Full Report
Cyble Research & Intelligence Labs (CRIL) tracked 1,158 vulnerabilities last week. Of these, 251 already have publicly available Proof-of-Concept (PoC) exploits, which significantly increases the likelihood of real-world attacks. A total of 94 vulnerabilities were rated critical under CVSS v3.1, and 43 were rated critical under CVSS v4.0. In parallel, CISA issued 15 ICS advisories covering 87 vulnerabilities affecting industrial environments, impacting vendors including Siemens, Yokogawa, AVEVA, Hitachi Energy, ZLAN, ZOLL, and Airleader. Additionally, 8 vulnerabilities were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, reflecting confirmed exploitation in the wild.

## The Week’s Top Vulnerabilities

### CVE-2025-40554 — SolarWinds Web Help Desk (Critical)

CVE-2025-40554 is a critical authentication bypass vulnerability affecting SolarWinds Web Help Desk versions prior to 2026.1. The flaw allows unauthenticated remote attackers to invoke privileged functionality without valid credentials, potentially leading to full compromise of helpdesk systems. Cyble observed this vulnerability being discussed on underground forums shortly after disclosure, and a public PoC is available. The product’s presence in enterprise environments increases the risk of initial access and lateral movement.

### CVE-2026-1340 — Ivanti Endpoint Manager Mobile (Critical)

CVE-2026-1340 is a critical code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM). A remote, unauthenticated attacker can exploit the flaw to achieve arbitrary remote code execution without user interaction. The vulnerability has been captured in dark web discussions and has a publicly available PoC, significantly lowering the barrier to exploitation.

### CVE-2026-21509 — Microsoft Office (High Severity, Actively Exploited)

CVE-2026-21509 is a security feature bypass vulnerability in Microsoft Office that allows crafted documents to circumvent built-in security protections. Attackers can deliver malicious Office files that execute payloads once opened by the victim. The flaw has been actively exploited by threat actors including APT28 and RomCom, highlighting its operational impact.

### CVE-2026-1529 — Keycloak (High Impact)

CVE-2026-1529 affects Red Hat’s Keycloak and involves improper validation of JWT invitation token signatures. Attackers can manipulate trusted token contents to gain unauthorized access to organizational resources. A PoC is available, and the vulnerability surfaced on underground forums shortly after disclosure.

### CVE-2026-23906 — Apache Druid (Critical)

CVE-2026-23906 is a critical authentication bypass vulnerability in Apache Druid, enabling unauthorized access to sensitive data stores.

### CVE-2026-0488 — SAP CRM & SAP S/4HANA (Critical)

CVE-2026-0488 is a critical code injection vulnerability affecting SAP CRM and SAP S/4HANA. An authenticated attacker can exploit improper function module calls to execute arbitrary SQL statements, potentially resulting in full database compromise.

## Vulnerabilities Added to CISA KEV

CISA added 8 vulnerabilities to the KEV catalog during the reporting period. The most important of these were:

- CVE-2026-24423 — SmarterTools SmarterMail unauthenticated RCE
- CVE-2026-21510 — Microsoft Windows Shell protection mechanism bypass

KEV additions reflect confirmed exploitation in the wild and often signal heightened ransomware or espionage activity.

## Critical ICS Vulnerabilities

CISA issued 15 ICS advisories covering 87 vulnerabilities, with the majority rated high severity.

### CVE-2026-25084 & CVE-2026-24789 — ZLAN5143D (Critical)

These critical vulnerabilities in ZLAN Information Technology Co.’s ZLAN5143D device involve missing authentication for critical functions. Successful exploitation could allow attackers to bypass authentication controls or reset device passwords, potentially enabling unauthorized configuration changes and interference with industrial communications. Researchers also identified internet-facing instances, increasing exposure risk.

### CVE-2025-52533 — Siemens SINEC OS (Critical)

CVE-2025-52533 is a critical out-of-bounds write vulnerability in Siemens SINEC OS before version 3.3, potentially enabling memory corruption and system compromise in industrial network environments.

### CVE-2026-1358 — Airleader Master (Critical)

CVE-2026-1358 is a critical unrestricted file-upload vulnerability in Airleader Master systems. Successful exploitation could allow attackers to upload malicious files, potentially resulting in remote code execution in OT environments.

## Impacted Critical Infrastructure Sectors

Analysis of the ICS advisories shows that the Critical Manufacturing and Energy sectors appear in 98.9% of the reported ICS vulnerabilities, indicating concentrated exposure in these environments. The cross-sector nature of these vulnerabilities underscores the interdependencies between Energy, Manufacturing, Transportation, Water, and Food systems.

## Conclusion

The convergence of high-volume IT vulnerabilities and significant ICS exposure highlights the continued expansion of the attack surface across enterprise and industrial environments. With over 250 PoCs publicly available and multiple KEV additions confirming active exploitation, organizations must prioritize rapid remediation and risk-based vulnerability management.

Security best practices include:

- Prioritizing vulnerabilities based on risk and exploit availability
- Protecting web-facing and internet-exposed assets
- Implementing strict IT/OT network segmentation
- Deploying multi-factor authentication and strong access controls
- Conducting regular vulnerability assessments and penetration testing
- Monitoring underground forums and KEV updates for early warning signals
- Establishing ransomware-resistant backup strategies
- Maintaining OT-specific incident response procedures

Cyble’s comprehensive attack surface management solutions help organizations continuously monitor internal and external assets, prioritize remediation, and detect early warning signals of exploitation. Additionally, Cyble’s threat intelligence and third-party risk intelligence capabilities provide visibility into vulnerabilities actively discussed in underground communities, enabling proactive defense against both IT and ICS threats.

The post The Week in Vulnerabilities: SolarWinds, Ivanti, and Critical ICS Exposure appeared first on Cyble.
Analysis Summary
# Vulnerability: SolarWinds Web Help Desk Authentication Bypass
## CVE Details
- **CVE ID:** CVE-2025-40554
- **CVSS Score:** Critical (Specific numerical score not provided in text)
- **CWE:** Not given in the report; the weakness class is authentication bypass (unauthenticated access to privileged functionality)
## Affected Systems
- **Products:** SolarWinds Web Help Desk
- **Versions:** All versions prior to 2026.1
- **Configurations:** Enterprise helpdesk environments
## Vulnerability Description
A critical authentication bypass flaw allows unauthenticated remote attackers to invoke privileged functionality without providing valid credentials. This vulnerability enables attackers to bypass security controls and potentially gain full compromise of the helpdesk system.
## Exploitation
- **Status:** Public PoC available; observed in underground forum discussions.
- **Complexity:** Low (inferred: unauthenticated, network-reachable, and a public PoC exists; the report gives no CVSS vector)
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full compromise of helpdesk systems)
- **Integrity:** High
- **Availability:** High
## Remediation
### Patches
- Update to SolarWinds Web Help Desk version **2026.1** or later.
---
# Vulnerability: Ivanti Endpoint Manager Mobile (EPMM) RCE
## CVE Details
- **CVE ID:** CVE-2026-1340
- **CVSS Score:** Critical (numerical score not given in the report)
- **CWE:** Code Injection
## Affected Systems
- **Products:** Ivanti Endpoint Manager Mobile (EPMM)
- **Versions:** Not specified (refer to vendor advisory)
## Vulnerability Description
A code injection vulnerability that allows a remote, unauthenticated attacker to achieve arbitrary remote code execution (RCE) without requiring any user interaction.
## Exploitation
- **Status:** Public PoC available; discussed on the dark web.
- **Complexity:** Low (inferred: unauthenticated, no user interaction, public PoC; the report gives no CVSS vector)
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
## Remediation
### Patches
- Apply the latest security updates provided by Ivanti for EPMM.
---
# Vulnerability: Microsoft Office Security Feature Bypass
## CVE Details
- **CVE ID:** CVE-2026-21509
- **CVSS Score:** High (numerical score not given in the report)
- **CWE:** Not given in the report; the weakness class is security feature bypass (protection mechanism failure)
## Affected Systems
- **Products:** Microsoft Office
- **Versions:** Multiple versions (Check Microsoft Security Update Guide)
## Vulnerability Description
This flaw allows crafted documents to circumvent Office's built-in security protections; the report does not name the specific protection that is bypassed. When a victim opens a malicious file, the embedded payload executes.
## Exploitation
- **Status:** **Actively Exploited in the wild** by threat actors including APT28 and RomCom.
- **Attack Vector:** Network, with user interaction required (a malicious document delivered by email or download and opened by the victim)
## Remediation
### Patches
- Deploy the latest Microsoft Office security updates.
---
# Vulnerability: Keycloak JWT Validation Flaw
## CVE Details
- **CVE ID:** CVE-2026-1529
- **CVSS Score:** High (numerical score not given in the report)
- **CWE:** Not given in the report; the weakness class is improper verification of a cryptographic signature (JWT invitation tokens accepted without a valid signature check)
## Affected Systems
- **Products:** Red Hat Keycloak
- **Versions:** Not specified (refer to the Red Hat advisory)
## Vulnerability Description
The flaw involves improper validation of JWT (JSON Web Token) invitation token signatures. Attackers can manipulate trusted token contents to gain unauthorized access to organizational resources.
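To show the weakness class behind CVE-2026-1529 concretely, here is an added illustrative example; it is not Keycloak's code and not a reproduction of the actual flaw, whose mechanics the report does not describe. It places a decoder that trusts token claims without checking the signature beside a verifier that pins the algorithm, compares the MAC in constant time, and checks issuer and expiry. HS256 with a constructed shared secret is used so the block runs stand-alone (Keycloak itself signs with realm keys); `SECRET`, `EXPECTED_ISSUER`, `NOW` and all claim values are assumptions made for the example.

```python
"""Illustrative JWT verification (added example, not Keycloak's code).

Contrasts the vulnerable pattern (trusting a token whose claims were edited
after signing) with a hardened verifier. Uses HS256 with a constructed
shared secret for self-containment.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-shared-secret"                  # constructed, not a real key
EXPECTED_ISSUER = "https://idp.example/realms/demo"  # hypothetical issuer
NOW = 1_700_000_000                                  # fixed clock for the demo


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 token over the given claims."""
    signing_input = f"{_json_b64({'alg': 'HS256', 'typ': 'JWT'})}.{_json_b64(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """VULNERABLE PATTERN: reads claims without checking the signature."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_jwt(token: str, secret: bytes = SECRET, now: float = None) -> dict:
    """Hardened verification; raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token's own alg is only allowed to match it, which
    # rejects 'none' and algorithm-confusion attempts.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims


def tamper(token: str, **changes) -> str:
    """Attacker step: rewrite claims but keep the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims.update(changes)
    return f"{header_b64}.{_json_b64(claims)}.{sig_b64}"


def _try_verify(token: str) -> str:
    try:
        verify_jwt(token, now=NOW)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


def demo() -> dict:
    """Constructed scenario: an invitation token for a plain member is
    upgraded to org-admin; only the hardened verifier notices."""
    base = {"iss": EXPECTED_ISSUER, "sub": "alice", "org": "acme", "role": "member"}
    issued = sign_jwt({**base, "exp": NOW + 3600})
    forged = tamper(issued, role="org-admin")
    _, payload_b64, _ = forged.split(".")
    alg_none = f"{_json_b64({'alg': 'none'})}.{payload_b64}."
    return {
        "valid": verify_jwt(issued, now=NOW)["role"],
        "unverified_role": decode_unverified(forged)["role"],
        "forged": _try_verify(forged),
        "alg_none": _try_verify(alg_none),
        "expired": _try_verify(sign_jwt({**base, "exp": NOW - 1})),
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `{'valid': 'member', 'unverified_role': 'org-admin', 'forged': 'rejected: bad signature', 'alg_none': 'rejected: unexpected alg', 'expired': 'rejected: expired'}`: the same forged token is trusted by the unverified decoder and refused by the verifier. The points that matter in a real deployment are the same ones shown here: verify before reading any claim, pin the accepted algorithm and key on the server side rather than taking it from the token header, and check issuer and expiry after the signature.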
## Exploitation
- **Status:** Public PoC available; surfaced on underground forums.
## Remediation
### Patches
- Apply updates from Red Hat for affected Keycloak installations.
---
# Summary of CISA KEV & ICS Additions
### CISA Known Exploited Vulnerabilities (KEV)
The following were recently confirmed as exploited in the wild:
- **CVE-2026-24423:** SmarterTools SmarterMail - Unauthenticated RCE.
- **CVE-2026-21510:** Microsoft Windows Shell protection mechanism bypass.
### Critical Industrial Control Systems (ICS)
- **CVE-2026-25084 & CVE-2026-24789 (ZLAN5143D):** Missing authentication for critical functions; allows unauthorized configuration and password resets.
- **CVE-2025-52533 (Siemens SINEC OS):** Out-of-bounds write leading to memory corruption.
- **CVE-2026-1358 (Airleader Master):** Unrestricted file upload leading to RCE in OT environments.
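For the unrestricted file-upload class above, here is an added example, not code from Airleader or any vendor on this page, showing an upload handler that trusts the client's filename and content beside one that enforces an extension-plus-magic allowlist, caps size, assigns a server-chosen name, stores outside the served tree and refuses to clobber existing files. The allowlist, size cap, directory names and the PHP marker payload are constructed for the example.

```python
"""Upload validation: vulnerable pattern beside a hardened one (added example).

The vulnerable handler is the unrestricted-upload shape described for
CVE-2026-1358; the hardened one rejects executable content even when it is
renamed to an allowed extension and never lets the client choose the path.
"""
import os
import secrets
import tempfile

# Constructed allowlist: extension -> required leading bytes (file magic).
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024


def unsafe_save(upload_dir: str, client_name: str, data: bytes) -> str:
    """VULNERABLE PATTERN: client-controlled name and unchecked content."""
    path = os.path.join(upload_dir, client_name)  # '../' and '.php' pass through
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def safe_save(upload_dir: str, client_name: str, data: bytes) -> str:
    """Hardened handler; raises ValueError on any rejected upload."""
    if len(data) > MAX_BYTES:
        raise ValueError("too large")
    # Only the extension of the basename is used; any directory part is dropped.
    ext = os.path.splitext(os.path.basename(client_name))[1].lower()
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext!r} not allowed")
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match extension")
    # The server picks the stored name, so the client cannot steer the path.
    root = os.path.realpath(upload_dir)
    path = os.path.realpath(os.path.join(root, secrets.token_hex(16) + ext))
    if os.path.commonpath([root, path]) != root:
        raise ValueError("path escapes upload directory")
    # O_EXCL refuses to overwrite; 0o600 keeps the file non-executable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Runs both handlers against constructed uploads in a temporary tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        webroot = os.path.join(tmp, "webroot")  # served by the web tier
        store = os.path.join(tmp, "store")      # never served directly
        os.makedirs(webroot)
        os.makedirs(store)
        webshell = b"<?php system($_GET['c']); ?>"  # constructed marker payload
        png = ALLOWED[".png"] + b"\0" * 8
        # The vulnerable handler writes a .php straight into the web root.
        results["unsafe_wrote"] = os.path.basename(unsafe_save(webroot, "shell.php", webshell))
        cases = [
            ("php_as_png", "shell.png", webshell),            # wrong magic
            ("php_ext", "shell.php", png),                     # extension denied
            ("traversal", "../../etc/cron.d/x.png", png),      # path part dropped
            ("real_png", "photo.png", png),
        ]
        for label, name, body in cases:
            try:
                saved = safe_save(store, name, body)
                results[label] = "stored in " + os.path.basename(os.path.dirname(saved))
            except ValueError as exc:
                results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note the order of the checks: the magic check runs even when the extension is allowed, so a web shell renamed to `.png` is still refused, and a valid image whose client name carries `../` is stored under a random name inside the store rather than anywhere the client pointed. Serving uploads only from a directory the web server treats as static (no script execution) is the complementary control the code cannot supply on its own.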
## Detection and Mitigation Strategies
- **Network Segmentation:** Implement strict IT/OT segmentation to prevent lateral movement.
- **Access Control:** Deploy Multi-Factor Authentication (MFA) across all enterprise and industrial portals.
- **Monitoring:** Monitor CISA KEV updates and underground forums for early warning signs.
- **Resource:** Detailed advisories can be found at:
  - `https[:]//www[.]cisa[.]gov/news-events/cybersecurity-advisories`
  - `https[:]//cyble[.]com/blog/`
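To make the prioritization guidance in this report concrete (risk and exploit availability first, KEV membership as the trigger), here is an added example of a KEV-driven triage script; it is not Cyble's or CISA's tooling. The KEV excerpt uses the public feed's field names (`cveID`, `vendorProject`, `dueDate`, `knownRansomwareCampaignUse`) but its due dates are made up; severity, PoC availability and KEV membership follow what this report states (CVEs for which it mentions no PoC are marked `False`), while the asset names and exposure flags are assumptions.

```python
"""KEV-driven triage (added example; not Cyble's or CISA's tooling).

Ranks findings by confirmed exploitation (KEV), then internet exposure,
then public PoC, with severity only breaking ties. The feed excerpt and
the inventory below are constructed for the example.
"""
import json
from datetime import date

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed excerpt in the shape of the CISA KEV JSON feed (dates made up).
KEV_FEED_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-24423", "vendorProject": "SmarterTools",
     "dueDate": "2026-02-20", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-21509", "vendorProject": "Microsoft",
     "dueDate": "2026-03-05", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory: severity and PoC flags as reported on this page;
# asset names and exposure flags are assumptions.
INVENTORY = [
    {"cve": "CVE-2026-23906", "asset": "druid-analytics", "severity": "critical",
     "internet_facing": False, "poc_public": False},
    {"cve": "CVE-2026-1529", "asset": "sso-keycloak", "severity": "high",
     "internet_facing": False, "poc_public": True},
    {"cve": "CVE-2025-40554", "asset": "helpdesk-whd", "severity": "critical",
     "internet_facing": True, "poc_public": True},
    {"cve": "CVE-2026-1340", "asset": "mdm-epmm", "severity": "critical",
     "internet_facing": True, "poc_public": True},
    {"cve": "CVE-2026-21509", "asset": "office-fleet", "severity": "high",
     "internet_facing": False, "poc_public": False},
    {"cve": "CVE-2026-24423", "asset": "mail-gw-01", "severity": "critical",
     "internet_facing": True, "poc_public": False},
]


def load_kev(feed_json: str) -> dict:
    """Index a KEV feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def sort_key(finding: dict, kev: dict) -> tuple:
    """Urgency key, compared lexicographically: KEV > exposure > PoC > severity."""
    return (finding["cve"] in kev, finding["internet_facing"],
            finding["poc_public"], SEVERITY_RANK[finding["severity"]])


def tier(finding: dict, kev: dict) -> str:
    """Remediation tier; P0 means exploitation is confirmed and the KEV due
    date is the SLA, regardless of where the asset sits."""
    if finding["cve"] in kev:
        return "P0"
    if finding["poc_public"] and finding["internet_facing"]:
        return "P1"
    if finding["poc_public"] or finding["severity"] == "critical":
        return "P2"
    return "P3"


def triage(inventory: list, kev: dict, today: date) -> list:
    """Return (tier, cve, asset, days_until_kev_due) rows, most urgent first.
    Negative days mean the KEV due date has already passed."""
    rows = []
    # sorted() is stable, so equal keys keep inventory order.
    for f in sorted(inventory, key=lambda f: sort_key(f, kev), reverse=True):
        due = kev.get(f["cve"], {}).get("dueDate")
        days = (date.fromisoformat(due) - today).days if due else None
        rows.append((tier(f, kev), f["cve"], f["asset"], days))
    return rows


def demo_rows() -> list:
    """Run on a fixed date so the output is reproducible."""
    return triage(INVENTORY, load_kev(KEV_FEED_JSON), date(2026, 2, 25))


if __name__ == "__main__":
    for row in demo_rows():
        print(*row)
```

On the constructed inputs the two KEV entries come out first (the SmarterMail item already five days past its due date), the two internet-facing products with public PoCs next, and the internal Keycloak and Druid hosts last. In practice the inventory comes from a scanner or CMDB export and the KEV feed from CISA's published JSON; the ranking logic stays the same, and the `poc_public` flag is where underground-forum and PoC intelligence plugs in.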