Full Report
Cyble Vulnerability Intelligence researchers tracked 1,128 vulnerabilities in the last week; more than 138 already have a publicly available Proof-of-Concept (PoC), significantly raising the chances of real-world attacks. A total of 67 vulnerabilities were rated critical under the CVSS v3.1 scoring system, while 22 received a critical severity rating under the newer CVSS v4.0 system. Here are some of the IT and ICS vulnerabilities flagged by Cyble threat intelligence researchers in recent reports to clients.

## The Week's Top IT Vulnerabilities

CVE-2025-55754 is an Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat: terminal control sequences (ANSI escape codes) carried in request data, such as a crafted URL, were written unescaped to the console log. Successful exploitation could lead to indirect administrative command execution through console manipulation, putting system integrity and confidentiality at risk if an administrator viewing the console is tricked into executing attacker-chosen commands.

CVE-2025-59287 continues to attract the interest of threat actors on underground forums monitored by Cyble. Last week CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and issued a separate alert on the Microsoft out-of-band security update. The critical remote code execution (RCE) vulnerability in Microsoft Windows Server Update Services (WSUS) could allow unauthenticated attackers to execute arbitrary code remotely against WSUS servers exposed to the internet on the default TCP ports (8530 for HTTP and 8531 for HTTPS), potentially enabling lateral movement within enterprise environments.

Other vulnerabilities added to the CISA KEV catalog in the last week include:

- CVE-2025-54236, also known as "SessionReaper," a critical vulnerability affecting Adobe Commerce and Magento Open Source. The flaw stems from improper input validation in the Commerce REST API and could allow remote, unauthenticated attackers to hijack customer accounts and, under some configurations, achieve remote code execution (RCE).
- CVE-2025-41244, a local privilege escalation vulnerability affecting VMware Aria Operations and VMware Tools. A local threat actor with non-administrative privileges on a VM that has VMware Tools installed and is managed by Aria Operations with SDMP (Service Discovery Management Pack) enabled could exploit the vulnerability to escalate privileges to root on that VM.
- CVE-2025-24893, a code injection vulnerability affecting the XWiki Platform. Any guest can achieve arbitrary remote code execution through a request to the `SolrSearch` page, compromising the confidentiality, integrity, and availability of the entire XWiki installation. Cyble first detected attack attempts on the vulnerability in March.

One of the week's highest-rated vulnerabilities is, fortunately, one that was already fixed for users. CVE-2025-59503 is a 9.9-rated Server-Side Request Forgery (SSRF) vulnerability in the Microsoft Azure Compute Resource Provider, specifically the Azure Compute Gallery, that could have allowed an authorized attacker to perform SSRF attacks. The issue has been fixed by Microsoft on the service side, and Microsoft had not detected any attacks on the vulnerability as of the time of publication.

CVE-2025-55315 is generating significant interest in open-source communities. The 9.9-rated vulnerability in ASP.NET Core, specifically in the Kestrel web server component, involves an inconsistent interpretation of HTTP requests, leading to HTTP request/response smuggling. This flaw could allow an authorized attacker to bypass security features over a network by smuggling an extra HTTP request inside another, potentially enabling actions that would normally require authentication.

## Vulnerabilities Under Discussion on Underground Forums

Cyble dark web researchers observed threat actors on the dark web and underground forums discussing weaponizing multiple vulnerabilities. They include:

- CVE-2025-61984: A vulnerability in OpenSSH (versions prior to 10.1) that allows command injection via the ProxyCommand feature when an attacker is able to supply a specially crafted username containing control characters (such as a newline followed by a payload) and that username is expanded into the ProxyCommand string through the `%r` token. This could lead to remote code execution on the client system in a specific scenario; OpenSSH 10.1 rejects usernames containing control characters.
- CVE-2025-40778: A high-severity vulnerability affecting BIND 9 DNS resolvers, widely used open-source DNS software. The flaw arises because BIND 9 is too lenient under certain conditions when accepting records in DNS responses, potentially allowing remote, unauthenticated attackers to inject forged DNS records into the resolver's cache (cache poisoning). This could enable attackers to redirect Internet traffic to malicious sites, distribute malware, intercept network traffic, or disrupt services by supplying attacker-controlled DNS responses.
- CVE-2025-30247: A critical OS command injection vulnerability affecting Western Digital My Cloud firmware prior to 5.31.108 on NAS platforms. The vulnerability could allow remote attackers to execute arbitrary system commands via a specially crafted HTTP POST request to the device's web interface, without authentication or user interaction.
- CVE-2025-9242: A critical out-of-bounds write vulnerability affecting WatchGuard Fireware OS, specifically the `iked` process that handles IKEv2 VPN services. Successful exploitation could allow a remote, unauthenticated attacker to execute arbitrary code on vulnerable devices, potentially leading to full system compromise.
- CVE-2025-49844: Also known as "RediShell," a critical remote code execution (RCE) vulnerability in the Redis in-memory data store. It is a use-after-free memory corruption bug in the Lua scripting engine affecting Redis versions up to 8.2.1. An authenticated user could send a specially crafted Lua script that manipulates the garbage collector and triggers the use-after-free, potentially escaping the Lua sandbox and executing arbitrary native code on the host.

## ICS Vulnerabilities

Cyble vulnerability researchers also flagged three industrial control system (ICS) vulnerabilities at risk of exploitation. They include:

- CVE-2025-9574, a 9.9-rated Missing Authentication for Critical Function vulnerability affecting ASKI Energy's ALS-mini-s4 IP (serial numbers 2000 to 5166) and ALS-mini-s8 IP (serial numbers 2000 to 5166). Successful exploitation could allow an attacker to gain full control over the device.
- CVE-2025-58428, a Command Injection vulnerability affecting Veeder-Root TLS4B versions prior to 11.A. The 9.9-rated flaw could allow an attacker to achieve remote command execution, full shell access, and potential lateral movement within the network.
- CVE-2024-11737, a 9.3-rated Improper Input Validation vulnerability affecting Schneider Electric Modicon Controllers M241 (versions prior to 5.2.11.29), Modicon Controllers M251 (versions prior to 5.2.11.29), Modicon Controllers M258 (versions prior to 5.0.4.19), and Modicon Controllers LMC058 (versions prior to 5.0.4.19). The flaw could allow an attacker to achieve remote command execution, full shell access, and potential lateral movement within the network.

## Conclusion

The high number of critical and exploited vulnerabilities this week highlights the need for security teams to respond with rapid, well-targeted actions to defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts.

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. Cyble's comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.

The post The Week in Vulnerabilities: Cyble Urges Apache, Microsoft Fixes appeared first on Cyble.
Analysis Summary
The following is a summarized, actionable breakdown of the vulnerabilities tracked in the report above, written from a vulnerability research perspective:
---
# Vulnerability: Apache Tomcat Indirect Command Execution
## CVE Details
- CVE ID: CVE-2025-55754
- CVSS Score: Not stated in the source; treat as high-impact given the integrity and confidentiality risk described.
- CWE: Improper Neutralization of Escape, Meta, or Control Sequences
## Affected Systems
- Products: Apache Tomcat
- Versions: Not specified in the source; Apache's advisory for this CVE lists the affected and fixed releases in the 9.0.x, 10.1.x and 11.0.x branches.
- Configurations: Exposure requires Tomcat's log output to be displayed on a console or terminal that interprets control sequences; logs written only to files and reviewed with tooling that escapes control characters are not directly affected.
## Vulnerability Description
This is an Improper Neutralization of Escape, Meta, or Control Sequences weakness: terminal control sequences (ANSI escape codes) present in request data, for example a crafted URL, reach the console log unescaped. Exploitation is indirect. The sequences can rewrite what an administrator sees on the console (clearing the screen, moving the cursor, changing the window title, overwriting earlier lines), so an administrator may be tricked into running attacker-chosen commands, yielding **indirect administrative command execution**.
## Exploitation
- Status: Not stated in the source (the report's count of 138+ vulnerabilities with a public PoC is an aggregate figure and does not name this CVE).
- Complexity: Depends on social engineering; the attacker must get a crafted request logged and an administrator must act on the manipulated console output.
- Attack Vector: Network (crafted request), with administrator interaction required for impact.
## Impact
- Confidentiality: Risk due to potential command execution.
- Integrity: High risk of successful indirect command execution.
- Availability: Potential loss of availability if system commands are executed.
## Remediation
### Patches
- Upgrade to the fixed release for your Tomcat branch as listed in Apache's advisory for CVE-2025-55754 (the 9.0.x, 10.1.x and 11.0.x branches all received fixes).
### Workarounds
- Avoid viewing Tomcat console output in a terminal that honours escape sequences; send logs to files and review them with tooling that displays control characters literally (for example `less` without `-r`/`-R`), or configure the logging layer to escape non-printable characters before output.
## Detection
- Scan access and console logs for request URIs, headers or user agents containing an ESC byte (0x1B) or its percent-encoded form (`%1B`); there is no legitimate reason for these to appear in ordinary requests.
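The two halves of that advice in working form, as an added example (this is not code from Apache Tomcat or from the original report): a `neutralize()` helper that renders control bytes visibly before a user-controlled string is written to a console log, and a detector that flags request lines carrying escape sequences, URL-decoding first so that `%1B` is caught as well as a raw ESC byte. The sample request lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# CSI sequences (ESC [ params intermediates final), OSC sequences (ESC ] ... BEL
# or ESC \), and any stray ESC byte that starts something else.
ESCAPE_SEQ = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"              # CSI: cursor movement, colours, clear screen
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"   # OSC: terminal title, hyperlinks, ...
    r"|\x1b"                                # anything else introduced by ESC
)

# Constructed sample log lines (not real traffic).
SAMPLE_REQUEST_LINES = [
    "GET /index.html HTTP/1.1",
    "GET /app/\x1b[2J\x1b[H HTTP/1.1",              # clear screen + cursor home
    "GET /api?q=\x1b]0;admin-shell\x07 HTTP/1.1",   # OSC: rewrite the terminal title
    "GET /%1b%5b31mALERT HTTP/1.1",                 # percent-encoded ESC [ 31 m (red text)
]


def neutralize(value: str) -> str:
    """Render control bytes visibly (\\x1b, \\x07, ...) so a logged string cannot
    drive the terminal. Printable text, spaces and tabs pass through unchanged."""
    return "".join(
        ch if ch.isprintable() or ch == "\t" else f"\\x{ord(ch):02x}"
        for ch in value
    )


def find_escape_sequences(request_line: str) -> list:
    """Return the raw control sequences found in a request line. The line is
    URL-decoded first so percent-encoded ESC bytes (%1B) do not slip past."""
    return ESCAPE_SEQ.findall(unquote(request_line))


def scan_log(lines) -> list:
    """Return (line_number, sequences) for every line carrying escape sequences."""
    hits = []
    for number, line in enumerate(lines, start=1):
        found = find_escape_sequences(line)
        if found:
            hits.append((number, found))
    return hits


if __name__ == "__main__":
    for number, sequences in scan_log(SAMPLE_REQUEST_LINES):
        print(f"line {number}: {len(sequences)} sequence(s) -> "
              f"{neutralize(SAMPLE_REQUEST_LINES[number - 1])}")
```

`neutralize()` is the shape of fix a logging layer needs: the decision is made per character, so new escape families do not need a regex update, and the escaped form (`\x1b`) is still greppable. The detector, by contrast, deliberately URL-decodes, because an attacker will not send a raw ESC byte when `%1B` reaches the log unchanged.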
## References
- Apache Tomcat security pages for the 9.0.x, 10.1.x and 11.0.x branches (entry for CVE-2025-55754).
---
# Vulnerability: Microsoft WSUS Critical RCE (CISA KEV)
## CVE Details
- CVE ID: CVE-2025-59287
- CVSS Score: Critical (the source rates it critical; a numeric score is not given)
- CWE: Not specified in the source
## Affected Systems
- Products: Microsoft Windows Server Update Services (WSUS)
- Versions: Not specified in the source; any WSUS server without the out-of-band update should be treated as vulnerable.
- Configurations: Exploitable against WSUS servers reachable from untrusted networks on the default TCP ports (8530 for HTTP, 8531 for HTTPS).
## Vulnerability Description
A critical Remote Code Execution (RCE) vulnerability in Microsoft WSUS. Unauthenticated attackers can execute arbitrary code remotely on an exposed server. Because WSUS is trusted to distribute updates to every client in the estate, a compromised server is a natural pivot for lateral movement, which is the risk the source highlights.
## Exploitation
- Status: **Known Exploited in the Wild (CISA KEV cataloged)**
- Complexity: Low (unauthenticated, against a network-reachable service)
- Attack Vector: Network
## Impact
- Confidentiality: High (Arbitrary code execution)
- Integrity: High (Arbitrary code execution)
- Availability: High (Potential system compromise)
## Remediation
### Patches
- Apply the Microsoft out-of-band security update referenced in the CISA alert.
### Workarounds
- Block inbound TCP 8530/8531 from the internet and other untrusted zones at the host and perimeter firewalls; where the WSUS Server role is not in use on a host, disable it.
## Detection
- Monitor for unexpected child processes spawned by the WSUS service or the IIS worker process hosting WSUS, and for outbound connections from WSUS servers to destinations other than Microsoft Update and the organization's own clients.
## References
- CISA KEV Catalog.
- Microsoft out-of-band security update documentation.
---
# Vulnerability: Adobe Commerce/Magento Session Hijacking & RCE (CISA KEV)
## CVE Details
- CVE ID: CVE-2025-54236
- CVSS Score: Critical (the source rates it critical; a numeric score is not given)
- CWE: Improper Input Validation
## Affected Systems
- Products: Adobe Commerce and Magento Open Source platforms
- Versions: Not specified
- Configurations: Flaw exists in the Commerce REST API.
## Vulnerability Description
Known as "SessionReaper," this critical vulnerability stems from improper input validation in the Commerce REST API. Remotely, unauthenticated attackers can hijack customer accounts, and in some configurations, achieve Remote Code Execution (RCE).
## Exploitation
- Status: **Known Exploited (CISA KEV cataloged)**
- Complexity: Low (remote, unauthenticated requests to the REST API)
- Attack Vector: Network
## Impact
- Confidentiality: High (Account hijacking)
- Integrity: High (Potential RCE)
- Availability: Moderate
## Remediation
### Patches
- Apply relevant Adobe security updates addressing this vulnerability.
### Workarounds
- Restrict or monitor traffic to the Commerce REST API endpoint if patching is delayed.
## Detection
- Monitor for unauthorized account access or changes originating from API calls.
## References
- CISA KEV Catalog.
- Adobe Commerce Security Advisories.
---
# Vulnerability: VMware Aria Operations/Tools LPE (CISA KEV)
## CVE Details
- CVE ID: CVE-2025-41244
- CVSS Score: Not given in the source
- CWE: Not specified in the source (vulnerability class: local privilege escalation)
## Affected Systems
- Products: VMware Aria Operations and VMware Tools
- Versions: Not specified
- Configurations: Requires a local, non-administrative user on a VM that has VMware Tools installed and is managed by Aria Operations with **SDMP (Service Discovery Management Pack) enabled**.
## Vulnerability Description
A local privilege escalation flaw. A local, unprivileged attacker on a configured VM can escalate their privileges to **root** on that same VM.
## Exploitation
- Status: **Known Exploited (CISA KEV cataloged)**
- Complexity: Low once a foothold exists; the attacker must already have local, non-administrative access to the VM.
- Attack Vector: Local
## Impact
- Confidentiality: High (Root access allows data exfiltration)
- Integrity: High (Root access allows system modification)
- Availability: High
## Remediation
### Patches
- Apply VMware security updates for Aria Operations and VMware Tools.
### Workarounds
- Disable SDMP for VMs that do not need service discovery, reducing the number of exposed guests, pending patching.
## Detection
- On VMs managed by Aria with SDMP enabled, monitor for processes running as root whose parent chain starts in a non-root user session, and for unexpected binaries executed by the VMware Tools daemon.
## References
- CISA KEV Catalog.
- VMware Security Advisories.
---
# Vulnerability: XWiki Platform Code Injection (CISA KEV)
## CVE Details
- CVE ID: CVE-2025-24893
- CVSS Score: Not given in the source (a KEV listing records exploitation, not severity; the source describes the impact as full compromise of the installation)
- CWE: Code Injection
## Affected Systems
- Products: XWiki Platform
- Versions: Not specified
- Configurations: Exploitable by unauthenticated (guest) users via a request to the `SolrSearch` page.
## Vulnerability Description
A code injection vulnerability allowing any guest user to achieve arbitrary **Remote Code Execution (RCE)** by sending a crafted request to the `SolrSearch` page, with full loss of confidentiality, integrity and availability for the XWiki installation. Cyble first detected attack attempts in March.
## Exploitation
- Status: **Being actively exploited (CISA KEV addition, attack attempts noted since March)**
- Complexity: Low (Guest access, request-based)
- Attack Vector: Network
## Impact
- Confidentiality: High
- Integrity: High (Arbitrary RCE)
- Availability: High
## Remediation
### Patches
- Apply XWiki Platform security patches.
### Workarounds
- Disable guest (unauthenticated) access to the wiki where possible, or block requests to the `SolrSearch` page from untrusted networks at a WAF or reverse proxy, pending upgrade.
## Detection
- Monitor web server and application logs for requests to `SolrSearch` from unauthenticated sessions, especially those carrying script-like content in query parameters.
## References
- CISA KEV Catalog.
- XWiki Platform Security Advisories.
---
# Vulnerability: Azure Compute Gallery SSRF (Previously Fixed)
## CVE Details
- CVE ID: CVE-2025-59503
- CVSS Score: 9.9 (Critical)
- CWE: Server-Side Request Forgery (SSRF)
## Affected Systems
- Products: Microsoft Azure Compute Resource Provider (Azure Compute Gallery)
- Versions: Not specified
- Configurations: Required an authorized attacker.
## Vulnerability Description
A 9.9-rated SSRF vulnerability in the Azure Compute Gallery. An authorized user could have made the service issue server-side requests to destinations of the attacker's choosing.
## Exploitation
- Status: **Fixed by Vendor** (No attacks detected at time of publication)
- Complexity: Medium (Requires authorization)
- Attack Vector: Network
## Impact
- Confidentiality: High (If SSRF leads to internal credential access)
- Integrity: Moderate
- Availability: Moderate
## Remediation
### Patches
- Fixed by Microsoft within the Azure service; no customer patch or configuration change is required.
### Workarounds
- None required; the fix was applied on the service side.
## Detection
- Not applicable to customers: the fix is server-side, and Microsoft reported no observed attacks as of publication.
## References
- Microsoft Security Update Guide for CVE-2025-59503.
---
# Vulnerability: ASP.NET Core Kestrel HTTP Request Smuggling
## CVE Details
- CVE ID: CVE-2025-55315
- CVSS Score: 9.9 (Critical)
- CWE: Inconsistent Interpretation of HTTP Requests
## Affected Systems
- Products: ASP.NET Core (Kestrel web server component)
- Versions: Not specified
- Configurations: Highest risk where Kestrel sits behind a reverse proxy, load balancer or WAF that parses the same HTTP/1.1 byte stream differently; that disagreement is what a request smuggling attack exploits.
## Vulnerability Description
HTTP request/response smuggling caused by an inconsistent interpretation of HTTP requests between Kestrel and another component (typically a front-end proxy) that parses the same byte stream. An authorized attacker can hide an extra HTTP request inside another so that the front end sees one request while Kestrel sees two, bypassing security checks or authentication that the front end was supposed to enforce.
## Exploitation
- Status: Generating significant interest in open-source communities (the source does not say whether a public PoC exists).
- Complexity: Not stated in the source.
- Attack Vector: Network
## Impact
- Confidentiality: High (Authentication bypass)
- Integrity: High (Bypassing security measures)
- Availability: Moderate
## Remediation
### Patches
- Apply the .NET / ASP.NET Core updates addressing CVE-2025-55315. Applications that ship their own copy of the framework (self-contained deployments) must be rebuilt against the patched runtime and redeployed; patching the host runtime alone does not fix them.
### Workarounds
- None specified in the source. A front-end proxy configured to reject ambiguous framing (for example both Content-Length and Transfer-Encoding in one request) reduces exposure but does not replace the patch.
## Detection
- Look for requests that carry both Content-Length and Transfer-Encoding, chunk-size lines not terminated by CRLF, and mismatches between the number of requests a proxy and Kestrel each log for the same connection.
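To make the "one request to the front end, two to the back end" mechanism concrete, the following added example (not code from ASP.NET Core or from the original report) frames one constructed byte stream under three policies: trust Content-Length, trust Transfer-Encoding, or reject the ambiguity outright, as RFC 9112 §6.3 permits a server to do. It illustrates the generic CL.TE desync class; the page does not describe the exact parsing difference behind CVE-2025-55315, and this code does not claim to reproduce it.

```python
from typing import Dict, List, Tuple

# Constructed stream: Content-Length covers the whole remainder (39 bytes), but
# the chunked body ends after "0\r\n\r\n", leaving a second request behind.
SMUGGLED_STREAM = (
    b"POST / HTTP/1.1\r\n"
    b"Host: app\r\n"
    b"Content-Length: 39\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"                                  # chunked body ends here ...
    b"GET /admin HTTP/1.1\r\nHost: app\r\n\r\n"   # ... but CL says it continues
)


def _parse_head(head: bytes) -> Tuple[str, Dict[bytes, List[bytes]]]:
    """Split a request head into its request line and a lower-cased header map."""
    lines = head.split(b"\r\n")
    headers: Dict[bytes, List[bytes]] = {}
    for raw in lines[1:]:
        name, _, value = raw.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].decode("ascii"), headers


def _skip_chunked_body(buf: bytes, pos: int) -> int:
    """Return the offset just past a chunked body that starts at pos."""
    while True:
        eol = buf.index(b"\r\n", pos)
        size = int(buf[pos:eol].split(b";")[0], 16)   # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            while buf[pos:pos + 2] != b"\r\n":         # skip any trailer fields
                pos = buf.index(b"\r\n", pos) + 2
            return pos + 2
        if buf[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not CRLF-terminated")
        pos += size + 2


def split_requests(stream: bytes, framing: str) -> List[str]:
    """Return the request lines a parser sees in `stream` under one framing policy:
    'cl' trusts Content-Length, 'te' trusts Transfer-Encoding, and 'strict'
    rejects any message that carries both."""
    requests, pos = [], 0
    while pos < len(stream):
        head_end = stream.index(b"\r\n\r\n", pos)
        request_line, headers = _parse_head(stream[pos:head_end])
        pos = head_end + 4
        cl = headers.get(b"content-length", [])
        te = headers.get(b"transfer-encoding", [])
        if cl and te and framing == "strict":
            raise ValueError("ambiguous framing: Content-Length and Transfer-Encoding")
        if len(set(cl)) > 1:
            raise ValueError("conflicting Content-Length values")
        if te and not (framing == "cl" and cl):
            pos = _skip_chunked_body(stream, pos)
        elif cl:
            pos += int(cl[0])
        requests.append(request_line)
    return requests


def is_ambiguous(stream: bytes) -> bool:
    """True when a strict parser would refuse the stream."""
    try:
        split_requests(stream, "strict")
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for policy in ("cl", "te"):
        print(policy, "->", split_requests(SMUGGLED_STREAM, policy))
    print("strict rejects:", is_ambiguous(SMUGGLED_STREAM))
```

A front end framing by Content-Length forwards the whole stream as one `POST` and applies its access checks once; a back end framing by Transfer-Encoding then executes `GET /admin` as a second request that the front end never evaluated. The `strict` policy is the defensive posture to ask of any proxy in front of Kestrel while the patch is rolled out.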
## References
- Microsoft Security Update Guide entry for CVE-2025-55315.
---
# Vulnerabilities Discussed on Underground Forums (High Concern)
This section details vulnerabilities observed being actively discussed for weaponization:
| CVE | Product | Severity (Inferred) | Technical Description | Exploitation Status/PoC | Affected Config |
| :--- | :--- | :--- | :--- | :--- | :--- |
| **CVE-2025-61984** | OpenSSH (pre-10.1) | High | Command injection via `ProxyCommand` when a specially crafted username containing control characters (e.g., a newline) is expanded into the command string through the `%r` token. | Discussed for RCE on the client | Requires the attacker to control the username used by a `ProxyCommand` containing `%r` |
| **CVE-2025-40778** | BIND 9 DNS resolvers | High | Lenient handling of DNS records allows remote, unauthenticated attackers to perform **cache poisoning**. | Discussed for exploitation | Under specific conditions when accepting records |
| **CVE-2025-30247** | Western Digital My Cloud firmware | Critical | OS Command Injection via a specially crafted HTTP POST request to the web interface. | Discussed for exploitation | Prior to 5.31.108; Unauthenticated access to web interface |
| **CVE-2025-9242** | WatchGuard Fireware OS (`iked`) | Critical | Out-of-bounds write in the `iked` process that handles IKEv2 VPN services; remote, unauthenticated code execution. | Discussed for exploitation | Devices with IKEv2 VPN services exposed |
| **CVE-2025-49844** | Redis (up to 8.2.1) | Critical (RCE) | Use-after-free memory corruption bug ("RediShell") triggered by authenticated users sending malicious Lua scripts to manipulate the garbage collector, potentially escaping the sandbox. | Discussed for exploitation | Requires authentication and Lua scripting enabled |
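For the OpenSSH entry, the following added example (not code from OpenSSH or from the original report) shows why a control character in a username matters: ssh expands `%r` into the `ProxyCommand` string and hands the result to the shell, so a newline in the username becomes a second shell line. The gate at the end mirrors what OpenSSH 10.1 does in spirit, refusing usernames with control characters before expansion. The `ProxyCommand` template and the hostile username are constructed for illustration.

```python
import re

# Assumed ssh_config ProxyCommand; %h/%p are the target host and port, %r the
# remote username. Constructed for this example.
PROXY_TEMPLATE = "ssh -W %h:%p jump.example.com -l %r"

# Constructed hostile username: a valid-looking name, then a newline and a payload.
HOSTILE_USER = "alice\ntouch /tmp/pwned"

# ASCII control characters (NUL..US) and DEL. Newline and CR are the dangerous
# ones for shell injection; ESC is dangerous for the terminal (see the Tomcat item).
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def expand_proxy_command(template: str, user: str, host: str, port: int) -> str:
    """Expand %r, %h and %p the way ssh does before running the result via the shell."""
    return (template.replace("%r", user)
                    .replace("%h", host)
                    .replace("%p", str(port)))


def injected_lines(template: str, user: str, host: str, port: int) -> list:
    """The shell lines an unsanitised expansion would produce (one per command)."""
    return expand_proxy_command(template, user, host, port).splitlines()


def is_safe_username(user: str) -> bool:
    """Reject usernames containing any control character."""
    return bool(user) and CONTROL_CHARS.search(user) is None


def safe_expand(template: str, user: str, host: str, port: int) -> str:
    """Expansion guarded by the username check; refuses rather than sanitises,
    because there is no legitimate username that contains a newline."""
    if not is_safe_username(user):
        raise ValueError(f"refusing control characters in username: {user!r}")
    return expand_proxy_command(template, user, host, port)


if __name__ == "__main__":
    for line in injected_lines(PROXY_TEMPLATE, HOSTILE_USER, "target.example.com", 22):
        print("shell would run:", line)
    try:
        safe_expand(PROXY_TEMPLATE, HOSTILE_USER, "target.example.com", 22)
    except ValueError as exc:
        print("blocked:", exc)
```

The point of refusing rather than escaping is that usernames reach ssh from places the user does not type (for example repository URLs consumed by tooling that shells out to ssh), so the only safe rule is the one the fixed client applies: no control characters at all.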
## Mitigation Strategy for Discussed Flaws (General)
1. **Prioritize Patching:** Immediately patch OpenSSH (10.1 or later), BIND 9, Western Digital My Cloud firmware (5.31.108 or later), WatchGuard Fireware OS, and Redis (8.2.2 or later, or the patched release for your branch).
2. **Network Segmentation:** Segment critical infrastructure, especially DNS resolvers (BIND) and VPN endpoints (WatchGuard).
3. **Access Control:** Require authentication on every Redis instance, keep it off the internet, and until patched restrict `EVAL`/`EVALSHA` (the `@scripting` ACL category) to the few users that genuinely need Lua; restrict BIND recursion to trusted clients and enable DNSSEC validation to limit the value of a poisoned cache.
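The Redis stopgap above is an ACL change, and the question to answer first is which users can currently reach the scripting commands at all. The following added example (not code from the Redis project or from the original report) applies the rules of a `user` line left to right, the way Redis evaluates them, and reports every enabled user who can still run a command in the `@scripting` category (the commands assumed here are those Redis groups under that category). The sample ACL file is constructed; only the rules that affect this check are modelled, so other categories and key/channel patterns are skipped.

```python
from typing import Dict, List, Set

# Commands Redis groups under the @scripting ACL category (assumed list).
SCRIPTING_COMMANDS: Set[str] = {
    "eval", "evalsha", "eval_ro", "evalsha_ro",
    "fcall", "fcall_ro", "function", "script",
}

# Constructed sample users.acl (not from any real deployment).
SAMPLE_ACL = """\
user default on nopass ~* &* +@all
user app on >app-secret ~app:* +@read +@write -@scripting
user batch on >batch-secret ~* +@all -@scripting +eval
user reporting off >old-secret ~* +@all
"""


def parse_acl_user(line: str) -> Dict:
    """Apply one `user ...` line rule by rule and return the resulting state."""
    parts = line.split()
    state: Dict = {"name": parts[1], "enabled": False,
                   "nopass": False, "scripting": set()}
    for rule in parts[2:]:
        low = rule.lower()
        if low == "on":
            state["enabled"] = True
        elif low == "off":
            state["enabled"] = False
        elif low == "nopass":
            state["nopass"] = True
        elif low == "resetpass":
            state["nopass"] = False
        elif low in ("+@all", "allcommands", "+@scripting"):
            state["scripting"] = set(SCRIPTING_COMMANDS)
        elif low in ("-@all", "nocommands", "-@scripting"):
            state["scripting"] = set()
        elif low.startswith("+") and low[1:].split("|")[0] in SCRIPTING_COMMANDS:
            state["scripting"].add(low[1:].split("|")[0])   # e.g. +eval, +function|list
        elif low.startswith("-") and low[1:] in SCRIPTING_COMMANDS:
            state["scripting"].discard(low[1:])
        # passwords, key/channel patterns and other categories do not change
        # whether a scripting command is reachable, so they are ignored here
    return state


def audit_scripting_exposure(acl_text: str) -> Dict[str, List[str]]:
    """Map each enabled user who can run a scripting command to the findings."""
    findings: Dict[str, List[str]] = {}
    for line in acl_text.splitlines():
        if not line.startswith("user "):
            continue
        user = parse_acl_user(line)
        if not user["enabled"] or not user["scripting"]:
            continue
        notes = ["can run " + ", ".join(sorted(user["scripting"]))]
        if user["nopass"]:
            notes.insert(0, "no password required")
        findings[user["name"]] = notes
    return findings


def harden(acl_line: str) -> str:
    """Append -@scripting: the user keeps every other permission but loses Lua/Functions."""
    return acl_line.rstrip() + " -@scripting"


if __name__ == "__main__":
    for name, notes in audit_scripting_exposure(SAMPLE_ACL).items():
        print(f"{name}: {'; '.join(notes)}")
```

Rule order matters, which is why `batch` is still flagged: `-@scripting` removes the category, but the later `+eval` adds one command back. Appending `-@scripting` at the end of a line, as `harden()` does, wins over anything earlier. The `default` user with `nopass` and `+@all` is the configuration that turns an "authenticated user" bug into an unauthenticated one.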
---
# ICS Vulnerabilities
| CVE | CVSS Score | Product | Technical Description | Exploitation Status | Potential Impact |
| :--- | :--- | :--- | :--- | :--- | :--- |
| **CVE-2025-9574** | 9.9 (Critical) | ASKI Energy ALS-mini-s4 IP & ALS-mini-s8 IP | Missing Authentication for Critical Function. | High Risk | Full device control. |
| **CVE-2025-58428** | 9.9 (Critical) | Veeder-Root TLS4B | Command Injection vulnerability. | High Risk | Remote Command Execution, full shell access. |
| **CVE-2024-11737** | 9.3 (Critical) | Schneider Electric Modicon Controllers (M241, M251, M258, LMC058) | Improper Input Validation. | High Risk | Remote Command Execution, full shell access. |
## ICS Remediation & Detection
1. **Immediate Patching:** Apply vendor updates for all listed ICS products (Veeder-Root TLS4B: 11.A or later; Schneider Modicon M241/M251: 5.2.11.29 or later; M258/LMC058: 5.0.4.19 or later; ASKI ALS-mini-s4 IP / ALS-mini-s8 IP with serial numbers 2000 to 5166: per the vendor advisory).
2. **Network Isolation:** Ensure these ICS devices are fully segmented from corporate or public networks (Defense-in-Depth for OT).
3. **Monitoring:** Monitor network traffic targeting the management interfaces of these devices for unexpected commands or configuration requests.
---
## Overall Summary & Risk Posture
The last week presents a high-risk environment: **more than 138 vulnerabilities have publicly available PoCs**, and products from Microsoft, Adobe, VMware and XWiki were added to the **CISA KEV catalog**, confirming active exploitation. Security teams should patch KEV-listed items first, followed closely by the critical-rated vulnerabilities above (the 9.9-scored ASP.NET Core, ASKI and Veeder-Root issues; the 9.9-scored Azure SSRF needs no customer action) across IT and ICS environments.