Full Report
Cyble Vulnerability Intelligence researchers tracked 826 vulnerabilities in the last week, and more than 130 of the disclosed vulnerabilities already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks on those vulnerabilities. A total of 81 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 12 received a critical severity rating based on the newer CVSS v4.0 scoring system. What follows are 15 IT and ICS vulnerabilities flagged by Cyble threat intelligence researchers as meriting high-priority attention by security teams, including seven vulnerabilities under discussion by threat actors on the dark web. The Week’s Top IT Vulnerabilities CVE-2025-59367 is an authentication bypass vulnerability identified in certain ASUS DSL series routers. The flaw could potentially allow remote attackers to gain unauthorized access to affected systems without requiring any privileges or user interaction. CVE-2025-62215 is a race condition vulnerability in the Windows Kernel caused by improper synchronization when multiple threads access shared kernel resources concurrently. The flaw could allow an authorized local attacker to escalate privileges to the SYSTEM level by exploiting this race condition. The vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. CVE-2025-64446 is a critical path traversal vulnerability in Fortinet FortiWeb, a web application firewall used to protect web applications. The vulnerability has been actively exploited in the wild since at least early October 2025, allowing unauthenticated remote attackers to create unauthorized administrative accounts on vulnerable devices by sending crafted HTTP POST requests that exploit relative path traversal. It also has been added to the CISA KEV catalog. CVE-2025-58034 is a high-severity OS command injection vulnerability in Fortinet FortiWeb. The flaw could allow an authenticated attacker to execute unauthorized operating system commands through crafted HTTP requests or CLI commands. The vulnerability has also been added to the CISA KEV catalog. CVE-2025-11001 is a high-severity remote code execution (RCE) vulnerability in the popular file archiving software 7-Zip. It arises from a flaw in the way 7-Zip parses ZIP file directories, potentially allowing an attacker to craft a malicious archive that triggers a directory traversal. Proof-of-concept exploits have been publicly released, making it easier for attackers to weaponize. Vulnerabilities Under Discussion on the Dark Web Cyble dark web researchers observed threat actors on underground and cybercrime forums discussing weaponizing several vulnerabilities, among them: CVE-2025-64495: A high-severity stored DOM-based Cross-Site Scripting (XSS) vulnerability in Open WebUI, a self-hosted artificial intelligence platform, affecting versions 0.6.34 and below. The vulnerability exists in the chat window's prompt insertion feature, where user-controlled HTML from custom prompts is assigned directly to the DOM sink .innerHTML without proper sanitization when the "Insert Prompt as Rich Text" setting is enabled. While the marked library is used to parse the content, it does not sanitize HTML, potentially allowing attackers with low-level privileges to create malicious prompts containing JavaScript payloads that execute when other users insert those prompts via slash commands. CVE-2025-60710: A high-severity local privilege escalation vulnerability in the Host Process for Windows Tasks affecting Microsoft Windows 11 Version 25H2 (build 10.0.26200.0). The vulnerability involves improper link resolution before file access. The flaw potentially allows an authorized attacker with limited local privileges to exploit improper handling of symbolic links or junction points in the Host Process for Windows Tasks, redirecting file operations to unintended locations and escalating their privileges. CVE-2025-26686: A Windows TCP/IP remote code execution (RCE) vulnerability caused by sensitive data being stored in improperly locked memory, potentially allowing a network attacker to execute arbitrary code when specific network traffic (notably DHCPv6) is processed on affected Windows systems. CVE-2025-10230: A 10.0-severity unauthenticated remote command execution vulnerability in Samba’s WINS “wins hook” handling on Active Directory Domain Controllers, exploitable over the network with no user interaction when a specific, legacy WINS configuration is enabled. CVE-2025-12101: A medium-severity reflected cross-site scripting (XSS) vulnerability in Citrix NetScaler ADC and NetScaler Gateway when configured as a Gateway or AAA virtual server, affecting SSO flows and potentially allowing attacker-controlled JavaScript execution in a victim’s browser. CVE-2025-59118: A high-severity unrestricted file upload vulnerability in Apache OFBiz before 24.09.03 that can be leveraged for unauthenticated remote code execution on affected servers. The flaw potentially allows a remote attacker to upload arbitrary files of dangerous types (for example, scripts or binaries) because OFBiz does not properly restrict or validate uploaded content in the vulnerable path. CVE-2025-21042: A high-severity out‑of‑bounds write vulnerability in Samsung’s libimagecodec.quram.so image‑processing library that allows remote, often zero‑click, arbitrary code execution on affected Galaxy devices and has been exploited in the wild to deploy the LANDFALL Android spyware. ICS Vulnerabilities Cyble threat intelligence researchers also flagged three industrial control system (ICS) vulnerabilities as meriting high-priority attention by security teams. CVE-2025-58083 affects the General Industrial Controls Lynx+ Gateway, an industrial protocol converter and gateway device designed to connect and enable seamless communication between different industrial network devices. The embedded web server of this device lacks essential authentication protection for critical functions, potentially allowing an unauthenticated remote attacker to reset the device without user interaction. CVE-2025-11862 is an Incorrect Authorization vulnerability in multiple versions of Rockwell Automation Verve Asset Manager. Successful exploitation of this vulnerability could allow an attacker to access or alter user data. CVE-2025-41733 is an Authentication Bypass vulnerability affecting multiple versions of METZ CONNECT EWIO2. Successful exploitation could allow an attacker to bypass authentication and remotely control the device or execute remote code. Conclusion The high number of critical and exploited vulnerabilities in this week’s report underscores the ever-present threats facing security teams, who must respond with rapid, well-targeted actions to successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts. Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. The post The Week in Vulnerabilities: Cyble Urges Fortinet, Microsoft Fixes appeared first on Cyble.
