Full Report
Cyble Research & Intelligence Labs (CRIL) tracked 1,102 vulnerabilities last week. Of these, 166 vulnerabilities already have publicly available Proof-of-Concept (PoC) exploits, significantly increasing the likelihood of real-world attacks. A total of 49 vulnerabilities were rated critical under CVSS v3.1, while 32 received critical severity under CVSS v4.0. Additionally, CISA added 9 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing confirmed active exploitation. On the industrial front, CISA issued 8 ICS advisories covering 18 vulnerabilities impacting Siemens, Honeywell, Delta Electronics, GE Vernova, PUSR, EnOcean, Valmet, and Welker products.

## Cyble Weekly Vulnerability Report: New Flaws and CVEs

### CVE-2026-1357 — WPvivid Backup & Migration Plugin (Critical)

CVE-2026-1357 is a critical unauthenticated arbitrary file upload and remote code execution vulnerability affecting the WPvivid Backup & Migration plugin for WordPress. The flaw stems from improper handling of RSA decryption errors combined with unsanitized filename inputs, allowing attackers to upload malicious PHP shells to publicly accessible directories. A public PoC is available, and the vulnerability surfaced in underground discussions shortly after disclosure, significantly lowering the barrier to exploitation.

### CVE-2026-1731 — BeyondTrust Remote Support & PRA (Critical)

CVE-2026-1731 is a critical OS command injection vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). The flaw exists within a WebSocket-based endpoint, allowing unauthenticated attackers to execute arbitrary commands on internet-facing instances. Successful exploitation enables full system compromise, data exfiltration, lateral movement, and persistent access. A PoC is publicly available.

### CVE-2025-49132 — Pterodactyl Panel (Critical)

CVE-2025-49132 affects the Pterodactyl Panel game-server management platform and allows unauthenticated remote code execution through improper validation of user-controlled parameters. Threat actors were observed sharing weaponized exploits on underground forums, highlighting the vulnerability’s operational risk.

### CVE-2026-25639 — Axios HTTP Client (High Severity)

CVE-2026-25639 is a denial-of-service vulnerability in the Axios HTTP client, where crafted JSON payloads exploiting improper configuration merging can crash Node.js or browser applications. The vulnerability was captured in underground forums shortly after disclosure and has a public PoC.

### CVE-2026-20841 — Windows Notepad (High Severity)

CVE-2026-20841 is a command injection vulnerability in the Windows Notepad app, enabling execution of malicious payloads via specially crafted files. Exploitation could enable privilege escalation and malware deployment.

## Vulnerabilities Added to CISA KEV

CISA added 9 vulnerabilities to the KEV catalog during the reporting period. Notable additions include:

- CVE-2026-2441 — Google Chrome use-after-free vulnerability enabling potential arbitrary code execution via crafted HTML.
- CVE-2025-15556 — Notepad++ update integrity verification vulnerability reportedly exploited by the China-linked threat actor Lotus Blossom.

KEV additions serve as strong indicators of exploitation maturity and heightened ransomware or espionage risk.

## Critical ICS Vulnerabilities

During the reporting period, CISA issued 8 ICS advisories covering 18 vulnerabilities. The majority were rated high severity.

### CVE-2026-1670 — Honeywell CCTV Products (Critical)

CVE-2026-1670 affects Honeywell CCTV products and carries a CVSS score of 9.8. The vulnerability allows an unauthenticated attacker to remotely alter the password recovery email address, effectively hijacking administrator accounts.

Successful exploitation enables:

- Full administrative account takeover
- Unauthorized access to live surveillance feeds
- Potential lateral movement into connected networks

Because no credentials or user interaction are required, this vulnerability presents a high mass-exploitation risk.

### CVE-2026-25715 — PUSR USR-W610 Router (Critical)

CVE-2026-25715 impacts the PUSR USR-W610 router and involves weak password requirements. If exploited, attackers can bypass authentication, compromise administrator credentials, or disrupt services. The risk is amplified by the vendor’s acknowledgment that the product has reached end-of-life and no patches are planned. Organizations are urged to isolate or replace affected devices immediately.

### Siemens Simcenter Vulnerabilities (High Severity Cluster)

Multiple high-severity out-of-bounds read/write and buffer overflow vulnerabilities were disclosed in Siemens Simcenter Femap and Nastran products (CVE-2026-23715 through CVE-2026-23720). These flaws may enable memory corruption and potential code execution in industrial engineering environments.

## Impacted Critical Infrastructure Sectors

Analysis of the 18 disclosed ICS vulnerabilities shows that Critical Manufacturing accounts for 61.1% of cases, with the sector appearing in 83.3% of all reported vulnerabilities. This concentration highlights the continued exposure of manufacturing environments and their interdependencies with Energy, Water, and Chemical sectors.

## Conclusion

The combination of high-volume IT vulnerabilities, publicly available PoCs, underground exploit discussions, and critical ICS exposures underscores the evolving threat landscape across enterprise and industrial environments.

With 166 PoCs already available and 9 KEV additions confirming active exploitation, organizations must adopt a risk-based vulnerability management approach that prioritizes:

- Rapid patching of internet-facing assets
- Strict network segmentation between IT and OT environments
- Removal or isolation of end-of-life devices
- Deployment of multi-factor authentication
- Continuous monitoring for anomalous behavior
- Routine vulnerability assessments and penetration testing

Cyble’s attack surface management solutions enable organizations to continuously monitor exposures, prioritize remediation, and detect early warning signals of exploitation. Additionally, Cyble’s threat intelligence and third-party risk intelligence capabilities provide visibility into vulnerabilities actively discussed in underground communities, empowering proactive defense against both IT and ICS threats.

The post The Week in Vulnerabilities: WordPress, BeyondTrust, and Critical ICS Bugs appeared first on Cyble.
Analysis Summary
The following is a structured, actionable summary of the vulnerabilities identified above, covering the entries for which the report provides the most detail:
***
# Vulnerability: WPvivid Backup & Migration Plugin File Upload & RCE
## CVE Details
- CVE ID: CVE-2026-1357
- CVSS Score: Not explicitly provided (Rated **Critical**)
- CWE: Not explicitly provided
## Affected Systems
- Products: WPvivid Backup & Migration Plugin for WordPress
- Versions: Not specified (Affects the plugin)
- Configurations: Standard WordPress installation using the affected plugin.
## Vulnerability Description
This is a critical unauthenticated **Arbitrary File Upload and Remote Code Execution (RCE)** vulnerability. The flaw is rooted in the improper handling of RSA decryption errors combined with unsanitized filename inputs, which allows an attacker to upload malicious PHP shells to publicly accessible directories.
## Exploitation
- Status: **PoC available**; surfaced in underground discussions (indicating a high likelihood of active exploitation).
- Complexity: Low (Unauthenticated access required).
- Attack Vector: Network (Remote).
## Impact
- Confidentiality: High (If shell executes, allows access to site data).
- Integrity: High (Arbitrary file upload leads to code execution).
- Availability: High (System compromise can lead to downtime).
## Remediation
### Patches
- Patch information not detailed in the summary. **Urgent action required.**
### Workarounds
- Immediately deactivate and remove the WPvivid Backup & Migration Plugin until a verified patch is applied.
- Restrict file upload capabilities system-wide if possible.
## Detection
- Monitor web server logs for unusual POST requests or file uploads containing PHP shell signatures targeting plugin directories.
- Monitor for the presence of newly created `.php` files in publicly accessible directories that were not part of the original installation.
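The two detection checks above, as an added example written for this summary (not Cyble's code and not the plugin's): a pass over constructed Apache/nginx combined-format log lines, and a baseline comparison that lists `.php` files not present in the original install. The plugin directory slug and the writable directories that should never serve PHP are assumptions, not values taken from the report.

```python
"""Defender-side checks for the WPvivid file-upload indicators (constructed example)."""
import os
import re

# Combined log format (Apache/nginx default); only the fields the checks need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Assumed paths: plugin slug and writable directories that must never execute PHP.
PLUGIN_PREFIX = "/wp-content/plugins/wpvivid-backuprestore/"                 # assumption
NO_PHP_PREFIXES = ("/wp-content/uploads/", "/wp-content/wpvividbackups/")     # assumption


def flag_suspicious_requests(lines):
    """Return (ip, method, path, reason) tuples for lines matching either indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-log format; skip rather than guess
        method, path = m.group("method"), m.group("path").split("?", 1)[0]
        if method == "POST" and path.startswith(PLUGIN_PREFIX):
            hits.append((m.group("ip"), method, path, "POST to plugin directory (possible upload)"))
        elif path.lower().endswith(".php") and path.startswith(NO_PHP_PREFIXES):
            hits.append((m.group("ip"), method, path, "PHP requested from a writable directory"))
    return hits


def find_unexpected_php(root, baseline):
    """Walk `root` and return relative paths of .php files absent from the install baseline."""
    unexpected = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                if rel not in baseline:
                    unexpected.append(rel)
    return sorted(unexpected)


# Constructed sample log lines (not real traffic); the file names are illustrative only.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2026:10:01:02 +0000] "POST /wp-content/plugins/wpvivid-backuprestore/upload.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Mar/2026:10:01:09 +0000] "GET /wp-content/uploads/2026/03/x.php?c=id HTTP/1.1" 200 77',
    '198.51.100.7 - - [10/Mar/2026:10:02:00 +0000] "GET /wp-content/uploads/2026/03/photo.jpg HTTP/1.1" 200 8841',
    '198.51.100.7 - - [10/Mar/2026:10:02:30 +0000] "GET /wp-content/plugins/wpvivid-backuprestore/admin.php HTTP/1.1" 200 102',
]

if __name__ == "__main__":
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print(*hit)
```

In production the baseline set would be generated from a clean copy of the site (for example the file list of the installed release) and the log pass run over a rolling window.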
## References
- Vendor Advisories: Not specified.
***
# Vulnerability: BeyondTrust Remote Support/PRA OS Command Injection
## CVE Details
- CVE ID: CVE-2026-1731
- CVSS Score: Not explicitly provided (Rated **Critical**)
- CWE: Not explicitly provided (OS Command Injection)
## Affected Systems
- Products: BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA).
- Versions: Not specified (Affects internet-facing instances).
- Configurations: Exposure via a WebSocket-based endpoint.
## Vulnerability Description
A critical **OS Command Injection** vulnerability resides within a WebSocket-based endpoint. This allows unauthenticated attackers to execute arbitrary operating system commands on internet-facing instances. Successful exploitation grants full system compromise, enabling data exfiltration, lateral movement, and persistent access.
## Exploitation
- Status: **PoC available**.
- Complexity: Low (Unauthenticated access required).
- Attack Vector: Network (Remote).
## Impact
- Confidentiality: High (Full system compromise).
- Integrity: High (Arbitrary command execution).
- Availability: High (System compromise/disruption).
## Remediation
### Patches
- Patch information not detailed in the summary. **Urgent action required.** Assume active exploitation risk due to PoC availability.
### Workarounds
- **Immediate Isolation:** If possible, restrict external network access to the WebSocket endpoints for RS/PRA services until patched.
- Ensure MFA is enforced on all management interfaces; note that MFA does not block this flaw, because the affected endpoint is reachable without authentication.
## Detection
- Monitor network traffic aimed at WebSocket endpoints for command injection patterns (e.g., `;`, `|`, `&` followed by system commands).
- Deploy endpoint detection and response (EDR) to flag unexpected command execution originating from BeyondTrust application processes.
## References
- Vendor Advisories: Not specified.
***
# Vulnerability: Pterodactyl Panel Unauthenticated RCE
## CVE Details
- CVE ID: CVE-2025-49132
- CVSS Score: Not explicitly provided (Rated **Critical**)
- CWE: Not explicitly provided
## Affected Systems
- Products: Pterodactyl Panel (Game-server management platform).
- Versions: Not specified.
- Configurations: Not specified.
## Vulnerability Description
This flaw allows **Unauthenticated Remote Code Execution (RCE)** resulting from improper validation of user-controlled parameters within the Pterodactyl Panel.
## Exploitation
- Status: Weaponized exploits observed being shared on **underground forums**.
- Complexity: Low/Medium (Requires network path to the panel).
- Attack Vector: Network (Remote).
## Impact
- Confidentiality: High.
- Integrity: High (RCE).
- Availability: High.
## Remediation
### Patches
- Patch information not detailed in the summary. **Urgent action required.**
### Workarounds
- Immediately isolate the Pterodactyl Panel from public internet access.
- Implement strict firewall rules to limit access only to trusted internal networks if it cannot be taken offline.
## Detection
- Monitor panel access logs for unusual parameter usage or attempts to execute commands via administrative or configuration inputs.
## References
- Vendor Advisories: Not specified.
***
# Vulnerability: Honeywell CCTV Products - Admin Takeover (ICS)
## CVE Details
- CVE ID: CVE-2026-1670
- CVSS Score: **9.8** (Critical)
- CWE: Not explicitly provided
## Affected Systems
- Products: Honeywell CCTV Products.
- Versions: Not specified.
- Configurations: Any internet-accessible instance.
## Vulnerability Description
This is a critical vulnerability allowing an unauthenticated attacker to **remotely alter the password recovery email address**. This leads directly to administrative account takeover, granting unauthorized access to live surveillance feeds and potential lateral movement into connected networks.
## Exploitation
- Status: High mass-exploitation risk due to **no authentication or user interaction required**.
- Complexity: Low.
- Attack Vector: Network (Remote).
## Impact
- Confidentiality: High (Access to surveillance data).
- Integrity: High (Full administrative account takeover).
- Availability: Medium/High (Potential control over camera systems).
## Remediation
### Patches
- Patch information not detailed in the summary. Contact Honeywell/CISA immediately.
### Workarounds
- **Immediate Network Isolation:** Isolate affected Honeywell CCTV devices from the public internet and segment them strictly from the core IT network (IT/OT segmentation).
- Implement strong perimeter monitoring around all ICS/OT assets.
## Detection
- Monitor administrative configuration changes on CCTV management servers for unauthorized password recovery email modifications.
## References
- Vendor Advisories: CISA ICS Advisory related to Honeywell.
***
# Vulnerability: PUSR USR-W610 Router Authentication Bypass (ICS)
## CVE Details
- CVE ID: CVE-2026-25715
- CVSS Score: Not explicitly provided (Rated **Critical**)
- CWE: Weak Password Requirements
## Affected Systems
- Products: PUSR USR-W610 Router.
- Versions: Not specified.
- Configurations: Standard deployment.
## Vulnerability Description
The vulnerability stems from **weak password requirements**, enabling attackers to bypass authentication, compromise administrator credentials, or disrupt routing services. **Crucially, the vendor has acknowledged that the product has reached end-of-life (EOL) and plans no patches.**
## Exploitation
- Status: High risk due to EOL status and lack of patch path.
- Complexity: Medium (Exploiting weak auth).
- Attack Vector: Network (Remote).
## Impact
- Confidentiality: High (If credentials stolen).
- Integrity: High (Service disruption/System compromise).
- Availability: High (Service disruption).
## Remediation
### Patches
- **None planned by the vendor.**
### Workarounds
- **Mandatory Action:** Organizations must **immediately replace or logically isolate/remove** all PUSR USR-W610 devices from the network. If isolation is temporary, enforce strict access controls via intermediate firewalls.
## Detection
- Inventory all USR-W610 devices and monitor network edge devices for unexpected communication flows to or from them, since any such traffic from an unpatchable device warrants investigation.
## References
- Vendor Advisories: CISA ICS Advisory.
***
## General Threat Landscape Summary & Actions
| Issue | Count | Action Priority |
| :--- | :--- | :--- |
| Total Vulnerabilities Tracked | 1,102 | Medium |
| Publicly Available PoCs | 166 | **High** (Prioritize these 166) |
| CISA KEV Additions (Confirmed Exploited) | 9 | **Critical** (Patch immediately) |
| Critical ICS Advisories Issued | 8 (covering 18 CVEs) | **Critical for OT Environments** |
**Key Takeaways for Organizations:**
1. **Prioritize Internet-Facing Assets:** Focus patching efforts first on systems where public PoCs exist (like CVE-2026-1357 and CVE-2026-1731).
2. **Address KEVs:** Patch the 9 vulnerabilities added to the CISA KEV catalog promptly, as these indicate active operationally mature threats.
3. **Isolate EOL OT:** Immediately remove or strictly segment end-of-life (EOL) devices like the PUSR USR-W610.
4. **Defense in Depth:** Ensure strict network segmentation between IT and OT environments, enforce MFA ubiquitously, and enhance monitoring for anomalous activity.