Full Report
Cyble Vulnerability Intelligence researchers tracked 2,415 vulnerabilities in the last week, a significant increase over even last week’s very high number of new vulnerabilities. The increase signals a heightened risk landscape and expanding attack surface in the current threat environment. Over 300 of the disclosed vulnerabilities already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks. A total of 219 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 47 received a critical severity rating based on the newer CVSS v4.0 scoring system. Even after factoring out a high number of Linux kernel and Adobe vulnerabilities (chart below), new vulnerabilities reported in the last week were still very high. What follows are some of the IT and ICS vulnerabilities flagged by Cyble threat intelligence researchers in recent reports to clients spanning December 9-16. The Week’s Top IT Vulnerabilities CVE-2025-59385 is a high-severity authentication bypass vulnerability affecting several versions of QNAP operating systems, including QTS and QuTS hero. Fixed versions include QTS 5.2.7.3297 build 20251024 and later, QuTS hero h5.2.7.3297 build 20251024 and later, and QuTS hero h5.3.1.3292 build 20251024 and later. CVE-2025-66430 is a critical vulnerability in Plesk 18.0, specifically affecting the Password-Protected Directories feature. It stems from improper access control, potentially allowing attackers to bypass security mechanisms and escalate privileges to root-level access on affected Plesk for Linux servers. CVE-2025-64537 is a critical DOM-based Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager. The vulnerability could allow attackers to inject malicious scripts into web pages, which are then executed in the context of a victim's browser, potentially leading to session hijacking, data theft, or further exploitation. CVE-2025-43529 is a critical use-after-free vulnerability in Apple's WebKit browser engine, which is used in Safari and other Apple applications. The flaw could allow attackers to execute arbitrary code on affected devices by tricking users into processing maliciously crafted web content, potentially leading to full device compromise. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2025-59718 is a critical authentication bypass vulnerability affecting multiple versions of Fortinet products, including FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb. The flaw could allow unauthenticated attackers to bypass FortiCloud Single Sign-On (SSO) login authentication by sending a specially crafted SAML message. The vulnerability has been added to CISA’s KEV catalog. Notable vulnerabilities discussed in open-source communities included CVE-2025-55182, a critical unauthenticated remote code execution (RCE) vulnerability affecting React Server Components; CVE-2025-14174, a critical memory corruption vulnerability affecting Apple's WebKit browser engine; and CVE-2025-62221, a high-severity use-after-free elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver. Vulnerabilities Discussed on the Dark Web Cyble Research and Intelligence Labs (CRIL) researchers also observed several threat actors discussing weaponizing vulnerabilities on dark web forums. Among the vulnerabilities under discussion were: CVE-2025-55315, a critical severity vulnerability classified as HTTP request/response smuggling due to inconsistent interpretation of HTTP requests in ASP.NET Core, particularly in the Kestrel server component. The flaw arises from how chunk extensions in Transfer-Encoding: chunked requests with invalid line endings are handled differently by ASP.NET Core compared to upstream proxies, enabling attackers to smuggle malicious requests. An authorized attacker can exploit this vulnerability over a network to bypass security controls, leading to impacts such as privilege escalation, SSRF, CSRF bypass, session hijacking, or code execution, depending on the application logic. CVE-2025-59287 is a critical-severity remote code execution (RCE) vulnerability stemming from improper deserialization of untrusted data in Microsoft Windows Server Update Services (WSUS). The core flaw occurs in the ClientWebService component, where a specially crafted SOAP request to endpoints like SyncUpdates triggers decryption and unsafe deserialization of an AuthorizationCookie object using .NET's BinaryFormatter, allowing arbitrary code execution with SYSTEM privileges. Unauthenticated remote attackers can exploit this over WSUS ports (e.g., 8530/8531) to deploy webshells or achieve persistence, with real-world exploitation already observed. CVE-2025-59719, a critical severity vulnerability due to improper cryptographic signature verification, permitting authentication bypass in Fortinet FortiWeb through FortiCloud SSO. Attackers can submit crafted SAML response messages to evade login checks without proper authentication. This unauthenticated flaw has a high impact and has been actively exploited post-disclosure. ICS Vulnerabilities Cyble also flagged two industrial control system (ICS) vulnerabilities as meriting high-priority attention by security teams. They include: CVE-2024-3596: multiple versions of Hitachi Energy AFS, AFR, and AFF Series products are affected by a RADIUS Protocol vulnerability, Improper Enforcement of Message Integrity During Transmission in a Communication Channel. Successful exploitation of the vulnerability could compromise the integrity of the product data and disrupt its availability. CVE-2025-13970: OpenPLC_V3 versions prior to pull request #310 are vulnerable to this Cross-Site Request Forgery (CSRF) flaw. Successful exploitation of the vulnerability could result in the alteration of PLC settings or the upload of malicious programs. Conclusion The record number of new vulnerabilities observed by Cyble in the last week underscores the need for security teams to respond with rapid, well-targeted actions to patch the most critical vulnerabilities and successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts. Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. The post The Week in Vulnerabilities: More Than 2,000 New Flaws Emerge appeared first on Cyble.