Analysis Summary
# Weekly Vulnerability Summary Report (Based on Cyble Intelligence)
Overall context: 826 vulnerabilities tracked last week; over 130 have public PoCs. 81 rated critical (CVSS v3.1); 12 rated critical (CVSS v4.0). 15 vulnerabilities demand high-priority security attention, including 7 actively discussed by threat actors on the dark web.
---
# Vulnerability: ASUS DSL Router Authentication Bypass
## CVE Details
- CVE ID: CVE-2025-59367
- CVSS Score: Not explicitly provided in the text. (Implied high risk due to unauthenticated access)
- CWE: Authentication Bypass
## Affected Systems
- Products: ASUS DSL series routers (Certain models)
- Versions: Not specified.
- Configurations: Not specified.
## Vulnerability Description
An authentication bypass vulnerability exists, potentially allowing remote, unauthenticated attackers to gain unauthorized access to affected router systems without requiring any privileges or user interaction.
## Exploitation
- Status: Not explicitly stated as being exploited, but risk is high due to lack of authentication requirement.
- Complexity: Likely Low (Remote, unauthenticated).
- Attack Vector: Network
## Impact
- Confidentiality: High (Unauthorized access)
- Integrity: High (Unauthorized access can lead to configuration changes)
- Availability: Potential impact depending on control gained.
## Remediation
### Patches
- [Vendor patches are required. Check ASUS security advisories for specific models.]
### Workarounds
- [N/A cited]
## Detection
- [Monitor for suspicious remote login attempts to the router management interface.]
## References
- [N/A cited]
---
# Vulnerability: Windows Kernel Race Condition Privilege Escalation
## CVE Details
- CVE ID: CVE-2025-62215
- CVSS Score: Not explicitly provided in the text.
- CWE: Race Condition
## Affected Systems
- Products: Windows Kernel (Microsoft Windows)
- Versions: Not specified (Implied impact across affected Windows versions).
- Configurations: Requires an authorized local attacker context.
## Vulnerability Description
A race condition vulnerability exists in the Windows Kernel due to improper synchronization when multiple threads concurrently access shared kernel resources. This can be exploited by an authorized local attacker to escalate privileges up to the SYSTEM level.
## Exploitation
- Status: Exploited in the wild (Added to CISA KEV catalog).
- Complexity: Medium (Requires local access but leads to SYSTEM privileges).
- Attack Vector: Local
## Impact
- Confidentiality: High (SYSTEM access)
- Integrity: High (SYSTEM access)
- Availability: Potential impact.
## Remediation
### Patches
- [Microsoft security updates addressing CVE-2025-62215.]
- **Action Required:** As this is on the CISA KEV catalog, immediate patching is critical.
### Workarounds
- [N/A cited]
## Detection
- [Monitor for local privilege escalation attempts targeting kernel objects or processes associated with concurrent access patterns.]
## References
- [CISA KEV Catalog entry for CVE-2025-62215]
---
# Vulnerability: Fortinet FortiWeb Unauthenticated Path Traversal RCE
## CVE Details
- CVE ID: CVE-2025-64446
- CVSS Score: Critical (Implied by text description, likely N/A or high under CVSS v3.1/v4.0)
- CWE: Path Traversal
## Affected Systems
- Products: Fortinet FortiWeb (Web Application Firewall)
- Versions: Not specified.
