Full Report
Cyble Vulnerability Intelligence researchers tracked 1,093 vulnerabilities in the last week, and well over 200 of the disclosed vulnerabilities already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks on those vulnerabilities. A total of 83 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 28 received a critical severity rating based on the newer CVSS v4.0 scoring system. Here are some of the IT and ICS vulnerabilities flagged by Cyble threat intelligence researchers for prioritization by security teams, including some that have been used in ransomware attacks. The Week’s Top Vulnerabilities CVE-2026-25253, a critical vulnerability in the OpenClaw open-source AI personal assistant (also known as clawdbot or Moltbot), has been getting attention both from the security community and threat actors in underground forums. In versions before 2026.1.29, the application obtains a gatewayUrl from a query string and automatically connects via WebSocket without user confirmation, potentially leaking the sensitive auth token to attacker-controlled servers. This could enable unauthorized access to the victim's OpenClaw instance. CVE-2025-40554 is another vulnerability observed by Cyble to be under discussion by threat actors on the dark web. The critical authentication bypass vulnerability in SolarWinds Web Help Desk could allow unauthenticated remote attackers to exploit a weak authentication mechanism to invoke privileged actions and methods without credentials, over the network with low complexity and no user interaction. CISA added another SolarWinds Web Help Desk vulnerability, CVE-2025-40551, to its Known Exploited Vulnerabilities (KEV) catalog. The critical untrusted data deserialization vulnerability in SolarWinds Web Help Desk could allow unauthenticated remote attackers to send crafted requests over the network, triggering remote code execution (RCE) and enabling arbitrary command execution on the host machine with full system privileges. Another vulnerability added to the CISA KEV catalog was CVE-2026-1281, a critical code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that could allow unauthenticated remote code execution (RCE) via improper input sanitization, where attackers could send crafted requests to execute arbitrary code without privileges or user interaction. Other vulnerabilities added to the KEV catalog included CVE-2021-39935, a high-severity Server-Side Request Forgery (SSRF) vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE), and CVE-2025-11953, a React Native Community CLI OS Command Injection vulnerability. CVE-2025-8088, a path traversal vulnerability in WinRAR, has been generating discussion in open-source communities. Multiple threat actors, including nation-state adversaries and financially motivated groups, have reportedly been exploiting the flaw to establish initial access and deploy a diverse array of payloads. CVE-2025-22225, a high-severity arbitrary write vulnerability in VMware ESXi hypervisors and related products like Cloud Foundation and Telco Cloud Infrastructure, has also generated significant discussion and was recently determined by CISA to be exploited by ransomware groups (see next section below). Vulnerabilities Used in Ransomware Attacks So far this year, CISA has changed the status of six KEV catalog vulnerabilities to reflect evidence of exploitation by ransomware groups. The six vulnerabilities include: CVE-2026-24423, a SmarterTools SmarterMail Missing Authentication for Critical Function vulnerability CVE-2025-22225, a VMware ESXi Arbitrary Write vulnerability CVE-2024-30088, a Microsoft Windows Kernel TOCTOU Race Condition vulnerability CVE-2024-9680, a Mozilla Firefox Use-After-Free vulnerability CVE-2024-51567, a CyberPanel Incorrect Default Permissions vulnerability CVE-2024-49039, a Microsoft Windows Task Scheduler Privilege Escalation vulnerability Critical ICS Vulnerabilities Cyble flagged the following industrial control system (ICS) vulnerabilities for prioritization by security teams in recent reports to clients. CVE-2026-1632 is a critical vulnerability in RISS SRL's MOMA Seismic Station software. The flaw involves the web management interface being exposed without authentication, potentially enabling unauthenticated attackers to modify configurations, access seismic data, or reset the device remotely over the network. CVE-2025-26385 is a maximum-severity Johnson Controls Metasys systems command-injection vulnerability. The flaw enables unauthenticated remote SQL injection, potentially allowing attackers to compromise building management systems that control HVAC, lighting, security, and life-safety functions across multiple critical infrastructure sectors. CVE-2025-40805 is a maximum-severity Authorization Bypass vulnerability affecting Siemens Industrial Edge Devices, HMI Panels, and IPC devices. CVE-2025-10492 is a Java deserialization vulnerability in the Jaspersoft Library that affects Hitachi Energy Asset Suite versions 9.7 and earlier. Conclusion In the face of significant threats to IT and ICS environments, security teams must focus on defenses that protect their most critical assets and build resilience to prepare for any incidents that do occur. Cybersecurity best practices that can help include: Prioritizing vulnerabilities based on risk. Protecting web-facing assets. Segmenting networks and critical assets. Hardening endpoints and infrastructure. Strong access controls, allowing no more access than is required, with frequent verification. A strong source of user identity and authentication, including multi-factor authentication and biometrics, as well as machine authentication with device compliance and health checks. Encryption of data at rest and in transit. Ransomware-resistant backups that are immutable, air-gapped, and isolated as much as possible. Honeypots that lure attackers to fake assets for early breach detection. Proper configuration of APIs and cloud service connections. Monitoring for unusual and anomalous activity with SIEM, Active Directory monitoring, endpoint security, and data loss prevention (DLP) tools. Routinely assessing and confirming controls through audits, vulnerability scanning, and penetration tests. Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. Additionally, Cyble’s third-party risk intelligence can help organizations carefully vet partners and suppliers, providing an early warning of potential risks. The post The Week in Vulnerabilities: SolarWinds, AI Fixes Urged by Cyble appeared first on Cyble.