Analysis Summary
This summary details the highest-profile vulnerabilities tracked by Cyble between December 9th and December 16th, noting the heightened risk environment with over 300 disclosed flaws already possessing public Proof-of-Concepts (PoCs).
# Vulnerability: QNAP OS Authentication Bypass
## CVE Details
- CVE ID: CVE-2025-59385
- CVSS Score: High (Specific score not provided in text)
## Affected Systems
- Products: QNAP operating systems (QTS and QuTS hero)
- Versions: Several unspecified versions prior to patch releases.
- Configurations: N/A
## Vulnerability Description
A high-severity authentication bypass vulnerability affecting QNAP operating systems.
## Exploitation
- Status: PoC availability or exploitation status not specified.
- Complexity: Not specified.
- Attack Vector: Not specified.
## Impact
- Confidentiality: Not specified.
- Integrity: Not specified.
- Availability: Not specified.
## Remediation
### Patches
- QTS: 5.2.7.3297 build 20251024 and later.
- QuTS hero: h5.2.7.3297 build 20251024 and later.
- QuTS hero: h5.3.1.3292 build 20251024 and later.
### Workarounds
- None specified.
## Detection
- Not specified.
## References
- Vendor advisories: QNAP (Implied)
- Relevant links - defanged: nvd.nist.gov/vuln/detail/CVE-2025-59385
# Vulnerability: Critical Privilege Escalation in Plesk Password-Protected Directories
## CVE Details
- CVE ID: CVE-2025-66430
- CVSS Score: Critical (Specific score not provided in text)
## Affected Systems
- Products: Plesk 18.0
- Versions: Plesk 18.0 (Specifically affecting the Password-Protected Directories feature)
- Configurations: Plesk for Linux servers.
## Vulnerability Description
A critical vulnerability stemming from improper access control within Plesk's Password-Protected Directories feature. Successful exploitation allows attackers to bypass security mechanisms and escalate privileges to root-level access on Linux servers.
## Exploitation
- Status: PoC availability or exploitation status not specified.
- Complexity: Not specified.
- Attack Vector: Not specified.
## Impact
- Confidentiality: High (Root-level access).
- Integrity: High (Root-level access).
- Availability: Not specified.
## Remediation
### Patches
- Not specified.
### Workarounds
- None specified.
## Detection
- Not specified.
## References
- Vendor advisories: Plesk (Implied)
- Relevant links - defanged: nvd.nist.gov/vuln/detail/CVE-2025-66430
# Vulnerability: Adobe Experience Manager DOM-based XSS
## CVE Details
- CVE ID: CVE-2025-64537
- CVSS Score: Critical (Specific score not provided in text)
## Affected Systems
- Products: Adobe Experience Manager
- Versions: Not specified.
- Configurations: N/A
## Vulnerability Description
A critical DOM-based Cross-Site Scripting (XSS) vulnerability. Attackers can inject malicious scripts into web pages, which execute in the context of a victim's browser.
## Exploitation
- Status: PoC availability or exploitation status not specified.
- Complexity: Not specified.
- Attack Vector: Network (via crafted web content).
## Impact
- Confidentiality: Potential data theft, session hijacking.