- Configurations: Standard deployment exposing management/web interfaces.
## Vulnerability Description
A critical relative path traversal vulnerability allows unauthenticated remote attackers to create unauthorized administrative accounts. This is achieved by sending crafted HTTP POST requests that exploit the path traversal flaw.
## Exploitation
- Status: Actively exploited in the wild since early October 2025 (Added to CISA KEV catalog).
- Complexity: Low (Unauthenticated Remote).
- Attack Vector: Network
## Impact
- Confidentiality: High (Administrative access)
- Integrity: Critical (Administrative control)
- Availability: High (Full device compromise)
## Remediation
### Patches
- [Fortinet security updates addressing CVE-2025-64446.]
- **Action Required:** As this is on the CISA KEV catalog and actively exploited, immediate patching is mandatory.
### Workarounds
- [N/A cited]
## Detection
- [Monitor ingress traffic for HTTP POST requests targeting FortiWeb interfaces containing path traversal sequences (e.g., `../`) that attempt to write or create files/users.]
## References
- [CISA KEV Catalog entry for CVE-2025-64446]
---
# Vulnerability: Fortinet FortiWeb OS Command Injection
## CVE Details
- CVE ID: CVE-2025-58034
- CVSS Score: High-severity (Implied)
- CWE: OS Command Injection
## Affected Systems
- Products: Fortinet FortiWeb
- Versions: Not specified.
- Configurations: Requires prior successful authentication.
## Vulnerability Description
An OS command injection vulnerability allows an authenticated attacker to execute unauthorized operating system commands via crafted HTTP requests or CLI commands against the FortiWeb appliance.
## Exploitation
- Status: Exploited in the wild (Added to CISA KEV catalog).
- Complexity: Medium (Requires prior authentication).
- Attack Vector: Network/Local Interface Access
## Impact
- Confidentiality: High (OS command execution)
- Integrity: Critical (OS command execution)
- Availability: High (System compromise)
## Remediation
### Patches
- [Fortinet security updates addressing CVE-2025-58034.]
- **Action Required:** As this is on the CISA KEV catalog, immediate patching is critical.
### Workarounds
- [N/A cited]
## Detection
- [Monitor authentication logs for user accounts accessing the CLI or HTTP interfaces, followed by command injection payloads in subsequent requests.]
## References
- [CISA KEV Catalog entry for CVE-2025-58034]
---
# Vulnerability: 7-Zip Directory Traversal RCE/PoC
## CVE Details
- CVE ID: CVE-2025-11001
- CVSS Score: High-severity (Implied)
- CWE: Directory Traversal (Related to ZIP parsing vulnerability)
## Affected Systems
- Products: 7-Zip (File archiving software)
- Versions: Not specified.
- Configurations: Systems processing crafted ZIP files.
## Vulnerability Description
A flaw exists in how 7-Zip parses ZIP file directories, which can be triggered when processing a maliciously crafted archive. This leads to a directory traversal, potentially resulting in Remote Code Execution (RCE).
## Exploitation
- Status: PoC exploits have been publicly released.
- Complexity: Low/Medium (If a user opens a malicious file).
- Attack Vector: Generally File-based, can lead to remote if the file is delivered over a network service.
## Impact
- Confidentiality: High (RCE)
- Integrity: High (RCE)
- Availability: High (RCE leading to system takeover)
## Remediation
### Patches
- [7-Zip security updates addressing CVE-2025-11001.]
### Workarounds
- **Mitigation:** Avoid opening or extracting ZIP files from untrusted sources. Consider using sandboxed environments for file processing if necessary.
## Detection
- [Endpoint detection systems looking for memory corruption or unusual process execution originating from 7-Zip processes accessing system directories.]
## References
- [N/A cited]
---
# Vulnerability: Open WebUI Stored XSS (Dark Web Discussion)
## CVE Details
- CVE ID: CVE-2025-64495
- CVSS Score: High-severity (Implied)
- CWE: Stored DOM-based Cross-Site Scripting (XSS)
## Affected Systems
- Products: Open WebUI (Self-hosted AI platform)
- Versions: 0.6.34 and below.
- Configurations: Vulnerable when the "Insert Prompt as Rich Text" setting is enabled.