Analysis Summary
As a vulnerability research specialist, here is the summarized, actionable intelligence extracted from the provided report context:
---
# Critical Vulnerability Summary Report (Weekly Track)
Overall Context: 1,093 new vulnerabilities tracked last week; over 200 have public PoCs. 83 rated Critical (CVSS v3.1), 28 rated Critical (CVSS v4.0). Several highlighted vulnerabilities show active tracking by threat actors or inclusion in CISA KEV.
## **Highest Priority Vulnerabilities (Active Interest/Inclusion)**
### Vulnerability: OpenClaw AI Assistant Token Leak
## CVE Details
- CVE ID: CVE-2026-25253
- CVSS Score: Critical (Severity mentioned, specific score not provided)
- CWE: N/A (Likely related to Improper Input Validation/Improper Neutralization)
## Affected Systems
- Products: OpenClaw open-source AI personal assistant (clawdbot or Moltbot)
- Versions: Before 2026.1.29
- Configurations: Any instance configured to receive user input handling the `gatewayUrl` query string.
## Vulnerability Description
The application automatically connects via WebSocket upon obtaining a `gatewayUrl` from a query string without requiring user confirmation. This allows an attacker to supply a malicious URL, leading to the leakage of the sensitive authentication token to an attacker-controlled server, enabling unauthorized session access.
## Exploitation
- Status: Receiving attention from security communities and threat actors on underground forums.
- Complexity: Likely Low (Automated network connection).
- Attack Vector: Network
## Impact
- Confidentiality: High (Auth token leakage).
- Integrity: Medium/High (Unauthorized access to the instance).
- Availability: Low
## Remediation
### Patches
- Fix is likely in OpenClaw version 2026.1.29 or later. (Target version: >= 2026.1.29)
### Workarounds
- Investigate all inbound requests containing a `gatewayUrl` query string.
- Restrict access to the OpenClaw instance endpoints.
## Detection
- Monitor WebSocket connection establishment attempts sourced from user-supplied or external input parameters.
- Monitor for exfiltration of authentication tokens.
## References
- Vendor Advisory: N/A (Open-source project focus)
---
### Vulnerability: SolarWinds Web Help Desk Unauthenticated Privilege Escalation
## CVE Details
- CVE ID: CVE-2025-40554
- CVSS Score: Critical (Severity mentioned, specific score not provided)
- CWE: Weak Authentication Mechanism
## Affected Systems
- Products: SolarWinds Web Help Desk
- Versions: Not specified, but pre-patch.
- Configurations: Network-accessible deployment.
## Vulnerability Description
A critical authentication bypass flaw exists due to a weak authentication mechanism. Unauthenticated remote attackers can exploit this flaw to invoke privileged actions and methods without needing valid credentials.
## Exploitation
- Status: Observed under discussion by threat actors on the dark web.
- Complexity: Low (Low complexity, no user interaction required).
- Attack Vector: Network
## Impact
- Confidentiality: High
- Integrity: High (Privileged actions possible).
- Availability: High
## Remediation
### Patches
- Upgrade SolarWinds Web Help Desk. (Specific patch information not provided in detail.)
### Workarounds
- Severely restrict network access to the Web Help Desk interface, ideally limiting access to only trusted internal networks or specific management jumpservers.
## Detection
- Monitor for privileged actions or configuration changes originating from unauthenticated sessions against the Web Help Desk service.
## References
- NVD: [NVD Link for CVE-2025-40554] (Defanged: nvd dot nist dot gov/vuln/detail/CVE-2025-40554)
---
### Vulnerability: SolarWinds Web Help Desk Remote Code Execution (RCE)
## CVE Details
- CVE ID: CVE-2025-40551
- CVSS Score: Critical (Severity mentioned, specific score not provided)
- CWE: Untrusted Data Deserialization
## Affected Systems
- Products: SolarWinds Web Help Desk
- Versions: Not specified, but pre-patch.
