The Week in Vulnerabilities: More Than 2,000 New Flaws Emerge
Summary: a record 2,415 new vulnerabilities were disclosed in the past week, affecting vendors including Microsoft, Adobe and Fortinet. More than 300 already have a public proof of concept (PoC), so the risk of exploitation is high. 219 are rated critical under CVSS v3.1 and 47 under CVSS v4.0. Notable IT and ICS flaws include authentication bypasses and remote code execution. Security teams need to patch the critical ones quickly.

2025-12-23 12:46:53 Author: cyble.com

Vulnerabilities from Microsoft, Adobe and Fortinet are among those getting attention during a record week for new flaws.

Cyble Vulnerability Intelligence researchers tracked 2,415 vulnerabilities in the last week, a significant increase over even last week’s very high number of new vulnerabilities. The increase signals a heightened risk landscape and expanding attack surface in the current threat environment. 

Over 300 of the disclosed vulnerabilities already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks. 

A total of 219 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 47 received a critical severity rating based on the newer CVSS v4.0 scoring system.  

Even after factoring out a high number of Linux kernel and Adobe vulnerabilities (chart below), the count of new vulnerabilities reported in the last week remained very high.

What follows are some of the IT and ICS vulnerabilities flagged by Cyble threat intelligence researchers in recent reports to clients spanning December 9-16. 

The Week’s Top IT Vulnerabilities 

CVE-2025-59385 is a high-severity authentication bypass vulnerability affecting several versions of QNAP operating systems, including QTS and QuTS hero. Fixed versions include QTS 5.2.7.3297 build 20251024 and later, QuTS hero h5.2.7.3297 build 20251024 and later, and QuTS hero h5.3.1.3292 build 20251024 and later. 


CVE-2025-66430 is a critical vulnerability in Plesk 18.0, specifically affecting the Password-Protected Directories feature. It stems from improper access control, potentially allowing attackers to bypass security mechanisms and escalate privileges to root-level access on affected Plesk for Linux servers. 

CVE-2025-64537 is a critical DOM-based Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager. The vulnerability could allow attackers to inject malicious scripts into web pages, which are then executed in the context of a victim’s browser, potentially leading to session hijacking, data theft, or further exploitation. 

CVE-2025-43529 is a critical use-after-free vulnerability in Apple’s WebKit browser engine, which is used in Safari and other Apple applications. The flaw could allow attackers to execute arbitrary code on affected devices by tricking users into processing maliciously crafted web content, potentially leading to full device compromise. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. 

CVE-2025-59718 is a critical authentication bypass vulnerability affecting multiple versions of Fortinet products, including FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb. The flaw could allow unauthenticated attackers to bypass FortiCloud Single Sign-On (SSO) login authentication by sending a specially crafted SAML message. The vulnerability has been added to CISA’s KEV catalog. 

Notable vulnerabilities discussed in open-source communities included CVE-2025-55182, a critical unauthenticated remote code execution (RCE) vulnerability affecting React Server Components; CVE-2025-14174, a critical memory corruption vulnerability affecting Apple’s WebKit browser engine; and CVE-2025-62221, a high-severity use-after-free elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver. 

Vulnerabilities Discussed on the Dark Web 

Cyble Research and Intelligence Labs (CRIL) researchers also observed several threat actors discussing weaponizing vulnerabilities on dark web forums. Among the vulnerabilities under discussion were: 

CVE-2025-55315, a critical-severity HTTP request/response smuggling vulnerability (inconsistent interpretation of HTTP requests) in ASP.NET Core, specifically in the Kestrel server component. The flaw arises because Kestrel handles chunk extensions in Transfer-Encoding: chunked requests that contain invalid line endings differently from upstream proxies, so the proxy and Kestrel disagree on where one request ends and the next begins, which lets an attacker smuggle a request past the proxy. An authorized attacker can exploit this over a network to bypass security controls, with impacts such as privilege escalation, SSRF, CSRF bypass, session hijacking, or code execution, depending on the application logic.

CVE-2025-59287 is a critical-severity remote code execution (RCE) vulnerability stemming from improper deserialization of untrusted data in Microsoft Windows Server Update Services (WSUS). The core flaw occurs in the ClientWebService component, where a specially crafted SOAP request to endpoints like SyncUpdates triggers decryption and unsafe deserialization of an AuthorizationCookie object using .NET’s BinaryFormatter, allowing arbitrary code execution with SYSTEM privileges. Unauthenticated remote attackers can exploit this over WSUS ports (e.g., 8530/8531) to deploy webshells or achieve persistence, with real-world exploitation already observed. 
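Because the attack path above is an unauthenticated SOAP POST to the WSUS web services on 8530/8531, the most useful first check is whether anything outside the managed-client networks is reaching those endpoints. The following added example (not Cyble's or Microsoft's code) runs that check over a constructed IIS W3C log excerpt. The endpoint paths are assumed from the default WSUS IIS site layout, the trusted-network allowlist and the log lines are constructed, and the field set is the one declared in the sample's #Fields header.

```python
"""Flag POSTs to WSUS SOAP endpoints from outside the trusted client networks (IIS W3C logs)."""
import ipaddress
from typing import Dict, List

# WSUS SOAP endpoints under the default WSUS IIS site (assumed layout, compared case-insensitively)
WSUS_SOAP_PATHS = ("/clientwebservice/", "/simpleauthwebservice/")
WSUS_PORTS = {8530, 8531}

# Constructed allowlist: networks that legitimately hold WSUS-managed clients
TRUSTED_CLIENT_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed IIS W3C log excerpt (not a real capture)
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status
2025-12-10 03:12:44 10.0.0.5 POST /ClientWebService/Client.asmx 8530 10.0.1.20 200
2025-12-10 03:13:01 10.0.0.5 POST /ClientWebService/Client.asmx 8530 203.0.113.77 200
2025-12-10 03:13:05 10.0.0.5 GET /Content/ab12cd.cab 8530 10.0.1.21 200
2025-12-10 03:14:09 10.0.0.5 POST /SimpleAuthWebService/SimpleAuth.asmx 8531 203.0.113.77 200
2025-12-10 03:15:00 10.0.0.5 POST /ClientWebService/Client.asmx 8531 203.0.113.77 500
2025-12-10 03:16:30 10.0.0.5 POST /ClientWebService/Client.asmx 8530 192.168.4.9 200
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines using the field names from the #Fields directive."""
    fields, records = None, []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw.startswith("#") or not raw.strip():
            continue  # other directives and blank lines
        elif fields:
            values = raw.split()
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_CLIENT_NETS)


def find_suspicious_wsus_posts(text: str) -> List[Dict[str, str]]:
    """POST requests to WSUS SOAP endpoints on the WSUS ports from untrusted source addresses."""
    hits = []
    for rec in parse_w3c(text):
        if rec["cs-method"].upper() != "POST":
            continue
        if int(rec["s-port"]) not in WSUS_PORTS:
            continue
        if not rec["cs-uri-stem"].lower().startswith(WSUS_SOAP_PATHS):
            continue
        if is_trusted(rec["c-ip"]):
            continue
        hits.append(rec)
    return hits


def count_by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Number of suspicious requests per source address, for triage ordering."""
    counts: Dict[str, int] = {}
    for hit in hits:
        counts[hit["c-ip"]] = counts.get(hit["c-ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_suspicious_wsus_posts(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-stem"], hit["s-port"], hit["sc-status"])
    print(count_by_source(find_suspicious_wsus_posts(SAMPLE_LOG)))
```

Any hit here means the WSUS SOAP surface is reachable from an address that should never talk to it; the 500 on the last such request is also worth pulling the matching application event for, since a failed deserialization attempt and a successful one look alike at this layer.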

CVE-2025-59719, a critical severity vulnerability due to improper cryptographic signature verification, permitting authentication bypass in Fortinet FortiWeb through FortiCloud SSO. Attackers can submit crafted SAML response messages to evade login checks without proper authentication. This unauthenticated flaw has a high impact and has been actively exploited post-disclosure. 

ICS Vulnerabilities 

Cyble also flagged two industrial control system (ICS) vulnerabilities as meriting high-priority attention by security teams. They include: 

CVE-2024-3596: multiple versions of Hitachi Energy AFS, AFR, and AFF Series products are affected by a vulnerability in the RADIUS protocol itself, classified as Improper Enforcement of Message Integrity During Transmission in a Communication Channel (CWE-924). Successful exploitation could compromise the integrity of product data and disrupt its availability. 
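The integrity weakness named above lies in the protocol's own unkeyed, MD5-based Response Authenticator. The following added example (not Hitachi Energy's or Cyble's code) builds an Access-Accept as RFC 2865 and RFC 2869 describe and compares a verifier that trusts only the Response Authenticator with one that also requires and checks the keyed Message-Authenticator attribute, which is the integrity control that mitigates this CVE. The shared secret, identifier, Request Authenticator and reply attribute are constructed values.

```python
"""RADIUS Access-Accept integrity: Response Authenticator alone vs. required Message-Authenticator."""
import hashlib
import hmac
import struct
from typing import List, Tuple

ACCESS_ACCEPT = 2
ATTR_REPLY_MESSAGE = 18
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 2869: HMAC-MD5 keyed with the shared secret
HEADER = struct.Struct("!BBH")    # Code, Identifier, Length; the 16-byte Authenticator follows

# Constructed values for the demonstration (a real Request Authenticator is random per request)
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
REPLY_ATTRS = [(ATTR_REPLY_MESSAGE, b"Welcome")]


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(body: bytes) -> List[Tuple[int, bytes]]:
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute length")
        out.append((t, body[i + 2:i + length]))
        i += length
    return out


def build_response(code: int, ident: int, request_auth: bytes,
                   attrs: List[Tuple[int, bytes]], secret: bytes,
                   with_message_auth: bool) -> bytes:
    """Build a RADIUS response packet, optionally carrying a Message-Authenticator."""
    attrs = list(attrs)
    if with_message_auth:
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed while the HMAC is computed
    body = encode_attrs(attrs)
    header = HEADER.pack(code, ident, 20 + len(body))
    if with_message_auth:
        # HMAC-MD5 over the packet with the Request Authenticator in the authenticator
        # field and the Message-Authenticator value zeroed (RFC 2869 section 5.14)
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, mac)
        body = encode_attrs(attrs)
    # Response Authenticator: plain MD5 over header, Request Authenticator, attributes and
    # secret (RFC 2865). This is the only integrity check the base protocol has.
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(packet: bytes, request_auth: bytes, secret: bytes,
                    require_message_auth: bool) -> bool:
    """Verify a response; in hardened mode a packet without Message-Authenticator is rejected."""
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        return False
    header, response_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return False
    attrs = parse_attrs(body)
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs:
        return not require_message_auth   # legacy mode accepts on the MD5 check alone
    zeroed = encode_attrs([(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                           for t, v in attrs])
    expected_mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    return len(macs[0]) == 16 and hmac.compare_digest(expected_mac, macs[0])


if __name__ == "__main__":
    signed = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, REPLY_ATTRS, SECRET, True)
    legacy = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, REPLY_ATTRS, SECRET, False)
    print("signed, hardened check:  ", verify_response(signed, REQUEST_AUTH, SECRET, True))
    print("legacy, legacy check:    ", verify_response(legacy, REQUEST_AUTH, SECRET, False))
    print("legacy, hardened check:  ", verify_response(legacy, REQUEST_AUTH, SECRET, True))
```

The point of the hardened mode is the `return not require_message_auth` branch: a forged Access-Accept whose Response Authenticator has been made to match still fails, because the attacker cannot produce the HMAC without the secret. On the device side this corresponds to configuring the RADIUS client to require Message-Authenticator on every response rather than merely accept it.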

CVE-2025-13970: OpenPLC_V3 versions prior to pull request #310 are vulnerable to this Cross-Site Request Forgery (CSRF) flaw. Successful exploitation of the vulnerability could result in the alteration of PLC settings or the upload of malicious programs. 
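The CSRF fix pattern a web front end for a PLC needs is a session-bound token on every state-changing request, backed by an Origin check. The following added example (not OpenPLC's code and not the content of the referenced pull request) implements that check as a framework-independent function; the session identifier, signing secret, allowed origin and form field name are assumed names for illustration.

```python
"""Session-bound CSRF token plus Origin/Referer check for state-changing requests."""
import hashlib
import hmac
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # must have no side effects on the PLC
TOKEN_FIELD = "csrf_token"                  # assumed form field / header name


def make_csrf_token(session_id: str, secret: bytes) -> str:
    """Stateless token bound to one session: HMAC-SHA256(secret, session_id)."""
    return hmac.new(secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def request_origin(headers: Dict[str, str]) -> Optional[str]:
    """scheme://host[:port] from Origin, falling back to Referer; None if absent or unparsable."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return None
    parts = urlsplit(src)
    if not parts.scheme or not parts.netloc:
        return None  # covers "Origin: null" from sandboxed or cross-scheme contexts
    return f"{parts.scheme}://{parts.netloc}"


def check_state_change(method: str, headers: Dict[str, str], form: Dict[str, str],
                       session_id: str, secret: bytes,
                       allowed_origins: Set[str]) -> Tuple[bool, str]:
    """Return (allowed, reason). Every non-safe request needs a valid origin and token."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = request_origin(headers)
    if origin is None:
        return False, "missing Origin/Referer"
    if origin not in allowed_origins:
        return False, f"cross-site origin {origin}"
    token = form.get(TOKEN_FIELD, "")
    expected = make_csrf_token(session_id, secret)
    if not hmac.compare_digest(token, expected):  # constant-time, also catches an empty token
        return False, "bad or missing csrf_token"
    return True, "ok"


if __name__ == "__main__":
    secret, sid, allowed = b"constructed-secret", "sess-1234", {"http://plc.local:8080"}
    good_form = {TOKEN_FIELD: make_csrf_token(sid, secret), "setting": "modbus_port=502"}
    print(check_state_change("POST", {"Origin": "http://plc.local:8080"}, good_form, sid, secret, allowed))
    print(check_state_change("POST", {"Origin": "http://attacker.example"}, good_form, sid, secret, allowed))
    print(check_state_change("POST", {"Origin": "http://plc.local:8080"}, {"setting": "x"}, sid, secret, allowed))
```

Rejecting requests with no Origin and no Referer is deliberate for an engineering workstation interface: browsers always send Origin on cross-site form posts, so its absence on a state-changing request is itself suspicious, and the token check stands on its own even where a deployment relaxes that rule.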

Conclusion 

The record number of new vulnerabilities observed by Cyble in the last week underscores the need for security teams to respond with rapid, well-targeted actions to patch the most critical vulnerabilities and successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts. 

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.


Source: https://cyble.com/blog/it-vulnerabilities-ics-record-week-new-flaws/