Full Report
Cyble Vulnerability Intelligence researchers tracked 1,031 vulnerabilities in the last week, and nearly 200 already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks on those vulnerabilities. A total of 72 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 33 received a critical severity rating based on the newer CVSS v4.0 scoring system. Below are some of the vulnerabilities flagged by Cyble threat intelligence researchers for prioritization by security teams in recent reports to clients.

The Week’s Top IT Vulnerabilities

CVE-2026-21969 is a 9.8-severity vulnerability in Oracle Agile Product Lifecycle Management for Process, specifically in the Supplier Portal component of Oracle Supply Chain. The flaw could enable unauthenticated remote attackers to achieve full system takeover via HTTP without needing credentials or user interaction.

CVE-2026-22797 is a 9.9-rated authentication bypass vulnerability in the OpenStack keystonemiddleware's external_oauth2_token component. An authenticated attacker could escalate privileges or impersonate other users by sending forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id.

CVE-2026-0501 is a 9.9-severity SQL injection vulnerability in SAP S/4HANA Private Cloud and On-Premise, specifically the Financials General Ledger module, that could allow an authenticated attacker with low privileges to craft SQL queries, potentially enabling them to read sensitive financial data, modify records, or delete backend database content.

CVE-2026-22584 is an 8.5-rated code injection vulnerability in Salesforce's Uni2TS library, affecting macOS, Windows, and Linux systems, that could allow attackers to leverage executable code in non-executable files.

CVE-2025-69258 is a 9.8-rated unauthenticated remote code execution (RCE) vulnerability in Trend Micro Apex Central. The flaw could allow an unauthenticated, remote attacker to load an attacker-controlled DLL into a key executable, resulting in the execution of attacker-supplied code under the SYSTEM context on affected installations.

Among the vulnerabilities added to CISA’s Known Exploited Vulnerabilities (KEV) catalog were CVE-2024-37079, a 9.8-severity Broadcom VMware vCenter Server out-of-bounds write vulnerability; CVE-2026-21509, a 7.8-rated Microsoft Office Security Feature Bypass vulnerability; CVE-2026-24858, a 9.8-severity Fortinet Authentication Bypass vulnerability; and CVE-2025-34026, a 9.2-rated Versa Concerto improper authentication vulnerability in the Traefik reverse proxy configuration that could potentially allow an attacker to access administrative endpoints.

Notable vulnerabilities discussed in open-source communities included CVE-2025-64155, a critical OS command injection vulnerability in Fortinet FortiSIEM, affecting Super and Worker nodes. An unauthenticated remote attacker could exploit the phMonitor service via crafted requests to execute arbitrary commands, potentially enabling full system compromise, including root access through file overwrites and privilege escalation. Cyble has also observed the vulnerability discussed by threat actors on dark web cybercrime forums.

Another vulnerability getting attention in open-source communities is CVE-2025-12420, dubbed ‘BodySnatcher’, a critical privilege escalation vulnerability in ServiceNow's AI Platform, specifically involving the Virtual Agent API and Now Assist AI Agents. It could allow unauthenticated remote attackers to impersonate any ServiceNow user, including administrators, by leveraging a hardcoded authentication secret and email-based identity linking, leading to arbitrary actions, such as creating backdoor admin accounts.
Vulnerabilities Under Discussion on the Dark Web

In addition to CVE-2025-64155, Cyble dark web researchers observed threat actors discussing several other vulnerabilities on dark web and cybercrime forums. They include:

CVE-2026-23745, a high-severity directory traversal vulnerability in the node-tar library (versions ≤ 7.5.2) for Node.js. The vulnerability stems from improper sanitization of the linkpath in hardlink and symbolic link entries when preservePaths is set to false, which is the default secure behavior. An attacker could exploit this flaw by crafting malicious tar archives to bypass extraction root restrictions, achieving arbitrary file overwrite via hardlinks and symlink poisoning attacks. In CI/CD environments or automated pipelines, successful exploitation could result in remote code execution by overwriting configuration files, scripts, or binaries, though npm remains unaffected because it filters out Link and SymbolicLink tar entries.

CVE-2026-22812, a high-severity vulnerability in OpenCode, an open-source AI coding agent, affecting versions prior to 1.0.216. The flaw involves multiple weaknesses, including missing authentication for critical functions, exposed dangerous methods, and permissive cross-domain security policies. OpenCode automatically starts an unauthenticated HTTP server that allows any local process or any website via permissive CORS to execute arbitrary shell commands with the user's privileges. After successful exploitation requiring user interaction, such as visiting a malicious website, attackers could gain complete compromise of confidentiality, integrity, and availability, with high impact across all three security dimensions.

A threat actor shared a high-severity exploit chain targeting Apple’s WebKit engine on iOS versions before iOS 26. The chain links CVE-2025-43529, a use-after-free flaw, with CVE-2025-14174, a memory corruption issue in the ANGLE Metal renderer. By delivering malicious web content, attackers first achieve code execution within the browser sandbox and then leverage the memory corruption to bypass platform security. Upon successful exploitation via a malicious webpage, attackers can install sophisticated spyware to monitor location, intercept messages, and access the device’s camera and microphone.

Conclusion

The number of vulnerabilities affecting high-profile enterprise environments highlights the constant pressure facing security teams, who must respond with rapid, well-targeted actions to patch the most critical vulnerabilities and successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts. Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.

The post The Week in Vulnerabilities: Cyble Urges Oracle, OpenStack Fixes appeared first on Cyble.
Analysis Summary
# Vulnerability Summary Report: Key Vulnerabilities from the Cyble Weekly Intelligence Report
Based on the Cyble intelligence report, security teams should prioritize vulnerabilities with known PoCs, as nearly 200 tracked vulnerabilities have public exploit code, indicating a high risk of active exploitation.
---
## Priority Vulnerability Assessments
### Vulnerability: Oracle Agile PLM Unauthenticated RCE/Takeover
#### CVE Details
- CVE ID: CVE-2026-21969
- CVSS Score: 9.8 (Critical)
- CWE: Not specified in the source.
#### Affected Systems
- Products: Oracle Agile Product Lifecycle Management for Process
- Versions: Not specified.
- Configurations: Supplier Portal component of Oracle Supply Chain.
#### Vulnerability Description
This flaw allows unauthenticated remote attackers to achieve full system takeover over HTTP. No credentials or user interaction are required.
#### Exploitation
- Status: PoC availability is not stated in the source for this CVE; the report notes that nearly 200 of the 1,031 tracked vulnerabilities already have a public PoC.
- Complexity: Low (unauthenticated, no user interaction required).
- Attack Vector: Network
#### Impact
- Confidentiality: High (full system takeover)
- Integrity: High (full system takeover)
- Availability: High (full system takeover)
#### Remediation
##### Patches
- Follow Oracle's advisory for Oracle Agile PLM for Process (specific patch information is not given in the source).
##### Workarounds
- Until patched, segment the network or restrict HTTP access to the Supplier Portal component to trusted sources only.
#### Detection
- Monitor for unusual HTTP requests to the Supplier Portal component, especially requests that reach privileged functionality without a session token or other authentication.
#### References
- Vendor Advisory: Consult Oracle Support for the specific version patch cycle.
---
### Vulnerability: OpenStack Keystone Middleware Authentication Bypass/Privilege Escalation
#### CVE Details
- CVE ID: CVE-2026-22797
- CVSS Score: 9.9 (Critical)
- CWE: Authentication bypass (improper authorization via forged identity headers)
#### Affected Systems
- Products: OpenStack
- Versions: Not specified.
- Configurations: `keystonemiddleware`'s `external_oauth2_token` component.
#### Vulnerability Description
An authenticated attacker can escalate privileges or impersonate other users by sending forged identity headers, such as `X-Is-Admin-Project`, `X-Roles`, or `X-User-Id`.
#### Exploitation
- Status: PoC availability is not stated in the source for this CVE.
- Complexity: Medium (requires prior authentication).
- Attack Vector: Network
#### Impact
- Confidentiality: High (privilege escalation)
- Integrity: High (impersonation, unauthorized actions)
- Availability: Medium
#### Remediation
##### Patches
- Apply the OpenStack security update addressing the `external_oauth2_token` component.
##### Workarounds
- Strip or block client-supplied identity headers (`X-Is-Admin-Project`, `X-Roles`, `X-User-Id` and similar) at the ingress proxy or WAF, so that only the authentication middleware itself can set them on requests that reach the Keystone middleware.
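As an added example (not keystonemiddleware or OpenStack code), the following Python WSGI middleware implements that header-stripping workaround and records the detection event in one place: any request that arrives carrying one of the reserved identity headers has those headers removed before the request reaches the application, and the attempt is logged with the peer address and path. The header names X-Is-Admin-Project, X-Roles and X-User-Id come from the report; X-Project-Id, X-Identity-Status, the `demo_app` stand-in service and the listen address are assumptions.

```python
"""Edge guard that strips client-supplied identity headers.

Added example, not keystonemiddleware or OpenStack code.  Header names
X-Is-Admin-Project, X-Roles and X-User-Id come from the report; the other
two names, the demo app and the listen address are assumptions.
"""
import logging
from wsgiref.simple_server import make_server

log = logging.getLogger("identity-header-guard")

# Only the authentication step itself may attach these on the way to the
# service; a client that sends them is asserting an identity it was not given.
RESERVED_IDENTITY_HEADERS = (
    "X-Is-Admin-Project",
    "X-Roles",
    "X-User-Id",
    "X-Project-Id",       # assumed: commonly travels with the three above
    "X-Identity-Status",  # assumed
)


def environ_key(header_name):
    """WSGI exposes the header 'X-User-Id' as environ['HTTP_X_USER_ID']."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def strip_forged_identity_headers(environ):
    """Delete reserved identity headers from a WSGI environ in place.

    Returns the names that were present so the caller can log or alert on
    them (the report's detection item: attempts to set role/ID headers).
    """
    found = []
    for name in RESERVED_IDENTITY_HEADERS:
        key = environ_key(name)
        if key in environ:
            found.append(name)
            del environ[key]
    return found


class IdentityHeaderGuard:
    """WSGI middleware: strip, log, then hand the cleaned request downstream."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        stripped = strip_forged_identity_headers(environ)
        if stripped:
            log.warning("stripped client-supplied identity headers %s from %s %s (peer %s)",
                        stripped, environ.get("REQUEST_METHOD"),
                        environ.get("PATH_INFO"), environ.get("REMOTE_ADDR"))
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in service: reports the roles header it sees, if any."""
    roles = environ.get("HTTP_X_ROLES", "<none>")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"roles seen by service: {roles}".encode()]


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed check: a request sent with an X-Roles header reaches the
    # service with that header removed and produces one warning log line.
    make_server("127.0.0.1", 8080, IdentityHeaderGuard(demo_app)).serve_forever()
```

The guard only helps if it sits in front of the component that attaches identity headers after a genuine authentication step, and if no other path (a second listener, an internal proxy) lets clients reach that component without passing through it; it is a stopgap until the vendor update is applied, not a replacement for it.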
#### Detection
- Monitor authentication and authorization logs for requests that arrive with user role/ID headers already set, or that attempt to modify them during session initialization.
#### References
- Vendor Advisory: Consult OpenStack security bulletins for the relevant Keystone release.
---
### Vulnerability: SAP Financials SQL Injection
#### CVE Details
- CVE ID: CVE-2026-0501
- CVSS Score: 9.9 (Critical)
- CWE: SQL Injection (CWE-89)
#### Affected Systems
- Products: SAP S/4HANA (Private Cloud and On-Premise)
- Versions: Not specified.
- Configurations: Financials General Ledger module.
#### Vulnerability Description
A SQL injection vulnerability that lets an authenticated attacker with only low privileges craft malicious SQL queries. This can lead to reading sensitive financial data, modifying records, or deleting backend database content.
#### Exploitation
- Status: PoC availability is not stated in the source for this CVE.
- Complexity: Medium (requires prior authentication).
- Attack Vector: Network/application interface
#### Impact
- Confidentiality: High (sensitive data exposure)
- Integrity: High (data modification/deletion)
- Availability: High (database compromise)
#### Remediation
##### Patches
- Apply the SAP security notes corresponding to CVE-2026-0501.
##### Workarounds
- Restrict the application user account tied to the General Ledger module to the minimum database privileges it needs (principle of least privilege).
- Implement input validation and parameterized queries for all database communications within the module.
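As an added illustration of the two workaround items above (Python with SQLite; not SAP or S/4HANA code), the following places a query that splices caller input into the SQL text beside its parameterized form, and adds a validating wrapper that rejects malformed company codes before any query runs. The `gl_entries` table, its rows, the company-code format and the test input are constructed for the example.

```python
"""Spliced vs. parameterized SQL, shown on a constructed ledger table.

Added example (Python + SQLite); not SAP or S/4HANA code.  The gl_entries
table, its rows and the company-code format are assumptions for the demo.
"""
import re
import sqlite3


def open_ledger():
    """Constructed in-memory ledger with three postings."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gl_entries (company_code TEXT, account TEXT, amount REAL)")
    conn.executemany("INSERT INTO gl_entries VALUES (?, ?, ?)", [
        ("1000", "400000", 125.50),
        ("1000", "113100", -125.50),
        ("2000", "400000", 9800.00),
    ])
    return conn


def entries_vulnerable(conn, company_code):
    """Caller input is spliced into the statement text (the defect pattern)."""
    sql = f"SELECT account, amount FROM gl_entries WHERE company_code = '{company_code}'"
    return conn.execute(sql).fetchall()


def entries_parameterized(conn, company_code):
    """The value is bound by the driver, so it can never change the query's logic."""
    sql = "SELECT account, amount FROM gl_entries WHERE company_code = ?"
    return conn.execute(sql, (company_code,)).fetchall()


# Assumed format for the demo: one to four upper-case alphanumerics.
COMPANY_CODE = re.compile(r"^[A-Z0-9]{1,4}$")


def entries_hardened(conn, company_code):
    """Validate the input shape first, then run the parameterized query."""
    if not COMPANY_CODE.match(company_code):
        raise ValueError(f"invalid company code: {company_code!r}")
    return entries_parameterized(conn, company_code)


if __name__ == "__main__":
    conn = open_ledger()
    probe = "9999' OR '1'='1"   # constructed test input, not a real company code
    print("vulnerable:", entries_vulnerable(conn, probe))         # every row comes back
    print("parameterized:", entries_parameterized(conn, probe))   # [] : no such code
    try:
        entries_hardened(conn, probe)
    except ValueError as exc:
        print("hardened:", exc)                                   # rejected before the query
```

Parameterization is the control that removes the injection; the validation layer narrows what reaches the database at all and gives the application a clean place to log rejected input, which complements the transaction-log monitoring suggested under Detection.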
#### Detection
- Monitor database transaction logs for unusual or complex SQL query patterns originating from the S/4HANA application service account.
#### References
- Vendor Advisory: Consult SAP Security Notes for S/4HANA fixes.
---
### Vulnerability: Trend Micro Apex Central Unauthenticated RCE
#### CVE Details
- CVE ID: CVE-2025-69258
- CVSS Score: 9.8 (Critical)
- CWE: Not specified in the source (the impact is remote code execution via attacker-controlled DLL loading).
#### Affected Systems
- Products: Trend Micro Apex Central
- Versions: Not specified.
- Configurations: Applicable to deployed installations.
#### Vulnerability Description
Allows an unauthenticated, remote attacker to load an attacker-controlled Dynamic Link Library (DLL) into a key executable process, leading to the execution of arbitrary attacker code under the high-privilege **SYSTEM context**.
#### Exploitation
- Status: PoC availability is not stated in the source for this CVE.
- Complexity: Low (unauthenticated, remote).
- Attack Vector: Network
#### Impact
- Confidentiality: High
- Integrity: High
- Availability: High
#### Remediation
##### Patches
- Apply the security update released by Trend Micro for Apex Central addressing CVE-2025-69258.
##### Workarounds
- Restrict network access to the Trend Micro Apex Central management interface to trusted internal networks or administrative jump hosts only.
#### Detection
- Monitor host processes for unexpected DLL loads into core Trend Micro executables, and for child processes spawned under the SYSTEM context by the Apex Central service in response to network connections.
#### References
- Vendor Advisory: Consult Trend Micro security bulletins.
---
### Vulnerability: ServiceNow AI Platform Privilege Escalation ('BodySnatcher')
#### CVE Details
- CVE ID: CVE-2025-12420
- CVSS Score: Not given in the source (rated critical).
- CWE: Hardcoded credentials / improper authentication
#### Affected Systems
- Products: ServiceNow AI Platform (Virtual Agent API, Now Assist AI Agents)
- Versions: Not specified.
#### Vulnerability Description
Dubbed 'BodySnatcher', this flaw combines a hardcoded authentication secret in the Virtual Agent API with email-based identity linking, allowing unauthenticated remote attackers to impersonate *any* ServiceNow user, including administrators. This can lead to arbitrary actions such as creating backdoor admin accounts.
#### Exploitation
- Status: Discussed in open-source communities (high interest); PoC availability is not stated in the source.
- Complexity: Low (leverages a hardcoded secret).
- Attack Vector: Network/API
#### Impact
- Confidentiality: High (access as any user, including administrators)
- Integrity: High (full control, backdoor account creation)
- Availability: High
#### Remediation
##### Patches
- Immediately apply the ServiceNow patches addressing the Virtual Agent API and AI Agent security controls for CVE-2025-12420.
##### Workarounds
- If patching is delayed, audit and monitor for unexpected API calls made through service accounts or the Virtual Agent interface, and review for newly created administrative user accounts.
#### Detection
- Monitor API gateway logs for high volumes of unauthenticated requests to the Virtual Agent API. Audit user provisioning logs for sudden creation of high-privilege accounts.
#### References
- Vendor Advisory: ServiceNow Security Portal.
---
## Additional Noteworthy Vulnerabilities (CISA KEV & Open Source)
| CVE ID | CVSS Score | Severity | Product/Component | Detail |
| :--- | :--- | :--- | :--- | :--- |
| **CVE-2024-37079** | 9.8 | Critical | Broadcom VMware vCenter Server | Added to CISA KEV; out-of-bounds write. |
| **CVE-2026-21509** | 7.8 | High | Microsoft Office | Added to CISA KEV; security feature bypass. |
| **CVE-2026-24858** | 9.8 | Critical | Fortinet | Added to CISA KEV; authentication bypass. |
| **CVE-2025-34026** | 9.2 | Critical | Versa Concerto (Traefik reverse proxy configuration) | Added to CISA KEV; improper authentication that could expose administrative endpoints. |
| **CVE-2025-64155** | Not given | Critical | Fortinet FortiSIEM (Super and Worker nodes) | Discussed on dark web forums. Unauthenticated OS command injection via the `phMonitor` service; full system compromise including root. |
| **CVE-2026-23745** | Not given | High | `node-tar` library (≤ 7.5.2) for Node.js | Directory traversal via crafted tar archives (hardlink/symlink `linkpath`); arbitrary file overwrite, with RCE risk in CI/CD pipelines. npm is unaffected because it filters Link and SymbolicLink entries. |
| **CVE-2026-22812** | Not given | High | OpenCode AI coding agent (before 1.0.216) | Unauthenticated local HTTP server with permissive CORS; arbitrary shell command execution after user interaction (e.g., visiting a malicious site). |
| **CVE-2025-43529** & **CVE-2025-14174** | Not given | High | Apple WebKit (iOS before 26) / ANGLE Metal renderer | Exploit chain shared on the dark web: use-after-free in WebKit linked with memory corruption in ANGLE to bypass platform security; spyware installation. |
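As an added illustration (not node-tar, npm or Cyble code) of the checks described for the node-tar entry in the table above, the following Python audit inspects a tar archive before extraction: it flags entries whose own path or hardlink/symlink target (the `linkpath`) resolves outside the extraction root, optionally drops Link and SymbolicLink entries altogether (the policy the report credits for npm being unaffected), and flags a later entry whose path runs through a symlink written earlier in the same archive, the "symlink poisoning" shape. The sample archive is constructed in memory; its entry names and the `allow_links` switch are assumptions.

```python
"""Pre-extraction audit for tar archives: path and link-target traversal.

Added example, not node-tar, npm or Cyble code.  It applies the checks the
report describes in generic Python: entry paths and hardlink/symlink targets
(the linkpath) must resolve inside the extraction root, and link entries can
be dropped wholesale.  The sample archive is constructed in memory.
"""
import io
import posixpath
import tarfile


def _norm(path):
    """Normalize a POSIX archive path relative to the extraction root."""
    p = posixpath.normpath(path.lstrip("/"))
    return "" if p == "." else p


def _escapes_root(rel):
    """True when a normalized relative path climbs out of the root."""
    return rel == ".." or rel.startswith("../")


def audit_tar(fileobj, allow_links=False):
    """Classify archive members before anything touches the filesystem.

    Returns (safe_names, findings); findings is a list of (name, reason).
    allow_links=False drops every hardlink/symlink entry (the npm policy);
    allow_links=True keeps links whose target stays inside the root.
    """
    safe, findings = [], []
    symlinks = {}  # normalized symlink name -> normalized in-root target
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar.getmembers():
            name = _norm(m.name)
            if m.name.startswith("/") or _escapes_root(name):
                findings.append((m.name, "entry path escapes extraction root"))
                continue
            # A later path that runs through a symlink written earlier in the
            # archive is resolved by the OS at extraction time, so it can land
            # wherever that symlink points: the symlink poisoning pattern.
            parts = name.split("/")
            via = next(("/".join(parts[:i]) for i in range(1, len(parts))
                        if "/".join(parts[:i]) in symlinks), None)
            if via is not None:
                findings.append((m.name, f"path passes through symlink {via!r}"))
                continue
            if m.issym() or m.islnk():
                if not allow_links:
                    findings.append((m.name, "link entry dropped by policy"))
                    continue
                if m.linkname.startswith("/"):
                    target = None  # an absolute target is outside the root by definition
                elif m.issym():
                    # symlink targets are relative to the link's own directory
                    target = _norm(posixpath.join(posixpath.dirname(name), m.linkname))
                else:
                    # hardlink targets are archive paths, i.e. relative to the root
                    target = _norm(m.linkname)
                if target is None or _escapes_root(target):
                    findings.append((m.name, f"link target {m.linkname!r} escapes root"))
                    continue
                if m.issym():
                    symlinks[name] = target
            safe.append(m.name)
    return safe, findings


def build_sample_archive():
    """Constructed test archive: one benign file plus the traversal shapes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        def add_link(name, target, kind):
            info = tarfile.TarInfo(name)
            info.type = kind
            info.linkname = target
            tar.addfile(info)

        add_file("pkg/README", b"benign\n")
        add_file("../escape.txt", b"x")                                # path traversal
        add_link("pkg/outside", "../../outside.txt", tarfile.SYMTYPE)  # symlink out of root
        add_link("pkg/lib", "real", tarfile.SYMTYPE)                   # symlink inside root
        add_file("pkg/lib/evil.sh", b"x")                              # written through it
        add_link("pkg/hard", "../../../target", tarfile.LNKTYPE)       # hardlink out of root
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for policy in (False, True):
        kept, flagged = audit_tar(build_sample_archive(), allow_links=policy)
        print(f"allow_links={policy}: keep {kept}; flag {flagged}")
```

Running the audit over the whole member list before extracting anything matters: a single pass that extracts as it goes cannot see that a later entry depends on an earlier symlink. In a pipeline the simplest policy is the strict one, since build inputs rarely need link entries at all.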
---
## General Mitigation & Strategy
1. **Prioritization:** A Risk-Based Vulnerability Management program must prioritize vulnerabilities with documented PoCs (nearly 200 identified) and those actively discussed on the Dark Web (e.g., CVE-2025-64155).
2. **Defense in Depth:** Implement fundamental security hygiene: network segmentation for critical assets, strict adherence to Zero-Trust access, ransomware-resistant backups, and configuration hardening across endpoints and infrastructure.
3. **Monitoring:** Ensure comprehensive network, endpoint, and cloud monitoring is in place to detect anomalies, unauthorized file operations (like DLL loading or symlink poisoning), and unusual administrative behavior.
4. **Incident Response:** Maintain and regularly rehearse incident response plans.