## Vulnerability Description
A high-severity stored DOM-based XSS exists in the chat window's prompt insertion feature. User-controlled HTML from custom prompts is inserted directly into the DOM (`.innerHTML`) without sanitation when the rich text setting is active, allowing low-privileged attackers to execute JavaScript payloads when other users insert these prompts via slash commands.
## Exploitation
- Status: Under discussion by threat actors on the dark web.
- Complexity: Medium (Requires low-level privileges to create the malicious prompt, but execution is stored).
- Attack Vector: Adjacent/Local Privilege (via user interaction within the application).
## Impact
- Confidentiality: Medium/High (Session hijacking, data theft)
- Integrity: Medium/High (Executing actions on behalf of the victim user)
- Availability: Low
## Remediation
### Patches
- [Open WebUI updates addressing CVE-2025-64495. Update to version later than 0.6.34.]
### Workarounds
- **Mitigation:** Disable the "Insert Prompt as Rich Text" feature (if possible) until patching is complete. Ensure users trust prompts being inserted manually.
## Detection
- [Monitor application logs for unusual HTML content being saved as custom prompts.]
## References
- [N/A cited]
---
# Vulnerability: Microsoft Task Host Local Privilege Escalation (Dark Web Discussion)
## CVE Details
- CVE ID: CVE-2025-60710
- CVSS Score: High-severity (Implied)
- CWE: Improper Link Resolution Before File Access
## Affected Systems
- Products: Host Process for Windows Tasks
- Versions: Microsoft Windows 11 Version 25H2 (build 10.0.26200.0)
- Configurations: Requires authorization with limited local privileges.
## Vulnerability Description
Improper link resolution before file access in the Host Process for Windows Tasks allows an authorized local attacker to redirect file operations (via symbolic links or junction points) to unintended locations, leading to Local Privilege Escalation potentially to SYSTEM levels.
## Exploitation
- Status: Under discussion by threat actors on the dark web.
- Complexity: Medium (Requires local access).
- Attack Vector: Local
## Impact
- Confidentiality: High (SYSTEM access)
- Integrity: Critical (SYSTEM access)
- Availability: Potential impact.
## Remediation
### Patches
- [Microsoft security updates addressing CVE-2025-60710.]
### Workarounds
- [N/A cited]
## Detection
- [Monitor for processes associated with `taskhostw.exe` or related scheduling services making file operations that appear to traverse directories unexpectedly or access critical system directories.]
## References
- [N/A cited]
---
# Vulnerability: Windows TCP/IP RCE via Memory Exposure (Dark Web Discussion)
## CVE Details
- CVE ID: CVE-2025-26686
- CVSS Score: Not explicitly provided in the text. (Implied high RCE risk)
- CWE: Sensitive Data Exposure in Improperly Locked Memory
## Affected Systems
- Products: Microsoft Windows (TCP/IP stack component)
- Versions: Not specified.
- Configurations: Systems processing network traffic, notably DHCPv6 traffic.
## Vulnerability Description
Sensitive data is stored in memory that is improperly locked (unprotected) while the Windows TCP/IP stack processes specific network traffic (notably DHCPv6). A network attacker can exploit this weak memory locking to execute arbitrary code.
## Exploitation
- Status: Under discussion by threat actors on the dark web.
- Complexity: High (Requires precise network traffic manipulation).
- Attack Vector: Network
## Impact
- Confidentiality: Critical (RCE on the operating system)
- Integrity: Critical (RCE on the operating system)
- Availability: Critical (RCE on the operating system)
## Remediation
### Patches
- [Microsoft security updates addressing CVE-2025-26686.]
### Workarounds
- [N/A cited]
## Detection
- [Network monitoring for unusual or malformed DHCPv6 packets directed at target hosts.]
## References
- [N/A cited]
---
# Vulnerability: Samba WINS RCE on DCs (Dark Web Discussion)
## CVE Details
- CVE ID: CVE-2025-10230
- CVSS Score: Severity 10.0 (Critical)
- CWE: Remote Command Execution (Related to WINS Hook handling)
## Affected Systems
- Products: Samba (Specifically on Active Directory Domain Controllers)
- Versions: Not specified (Affects WINS "wins hook" handling).
- Configurations: Exploitable only when a specific, legacy WINS configuration is enabled.
## Vulnerability Description
An unauthenticated remote command execution vulnerability exists in Samba's handling of the WINS "wins hook." If the legacy WINS configuration is active on an Active Directory Domain Controller, an attacker can execute arbitrary commands over the network with no user interaction required.