- Configurations: Network-accessible deployment.
## Vulnerability Description
An untrusted data deserialization vulnerability allows unauthenticated remote attackers to send specially crafted requests over the network. This can trigger Remote Code Execution (RCE), leading to arbitrary command execution with full system privileges on the host machine.
## Exploitation
- Status: Added to CISA Known Exploited Vulnerabilities (KEV) Catalog. **Active exploitation confirmed.**
- Complexity: Low (Network-based, unauthenticated).
- Attack Vector: Network
## Impact
- Confidentiality: High (Full system access).
- Integrity: High (Arbitrary command execution).
- Availability: High
## Remediation
### Patches
- Apply the official patch released by SolarWinds for CVE-2025-40551.
### Workarounds
- Isolate the affected server segment.
- Implement strict WAF rules to inspect and potentially block serialized object data destined for the application layer.
## Detection
- Monitor for unusual processes spawned by the Web Help Desk service account.
- Look for network connections originating from the host to external/unusual destinations post-request.
## References
- CISA KEV: Refer to CISA KEV catalog entry for CVE-2025-40551.
- NVD: [NVD Link for CVE-2025-40551] (Defanged: nvd dot nist dot gov/vuln/detail/CVE-2025-40551)
---
### Vulnerability: Ivanti EPMM Unauthenticated RCE
## CVE Details
- CVE ID: CVE-2026-1281
- CVSS Score: Critical (Severity mentioned, specific score not provided)
- CWE: Improper Input Sanitization (Leading to Code Injection)
## Affected Systems
- Products: Ivanti Endpoint Manager Mobile (EPMM)
- Versions: Not specified, but pre-patch.
- Configurations: Network-accessible deployment.
## Vulnerability Description
A critical code injection vulnerability resulting from improper input sanitization. Unauthenticated remote attackers can send crafted network requests to execute arbitrary code on the host without requiring privileges or user interaction.
## Exploitation
- Status: Added to CISA Known Exploited Vulnerabilities (KEV) Catalog. **Active exploitation confirmed.**
- Complexity: Low.
- Attack Vector: Network
## Impact
- Confidentiality: High (RCE allows data access).
- Integrity: High (Arbitrary code execution).
- Availability: High
## Remediation
### Patches
- Apply the security update for Ivanti EPMM addressing CVE-2026-1281.
### Workarounds
- Block all inbound traffic to the Ivanti EPMM management console unless strictly necessary for business operations.
## Detection
- Monitor EPMM logs for command injection payloads or unusual shell command execution attempts associated with inbound application traffic.
## References
- CISA KEV: Refer to CISA KEV catalog entry for CVE-2026-1281.
- NVD: [NVD Link for CVE-2026-1281] (Defanged: nvd dot nist dot gov/vuln/detail/CVE-2026-1281)
---
### Vulnerability: WinRAR Path Traversal Exploitation
## CVE Details
- CVE ID: CVE-2025-8088
- CVSS Score: Not provided (Severity discussed as exploitable)
- CWE: Path Traversal
## Affected Systems
- Products: WinRAR
- Versions: Not specified, but pre-patch.
## Vulnerability Description
A path traversal vulnerability within WinRAR allows attackers to escape constrained directories during archive operations.
## Exploitation
- Status: Actively exploited in the wild by sophisticated threat actors, including nation-states and financially motivated groups, for initial access and payload deployment.
- Complexity: Low/Medium (Requires user interaction via file opening).
- Attack Vector: Typically initial access via malicious archive.
## Impact
- Confidentiality: High
- Integrity: High
- Availability: Medium
## Remediation
### Patches
- Update WinRAR immediately.
### Workarounds
- Educate users strictly about not opening archives from untrusted sources.
## Detection
- Monitor endpoint anomalous file creation/modification activities following the opening of compressed archives.
## References
- NVD: [NVD Link for CVE-2025-8088] (Defanged: nvd dot nist dot gov/vuln/detail/CVE-2025-8088)
---
### Vulnerability: VMware ESXi Arbitrary Write (Ransomware Focus)
## CVE Details
- CVE ID: CVE-2025-22225
- CVSS Score: High Severity (Severity mentioned, specific score not provided)
- CWE: Arbitrary Write
## Affected Systems
- Products: VMware ESXi, Cloud Foundation, Telco Cloud Infrastructure
- Versions: Related to versions 9.7 and earlier for related libraries.
