Full Report
Cyble Vulnerability Intelligence researchers tracked 1,782 vulnerabilities in the last week, the third straight week that new vulnerabilities have been growing at twice their long-term rate. Over 282 of the disclosed vulnerabilities already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks on those vulnerabilities. A total of 207 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 51 received a critical severity rating based on the newer CVSS v4.0 scoring system.

Here are some of the top IT and ICS vulnerabilities flagged by Cyble threat intelligence researchers in recent reports to clients.

## The Week’s Top IT Vulnerabilities

CVE-2025-66516 is a maximum severity XML External Entity (XXE) injection vulnerability in Apache Tika's core, PDF and parsers modules. Attackers could embed malicious XFA files in PDFs to trigger XXE, potentially allowing the disclosure of sensitive files, SSRF, or DoS without authentication.

CVE-2025-15047 is a critical stack-based buffer overflow vulnerability in Tenda WH450 router firmware version V1.0.0.18. It can be triggered remotely over the network with low attack complexity, and a public exploit exists, increasing the risk of widespread abuse.

Among the vulnerabilities added to CISA’s Known Exploited Vulnerabilities (KEV) catalog were:

- CVE-2025-14733, an out-of-bounds write vulnerability in WatchGuard Fireware OS that could enable remote unauthenticated attackers to execute arbitrary code.
- CVE-2025-40602, a local privilege escalation vulnerability due to insufficient authorization in the Appliance Management Console (AMC) of SonicWall SMA 1000 appliances.
- CVE-2025-20393, a critical remote code execution (RCE) vulnerability in Cisco AsyncOS Software affecting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances. The flaw has reportedly been actively exploited since late November by a China-linked APT group, which has deployed backdoors such as AquaShell, tunneling tools, and log cleaners to achieve persistence and remote access.
- CVE-2025-14847, a high-severity MongoDB vulnerability that has been dubbed “MongoBleed” and is reported to be under active exploitation. This Improper Handling of Length Parameter Inconsistency vulnerability could allow an unauthenticated client to read uninitialized heap memory, potentially exposing data, credentials and session tokens.

## Vulnerabilities Under Discussion on the Dark Web

Cyble dark web researchers observed a number of threat actors sharing exploits and discussing weaponizing vulnerabilities on underground and cybercrime forums. Among the vulnerabilities under discussion were:

- CVE-2025-56157, a critical default credentials vulnerability affecting Dify versions through 1.5.1, where PostgreSQL credentials are stored in plaintext within the docker-compose.yaml file. Attackers who access deployment files or source code repositories could extract these default credentials, potentially gaining unauthorized access to databases. Successful exploitation could enable remote code execution, privilege escalation, and complete data compromise.
- CVE-2025-37164, a critical code injection vulnerability in HPE OneView. The unauthenticated remote code execution flaw affects HPE OneView versions 10.20 and prior due to improper control of code generation. The vulnerability exists in the /rest/id-pools/executeCommand REST API endpoint, which is accessible without authentication, potentially allowing remote attackers to execute arbitrary code and gain centralized control over the enterprise infrastructure.
- CVE-2025-14558, a critical severity remote code execution vulnerability in FreeBSD's rtsol(8) and rtsold(8) programs that is still awaiting NVD and CVE publication. The flaw occurs because these programs fail to validate domain search list options in IPv6 router advertisement messages, potentially allowing shell commands to be executed due to improper input validation in resolvconf(8). Attackers on the same network segment could potentially exploit this vulnerability for remote code execution; however, the attack does not cross network boundaries, as router advertisement messages are not routable.
- CVE-2025-38352, a high-severity race condition vulnerability in the Linux kernel. This Time-of-Check Time-of-Use (TOCTOU) race condition in the posix-cpu-timers subsystem could allow local attackers to escalate privileges. The flaw occurs when concurrent timer deletion and task reaping operations create a race condition that fails to detect timer firing states.

## ICS Vulnerabilities

Cyble threat researchers also flagged two industrial control system (ICS) vulnerabilities as meriting high-priority attention by security teams:

- CVE-2025-30023, a critical Deserialization of Untrusted Data vulnerability in Axis Communications Camera Station Pro, Camera Station, and Device Manager. Successful exploitation could allow an attacker to execute arbitrary code, conduct a man-in-the-middle-style attack, or bypass authentication.
- Schneider Electric EcoStruxure Foxboro DCS Advisor is affected by CVE-2025-59827, a Deserialization of Untrusted Data vulnerability in Microsoft Windows Server Update Service (WSUS). Successful exploitation could allow for remote code execution, potentially resulting in unauthorized parties acquiring system-level privileges.

## Conclusion

The persistently high number of new vulnerabilities observed in recent weeks is a worrisome new trend as we head into 2026. More than ever, security teams must respond with rapid, well-targeted actions to patch the most critical vulnerabilities and successfully defend IT and critical infrastructure.

A risk-based vulnerability management program should be at the heart of those defensive efforts. Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.

The post The Week in Vulnerabilities: The Year Ends with an Alarming New Trend appeared first on Cyble.
Analysis Summary
This summary focuses on the high-priority vulnerabilities detailed in the provided intelligence report.
***
# Vulnerability: Apache Tika XXE Injection
## CVE Details
- CVE ID: CVE-2025-66516
- CVSS Score: Not explicitly provided (Rated "maximum severity")
- CWE: XML External Entity (XXE) Injection
## Affected Systems
- Products: Apache Tika (core, PDF, and parsers modules)
- Versions: Not specified
- Configurations: Triggered by embedding malicious XFA files in PDFs.
## Vulnerability Description
This is an XML External Entity (XXE) injection vulnerability. Attackers can embed malicious XFA files within PDF documents. When processed by the vulnerable modules, this allows an unauthenticated attacker to trigger XXE, leading to disclosure of sensitive files, Server-Side Request Forgery (SSRF), or Denial of Service (DoS).
## Exploitation
- Status: Publicly disclosed, exploit potential high (due to XXE nature).
- Complexity: Low (implied by lack of required authentication).
- Attack Vector: Remotely via specially crafted PDF files.
## Impact
- Confidentiality: Disclosure of sensitive files.
- Integrity: Potential for SSRF attacks.
- Availability: Potential for DoS.
## Remediation
### Patches
- Vendor patch information is not provided in the summary. Users should consult Apache Tika advisories.
### Workarounds
- Where possible, disable external entity resolution (DTD/DOCTYPE processing) in the XML parsers that handle PDF/XFA content and validate inbound documents strictly; the report itself focuses on patching.
## Detection
- Monitoring for unexpected outbound connections originating from PDF/parser processes (SSRF indicators).
- File integrity monitoring on PDF ingestion paths.
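As an added illustration of the detection idea above (this is example code, not code from the Cyble report or the Apache Tika project): a scanner that locates XFA XML streams inside a PDF and flags DOCTYPE-declared external entities, the construct that turns an XFA form into an XXE trigger. `build_sample_pdf`, the two XFA samples and the `file:///PLACEHOLDER` URI are constructed for the example.

```python
import re
import zlib

# A stream object: its dictionary (nested << >> not handled) followed by the body.
STREAM_RE = re.compile(rb"<<((?:(?!<<).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
# DOCTYPE-declared general or parameter entity that points at an external resource.
EXT_ENTITY_RE = re.compile(rb"<!ENTITY\s+(?:%\s+)?[\w.-]+\s+(?:SYSTEM|PUBLIC)\b", re.I)

def iter_streams(pdf: bytes):
    """Yield (dictionary, decoded body) for every stream; inflates FlateDecode streams."""
    for m in STREAM_RE.finditer(pdf):
        dictionary, body = m.group(1), m.group(2)
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # corrupt or unsupported filter chain: skip rather than guess
        yield dictionary, body

def scan_pdf(pdf: bytes) -> dict:
    """Report whether the PDF carries XFA and whether any XML stream declares
    external entities, which a parser with entity resolution enabled would fetch."""
    report = {"has_xfa": b"/XFA" in pdf, "xml_streams": 0, "external_entities": 0}
    for _, body in iter_streams(pdf):
        if body.lstrip()[:5] != b"<?xml" and b"<xdp:xdp" not in body:
            continue  # not XML, so not XFA content
        report["xml_streams"] += 1
        report["external_entities"] += len(EXT_ENTITY_RE.findall(body))
    report["suspicious"] = report["has_xfa"] and report["external_entities"] > 0
    return report

def build_sample_pdf(xfa_xml: bytes, compress: bool) -> bytes:
    """Constructed minimal PDF-like bytes with an AcroForm /XFA stream (test input only)."""
    body = zlib.compress(xfa_xml) if compress else xfa_xml
    filt = b" /Filter /FlateDecode" if compress else b""
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /AcroForm << /XFA 2 0 R >> >> endobj\n"
            b"2 0 obj << /Length " + str(len(body)).encode() + filt + b" >>\nstream\n"
            + body + b"\nendstream\nendobj\n%%EOF\n")

# Constructed benign XFA form: no DOCTYPE, no entities.
BENIGN_XFA = (b'<?xml version="1.0"?><xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
              b'<template><subform name="form1"/></template></xdp:xdp>')
# Constructed hostile variant: the DOCTYPE declares an external entity (placeholder URI).
HOSTILE_XFA = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE xdp [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>'
               b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><f>&ext;</f></xdp:xdp>')

if __name__ == "__main__":
    for label, xml in (("benign", BENIGN_XFA), ("hostile", HOSTILE_XFA)):
        print(label, scan_pdf(build_sample_pdf(xml, compress=True)))
```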
## References
- N/A (No direct link provided in the summary excerpts)
***
# Vulnerability: Tenda WH450 Router Firmware Buffer Overflow
## CVE Details
- CVE ID: CVE-2025-15047
- CVSS Score: Critical (Implied)
- CWE: Stack-based Buffer Overflow
## Affected Systems
- Products: Tenda WH450 Router Firmware
- Versions: V1.0.0.18
- Configurations: N/A
## Vulnerability Description
A critical stack-based buffer overflow vulnerability exists in the specified Tenda router firmware. This flaw can be triggered remotely over the network.
## Exploitation
- Status: Public exploit exists, increasing risk of widespread abuse.
- Complexity: Low (Remote, low complexity initiation).
- Attack Vector: Network (Remote).
## Impact
- High impact risk, likely leading to Remote Code Execution (RCE) due to buffer overflow mechanics.
## Remediation
### Patches
- Vendor patch information is not provided. Users must check Tenda official advisories for firmware updates addressing this specific version.
### Workarounds
- Network segmentation to restrict remote access to the router management interface.
## Detection
- Anomalous network traffic directed at the router management interface.
## References
- N/A
***
# Vulnerability: WatchGuard Fireware OS Out-of-Bounds Write (CISA KEV)
## CVE Details
- CVE ID: CVE-2025-14733
- CVSS Score: Not explicitly provided (inclusion in the KEV catalog indicates known exploitation)
- CWE: Out-of-Bounds Write
## Affected Systems
- Products: WatchGuard Fireware OS
- Versions: Not specified
- Configurations: N/A
## Vulnerability Description
An out-of-bounds write vulnerability that can be exploited by remote, unauthenticated attackers to achieve arbitrary code execution.
## Exploitation
- Status: Added to CISA KEV Catalog (reliable evidence of active exploitation).
- Complexity: Low (Remote, Unauthenticated).
- Attack Vector: Network (Remote).
## Impact
- Complete system compromise via Remote Code Execution (RCE).
## Remediation
### Patches
- Apply relevant security updates provided by WatchGuard.
### Workarounds
- Limit external access to WatchGuard management interfaces if possible.
## Detection
- Monitoring for successful exploitation indicators against WatchGuard firewalls.
## References
- CISA KEV Catalog entry for CVE-2025-14733.
***
# Vulnerability: SonicWall SMA 1000 Local Privilege Escalation (CISA KEV)
## CVE Details
- CVE ID: CVE-2025-40602
- CVSS Score: Not explicitly provided (inclusion in the KEV catalog indicates known exploitation)
- CWE: Insufficient Authorization
## Affected Systems
- Products: SonicWall SMA 1000 appliances
- Versions: Not specified
- Configurations: Relates to the Appliance Management Console (AMC).
## Vulnerability Description
A local privilege escalation vulnerability stemming from insufficient authorization controls within the Appliance Management Console (AMC).
## Exploitation
- Status: Added to CISA KEV Catalog (reliable evidence of active exploitation).
- Complexity: Local or low-privileged access to the appliance is required before escalation.
- Attack Vector: Local (or previously gained low-privilege remote access).
## Impact
- Privilege escalation from a lower-privileged account to a higher one.
## Remediation
### Patches
- Apply relevant security updates provided by SonicWall.
### Workarounds
- Review and enforce least privilege access controls for the AMC.
## Detection
- Monitoring for unexpected privilege changes or administrative actions originating from the AMC.
## References
- CISA KEV Catalog entry for CVE-2025-40602.
***
# Vulnerability: Cisco AsyncOS RCE (CISA KEV, Active APT Exploitation)
## CVE Details
- CVE ID: CVE-2025-20393
- CVSS Score: Critical (Explicitly stated)
- CWE: Not specified (the report names the impact, remote code execution, rather than the weakness type)
## Affected Systems
- Products: Cisco AsyncOS Software (Secure Email Gateway, Secure Email and Web Manager appliances)
- Versions: Not specified
## Vulnerability Description
A critical Remote Code Execution (RCE) vulnerability in Cisco AsyncOS Software.
## Exploitation
- Status: **Actively exploited since late November by a China-linked APT group.** Backdoors (AquaShell) deployed for persistence and remote access. Added to CISA KEV.
- Complexity: Low to Medium (Remote).
- Attack Vector: Network (Remote).
## Impact
- Complete system compromise, persistent backdoor installation, data theft, remote control.
## Remediation
### Patches
- Urgent application of Cisco security updates for AsyncOS.
### Workarounds
- Network segmentation to isolate these email/web management appliances.
## Detection
- Endpoint/Network monitoring for signs of AquaShell, tunneling tools, or unusual log cleaning activity on email gateways.
## References
- CISA KEV Catalog entry for CVE-2025-20393.
***
# Vulnerability: MongoDB "MongoBleed" Uninitialized Memory Read (CISA KEV)
## CVE Details
- CVE ID: CVE-2025-14847
- CVSS Score: High Severity
- CWE: Improper Handling of Length Parameter Inconsistency
## Affected Systems
- Products: MongoDB
- Versions: Not specified
- Configurations: Affects unauthenticated clients accessing the service.
## Vulnerability Description
Dubbed "MongoBleed," this vulnerability allows an unauthenticated client to read from uninitialized heap memory.
## Exploitation
- Status: Reported to be under **active exploitation.** Added to CISA KEV.
- Complexity: Low (Unauthenticated access).
- Attack Vector: Network (Remote).
## Impact
- Confidentiality exposure, potentially leaking data, credentials, and session tokens.
## Remediation
### Patches
- Apply the necessary MongoDB security update that addresses this memory handling flaw.
### Workarounds
- Strictly limit external network access to MongoDB instances.
## Detection
- Monitoring database logs for unusually high read operations from unverified or external sources.
## References
- CISA KEV Catalog entry for CVE-2025-14847.
***
# Vulnerability: Dify Default Credentials Disclosure
## CVE Details
- CVE ID: CVE-2025-56157
- CVSS Score: Critical (Implied)
- CWE: Hardcoded Credentials (Default Credentials)
## Affected Systems
- Products: Dify
- Versions: Through 1.5.1
- Configurations: Deployment relying on default `docker-compose.yaml` files.
## Vulnerability Description
PostgreSQL credentials are hardcoded in plaintext within the `docker-compose.yaml` deployment file. Threat actors accessing deployment artifacts can extract these credentials.
## Exploitation
- Status: Under discussion on the Dark Web for weaponization. **PoC likely exists/easy to create.**
- Complexity: Low (Requires access to deployment files, but exploitation of the resulting database access is straightforward).
- Attack Vector: Remote (after credential theft).
## Impact
- Remote Code Execution, Privilege Escalation, complete data compromise of the associated database.
## Remediation
### Patches
- Upgrade Dify to version 1.5.2 or later, or manually update configuration files.
### Workarounds
- **Immediate Action:** Manually overwrite all default PostgreSQL credentials in the deployment configuration files for all instances.
## Detection
- Scanning source code repositories or file systems for plaintext database credentials.
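An added example for the detection step above (example code, not from the Cyble report or the Dify project): a scanner that walks the `environment` blocks of a docker-compose file and flags sensitive keys whose values are plaintext literals or `${VAR:-default}` fallbacks, while accepting `${VAR}` / `${VAR:?...}` references that force the value to come from the environment. The sample compose text, its key names and the `changeme-default` value are constructed placeholders, not Dify's actual configuration.

```python
import re

# Keys whose values should never be literal in a committed compose file.
SENSITIVE_KEY = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)
# environment: written as a list ("- KEY=value") or as a mapping ("KEY: value").
ENV_LIST_ITEM = re.compile(r"^\s*-\s*['\"]?([A-Za-z_]\w*)=(.*?)['\"]?\s*$")
ENV_MAP_ITEM = re.compile(r"^\s*([A-Za-z_]\w*):\s*(.*?)\s*$")
# ${VAR:-default} / ${VAR-default}: the fallback is still a plaintext secret in the repo.
INTERP_DEFAULT = re.compile(r"^\$\{[A-Za-z_]\w*:?-(.*)\}$")
# ${VAR} or ${VAR:?message}: value must be supplied by the environment / .env file.
INTERP_REQUIRED = re.compile(r"^\$\{[A-Za-z_]\w*(?::?\?.*)?\}$")

def classify(value: str) -> str:
    """Classify an environment value: external, inline-default, plaintext, or empty."""
    v = value.strip().strip("'\"")
    if not v:
        return "empty"
    if INTERP_REQUIRED.match(v):
        return "external"
    m = INTERP_DEFAULT.match(v)
    if m:
        return "inline-default" if m.group(1) else "external"
    return "plaintext"

def scan_compose(text: str) -> list:
    """Return (line number, key, kind) for sensitive keys whose value lives in the file."""
    findings, in_env, env_indent = [], False, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"\s+#.*$", "", raw)       # drop trailing YAML comments
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if stripped == "environment:":
            in_env, env_indent = True, indent
            continue
        if in_env and indent <= env_indent:
            in_env = False                       # left the environment block
        if not in_env:
            continue
        m = ENV_LIST_ITEM.match(line) or ENV_MAP_ITEM.match(line)
        if m and SENSITIVE_KEY.search(m.group(1)):
            kind = classify(m.group(2))
            if kind in ("plaintext", "inline-default"):
                findings.append((lineno, m.group(1), kind))
    return findings

# Constructed sample compose file (placeholder names and values).
SAMPLE_COMPOSE = """\
services:
  db:
    image: postgres:15
    environment:
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: changeme-default  # literal default: anyone with the repo has it
  api:
    image: example/app
    environment:
      - DB_PASSWORD=${DB_PASSWORD:-changeme-default}  # fallback leaks the same default
      - SECRET_KEY=${SECRET_KEY:?set in .env}  # must come from the environment
      - DB_HOST=db
"""

if __name__ == "__main__":
    for lineno, key, kind in scan_compose(SAMPLE_COMPOSE):
        print(f"line {lineno}: {key} is {kind}")
```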
## References
- N/A
***
# Vulnerability: HPE OneView Unauthenticated Remote Code Execution
## CVE Details
- CVE ID: CVE-2025-37164
- CVSS Score: Critical (Implied due to RCE capability)
- CWE: Improper Control of Code Generation (Code Injection)
## Affected Systems
- Products: HPE OneView
- Versions: 10.20 and prior
- Configurations: Exposed `/rest/id-pools/executeCommand` REST API endpoint.
## Vulnerability Description
An unauthenticated RCE flaw in the REST API endpoint `/rest/id-pools/executeCommand` due to improper control over code generation. This allows remote attackers to execute arbitrary code.
## Exploitation
- Status: Under discussion on the Dark Web for weaponization. **PoC likely exists/easy to create.**
- Complexity: Low (Unauthenticated, Remote).
- Attack Vector: Network (Remote).
## Impact
- Remote Code Execution, granting centralized control over the enterprise infrastructure managed by OneView.
## Remediation
### Patches
- Apply security updates from HPE for OneView version 10.20 and prior.
### Workarounds
- Block external/untrusted access to the `/rest/id-pools/executeCommand` endpoint via WAF or network controls if immediate patching is not possible.
## Detection
- Monitoring requests to the specified REST API endpoint for non-standard command structures.
## References
- N/A
***
# Vulnerability: FreeBSD rtsol(8)/rtsold(8) RCE (Awaiting Publication)
## CVE Details
- CVE ID: CVE-2025-14558
- CVSS Score: Critical Severity (Reported)
- CWE: Improper Input Validation
## Affected Systems
- Products: FreeBSD `rtsol(8)` and `rtsold(8)` programs
- Versions: Not specified (the CVE entry is still awaiting NVD/CVE publication).
- Configurations: Exploitable via IPv6 router advertisement messages.
## Vulnerability Description
The programs fail to validate domain search list options within IPv6 router advertisement messages. Improper input validation in the accompanying `resolvconf(8)` allows for shell command execution.
## Exploitation
- Status: Awaiting NVD/CVE publication.
- Complexity: Medium (Requires being on the same network segment).
- Attack Vector: Adjacent network (router advertisements are link-local ICMPv6 multicast messages and are not forwarded across routed boundaries).
## Impact
- Remote Code Execution on the affected host.
## Remediation
### Patches
- Monitor FreeBSD security advisories for patches related to `rtsol`, `rtsold`, and `resolvconf`.
### Workarounds
- Disable or restrict IPv6 Router Advertisements if feasible, or deploy mitigations at the router layer.
## Detection
- Deep packet inspection (DPI) for malformed IPv6 Router Advertisement messages targeting the domain search list options.
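An added example of the detection idea above (example code, not FreeBSD or Cyble code): a parser for the RA DNS Search List option (type 31, RFC 8106) that decodes each domain name from its DNS wire format and rejects any label that is not a plain LDH hostname label, the check an advertisement-handling path should apply before a search list is handed to `resolvconf(8)`. `build_dnssl` and the sample names are constructed for the example.

```python
import struct

ND_OPT_DNSSL = 31  # RFC 8106 DNS Search List option type
LDH = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-")

def build_dnssl(names, lifetime=3600) -> bytes:
    """Constructed helper: encode a DNSSL option so the parser has realistic input."""
    wire = b""
    for name in names:
        for label in name.split("."):
            raw = label.encode()
            wire += bytes([len(raw)]) + raw
        wire += b"\x00"                          # terminates one domain name
    body = struct.pack("!HI", 0, lifetime) + wire  # reserved, lifetime, names
    pad = (-(2 + len(body))) % 8                 # option length is in 8-octet units
    return bytes([ND_OPT_DNSSL, (2 + len(body) + pad) // 8]) + body + b"\x00" * pad

def parse_dnssl(opt: bytes):
    """Return (lifetime, names); names is a list of label-byte lists.
    Raises ValueError on any structural problem instead of guessing."""
    if len(opt) < 8 or opt[0] != ND_OPT_DNSSL:
        raise ValueError("not a DNSSL option")
    length = opt[1] * 8
    if length == 0 or length != len(opt):
        raise ValueError("option length does not match the data")
    lifetime = struct.unpack("!I", opt[4:8])[0]
    names, i = [], 8
    while i < length:
        if opt[i] == 0:                          # zero padding after the last name
            i += 1
            continue
        labels = []
        while True:
            if i >= length:
                raise ValueError("truncated domain name")
            n = opt[i]
            i += 1
            if n == 0:
                break
            if n > 63 or i + n > length:         # compression pointer or overrun
                raise ValueError("bad label length")
            labels.append(opt[i:i + n])
            i += n
        names.append(labels)
    return lifetime, names

def is_valid_label(raw: bytes) -> bool:
    """Strict LDH hostname label: 1-63 ASCII letters/digits/hyphens, no edge hyphen."""
    text = raw.decode("ascii", errors="replace")
    return (1 <= len(raw) <= 63 and set(text) <= LDH
            and not text.startswith("-") and not text.endswith("-"))

def check_search_list(opt: bytes):
    """Return (name, accepted) per advertised search domain; reject anything non-LDH."""
    _, names = parse_dnssl(opt)
    results = []
    for labels in names:
        text = ".".join(lab.decode("ascii", errors="replace") for lab in labels)
        results.append((text, len(text) <= 253 and all(is_valid_label(lab) for lab in labels)))
    return results

if __name__ == "__main__":
    # Constructed sample: one clean search domain and one carrying a shell metacharacter.
    for name, ok in check_search_list(build_dnssl(["example.com", "bad;label.example"])):
        print(f"{name!r}: {'accepted' if ok else 'rejected'}")
```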
## References
- N/A
***
# Vulnerability: Linux Kernel TOCTOU Privilege Escalation
## CVE Details
- CVE ID: CVE-2025-38352
- CVSS Score: High Severity
- CWE: Race Condition (Time-of-Check Time-of-Use - TOCTOU)
## Affected Systems
- Products: Linux Kernel
- Versions: Not specified (the flaw is in the `posix-cpu-timers` subsystem).
- Configurations: Requires local user access to exploit.
## Vulnerability Description
A TOCTOU race condition occurs in the `posix-cpu-timers` subsystem when timer deletion runs concurrently with task reaping; in that window the code fails to correctly detect whether the timer is firing.
## Exploitation
- Status: Publicly disclosed.
- Complexity: High (Requires precise timing for race condition exploitation).
- Attack Vector: Local.
## Impact
- Local Privilege Escalation (LPE).
## Remediation
### Patches
- Apply the relevant Linux kernel update that addresses the TOCTOU condition in the `posix-cpu-timers` subsystem.
### Workarounds
- Limit untrusted local user access on affected hosts; kernel patching is the primary fix.
## Detection
- Monitoring kernel logs for unusual or failed timer deletion sequences.
## References
- N/A
***
# ICS Vulnerability: Axis Communications Deserialization Flaw
## CVE Details
- CVE ID: CVE-2025-30023
- CVSS Score: Critical (Implied)
- CWE: Deserialization of Untrusted Data
## Affected Systems
- Products: Axis Communications Camera Station Pro, Camera Station, and Device Manager
- Versions: Not specified
## Vulnerability Description
A Deserialization of Untrusted Data vulnerability that can be triggered by processing malicious input.
## Exploitation
- Status: Flagged as high priority by Cyble.
- Complexity: Not specified.
- Attack Vector: Likely Network/Remote, depending on the service being called.
## Impact
- Arbitrary code execution, Man-in-the-Middle (MITM) attacks, or Authentication Bypass.
## Remediation
### Patches
- Apply security updates from Axis Communications for the affected products.
### Workarounds
- Network segmentation to isolate ICS devices from general corporate networks.
## Detection
- Intrusion Detection Systems (IDS) focused on recognizing abnormal payloads targeting Axis management interfaces.
## References
- N/A
***
# ICS Vulnerability: Schneider Electric Foxboro DCS WSUS RCE
## CVE Details
- CVE ID: CVE-2025-59827
- CVSS Score: Critical (Implied)
- CWE: Deserialization of Untrusted Data
## Affected Systems
- Products: Schneider Electric EcoStruxure Foxboro DCS Advisor
- Configurations: Affected through its dependency on Microsoft Windows Server Update Service (WSUS), where the deserialization flaw lies.
## Vulnerability Description
A Deserialization of Untrusted Data vulnerability within the WSUS components used by the Foxboro DCS Advisor software.
## Exploitation
- Status: Flagged as high priority by Cyble.
- Complexity: Not specified (the impact is remote code execution).
- Attack Vector: Network (via WSUS components).
## Impact
- Remote Code Execution resulting in unauthorized parties acquiring system-level privileges on the host server.
## Remediation
### Patches
- Apply vendor-specific patches from Schneider Electric for the Foxboro DCS Advisor, alongside any applicable Microsoft security updates for WSUS.
### Workarounds
- Isolate the Foxboro DCS Advisor server from unauthorized network access.
## Detection
- Monitoring system security logs on the host running Foxboro components for post-exploitation activity following unauthorized WSUS interaction.
## References
- N/A