## Exploitation
- Status: Under discussion by threat actors on the dark web.
- Complexity: Low (Unauthenticated, Remote, Network exploitable).
- Attack Vector: Network
## Impact
- Confidentiality: Critical (DC compromise)
- Integrity: Critical (DC compromise)
- Availability: Critical (DC compromise)
## Remediation
### Patches
- [Samba security updates addressing CVE-2025-10230.]
### Workarounds
- **Mitigation (Primary):** Ensure the legacy WINS configuration is disabled on all Active Directory Domain Controllers running Samba.
## Detection
- [Monitor network traffic directed at the WINS/NetBIOS ports for malicious command injection attempts if WINS is in use.]
## References
- [N/A cited]
---
# Vulnerability: Citrix NetScaler XSS (Dark Web Discussion)
## CVE Details
- CVE ID: CVE-2025-12101
- CVSS Score: Medium-severity (Implied)
- CWE: Reflected Cross-Site Scripting (XSS)
## Affected Systems
- Products: Citrix NetScaler ADC and NetScaler Gateway
- Versions: Not specified.
- Configurations: Must be configured as a Gateway or AAA virtual server supporting SSO flows.
## Vulnerability Description
A reflected XSS vulnerability affects SSO flows when NetScaler is configured as a Gateway or AAA virtual server. Successful exploitation allows an attacker to execute attacker-controlled JavaScript within a victim's browser session.
## Exploitation
- Status: Under discussion by threat actors on the dark web.
- Complexity: Medium (Requires user interaction/SSO flow trigger).
- Attack Vector: Network (Client-side execution)
## Impact
- Confidentiality: Medium (Session theft via XSS)
- Integrity: Medium (Executing actions in user context)
- Availability: Low
## Remediation
### Patches
- [Citrix security updates addressing CVE-2025-12101.]
### Workarounds
- [N/A cited]
## Detection
- [Monitor for unusual parameter values in authentication/SSO related requests hitting the NetScaler Gateway interface that contain script tags or encoding patterns.]
## References
- [N/A cited]
---
# Vulnerability: Apache OFBiz Unrestricted File Upload RCE (Dark Web Discussion)
## CVE Details
- CVE ID: CVE-2025-59118
- CVSS Score: High-severity (Implied)
- CWE: Unrestricted File Upload
## Affected Systems
- Products: Apache OFBiz
- Versions: Before 24.09.03.
- Configurations: Systems allowing file uploads via the vulnerable path.
## Vulnerability Description
A high-severity unrestricted file upload vulnerability exists because OFBiz fails to properly restrict or validate uploaded content in a specific path. This allows a remote attacker to upload arbitrary dangerous file types (scripts, binaries), leading to unauthenticated Remote Code Execution (RCE).
## Exploitation
- Status: Under discussion by threat actors on the dark web.
- Complexity: Medium (Requires finding the vulnerable upload path).
- Attack Vector: Network
## Impact
- Confidentiality: Critical (RCE)
- Integrity: Critical (RCE)
- Availability: Critical (RCE)
## Remediation
### Patches
- [Apache OFBiz security updates addressing CVE-2025-59118. Upgrade to version 24.09.03 or later.]
### Workarounds
- [N/A cited]
## Detection
- [Monitor uploaded files in web-accessible directories for suspicious executables or script extensions, especially if they bypass expected MIME-type checks.]
## References
- [N/A cited]
---
# Vulnerability: Samsung Image Codec Out-of-Bounds Write (Dark Web Discussion)
## CVE Details
- CVE ID: CVE-2025-21042
- CVSS Score: Severity 10.0 equivalent (Implied by zero-click/RCE potential)
- CWE: Out-of-Bounds Write
## Affected Systems
- Products: Samsung Galaxy devices (using libimagecodec.quram.so library)
- Versions: Not specified.
- Configurations: Devices processing malicious image files.
## Vulnerability Description
An out-of-bounds write vulnerability exists in Samsung’s `libimagecodec.quram.so` image-processing library. This allows for remote, often zero-click, arbitrary code execution on affected Galaxy devices. This flaw has been exploited in the wild to deploy the LANDFALL Android spyware.
## Exploitation
- Status: Exploited in the wild (Deployed LANDFALL spyware).
- Complexity: Low (Often zero-click).
- Attack Vector: Network (via viewing a crafted image).
## Impact
- Confidentiality: Critical (RCE/Spyware deployment)
- Integrity: Critical (RCE/Spyware deployment)
- Availability: Critical (RCE/Spyware deployment)
## Remediation
### Patches
- [Samsung security/firmware updates addressing CVE-2025-21042.]