- Integrity: Potential script execution leading to compromise.
- Availability: Not specified.
## Remediation
### Patches
- Not specified.
### Workarounds
- None specified.
## Detection
- Monitoring for unusual script injection or execution within AEM pages.
## References
- Vendor advisories: Adobe (Implied)
- Relevant links - defanged: nvd.nist.gov/vuln/detail/CVE-2025-64537
# Vulnerability: Apple WebKit Use-After-Free Leading to Code Execution
## CVE Details
- CVE ID: CVE-2025-43529
- CVSS Score: Critical (Specific score not provided in text)
## Affected Systems
- Products: Apple WebKit browser engine (used in Safari and other Apple applications)
- Versions: Not specified.
- Configurations: Requires users to process maliciously crafted web content.
## Vulnerability Description
A critical use-after-free vulnerability in Apple's WebKit browser engine. Attackers can execute arbitrary code by tricking users into processing malicious web content.
## Exploitation
- Status: Actively tracked by CISA as a Known Exploited Vulnerability (KEV).
- Complexity: Likely low, involving tricking a user.
- Attack Vector: Network (via web content).
## Impact
- Confidentiality: Potential full device compromise.
- Integrity: Potential full device compromise.
- Availability: Potential device compromise/disruption.
## Remediation
### Patches
- Not specified (Requires Apple security update).
### Workarounds
- None specified.
## Detection
- Monitoring endpoints for unauthorized code execution originating from browser processes.
## References
- Vendor advisories: Apple (Implied)
- Relevant links - defanged: nvd.nist.gov/vuln/detail/CVE-2025-43529
# Vulnerability: Critical Fortinet FortiCloud SSO Bypass
## CVE Details
- CVE ID: CVE-2025-59718 (Note: CVE-2025-59719 is also mentioned later for FortiWeb SSO bypass)
- CVSS Score: Critical (Specific score not provided in text)
## Affected Systems
- Products: Fortinet products including FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb.
- Versions: Multiple versions affected.
- Configurations: Affects FortiCloud Single Sign-On (SSO) login.
## Vulnerability Description
A critical authentication bypass vulnerability allowing unauthenticated attackers to bypass FortiCloud SSO login by sending a specially crafted SAML message.
## Exploitation
- Status: Actively tracked by CISA as a Known Exploited Vulnerability (KEV).
- Complexity: Low, due to unauthenticated nature.
- Attack Vector: Network.
## Impact
- Confidentiality: High (Authentication bypass).
- Integrity: High (Authentication bypass).
- Availability: Not specified.
## Remediation
### Patches
- Not specified (Requires vendor patch).
### Workarounds
- None specified.
## Detection
- Monitoring SAML request/response traffic for malformed or unexpected messages directed at SSO endpoints.
## References
- Vendor advisories: Fortinet (Implied)
- Relevant links - defanged: nvd.nist.gov/vuln/detail/CVE-2025-59718
# Vulnerability: Critical Unauthenticated RCE in React Server Components
## CVE Details
- CVE ID: CVE-2025-55182
- CVSS Score: Critical (Specific score not provided in text)
## Affected Systems
- Products: React Server Components
- Versions: Not specified.
- Configurations: N/A
## Vulnerability Description
A critical vulnerability allowing unauthenticated remote code execution (RCE).
## Exploitation
- Status: Discussed in open-source communities; PoC likely available.
- Complexity: Not specified for exploitation, but RCE implies high impact.
- Attack Vector: Network.
## Impact
- Confidentiality: High (RCE).
- Integrity: High (RCE).
- Availability: High (RCE).
## Remediation
### Patches
- Not specified (Requires React framework update).
### Workarounds
- None specified.
## Detection
- Monitoring network traffic directed at React applications for payloads characteristic of RCE attempts.
## References
- Vendor advisories: React (Implied)
- Relevant links - defanged: nvd.nist.gov/vuln/detail/CVE-2025-55182
# Vulnerability: Critical Memory Corruption in Apple WebKit
## CVE Details
- CVE ID: CVE-2025-14174
- CVSS Score: Critical (Specific score not provided in text)
## Affected Systems
- Products: Apple WebKit browser engine
- Versions: Not specified.
