Cyble Vulnerability Intelligence researchers tracked 826 vulnerabilities in the last week, and more than 130 of the disclosed vulnerabilities already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks on those vulnerabilities. 

A total of 81 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 12 received a critical severity rating based on the newer CVSS v4.0 scoring system. 

What follows are 15 IT and ICS vulnerabilities flagged by Cyble threat intelligence researchers as meriting high-priority attention by security teams, including seven vulnerabilities under discussion by threat actors on the dark web. 

The Week’s Top IT Vulnerabilities 

CVE-2025-59367 is an authentication bypass vulnerability identified in certain ASUS DSL series routers. The flaw could potentially allow remote attackers to gain unauthorized access to affected systems without requiring any privileges or user interaction. 

CVE-2025-62215 is a race condition vulnerability in the Windows Kernel caused by improper synchronization when multiple threads access shared kernel resources concurrently. The flaw could allow an authorized local attacker to escalate privileges to the SYSTEM level by exploiting this race condition. The vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. 

CVE-2025-64446 is a critical path traversal vulnerability in Fortinet FortiWeb, a web application firewall used to protect web applications. The vulnerability has been actively exploited in the wild since at least early October 2025, allowing unauthenticated remote attackers to create unauthorized administrative accounts on vulnerable devices by sending crafted HTTP POST requests that exploit relative path traversal. It also has been added to the CISA KEV catalog. 

CVE-2025-58034 is a high-severity OS command injection vulnerability in Fortinet FortiWeb. The flaw could allow an authenticated attacker to execute unauthorized operating system commands through crafted HTTP requests or CLI commands. The vulnerability has also been added to the CISA KEV catalog. 

CVE-2025-11001 is a high-severity remote code execution (RCE) vulnerability in the popular file archiving software 7-Zip. It arises from a flaw in the way 7-Zip parses ZIP file directories, potentially allowing an attacker to craft a malicious archive that triggers a directory traversal. Proof-of-concept exploits have been publicly released, making it easier for attackers to weaponize. 

Vulnerabilities Under Discussion on the Dark Web

Cyble dark web researchers observed threat actors on underground and cybercrime forums discussing weaponizing several vulnerabilities, among them: 

CVE-2025-64495: A high-severity stored DOM-based Cross-Site Scripting (XSS) vulnerability in Open WebUI, a self-hosted artificial intelligence platform, affecting versions 0.6.34 and below. The vulnerability exists in the chat window’s prompt insertion feature, where user-controlled HTML from custom prompts is assigned directly to the DOM sink .innerHTML without proper sanitization when the “Insert Prompt as Rich Text” setting is enabled. While the marked library is used to parse the content, it does not sanitize HTML, potentially allowing attackers with low-level privileges to create malicious prompts containing JavaScript payloads that execute when other users insert those prompts via slash commands. 

CVE-2025-60710: A high-severity local privilege escalation vulnerability in the Host Process for Windows Tasks affecting Microsoft Windows 11 Version 25H2 (build 10.0.26200.0). The vulnerability involves improper link resolution before file access. The flaw potentially allows an authorized attacker with limited local privileges to exploit improper handling of symbolic links or junction points in the Host Process for Windows Tasks, redirecting file operations to unintended locations and escalating their privileges. 

CVE-2025-26686: A Windows TCP/IP remote code execution (RCE) vulnerability caused by sensitive data being stored in improperly locked memory, potentially allowing a network attacker to execute arbitrary code when specific network traffic (notably DHCPv6) is processed on affected Windows systems. 

CVE-2025-10230: A 10.0-severity unauthenticated remote command execution vulnerability in Samba’s WINS “wins hook” handling on Active Directory Domain Controllers, exploitable over the network with no user interaction when a specific, legacy WINS configuration is enabled. 

CVE-2025-12101: A medium-severity reflected cross-site scripting (XSS) vulnerability in Citrix NetScaler ADC and NetScaler Gateway when configured as a Gateway or AAA virtual server, affecting SSO flows and potentially allowing attacker-controlled JavaScript execution in a victim’s browser. 

CVE-2025-59118: A high-severity unrestricted file upload vulnerability in Apache OFBiz before 24.09.03 that can be leveraged for unauthenticated remote code execution on affected servers. The flaw potentially allows a remote attacker to upload arbitrary files of dangerous types (for example, scripts or binaries) because OFBiz does not properly restrict or validate uploaded content in the vulnerable path. 

CVE-2025-21042: A high-severity out‑of‑bounds write vulnerability in Samsung’s libimagecodec.quram.so image‑processing library that allows remote, often zero‑click, arbitrary code execution on affected Galaxy devices and has been exploited in the wild to deploy the LANDFALL Android spyware. 

ICS Vulnerabilities

Cyble threat intelligence researchers also flagged three industrial control system (ICS) vulnerabilities as meriting high-priority attention by security teams. 

CVE-2025-58083 affects the General Industrial Controls Lynx+ Gateway, an industrial protocol converter and gateway device designed to connect and enable seamless communication between different industrial network devices. The embedded web server of this device lacks essential authentication protection for critical functions, potentially allowing an unauthenticated remote attacker to reset the device without user interaction. 

CVE-2025-11862 is an Incorrect Authorization vulnerability in multiple versions of Rockwell Automation Verve Asset Manager. Successful exploitation of this vulnerability could allow an attacker to access or alter user data. 

CVE-2025-41733 is an Authentication Bypass vulnerability affecting multiple versions of METZ CONNECT EWIO2. Successful exploitation could allow an attacker to bypass authentication and remotely control the device or execute remote code. 

Conclusion

The high number of critical and exploited vulnerabilities in this week’s report underscores the ever-present threats facing security teams, who must respond with rapid, well-targeted actions to successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts. 

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.