SolarWinds Net Assist Desk and OpenClaw flaws are among the many vulnerabilities, drawing vital curiosity by risk actors.
Cyble Vulnerability Intelligence researchers tracked 1,093 vulnerabilities in the final week, and properly over 200 of the disclosed vulnerabilities have already got a publicly obtainable Proof-of-Idea (PoC), considerably rising the chance of real-world assaults on these vulnerabilities.
A complete of 83 vulnerabilities have been rated as vital underneath the CVSS v3.1 scoring system, whereas 28 acquired a vital severity ranking primarily based on the newer CVSS v4.0 scoring system.
Listed below are a number of the IT and ICS vulnerabilities flagged by Cyble risk intelligence researchers for prioritization by safety groups, together with some which were utilized in ransomware assaults.
The Week’s High Vulnerabilities
CVE-2026-25253, a vital vulnerability within the OpenClaw open-source AI private assistant (often known as clawdbot or Moltbot), has been getting consideration each from the safety group and risk actors in underground boards. In variations earlier than 2026.1.29, the appliance obtains a gatewayUrl from a question string and robotically connects by way of WebSocket with out person affirmation, probably leaking the delicate auth token to attacker-controlled servers. This may allow unauthorized entry to the sufferer’s OpenClaw occasion.
CVE-2025-40554 is one other vulnerability noticed by Cyble to be underneath dialogue by risk actors on the darkish internet. The vital authentication bypass vulnerability in SolarWinds Net Assist Desk may enable unauthenticated distant attackers to exploit a weak authentication mechanism to invoke privileged actions and strategies with out credentials, over the community with low complexity and no person interplay.
CISA added one other SolarWinds Net Assist Desk vulnerability, CVE-2025-40551, to its Recognized Exploited Vulnerabilities (KEV) catalog. The vital untrusted information deserialization vulnerability in SolarWinds Net Assist Desk may enable unauthenticated distant attackers to ship crafted requests over the community, triggering distant code execution (RCE) and enabling arbitrary command execution on the host machine with full system privileges.
One other vulnerability added to the CISA KEV catalog was CVE-2026-1281, a vital code injection vulnerability in Ivanti Endpoint Supervisor Cell (EPMM) that would enable unauthenticated distant code execution (RCE) by way of improper enter sanitization, the place attackers may ship crafted requests to execute arbitrary code with out privileges or person interplay.
Different vulnerabilities added to the KEV catalog included CVE-2021-39935, a high-severity Server-Aspect Request Forgery (SSRF) vulnerability in GitLab Group Version (CE) and Enterprise Version (EE), and CVE-2025-11953, a React Native Group CLI OS Command Injection vulnerability.
CVE-2025-8088, a path traversal vulnerability in WinRAR, has been producing dialogue in open-source communities. A number of risk actors, together with nation-state adversaries and financially motivated teams, have reportedly been exploiting the flaw to set up preliminary entry and deploy a various array of payloads.
CVE-2025-22225, a high-severity arbitrary write vulnerability in VMware ESXi hypervisors and associated merchandise like Cloud Basis and Telco Cloud Infrastructure, has additionally generated vital dialogue and was lately decided by CISA to be exploited by ransomware teams (see subsequent part beneath).
Vulnerabilities Utilized in Ransomware Assaults
Up to now this yr, CISA has modified the standing of six KEV catalog vulnerabilities to replicate proof of exploitation by ransomware teams. The six vulnerabilities embody:
- CVE-2026-24423, a SmarterTools SmarterMail Lacking Authentication for Vital Operate vulnerability
- CVE-2024-30088, a Microsoft Home windows Kernel TOCTOU Race Situation vulnerability
- CVE-2024-9680, a Mozilla Firefox Use-After-Free vulnerability
- CVE-2024-51567, a CyberPanel Incorrect Default Permissions vulnerability
- CVE-2024-49039, a Microsoft Home windows Job Scheduler Privilege Escalation vulnerability
Vital ICS Vulnerabilities
Cyble flagged the next industrial management system (ICS) vulnerabilities for prioritization by safety groups in current experiences to purchasers.
CVE-2026-1632 is a vital vulnerability in RISS SRL’s MOMA Seismic Station software program. The flaw entails the online administration interface being uncovered with out authentication, probably enabling unauthenticated attackers to modify configurations, entry seismic information, or reset the gadget remotely over the community.
CVE-2025-26385 is a maximum-severity Johnson Controls Metasys techniques command-injection vulnerability. The flaw allows unauthenticated distant SQL injection, probably permitting attackers to compromise constructing administration techniques that management HVAC, lighting, safety, and life-safety features throughout a number of vital infrastructure sectors.
CVE-2025-40805 is a maximum-severity Authorization Bypass vulnerability affecting Siemens Industrial Edge Gadgets, HMI Panels, and IPC gadgets.
CVE-2025-10492 is a Java deserialization vulnerability in the Jaspersoft Library that impacts Hitachi Power Asset Suite variations 9.7 and earlier.
Conclusion
Within the face of great threats to IT and ICS environments, safety groups should concentrate on defenses that shield their most crucial property and construct resilience to put together for any incidents that do happen. Cybersecurity finest practices that may assist embody:
- Defending web-facing property.
- Segmenting networks and significant property.
- Hardening endpoints and infrastructure.
- Sturdy entry controls, permitting no extra entry than is required, with frequent verification.
- A powerful supply of person id and authentication, together with multi-factor authentication and biometrics, in addition to machine authentication with gadget compliance and well being checks.
- Encryption of information at relaxation and in transit.
- Ransomware-resistant backups which are immutable, air-gapped, and remoted as a lot as doable.
- Honeypots that lure attackers to faux property for early breach detection.
- Correct configuration of APIs and cloud service connections.
- Monitoring for uncommon and anomalous exercise with SIEM, Lively Listing monitoring, endpoint safety, and information loss prevention (DLP) instruments.
- Routinely assessing and confirming controls by audits, vulnerability scanning, and penetration checks.
Cyble’s complete assault floor administration options may also help by scanning community and cloud property for exposures and prioritizing fixes, along with monitoring for leaked credentials and different early warning indicators of main cyberattacks.
Moreover, Cyble’s third-party threat intelligence can assist organizations rigorously vet companions and suppliers, offering an early warning of potential dangers.