- Configurations: N/A
## Vulnerability Description
A critical memory corruption vulnerability affecting Apple's WebKit browser engine.
## Exploitation
- Status: Discussed in open-source communities; PoC likely available.
- Complexity: Not specified.
- Attack Vector: Network (likely via web content).
## Impact
- Confidentiality: High (Memory corruption leading to potential compromise).
- Integrity: High (Memory corruption leading to potential compromise).
- Availability: Not specified.
## Remediation
### Patches
- Not specified (Requires Apple security update).
### Workarounds
- None specified.
## Detection
- Not specified.
## References
- Vendor advisories: Apple (Implied)
- Relevant links - defanged: nvd.nist.gov/vuln/detail/CVE-2025-14174
# Vulnerability: Windows Cloud Files Mini Filter Driver UAF
## CVE Details
- CVE ID: CVE-2025-62221
- CVSS Score: High-severity (Specific score not provided in text)
## Affected Systems
- Products: Windows Cloud Files Mini Filter Driver
- Versions: Not specified.
- Configurations: Elevates privileges.
## Vulnerability Description
A high-severity Use-After-Free (UAF) vulnerability resulting in an Elevation of Privilege in the Windows Cloud Files Mini Filter Driver.
## Exploitation
- Status: Discussed in open-source communities; PoC likely available.
- Complexity: Not specified.
- Attack Vector: Local (Implied from EoP).
## Impact
- Confidentiality: Potential privilege escalation.
- Integrity: Potential privilege escalation.
- Availability: Not specified.
## Remediation
### Patches
- Not specified (Requires Microsoft security update).
### Workarounds
- None specified.
## Detection
- Monitoring driver activity for anomalous operations related to file filtering.
## References
- Vendor advisories: Microsoft (Implied)
- Relevant links - defanged: nvd.nist.gov/vuln/detail/CVE-2025-62221
# Vulnerability: ASP.NET Core HTTP Request Smuggling (Kestrel)
## CVE Details
- CVE ID: CVE-2025-55315
- CVSS Score: Critical severity (Specific score not provided in text)
## Affected Systems
- Products: ASP.NET Core (Kestrel server component)
- Versions: Not specified.
- Configurations: Affects how chunk extensions in `Transfer-Encoding: chunked` requests with invalid line endings are handled.
## Vulnerability Description
A critical HTTP request/response smuggling vulnerability. ASP.NET Core (Kestrel) interprets HTTP requests differently than upstream proxies concerning rejected chunk extensions, allowing attackers to smuggle malicious requests past boundary controls.
## Exploitation
- Status: Discussed on dark web forums; PoC likely available.
- Complexity: Medium (Requires knowledge of proxy/backend interpretation differences).
- Attack Vector: Network.
## Impact
- Confidentiality: Potential session hijacking.
- Integrity: Potential privilege escalation, CSRF bypass.
- Availability: Potential SSRF or code execution.
## Remediation
### Patches
- Not specified (Requires ASP.NET Core update).
### Workarounds
- Ensuring proxies and the Kestrel server strictly adhere to HTTP parsing standards, potentially by sanitizing or rejecting malformed `Transfer-Encoding` headers before they hit Kestrel.
## Detection
- Analyzing web traffic logs for anomalous request sequences or duplicated requests originating only on the backend server.
## References
- Vendor advisories: Microsoft (.NET) (Implied)
- Relevant links - defanged: None provided in extract.
# Vulnerability: Critical RCE in Microsoft WSUS via Deserialization
## CVE Details
- CVE ID: CVE-2025-59287
- CVSS Score: Critical severity (Specific score not provided in text)
## Affected Systems
- Products: Microsoft Windows Server Update Services (WSUS)
- Versions: Not specified.
- Configurations: Affects the ClientWebService component.
## Vulnerability Description
A critical, unauthenticated RCE vulnerability caused by improper deserialization of untrusted data within the WSUS ClientWebService component. A specially crafted SOAP request triggers unsafe deserialization of an `AuthorizationCookie` object using .NET's `BinaryFormatter`, leading to arbitrary code execution with SYSTEM privileges.
