Cyble’s weekly vulnerability roundup paints a stark picture: defenders are being flooded with high-severity flaws, public Proof‑of‑Concepts (PoCs), and—critically—several vulnerabilities that threaten both IT estates and the physical world of airports and industrial control systems.
Source: Cyble https://cyble.com/blog/cyble-weekly-vulnerability-report-november-2025/
Background / Overview
Cyble’s intelligence team reported a large weekly haul of newly tracked vulnerabilities that spanned enterprise software, developer tooling, perimeter appliances, and ICS/OT systems. The firm flagged dozens of critical items and called attention to an unusually large number of public PoCs that materially shorten attackers’ time‑to‑exploit. Note that headline counts vary across mirrors and community archives (different feeds recorded somewhat different weekly totals), so organizations should treat weekly tallies as operational signals rather than absolute metrics.
What makes this week’s reporting urgent:
- Public PoCs are abundant; PoCs convert theoretical risk into immediate operational priority.
- Multiple vulnerabilities were added to the U.S. CISA Known Exploited Vulnerabilities (KEV) catalog, triggering mandated action for many federal entities.
- Several CVEs impact critical infrastructure components—specifically aviation weather monitoring and access-control systems—where compromise can cross the boundary from cyber loss to physical harm.
The Week’s Top IT Vulnerabilities
CVE-2025-59287 — WSUS: unsafe deserialization → pre-auth RCE (highly urgent)
- What Cyble reported: a critical, remote unauthenticated RCE in Windows Server Update Services (WSUS) caused by unsafe deserialization of AuthorizationCookie objects. Cyble noted active attempts observed by honeypots and community sensors.
- Independent validation: multiple security vendors and trackers confirm the root cause is unsafe deserialization (BinaryFormatter/legacy .NET serializers) in WSUS endpoints and that Microsoft released an out‑of‑band update after initial patches proved incomplete. Observers reported active exploitation against internet‑exposed WSUS instances.
- Impact: unauthenticated attacker can achieve SYSTEM‑level code execution on WSUS servers. Because WSUS is a patch distribution point, a compromised WSUS server is a high‑value pivot and a potential update‑poisoning platform.
- Immediate actions:
- Apply Microsoft’s latest WSUS update/out‑of‑band patch immediately.
- If you cannot patch immediately: block inbound TCP 8530/8531 at host and perimeter firewalls and consider disabling the WSUS role until patched.
- Hunt for indicators of compromise (web shells, suspicious scheduled tasks, unusual service restarts) on WSUS hosts and downstream endpoints.
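As an added worked example for the exposure check above (written for this article; not from Cyble's report or Microsoft guidance), the following Python script hunts IIS W3C logs from a WSUS host for requests that reach the WSUS web services, or the WSUS listeners on TCP 8530/8531, from a client address outside the internal ranges WSUS clients are expected to come from. The endpoint paths are WSUS's standard SOAP services; the trusted ranges and the log lines are constructed assumptions for the demonstration, not captured telemetry.

```python
"""Hunt IIS W3C logs for untrusted sources reaching WSUS web service endpoints.

Added example for this article (not Cyble's or Microsoft's code). Trusted ranges and the
sample log are constructed assumptions; adjust TRUSTED_NETS to your own client subnets.
"""
import ipaddress
from dataclasses import dataclass

# Standard WSUS SOAP endpoints served by IIS on TCP 8530 (HTTP) / 8531 (HTTPS), lower-cased.
WSUS_ENDPOINTS = (
    "/clientwebservice/client.asmx",
    "/simpleauthwebservice/simpleauth.asmx",
    "/reportingwebservice/reportingwebservice.asmx",
    "/serversyncwebservice/serversyncwebservice.asmx",
)
WSUS_PORTS = {"8530", "8531"}

# Assumption: legitimate WSUS clients live only in these RFC 1918 ranges.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Finding:
    time: str
    client_ip: str
    method: str
    uri: str
    port: str
    status: str
    reason: str


def parse_w3c(lines):
    """Yield one dict per data row, using the #Fields header to name the columns."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed row: skip rather than misalign columns
        yield dict(zip(fields, values))


def is_trusted(ip_text):
    """True only for syntactically valid addresses inside TRUSTED_NETS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def hunt_wsus(lines):
    """Return Findings for WSUS endpoint/listener hits from untrusted client addresses."""
    findings = []
    for row in parse_w3c(lines):
        uri = row.get("cs-uri-stem", "").lower()
        port = row.get("s-port", "")
        if uri in WSUS_ENDPOINTS:
            reason = "WSUS SOAP endpoint reached from untrusted source (pre-auth attack surface)"
        elif port in WSUS_PORTS:
            reason = "WSUS listener reached from untrusted source"
        else:
            continue
        src = row.get("c-ip", "")
        if is_trusted(src):
            continue
        findings.append(Finding(row.get("time", ""), src, row.get("cs-method", ""),
                                uri, port, row.get("sc-status", ""), reason))
    return findings


# Constructed sample log: two internal clients, one external POST to the client web
# service, one external GET against the content share on the WSUS port.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-11-05 09:12:01 10.0.0.5 POST /ClientWebService/client.asmx - 8530 - 10.0.4.21 Windows-Update-Agent 200
2025-11-05 09:12:03 10.0.0.5 POST /SimpleAuthWebService/SimpleAuth.asmx - 8530 - 192.168.7.9 Windows-Update-Agent 200
2025-11-05 09:12:09 10.0.0.5 POST /ClientWebService/client.asmx - 8530 - 203.0.113.77 python-requests/2.32 200
2025-11-05 09:12:10 10.0.0.5 GET /Content/AB/abc.cab - 8530 - 198.51.100.4 Windows-Update-Agent 404
""".splitlines()

if __name__ == "__main__":
    for f in hunt_wsus(SAMPLE_LOG):
        print(f)
```

Any hit from a public address is evidence that the listener is reachable from the internet, which is the condition the patch guidance above is most concerned with; run it against the real IIS log directory on the WSUS host (typically under `inetpub\logs\LogFiles`) and feed the findings into the web-shell and scheduled-task hunt.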
CVE-2025-48703 — CentOS Web Panel (CWP) unauthenticated command injection (KEV)
- What Cyble reported: a critical RCE in CentOS Web Panel (CWP) that allows unauthenticated command execution when a valid non‑root username is known; Cyble highlighted active exploit attempts and CISA KEV catalog addition.
- Independent validation: the vulnerability is documented in NVD and was added to CISA’s KEV catalog; public exploit write‑ups and detection telemetry showed scanning and exploitation attempts against large numbers of internet‑exposed instances. News and security vendors corroborate active exploitation.
- Exposure estimates: internet scan services reported hundreds of thousands of potentially affected CWP instances (different scanners produced divergent counts). That broad exposure increases opportunistic exploitation risk.
- Immediate actions:
- Patch CWP to the vendor‑supplied fixed version; if unable to patch, disconnect or block management interfaces from the internet.
- Rotate credentials and hunt for signs of command execution on CWP hosts (suspicious cron jobs, new users, unexpected outbound connections).
CVE-2025-41244 — VMware Tools / VMware Aria Operations local privilege escalation (KEV/active)
- What Cyble reported: a high‑impact local privilege escalation zero‑day in VMware Tools and VMware Aria Operations that permits a local low‑privileged actor to escalate to root when SDMP is enabled.
- Independent validation: the issue is tracked by NVD and vendor/security advisories; public vendor patches and distro package updates (open‑vm‑tools) have been released. Some reports linked in‑the‑wild exploitation to state‑sponsored activity.
- Why this matters: virtual machines often host sensitive workloads; local LPE bugs in tools running as privileged processes can provide a low‑cost path to full VM compromise and lateral movement.
- Immediate actions:
- Apply VMware’s vendor patches and update open‑vm‑tools via your distro vendors or package channels.
- Reduce exposure by limiting who can obtain local access to VMs and enforce least privilege on VM user accounts.
CVE-2025-34294 — Wazuh FIM TOCTOU race condition (local LPE via automatic threat removal)
- What Cyble reported: a TOCTOU race condition in Wazuh’s File Integrity Monitoring when automatic threat removal is enabled, enabling SYSTEM‑level file/folder deletion and local privilege escalation.
- Independent validation: NVD describes the root cause as insufficient synchronization and missing validation of the final path before deletion, and the vendor’s fix history shows an initial patch that needed follow‑up changes.
- Immediate actions:
- Review Wazuh FIM automatic removal settings; disable or apply conservative configurations until a confirmed fix is in place.
- Monitor systems for unexpected deletions and ensure defenders have file integrity telemetry for quick incident response.
CVE-2025-12531 — IBM InfoSphere Information Server XXE
- Cyble noted an XXE vulnerability that could expose information or consume memory resources in IBM InfoSphere versions 11.7.0.0 through 11.7.1.6.
- IBM’s security bulletin confirms the XXE, affected versions, and remediation paths. Apply vendor patches or mitigations per IBM guidance.
CVE-2025-12599 — Azure Access Technology BLU‑IC2/BLU‑IC4 hard‑coded keys (crypto risk)
- Cyble flagged a CVSS 10.0 cryptographic issue related to hard‑coded keys in BLU‑IC2/BLU‑IC4 devices. Hard‑coded keys remove the ability to revoke or rotate credentials and raise the risk of large‑scale compromise.
- Practical note: a hard‑coded key is typically shared by every unit of a product line, so recovering it from one device’s firmware compromises the whole fleet, with no per‑device revocation or rotation path. Remediation usually requires a vendor firmware update or device replacement; until then, treat devices whose hard‑coded keys are known or leaked as compromised and isolate them.
Other internet‑facing application and plugin risks
Cyble also called out several web‑centric CVEs with real exploitability:
- DNN (DotNetNuke) unauthenticated file upload in default HTML editor (CVE‑2025‑64095). NVD and community write‑ups confirm this can allow unauthenticated file uploads and overwrites.
- Ubiquiti UniFi Access Application management API exposure (CVE‑2025‑52665). Vendor and GitHub advisory entries confirm the misconfiguration and the requirement to update to patched versions.
- WooCommerce Designer Pro arbitrary file upload (CVE‑2025‑6440) — NVD and plugin security trackers list the flaw; unpatched WordPress sites running affected themes/plugins are at risk of RCE via uploaded scripts.
Vulnerabilities Discussed on Underground Forums (threat actor chatter)
Cyble’s dark‑web monitoring observed active discussions about weaponizing several flaws—an important escalation signal because forum chatter often precedes wider opportunistic exploitation. Cyble explicitly recommends treating forum chatter as an investigative trigger rather than definitive proof of compromise until telemetry corroborates the activity. That operational caution is warranted: forum posts can be misleading, but they frequently accelerate exploitation timelines once a PoC or exploit is posted.
Examples highlighted by Cyble (summarized and corroborated):
- DNN (CVE‑2025‑64095) — public write‑ups and PoCs appeared soon after disclosure.
- UniFi Access misconfiguration (CVE‑2025‑52665) — vendor advisories and GitHub security advisory entry confirm the issue and patch recommendations.
- FortiWeb and other WAF/appliance authentication bypasses were noted across multiple vendor advisories and public exploit write‑ups. Cyble’s reporting and community mirrors emphasized that compromising a WAF has multiplier effects: the appliance sits inline in front of many applications, so an attacker who controls it can inspect or alter traffic to all of them and suppress the logging defenders rely on to see the activity.
ICS and OT Vulnerabilities: Elevated Physical Risk
Cyble’s pull on ICS vulnerabilities is the week’s most alarming element—particularly the Radiometrics VizAir findings and a Survision LPR camera flaw. These are not just data or availability issues; exploitation could cause hazardous conditions.
Radiometrics VizAir — three CVEs scored 10.0 (CVE‑2025‑61945, CVE‑2025‑54863, CVE‑2025‑61956)
- What Cyble reported: three maximum‑severity vulnerabilities impacting VizAir aviation weather monitoring systems that could permit unauthenticated manipulation of weather feeds, REST API key exposure, and admin/API access bypass. Cyble stressed the potential real‑world consequences for runway safety and air‑traffic operations.
- Independent validation: multiple ICS advisories and NVD/ICS‑CERT entries confirm:
- CVE‑2025‑61956: missing authentication for critical functions — CVSS 10.0.
- CVE‑2025‑54863: REST API key exposed in config file — CVSS 10.0.
- CVE‑2025‑61945: unauthenticated admin panel access allowing configuration/parameter manipulation — CVSS 10.0.
- Why this matters: weather feeds and runway advisories are integrated into ATC decisioning and flight planning. Tampering with those feeds can mislead pilots and controllers, with catastrophic potential in live operations.
- Immediate actions (for airports, meteorological units, and aviation suppliers):
- Apply Radiometrics’ patches and firmware updates immediately where available.
- Isolate VizAir instances from general‑purpose networks and restrict management interfaces to an air‑gapped/isolated control plane.
- Add integrity monitoring and out‑of‑band validation (multiple independent weather data sources) to detect conflicting telemetry.
- Coordinate with national ICS/aviation authorities (CSIRTs and CAA) and follow incident‑response playbooks for safety‑critical systems.
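The out‑of‑band validation recommended above can be implemented as a consensus check across independent feeds. The following Python example is added for this article (it is not Radiometrics, VizAir, or Cyble code): each parameter is compared pairwise across sources with a per‑parameter tolerance, wind direction is treated as a circular quantity so that 350° and 10° agree, a quorum of sources is required before any conclusion is drawn, and a source that disagrees with the majority is reported. The source names, tolerances, and readings are constructed assumptions.

```python
"""Out-of-band consistency check across independent weather feeds.

Added illustration for this article, not vendor code. Source names, tolerances and
readings are constructed assumptions, not values from any advisory.
"""

# Per-parameter tolerance and whether the quantity is circular (compass degrees).
TOLERANCES = {
    "wind_speed_kt": (5.0, False),
    "wind_dir_deg": (30.0, True),
    "visibility_m": (1000.0, False),
}
MIN_SOURCES = 3   # quorum: with fewer feeds a single bad source cannot be isolated


def delta(a, b, circular):
    """Absolute difference; for circular quantities take the short way round the compass."""
    d = abs(a - b)
    return min(d, 360.0 - d) if circular else d


def check_consensus(readings, tolerances=TOLERANCES, min_sources=MIN_SOURCES):
    """readings: {source_name: {param: value}}. Returns a list of alert strings (empty = consistent).

    A source is in the consensus for a parameter if it agrees, within tolerance, with at
    least half of the other sources; any source outside that set is reported. If no
    source reaches that bar, the parameter has no consensus at all.
    """
    alerts = []
    sources = list(readings)
    if len(sources) < min_sources:
        return [f"quorum: only {len(sources)} source(s), need {min_sources}"]
    for param, (tol, circ) in tolerances.items():
        have = {s: readings[s][param] for s in sources if param in readings[s]}
        if len(have) < min_sources:
            alerts.append(f"{param}: quorum not met ({len(have)} sources)")
            continue
        others = len(have) - 1
        agreement = {
            s: sum(1 for t, v in have.items() if t != s and delta(have[s], v, circ) <= tol)
            for s in have
        }
        majority = [s for s, n in agreement.items() if n * 2 >= others]
        if not majority:
            alerts.append(f"{param}: no consensus across {len(have)} sources")
            continue
        for s in have:
            if s not in majority:
                alerts.append(f"{param}: {s}={have[s]} disagrees with consensus of {sorted(majority)}")
    return alerts


# Constructed sample: the primary feed reports a light easterly while two independent
# sources agree on a strong northerly; visibility differs but stays within tolerance.
SAMPLE = {
    "vizair_primary":    {"wind_speed_kt": 3.0,  "wind_dir_deg": 90.0,  "visibility_m": 9000.0},
    "backup_anemometer": {"wind_speed_kt": 26.0, "wind_dir_deg": 350.0, "visibility_m": 8500.0},
    "metar_feed":        {"wind_speed_kt": 24.0, "wind_dir_deg": 10.0,  "visibility_m": 9999.0},
}

if __name__ == "__main__":
    for alert in check_consensus(SAMPLE):
        print(alert)
```

An alert here is a safety signal, not a proof of intrusion: it tells the meteorological unit to fall back to the independent sources and open an investigation of the disagreeing feed before runway advisories are issued from it.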
CVE-2025-12108 — Survision License Plate Recognition (LPR) Camera: missing authentication
- What Cyble reported: Survision LPR camera firmware did not enforce password protection by default, allowing unauthenticated access and potential arbitrary code execution.
- Independent validation: CISA/ICS‑CERT advisories and national CERTs (e.g., INCIBE) confirm the issue and the availability of patched firmware (v3.5) or mitigation steps. Reports rate the flaw as critical and urge immediate firmware upgrades and access restrictions.
- Immediate actions:
- Upgrade LPR cameras to the patched firmware and enable strong authentication controls.
- Place LPR/IoT/OT devices on segmented networks with strict egress restrictions and client‑certificate authentication where possible.
Cross‑Checking, Caveats, and Divergent Counts
- Headline counts: Cyble cited a weekly tracking figure of roughly 905 vulnerabilities, while community mirrors and other archives reported higher totals (e.g., 1,224). Differences are typical in rapid reporting windows due to feed aggregation and timing. Treat headline counts as indicative of volume rather than an exact measure, and triage by exposure/exploitability instead of raw counts.
- Public PoCs: Cyble and multiple independent trackers noted dozens of PoCs; any CVE with a public PoC should be escalated in your patching/hunting queue. PoCs accelerate weaponization and reduce attacker skill thresholds.
- Underground chatter: forum posts are actionable as leads but require telemetry cross‑validation before concluding active exploitation. Cyble’s advice to use staged verification (sandbox reproduction, telemetry hunts) is prudent and aligned with best practice.
Risk‑Based Vulnerability Management: Tactical Playbook
The recurring theme across Cyble’s reporting and independent advisories is the need for threat‑informed, risk‑based vulnerability management. Below is a practical triage and mitigation checklist defenders can apply now.
- Inventory & exposure mapping
- Identify internet‑facing services, management consoles, CI/CD endpoints, and critical OT assets.
- Prioritize assets that are internet‑reachable, run management functions, or hold sensitive telemetry.
- Shortlist emergency CVEs
- Immediate triage: internet‑exposed + high‑impact + public PoC or KEV listing → emergency patch window.
- Use vendor advisories and CISA/ICS‑CERT notices to escalate KEV and ICS items.
- Patch / mitigate
- Apply vendor patches where available; where immediate patching is infeasible, apply compensating controls: block access, WAF rules, isolate hosts, or disable vulnerable roles (e.g., WSUS) temporarily.
- Hunt & detect
- Deploy targeted detections (web shell signatures, anomalous deserialization patterns, unusual configuration changes).
- For PoC‑published CVEs, reproduce safely in an isolated lab to generate signatures and IOCs.
- Recovery & secrets rotation
- Rotate credentials, keys, and certificates where the CVE involves credential or cryptographic exposure.
- Verify and harden backups (immutable or otherwise ransomware‑resistant) and rehearse recovery procedures.
- Communications & escalation
- Notify stakeholders, vendors, and relevant national CSIRTs (for ICS/OT issues) as required.
- Maintain an emergency change and incident response runbook that includes safety‑critical escalation paths.
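The shortlist rule in the playbook (internet‑exposed + high‑impact + public PoC or KEV listing → emergency window) is easy to state and easy to apply inconsistently under pressure. The following Python example, added for this article and not Cyble’s tooling, turns it into a repeatable ordering over an asset inventory: each row carries exposure, impact class, KEV/PoC status, a safety‑critical flag for OT, and patch availability, and the output is a ranked list with a tier and a recommended action. The CVE identifiers are those discussed in the report; the asset names, exposure, and patch‑status fields are constructed assumptions and the KEV/PoC flags must be re‑checked against the live catalogs before use.

```python
"""Risk-based triage: rank asset/CVE exposures by the playbook's shortlist rule.

Added worked example for this article, not Cyble's tooling. Asset names, exposure and
patch-status fields are constructed; verify KEV/PoC flags against current sources.
"""
from dataclasses import dataclass

HIGH_IMPACT = {"rce", "auth_bypass", "safety"}   # impact classes treated as 'high-impact'


@dataclass
class Exposure:
    asset: str
    cve: str
    impact: str                 # rce | auth_bypass | lpe | info | safety
    internet_facing: bool
    kev: bool = False           # listed in CISA KEV
    public_poc: bool = False    # public proof-of-concept available
    safety_critical: bool = False   # OT/ICS asset where compromise can cause physical harm
    patch_available: bool = True


def tier(e):
    """Emergency / priority / standard, per the playbook's shortlist rule."""
    weaponised = e.kev or e.public_poc
    if e.safety_critical:
        return "emergency"
    if e.internet_facing and e.impact in HIGH_IMPACT and weaponised:
        return "emergency"
    if weaponised or (e.internet_facing and e.impact in HIGH_IMPACT):
        return "priority"
    return "standard"


def score(e):
    """Numeric ordering within a tier: exposure, weaponisation and physical impact dominate."""
    s = 40 if e.internet_facing else 0
    s += 30 if e.kev else 0
    s += 20 if e.public_poc else 0
    s += 25 if e.impact in HIGH_IMPACT else (10 if e.impact == "lpe" else 0)
    s += 50 if e.safety_critical else 0
    return s


def action(e):
    """Patch when a fix exists; otherwise name the compensating control."""
    if e.patch_available:
        return "patch now" if tier(e) == "emergency" else "patch in next window"
    return "no patch: isolate/block management interface, hunt, patch when released"


def triage(exposures):
    """Return (asset, cve, tier, score, action) tuples, most urgent first."""
    order = {"emergency": 0, "priority": 1, "standard": 2}
    ranked = sorted(exposures, key=lambda e: (order[tier(e)], -score(e), e.cve))
    return [(e.asset, e.cve, tier(e), score(e), action(e)) for e in ranked]


# Constructed inventory drawn from the CVEs discussed above; exposure flags are assumptions.
INVENTORY = [
    Exposure("wsus01 (8530 reachable from internet)", "CVE-2025-59287", "rce", True, kev=True, public_poc=True),
    Exposure("cwp-hosting-07", "CVE-2025-48703", "rce", True, kev=True, public_poc=True),
    Exposure("vm-fleet (open-vm-tools)", "CVE-2025-41244", "lpe", False, kev=True),
    Exposure("wazuh-agents", "CVE-2025-34294", "lpe", False, patch_available=False),
    Exposure("etl-infosphere", "CVE-2025-12531", "info", False),
    Exposure("vizair-wx-01", "CVE-2025-61956", "auth_bypass", False, safety_critical=True),
    Exposure("lpr-gate-cam", "CVE-2025-12108", "auth_bypass", True, safety_critical=True),
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(*row, sep=" | ")
```

The weights are deliberately simple so that the reasoning behind a ranking can be read off the row; what matters is that the same inputs always produce the same order, and that a safety‑critical OT asset or an internet‑facing, weaponised RCE can never be out‑ranked by a high CVSS score on an internal, unreachable host.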
Strengths, Weaknesses, and Risk Tradeoffs
- Strengths: vendor responsiveness on many fronts has improved; CISA/ICS‑CERT catalogs give defenders authoritative prioritization signals; public PoCs can assist defenders in creating detections if responsibly reproduced.
- Weaknesses: disclosure‑to‑exploit times are shrinking; operational constraints slow patching (ERP, ICS); perimeter appliances and exposed management consoles remain high‑value automated targets for opportunistic attackers.
- Risk tradeoffs: defenders must balance the operational cost of emergency patching (potential downtime) against the high‑impact consequences of leaving high‑risk internet‑facing management services or OT links unpatched.
Practical Hardening Checklist for Windows‑Focused Environments
- Apply Microsoft updates and vendor patches for KEV entries and actively exploited CVEs (WSUS, VMware Tools, CWP, etc.).
- Isolate management planes (WAFs, panels, deployment tooling) behind VPNs and jump boxes; never leave management interfaces internet‑facing.
- Implement Zero‑Trust access controls for admin workflows and multi‑factor authentication for all management accounts.
- Ensure WSUS and other patch management roles are not internet‑exposed; if they must be reachable, instrument them with tight ACLs and host firewall rules.
- For ICS/OT:
- Segment OT networks and add out‑of‑band telemetry checks.
- Follow vendor guidance and CISA/ICS‑CERT advisories for safety‑critical assets like VizAir and Survision cameras.
Conclusion
This week’s Cyble report is a timely reminder that vulnerability management is no longer a routine patch cycle—it's a sprint under uncertainty. Large volumes of disclosures, coupled with abundant public PoCs and the presence of vulnerabilities affecting physical safety systems, force security teams to make rapid, prioritized decisions. The defensible approach is clear: inventory exposures, triage by exposure + exploitability + impact, apply vendor patches for KEV/active‑exploit items immediately, and apply compensating controls for systems that cannot be patched without operational disruption. Cyble’s intelligence and the independent advisories reviewed here converge on the same operational imperative: act fast, hunt aggressively, and treat safety‑critical ICS issues with the highest priority. Stay pragmatic: prioritize what attackers can weaponize in your environment today, not every CVE you see in a headline.