Critical SolarWinds, Ivanti EPMM, Microsoft Office, and Siemens ICS vulnerabilities are being discussed on underground forums, while 15 CISA ICS advisories impacted the Energy and Critical Manufacturing sectors.
Cyble Research & Intelligence Labs (CRIL) tracked 1,158 vulnerabilities last week. Of these, 251 vulnerabilities already have publicly available Proof-of-Concept (PoC) exploits, significantly increasing the likelihood of real-world attacks.
A total of 94 vulnerabilities were rated critical under CVSS v3.1, while 43 were rated critical under CVSS v4.0.
In parallel, CISA issued 15 ICS advisories covering 87 vulnerabilities affecting industrial environments. These vulnerabilities impacted vendors including Siemens, Yokogawa, AVEVA, Hitachi Energy, ZLAN, ZOLL, and Airleader.
Additionally, 8 vulnerabilities were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, reflecting confirmed exploitation in the wild.
The Week’s Top Vulnerabilities
CVE-2025-40554 — SolarWinds Web Help Desk (Critical)
CVE-2025-40554 is a critical authentication bypass vulnerability affecting SolarWinds Web Help Desk versions prior to 2026.1. The flaw allows unauthenticated remote attackers to invoke privileged functionality without valid credentials, potentially leading to full compromise of helpdesk systems.
Cyble observed this vulnerability being discussed on underground forums shortly after disclosure, and a public PoC is available. The vulnerability’s presence in enterprise environments increases the risk of initial access and lateral movement.
CVE-2026-1340 — Ivanti Endpoint Manager Mobile (Critical)
CVE-2026-1340 is a critical code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM). A remote, unauthenticated attacker can exploit the flaw to achieve arbitrary remote code execution without user interaction.
The vulnerability has been captured in dark web discussions and has a publicly available PoC, significantly lowering the barrier to exploitation.
CVE-2026-21509 — Microsoft Office (High Severity, Actively Exploited)
CVE-2026-21509 is a feature-bypass vulnerability in Microsoft Office that allows crafted documents to circumvent built-in security protections. Attackers can deliver malicious Office files that execute payloads once opened by the victim.
The flaw has been actively exploited by threat actors including APT28 and RomCom, highlighting its operational impact.
CVE-2026-1529 — Keycloak (High Impact)
CVE-2026-1529 affects Red Hat’s Keycloak and involves improper validation of JWT invitation token signatures. Attackers can manipulate trusted token contents to gain unauthorized access to organizational resources.
A PoC is available, and the vulnerability surfaced on underground forums shortly after disclosure.
CVE-2026-23906 — Apache Druid (Critical)
CVE-2026-23906 is a critical authentication bypass vulnerability in Apache Druid, enabling unauthorized access to sensitive data stores.
CVE-2026-0488 — SAP CRM & SAP S/4HANA (Critical)
CVE-2026-0488 is a critical code injection vulnerability affecting SAP CRM and SAP S/4HANA. An authenticated attacker can exploit improper function module calls to execute arbitrary SQL statements, potentially resulting in full database compromise.
Vulnerabilities Added to CISA KEV
CISA added 8 vulnerabilities to the KEV catalog during the reporting period. The most important of these were:
- CVE-2026-24423 — SmarterTools SmarterMail unauthenticated RCE
- CVE-2026-21510 — Microsoft Windows Shell security mechanism bypass
KEV additions reflect confirmed exploitation in the wild and often signal heightened ransomware or espionage activity.
Critical ICS Vulnerabilities
CISA issued 15 ICS advisories covering 87 vulnerabilities, with the majority rated high severity.
CVE-2026-25084 & CVE-2026-24789 — ZLAN5143D (Critical)
These critical vulnerabilities in ZLAN Information Technology Co.’s ZLAN5143D device involve missing authentication for critical functions.
Successful exploitation could allow attackers to bypass authentication controls or reset device passwords, potentially enabling unauthorized configuration changes and interference with industrial communications. Researchers also identified internet-facing instances, increasing exposure risk.
CVE-2025-52533 — Siemens SINEC OS (Critical)
CVE-2025-52533 is a critical out-of-bounds write vulnerability in Siemens SINEC OS before version 3.3, potentially enabling memory corruption and system compromise in industrial network environments.
CVE-2026-1358 — Airleader Master (Critical)
CVE-2026-1358 is a critical unrestricted file-upload vulnerability in Airleader Master systems. Successful exploitation could allow attackers to upload malicious files, potentially resulting in remote code execution in OT environments.
Impacted Critical Infrastructure Sectors
Analysis of the ICS advisories shows that the Critical Manufacturing and Energy sectors appear in 98.9% of reported vulnerabilities, showing concentrated exposure in these environments.
The cross-sector nature of these vulnerabilities underscores the interdependencies between Energy, Manufacturing, Transportation, Water, and Food systems.
Conclusion
The convergence of high-volume IT vulnerabilities and significant ICS exposure highlights the continued expansion of the attack surface across enterprise and industrial environments. With over 250 PoCs publicly available and multiple KEV additions confirming active exploitation, organizations must prioritize rapid remediation and risk-based vulnerability management.
Security best practices include:
- Prioritizing vulnerabilities based on risk and exploit availability
- Protecting web-facing and internet-exposed assets
- Implementing strict IT/OT network segmentation
- Deploying multi-factor authentication and strong access controls
- Conducting regular vulnerability assessments and penetration testing
- Monitoring underground forums and KEV updates for early warning signs
- Establishing ransomware-resistant backup strategies
- Maintaining OT-specific incident response procedures
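The first and sixth practices above (prioritizing by risk and exploit availability, watching KEV updates) can be combined into one triage pass. The following is an added example, not part of Cyble's report: it cross-references scanner findings against a KEV feed excerpt and ranks by KEV listing, then public PoC, then internet exposure, then severity. The host names, exposure flags, ranking order and feed excerpt are assumptions constructed for illustration; the field names `cveID`, `vendorProject` and `product` follow CISA's KEV JSON feed.

```python
import json

# Constructed excerpt shaped like CISA's KEV JSON feed (only the fields used here).
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-24423", "vendorProject": "SmarterTools", "product": "SmarterMail"},
    {"cveID": "CVE-2026-21510", "vendorProject": "Microsoft", "product": "Windows"},
]})

# Constructed scanner findings. Host names and exposure flags are hypothetical.
# Severity is set only where the report states it; poc is True only where the
# report says a PoC is public.
FINDINGS = [
    {"host": "druid-01", "cve": "CVE-2026-23906", "severity": "critical", "poc": False, "internet_facing": False},
    {"host": "ws-114", "cve": "cve-2026-21510", "severity": None, "poc": False, "internet_facing": False},
    {"host": "epmm-01", "cve": "CVE-2026-1340", "severity": "critical", "poc": True, "internet_facing": False},
    {"host": "mail-01", "cve": "CVE-2026-24423", "severity": None, "poc": False, "internet_facing": True},
    {"host": "helpdesk-01", "cve": "CVE-2025-40554", "severity": "critical", "poc": True, "internet_facing": True},
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def load_kev_ids(feed_json):
    """Return the set of CVE IDs listed in a KEV-format JSON document."""
    feed = json.loads(feed_json)
    return {v["cveID"].strip().upper() for v in feed.get("vulnerabilities", []) if v.get("cveID")}


def prioritize(findings, kev_ids):
    """Rank findings: KEV-listed first, then public PoC, exposure, severity."""
    def key(f):
        return (
            f["cve"].strip().upper() in kev_ids,   # confirmed exploitation outranks everything
            bool(f.get("poc")),                    # public exploit code lowers attacker cost
            bool(f.get("internet_facing")),        # reachable without prior access
            SEVERITY_RANK.get(f.get("severity") or "", 0),  # missing severity sorts last
        )
    ranked = sorted(findings, key=key, reverse=True)
    # Return copies with the CVE ID normalized and the KEV match made explicit.
    return [dict(f, cve=f["cve"].strip().upper(), kev=key(f)[0]) for f in ranked]


if __name__ == "__main__":
    for f in prioritize(FINDINGS, load_kev_ids(KEV_FEED)):
        print(f"{f['host']:<12} {f['cve']:<15} kev={f['kev']} poc={f['poc']} exposed={f['internet_facing']}")
```

A KEV-listed finding with no severity from the scanner still ranks above every unlisted critical, which is the behaviour the report's emphasis on confirmed exploitation calls for.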
Cyble’s comprehensive attack surface management solutions help organizations continuously monitor internal and external assets, prioritize remediation, and detect early warning signs of exploitation. Additionally, Cyble’s threat intelligence and third-party risk intelligence capabilities provide visibility into vulnerabilities actively discussed in underground communities, enabling proactive defense against both IT and ICS threats.