## Exploitation
- Status: Real-world exploitation actively observed.
- Complexity: Low (Unauthenticated network access).
- Attack Vector: Network (via WSUS ports: 8530/8531).
## Impact
- Confidentiality: SYSTEM-level RCE.
- Integrity: SYSTEM-level RCE.
- Availability: SYSTEM-level compromise.
## Remediation
### Patches
- Not specified (Requires Microsoft patch for WSUS).
### Workarounds
- Restricting network access to WSUS ports (8530/8531) strictly to necessary management IPs, if possible, until patched.
## Detection
- Monitoring WSUS ports for unusual SOAP requests or unexpected webshell deployment activity.
## References
- Vendor advisories: Microsoft (Implied)
- Relevant links - defanged: None provided in extract.
# Vulnerability: Fortinet FortiWeb FortiCloud SSO Authentication Bypass (SAML)
## CVE Details
- CVE ID: CVE-2025-59719
- CVSS Score: Critical severity (Specific score not provided in text)
## Affected Systems
- Products: Fortinet FortiWeb
- Versions: Not specified.
- Configurations: Affects FortiCloud SSO mechanism.
## Vulnerability Description
A critical flaw due to improper cryptographic signature verification, allowing authentication bypass. Attackers can submit crafted SAML response messages to evade login checks.
## Exploitation
- Status: Actively exploited post-disclosure.
- Complexity: Low (Unauthenticated network access).
- Attack Vector: Network.
## Impact
- Confidentiality: High (Authentication bypass).
- Integrity: High (Authentication bypass).
- Availability: Not specified.
## Remediation
### Patches
- Not specified (Requires Fortinet patch).
### Workarounds
- None specified.
## Detection
- Monitoring SAML response validation logs for signature failures that were nonetheless processed successfully.
## References
- Vendor advisories: Fortinet (Implied)
- Relevant links - defanged: None provided in extract.
---
## ICS Vulnerabilities
# Vulnerability: Hitachi Energy AFS/AFR/AFF RADIUS Integrity Failure
## CVE Details
- CVE ID: CVE-2024-3596
- CVSS Score: Not specified (Rated as meriting high-priority attention).
## Affected Systems
- Products: Hitachi Energy AFS, AFR, and AFF Series products.
- Versions: Multiple versions affected.
- Configurations: Affects the RADIUS Protocol implementation.
## Vulnerability Description
Improper Enforcement of Message Integrity During Transmission in a Communication Channel (RADIUS protocol vulnerability). Successful exploitation could compromise data integrity or disrupt product availability.
## Exploitation
- Status: Not specified.
- Complexity: Not specified.
- Attack Vector: Network (over communication channel).
## Impact
- Confidentiality: Not specified.
- Integrity: Compromise of product data integrity.
- Availability: Potential disruption.
## Remediation
### Patches
- Not specified (Requires Hitachi Energy security update).
### Workarounds
- None specified.
## Detection
- Monitoring network traffic for unusual RADIUS message structures or integrity check failures.
## References
- Vendor advisories: Hitachi Energy (Implied)
# Vulnerability: OpenPLC_V3 Cross-Site Request Forgery
## CVE Details
- CVE ID: CVE-2025-13970
- CVSS Score: Not specified (Rated as meriting high-priority attention).
## Affected Systems
- Products: OpenPLC_V3
- Versions: Prior to pull request #310.
- Configurations: N/A
## Vulnerability Description
A Cross-Site Request Forgery (CSRF) flaw. Successful exploitation could result in the alteration of PLC settings or the upload of malicious programs.
## Exploitation
- Status: Not specified.
- Complexity: Not specified.
- Attack Vector: Network (Requires user interaction in a browser context relative to the PLC interface).
## Impact
- Confidentiality: Not specified.
- Integrity: Alteration of PLC settings or upload of malicious programs.
- Availability: Not specified.
## Remediation
### Patches
- Apply updates incorporating pull request #310 or later for OpenPLC_V3.
### Workarounds
- None specified.
## Detection
- Monitoring PLC configuration change requests for unauthorized sources.
## References
- Vendor advisories: OpenPLC (Implied)