- Configurations: Hypervisor environments.
## Vulnerability Description
An arbitrary write vulnerability impacting the ESXi hypervisor. This allows for write primitives within the system memory space.
## Exploitation
- Status: Confirmed by CISA to be actively exploited by ransomware groups for initial intrusion.
- Complexity: High (Requires hypervisor interaction).
- Attack Vector: Network/Local (depending on specific variant).
## Impact
- Confidentiality: High
- Integrity: High (Full control over guest OS availability/integrity)
- Availability: High
## Remediation
### Patches
- Apply the necessary VMware security updates for the affected ESXi versions.
### Workarounds
- Network segmentation isolating ESXi management interfaces (vCenter/ESXi hosts) from the general user network.
- Enforcing strong access controls on hypervisor management planes.
## Detection
- Monitor for unexpected memory modification patterns or process crashes originating from the hypervisor kernel layer.
## References
- CISA KEV: This CVE is among the six KEVs recently tied to ransomware exploitation.
---
## **ICS Critical Vulnerabilities for Prioritization**
### Vulnerability: RISS SRL MOMA Seismic Station Unauthenticated Access
## CVE Details
- CVE ID: CVE-2026-1632
- CVSS Score: Critical (Maximum severity flagged)
## Affected Systems
- Products: RISS SRL MOMA Seismic Station software
- Versions: Not specified.
- Configurations: Systems exposing the web management interface over the network.
## Vulnerability Description
The web management interface lacks authentication entirely, enabling unauthenticated remote attackers to connect over the network and perform full device administration, including configuration modification, data access, and remote resets.
## Exploitation
- Status: Flagged for prioritization. Assumed accessible if exposed.
- Complexity: Low (Direct network access required).
- Attack Vector: Network
## Impact
- Confidentiality: High (Seismic data access).
- Integrity: High (Configuration modification).
- Availability: High (Remote device reset).
## Remediation
### Patches
- Contact RISS SRL for patch availability.
### Workarounds
- **CRITICAL:** Immediately isolate the MOMA Seismic Station web interface from untrusted networks (internet/corporate networks). Access should be via local, trusted circuits only.
## Detection
- Monitor network perimeter/firewalls for any unauthorized inbound HTTPS/HTTP traffic targeting this ICS device.
## References
- Vendor Advisory: Contact RISS SRL.
---
### Vulnerability: Johnson Controls Metasys Command Injection (SQLi)
## CVE Details
- CVE ID: CVE-2025-26385
- CVSS Score: Maximum Severity
## Affected Systems
- Products: Johnson Controls Metasys systems
- Versions: Not specified.
## Vulnerability Description
Unauthenticated remote attackers can inject SQL commands via the system's web interface, leading to successful database compromise (SQL Injection). This impacts critical building management systems controlling HVAC, lighting, and life-safety functions.
## Exploitation
- Status: Flagged for prioritization.
- Complexity: Medium/High (Requires knowledge of SQL syntax, but unauthenticated).
- Attack Vector: Network
## Impact
- Confidentiality: High (Database data exposure/theft).
- Integrity: Critical (Manipulation of physical controls).
- Availability: High (Disruption of critical building services).
## Remediation
### Patches
- Apply Johnson Controls updates for Metasys addressing CVE-2025-26385.
### Workarounds
- Implement input validation and parameterization on all Metasys web entry points.
- Place Metasys network segments behind deep-packet inspection firewalls capable of basic SQL injection pattern matching.
## Detection
- Active SQL statement monitoring on the database layer connected to the Metasys server.
## References
- Vendor Advisory: Contact Johnson Controls.
---
## **General Security Recommendations (Based on Report Conclusion)**
1. **Risk Prioritization:** Use risk scoring (CVSS, threat intelligence) to prioritize fixes.
2. **Asset Protection:** Focus patching efforts on external-facing assets first.
3. **Network Hardening:** Implement network segmentation to isolate critical IT and ICS assets.
4. **Access Control:** Enforce strong Zero Trust principles: least privilege and frequent verification.
5. **Authentication:** Mandate MFA and utilize machine health checks for device authentication.
6. **Data Protection:** Ensure encryption for data currently in use and at rest.
7. **Ransomware Resilience:** Implement immutable, air-gapped, and isolated backups.
8. **Proactive Defense:** Deploy honeypots for early breach detection.
9. **Configuration Management:** Securely configure APIs and cloud connections.
10. **Monitoring:** Enhance SIEM, AD, Endpoint Security, and DLP logging to detect anomalous activity.
11. **Verification:** Routinely audit and confirm control efficacy via vulnerability scanning and pen testing.