### Workarounds
- **Mitigation:** Keep device software fully updated. Restrict applications that can process or open untrusted images.
## Detection
- [Endpoint monitoring on Galaxy devices searching for suspicious memory operations related to image processing libraries or the deployment of known spyware artifacts like 'LANDFALL'.]
## References
- [N/A cited]
---
# ICS Vulnerability: General Industrial Controls Lynx+ Gateway Authentication Bypass
## CVE Details
- CVE ID: CVE-2025-58083
- CVSS Score: Not explicitly provided. (Implied high risk due to unauthenticated reset)
- CWE: Authentication Bypass
## Affected Systems
- Products: General Industrial Controls Lynx+ Gateway (Industrial protocol converter/gateway)
- Versions: Not specified.
- Configurations: Affects the embedded web server.
## Vulnerability Description
The embedded web server on the Lynx+ Gateway lacks essential authentication protection for critical functions. This allows an unauthenticated remote attacker to reset the device without any user interaction.
## Exploitation
- Status: Not explicitly stated as exploited.
- Complexity: Low (Remote, unauthenticated access to reset function).
- Attack Vector: Network
## Impact
- Confidentiality: Medium
- Integrity: High (Device configuration change/reset)
- Availability: High (Device reset/denial of service)
## Remediation
### Patches
- [General Industrial Controls vendor advisories for CVE-2025-58083.]
### Workarounds
- **Mitigation:** Network segmentation to isolate the gateway from external/untrusted networks.
## Detection
- [Monitor network traffic to the management interface of the gateway for unauthenticated requests to device reset functions.]
## References
- [N/A cited]
---
# ICS Vulnerability: Rockwell Automation Verve Asset Manager Incorrect Authorization
## CVE Details
- CVE ID: CVE-2025-11862
- CVSS Score: Not explicitly provided.
- CWE: Incorrect Authorization
## Affected Systems
- Products: Rockwell Automation Verve Asset Manager
- Versions: Multiple versions.
- Configurations: Not specified.
## Vulnerability Description
An Incorrect Authorization vulnerability exists, which, if exploited, could allow an attacker to access or alter user data stored or managed by the Verve Asset Manager.
## Exploitation
- Status: Not explicitly stated as exploited.
- Complexity: Not specified.
- Attack Vector: Likely Local/Network depending on asset manager interface exposure.
## Impact
- Confidentiality: Medium/High (User data access)
- Integrity: Medium/High (User data alteration)
- Availability: Low/Medium
## Remediation
### Patches
- [Rockwell Automation security advisories for CVE-2025-11862.]
### Workarounds
- [N/A cited]
## Detection
- [Monitor audit logs for unauthorized user accounts attempting to access or modify asset management records.]
## References
- [N/A cited]
---
# ICS Vulnerability: METZ CONNECT EWIO2 Authentication Bypass
## CVE Details
- CVE ID: CVE-2025-41733
- CVSS Score: Not explicitly provided.
- CWE: Authentication Bypass
## Affected Systems
- Products: METZ CONNECT EWIO2 (Industrial devices)
- Versions: Multiple versions.
- Configurations: Not specified.
## Vulnerability Description
An Authentication Bypass vulnerability affecting multiple versions allows an attacker to bypass device authentication controls remotely, potentially enabling remote control of the device or execution of remote code.
## Exploitation
- Status: Not explicitly stated as exploited.
- Complexity: Not specified.
- Attack Vector: Network (Remote Control/RCE implies network path).
## Impact
- Confidentiality: High
- Integrity: Critical (Remote control/RCE)
- Availability: Critical (Remote control/RCE)
## Remediation
### Patches
- [METZ CONNECT vendor advisories for CVE-2025-41733.]
### Workarounds
- **Mitigation:** Aggressive network segmentation to prevent external access to the device interface.
## Detection
- [Monitor network traffic for connection attempts to the EWIO2 management interface that do not succeed authentication, but may precede a successful bypass.]
## References
- [N/A cited]
---
**Overall Mitigation Summary:** Security teams should prioritize patching vulnerabilities added to the CISA KEV catalog (CVE-2025-62215, CVE-2025-64446, CVE-2025-58034). Special attention must be paid to vulnerabilities with public PoCs like CVE-2025-11001, and those actively discussed on the dark web. Risk-based vulnerability management, segmentation, and hardening of web-facing assets are strongly advised.