node.js builds)
- Versions: Not specified in the report.
- Components: The `loadFile`, `addImage`, `html`, and `addFont` methods.
- Configurations: Deployments that pass unsanitized user input as file paths to these methods.
## Vulnerability Description
A path traversal and local file inclusion (LFI) vulnerability exists in the Node.js builds of jsPDF. Unsanitized user input used as file paths in vulnerable methods allows attackers to read arbitrary server files and embed their contents into generated PDFs.
## Exploitation
- Status: PoC available (inferred from the report's statement that nearly 100 of the disclosed vulnerabilities already have a public PoC; not confirmed for this CVE specifically)
- Complexity: Low to Moderate (Requires supplying malicious input to a specific function).
- Attack Vector: Network (via input submission)
## Impact
- Confidentiality: High (Unauthorized file reading)
- Integrity: Moderate (Content embedding)
- Availability: Low to Medium
## Remediation
### Patches
- Not provided in the report; update to a jsPDF release that addresses CVE-2025-68428.
### Workarounds
- Ensure all file path inputs processed by `loadFile`, `addImage`, `html`, and `addFont` methods are strictly validated and sanitized on the server side.
## Detection
- Monitor for file reading operations originating from PDF generation processes involving user-supplied paths.
## References
- Vendor advisory for jsPDF updates.
***
# Vulnerability: HPE OneView Code Injection (CISA KEV)
## CVE Details
- CVE ID: CVE-2025-37164
- CVSS Score: 10.0
- CWE: Code Injection
## Affected Systems
- Products: HPE OneView IT infrastructure management software
- Versions: Up to version 10.20
- Configurations: N/A
## Vulnerability Description
A maximum-severity Code Injection vulnerability allows remote code execution within the HPE OneView software.
## Exploitation
- Status: PoC available (Publicly available since last month) and added to CISA KEV.
- Complexity: Not explicitly stated; the maximum score and direct RCE outcome point to low exploitation complexity.
- Attack Vector: Network
## Impact
- Confidentiality: High
- Integrity: High
- Availability: High
## Remediation
### Patches
- Update HPE OneView beyond version 10.20. Check HPE advisories for specific patched versions.
### Workarounds
- Focus on network segmentation to isolate HPE OneView management plane access.
## Detection
- Monitor network traffic reaching the HPE OneView management interface for payloads characteristic of code injection attempts.
## References
- CISA KEV Catalog entry.
- HPE Security Advisory for CVE-2025-37164.
***
# Vulnerability: IBM API Connect Authentication Bypass
## CVE Details
- CVE ID: CVE-2025-13915
- CVSS Score: Critical (no numeric score given in the report; described only as "critical")
## Affected Systems
- Products: IBM API Connect
- Versions: Not specified in the report.
- Configurations: N/A
## Vulnerability Description
A critical authentication bypass vulnerability allows remote, unauthenticated attackers to circumvent authentication controls and gain unauthorized access to sensitive API management functions.
## Exploitation
- Status: Notable discussion in open-source communities. Exploitation likely feasible.
- Complexity: Not explicitly stated, but unauthenticated access implies low barrier.
- Attack Vector: Network
## Impact
- Confidentiality: High (Access to sensitive API management functions)
- Integrity: High
- Availability: High
## Remediation
### Patches
- Not provided in the report; check IBM security bulletins for the fixed release.
### Workarounds
- Implement strict ingress controls and rate limiting at the network edge protecting API Connect endpoints.
## Detection
- Monitor for successful authentication attempts originating from unauthorized or unexpected IP addresses/clients accessing API management interfaces.
## References
- IBM Security Advisory for CVE-2025-13915.
***
# Vulnerability: SmarterMail Unauthenticated Arbitrary File Upload
## CVE Details
- CVE ID: CVE-2025-52691
- CVSS Score: Maximum severity (implies CVSS 10.0, though no numeric score is given in the report)
## Affected Systems
- Products: SmarterMail email servers
- Versions: Before Build 9413
- Configurations: N/A
## Vulnerability Description
A maximum-severity unauthenticated arbitrary file upload vulnerability exists. Remote attackers can upload malicious files to any server location without credentials, leading to potential Remote Code Execution (RCE), server compromise, data theft, or ransomware deployment.
## Exploitation
- Status: Attracts attention due to high potential impact and unauthenticated nature.
- Complexity: Low (Unauthenticated network access is sufficient).
- Attack Vector: Network
## Impact
- Confidentiality: Critical
- Integrity: Critical
- Availability: Critical
## Remediation
### Patches
- Upgrade SmarterMail to Build 9413 or newer.
### Workarounds
- Restrict external access to web-facing SmarterMail components if immediate patching is impossible.
## Detection
- Monitor file system activity for the creation of unexpected or executable files in web application directories or system locations.
## References
- SmarterMail security advisory related to Build 9413.
***
# ICS Vulnerability: Mitsubishi Electric Air Conditioning Authentication Bypass
## CVE Details
- CVE ID: CVE-2025-3699
- CVSS Score: Not given in the report (the flaw is described as allowing "full control" of the system)
## Affected Systems
- Products: Mitsubishi Electric Air Conditioning Systems
- Versions: Multiple versions affected
- Configurations: N/A
## Vulnerability Description
A Missing Authentication for Critical Function vulnerability allows an attacker to bypass authentication entirely, gaining full control over the air conditioning system.
## Exploitation
- Status: Not explicitly mentioned, but high impact warrants proactive patching.
- Complexity: Not explicitly stated.
- Attack Vector: Network (implied for ICS operations).
## Impact
- Confidentiality: Medium (Access to configuration files/credentials)
- Integrity: Critical (Manipulation of environmental conditions)
- Availability: Critical (Equipment overheating, production downtime)
## Remediation
### Patches
- Consult Mitsubishi Electric for patches specific to the affected AC system model and version.
### Workarounds
- Implement network segmentation to restrict access to the ICS network segment controlling the AC systems. Leverage strong perimeter defenses.
## Detection
- Monitor control system network traffic for configuration changes or anomalous operational commands directed at the AC units.
## References
- Mitsubishi Electric ICS security advisories.
***
# Historical/KEV Vulnerabilities (For Context/Priority)
| CVE ID | Severity (CVSS) | Product/Description | Status/Notes |
| :--- | :--- | :--- | :--- |
| **CVE-2025-37164** | 10.0 | HPE OneView (Up to 10.20) Code Injection | CISA KEV; Public PoC available. |
| **CVE-2009-0556** | 9.3 | Microsoft Office PowerPoint (Various older versions) Code Injection | CISA KEV; First exploited in 2009. |
| **CVE-2018-4063** | N/A | Sierra Wireless AirLink ES450 FW 4.9.3 RCE (upload.cgi) | CISA KEV; Attacks detected on OT perimeter devices. |
| **CVE-2020-36923** | Medium | Sony BRAVIA Digital Signage 1.7.8 IDOR | Allows access to hidden resources like `/#/content-creation`. |
| **CVE-2025-68668** | 9.9 | n8n workflow automation platform (Python Code Node w/ Pyodide) Sandbox Bypass | High-severity finding discussed in open-source communities. |