
The Week in Vulnerabilities: GitHub Enterprise, Argo CD, Oracle Identity Manager, and Mozilla Security Flaws

Cyble Weekly Vulnerability Report

The latest weekly vulnerability Insights report to clients by Cyble provides a detailed view of vulnerabilities tracked between April 15, 2026, and April 21, 2026. The findings show a slight dip in overall disclosures compared to the previous week, but active exploitation and evidence of real-world attacks continue to target enterprise, cloud, and open-source ecosystems.

During this reporting period, Cyble’s Vulnerability Intelligence module tracked 1,095 vulnerabilities, reflecting a decrease in volume after last week’s spike. However, the reduced number does not indicate lower risk. In fact, the presence of over 91 vulnerabilities with publicly available Proof-of-Concept (PoC) exploits increases the likelihood of rapid weaponization and exploitation in real-world environments. 

Additionally, Cyble observed 2 vulnerabilities actively discussed in underground forums, reinforcing that threat actors continue to prioritize high-impact flaws and accelerate their use in real-world attacks. 

Real-World Attacks and Threat Intelligence Observations 

As part of its weekly vulnerability Insights, CRIL leveraged its Threat Hunting capabilities to capture real-time attack data using distributed honeypot sensors. These systems recorded multiple instances of: 

  • Exploit attempts  

  • Financial fraud campaigns  

  • Brute-force attacks  

The Sensor Intelligence data further revealed targeted campaigns involving malware families such as: 

  • CoinMiner Linux  

  • WannaCry  

  • Linux Mirai Coin Miner  

  • Linux IRCBot  

  • Android Coin Hive Miner  

In addition to malware activity, phishing emails and brute-force attempts were also observed, demonstrating the breadth of real-world attacks targeting both users and infrastructure. 

The report also provides deeper visibility into attacker behavior, including: 

  • Top targeted countries  

  • Frequently abused ports  

  • Source IP intelligence  

  • Network operator attribution  

These insights reinforce how active exploitation is not limited to isolated vulnerabilities but is part of coordinated attack campaigns. 

Weekly Vulnerability Disclosure Overview 

Analysis of the weekly vulnerability Insights reveals several important patterns in vendor exposure and severity distribution. 

Top Vendors Impacted 

The highest number of reported vulnerabilities was associated with: 

  • Oracle  

  • Mozilla  

  • Google  

  • Dell  

  • FreeScout Help Desk  

This distribution highlights how both enterprise-grade platforms and open-source tools remain attractive targets for adversaries. 

Severity Breakdown 

  • 96 vulnerabilities were rated critical under CVSS v3.1  

  • 43 vulnerabilities were rated critical under CVSS v4.0  

Key Vulnerabilities Driving Real-World Attacks 

Several critical vulnerabilities stood out due to their potential for exploitation: 

  • CVE-2026-5921: A flaw in GitHub Enterprise Server involving Server-Side Request Forgery (SSRF) and a timing side-channel attack  

  • CVE-2026-6388: A critical issue in Argo CD Image Updater, widely used in Kubernetes environments  

  • CVE-2026-34287: A vulnerability in Oracle Identity Manager (OIM) Connector  

  • CVE-2026-6771: A flaw in Mozilla Firefox and Thunderbird DOM security  

These vulnerabilities are particularly dangerous because they target trusted development and identity systems, allowing attackers to: 

  • Execute arbitrary code  

  • Steal credentials  

  • Compromise entire servers  

Such weaknesses directly contribute to real-world attacks, as they enable adversaries to infiltrate core enterprise workflows with minimal resistance. 

CISA KEV Catalog: Evidence of Active Exploitation 

Between April 15 and April 21, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added 9 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. 

Notable KEV Additions 

  • CVE-2023-27351 (PaperCut MF/NG): This vulnerability allows unauthenticated remote code execution with SYSTEM privileges. It has been widely exploited by ransomware groups such as Clop and LockBit.  

  • CVE-2025-48700 (Zimbra Collaboration Suite): A Cross-Site Scripting (XSS) flaw that can be leveraged for session hijacking and data theft.  

  • CVE-2026-20133 (Cisco Catalyst SD-WAN Manager): An information disclosure vulnerability exposing sensitive network data.  

So far in April 2026, CISA has added 23 vulnerabilities to the KEV catalog, further emphasizing the scale of active exploitation across industries.

Trending Vulnerabilities and Resurgence of Real-World Attacks 

Among the most notable cases in this week’s weekly vulnerability Insights is the resurgence of older vulnerabilities being reused in new campaigns. 

CVE-2024-3721 (TBK DVR Devices) 

A critical OS command injection flaw affecting TBK Digital Video Recorders has re-emerged due to a new Mirai-based botnet variant called “Nexcorium.” 

This botnet is actively scanning for vulnerable DVR models (DVR-4104 and DVR-4216) to recruit them into a distributed denial-of-service (DDoS) network. Its inclusion in the KEV catalog confirms ongoing active exploitation and highlights how legacy devices continue to fuel real-world attacks. 

CVE-2025-0520 (ShowDoc) 

A remote code execution vulnerability allows attackers to upload malicious PHP files to publicly accessible directories. Once uploaded, these files can be executed to gain control over the server. 

This simple yet effective attack vector has made ShowDoc a frequent target in real-world attacks. 
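The ShowDoc flaw above is an instance of a general defect: an upload handler that stores a client-supplied file name under a web-served directory, so a `.php` upload becomes server-side code. The following is an added illustration of the server-side checks that close that class of bug; it is not ShowDoc's code or its fix, and the allowlist, magic-byte table and function names are assumptions made for the example.

```python
"""Upload validation that refuses interpreter-executable content.
Added example, not ShowDoc's code; allowlist and helper names are assumptions."""
import os
import re
import secrets

# File types the document store is meant to accept (constructed allowlist).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "md"}

# Extensions a typical web server hands to an interpreter; never written under web root.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "phtml", "phar",
    "jsp", "asp", "aspx", "cgi", "pl", "sh",
}

# Leading bytes for the binary formats on the allowlist (constructed table).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}

# PHP open tags inside otherwise "harmless" text are refused as well.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Every extension segment is checked, not just the last."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any directory part
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension"
    exts = parts[1:]
    # Double extensions such as "doc.php.png" are rejected outright.
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, "executable extension"
    ext = exts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not on allowlist"
    magic = MAGIC.get(ext)
    if magic and not content.startswith(magic):
        return False, "content does not match declared type"
    if PHP_TAG.search(content):
        return False, "embedded PHP code"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Server-chosen random name; the client's name never reaches the filesystem.
    The file should additionally live outside the web root and be served via a handler."""
    ext = os.path.basename(filename).rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed PNG header
    print(validate_upload("photo.png", png))            # accepted
    print(validate_upload("photo.php.png", png))        # executable extension
    print(validate_upload("notes.txt", b"<?php echo 1;"))  # embedded PHP code
    print(storage_name("photo.PNG"))
```

The two checks that matter most against the pattern described above are the rejection of any executable extension anywhere in the name and the random, server-chosen storage name; the magic-byte and tag checks are defence in depth for servers whose handler mapping is looser than expected.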

Underground Activity and Exploit Development 

CRIL’s monitoring of underground forums revealed continued interest in weaponizing vulnerabilities for active exploitation. 

Notable Vulnerabilities Discussed 

  • CVE-2026-33825 (Microsoft Defender): A privilege escalation flaw linked to the “BlueHammer” exploit family, allowing attackers to gain SYSTEM-level access and extract sensitive data such as NTLM hashes.  

  • CVE-2025-8941 (Linux-PAM): A path traversal vulnerability enabling privilege escalation through symlink attacks.  

  • CVE-2026-38526 (Krayin CRM): An authenticated file upload vulnerability leading to remote code execution.  

  • CVE-2026-26980 (Ghost CMS): A SQL injection flaw allowing unauthorized database access and data exfiltration.  

The timeline analysis shows rapid transitions from disclosure to exploit availability, reinforcing the speed at which real-world attacks can materialize. 

Persistent Risk Despite Lower Volume 

This week’s vulnerability Insights show that even with fewer disclosures, the risk of active exploitation and real-world attacks remains significant. With 91+ PoC-backed vulnerabilities, new KEV additions, and ongoing underground activity, attackers continue to move quickly from discovery to exploitation. In this environment, organizations need proactive, intelligence-driven defenses.  

Cyble’s AI-powered threat intelligence platform provides real-time visibility, predictive insights, and automated security operations to help teams stay ahead of evolving threats. Organizations can explore these capabilities further by scheduling a demo with Cyble. 

The post The Week in Vulnerabilities: GitHub Enterprise, Argo CD, Oracle Identity Manager, and Mozilla Security Flaws appeared first on Cyble.

How AutoSecT Uses AI to Find Vulnerabilities That Actually Matter

We always think we are more vulnerable than our fellow contemporaries! In general sense, this shows lack of confidence, but when you are dealing with security, this is one of the best traits you can have! Sounds strange, right! Let’s be honest, most security teams aren’t short on vulnerability data. They’re drowning in it. Scan […]

The post How AutoSecT Uses AI to Find Vulnerabilities That Actually Matter appeared first on Kratikal Blogs.

The post How AutoSecT Uses AI to Find Vulnerabilities That Actually Matter appeared first on Security Boulevard.

The Week in Vulnerabilities: SharePoint, Fortinet, OpenClaw, and GPL Odorizers

Weekly Vulnerability Report, Vulnerability Management

Cyble Research & Intelligence Labs' (CRIL) weekly vulnerability report tracked 1,675 vulnerabilities last week, reflecting continued high disclosure volume across enterprise software, cloud services, and emerging AI ecosystems.

Of these, more than 205 vulnerabilities have publicly available Proof-of-Concept (PoC) exploits, significantly increasing the likelihood of exploitation and shortening attacker weaponization timelines.

Additionally, 2 vulnerabilities were actively discussed across underground forums and hidden communities, demonstrating continued adversarial focus on high-impact enterprise targets.

A total of 111 vulnerabilities were rated critical under CVSS v3.1, while 34 received critical severity under CVSS v4.0, underscoring the seriousness of newly disclosed issues.

Furthermore, CISA added 10 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.

On the industrial side, CISA issued 3 ICS advisories covering 4 vulnerabilities, impacting Mitsubishi Electric, Contemporary Controls, Sedona Alliance, and GPL Odorizers.

Weekly Vulnerability Report’s Top Flaws

CVE-2026-32201 — Microsoft SharePoint Server (Critical)

CVE-2026-32201 is an actively exploited vulnerability affecting Microsoft SharePoint Server and was included in April 2026 Patch Tuesday disclosures.

Successful exploitation could allow attackers to compromise collaboration environments, access sensitive enterprise content, and establish persistent footholds inside corporate networks.

CVE-2026-21643 — Fortinet FortiClient EMS (Critical)

CVE-2026-21643 is a critical vulnerability affecting Fortinet FortiClient Endpoint Management Server (EMS).

Because EMS platforms centrally manage endpoints, successful exploitation can enable attackers to disrupt security operations, deploy malicious configurations, and gain broad enterprise access.

CVE-2026-35652 — OpenClaw AI Agent Framework (High)

CVE-2026-35652 is a high-severity authorization bypass vulnerability in OpenClaw, an open-source autonomous AI agent framework.

The flaw allows unauthorized external parties to manipulate the AI agent into executing restricted actions without proper authentication, creating risk of workflow abuse, credential exposure, and downstream compromise.

CVE-2026-27304 — Adobe ColdFusion (Critical)

CVE-2026-27304 is a critical improper input validation vulnerability in Adobe ColdFusion.

Attackers can exploit vulnerable web application environments to execute malicious actions, compromise servers, and move laterally through connected systems.

CVE-2026-29145 — Microsoft 365 Outlook Desktop Client (Critical)

CVE-2026-29145 affects Microsoft 365, specifically the Outlook desktop client.

Given Outlook’s role in enterprise communications, exploitation may enable phishing enhancement, malicious payload execution, or unauthorized access to user data.

Trending Exploitation Activity

CVE-2025-0520 — ShowDoc (Critical)

A remote code execution vulnerability in ShowDoc, a popular open-source IT documentation platform, saw a sharp rise in exploitation during April 2026. Attackers are reportedly targeting unpatched servers to deploy web shells and seize control of documentation environments.

CVE-2025-59528 — Flowise (Critical)

A remote code execution flaw in Flowise, a low-code platform for building AI agents and LLM workflows, has been linked to large-scale exploitation targeting more than 12,000 internet-exposed instances.

These cases reinforce the rapid expansion of the AI and developer tooling attack surface.

Vulnerabilities Added to CISA KEV

CISA expanded its KEV catalog with 10 newly listed vulnerabilities this week.

Notable additions include:

  • CVE-2026-32201 — Microsoft SharePoint Server
  • CVE-2026-21643 — Fortinet FortiClient EMS
  • CVE-2026-1340 — Ivanti Endpoint Manager Mobile (EPMM)

The inclusion of collaboration tools, endpoint management systems, and mobile management platforms shows attackers are prioritizing centralized enterprise control layers.

Critical ICS Vulnerabilities

CISA issued 3 ICS advisories covering 4 vulnerabilities, with the majority falling into the high-severity category.

CVE-2025-13926 — Contemporary Controls BASControl20 (Critical)

This vulnerability affects a building automation controller widely deployed across energy facilities, manufacturing plants, and commercial buildings. With a CVSS score of 9.8 and no patch available because the product is obsolete, organizations face limited remediation options beyond replacement or network isolation.

Successful exploitation could allow attackers to manipulate physical systems, disrupt operations, or pivot deeper into OT networks.

CVE-2025-14815 / CVE-2025-14816 — Mitsubishi Electric Platforms (High)

These vulnerabilities expose sensitive configuration and authentication data in plaintext across multiple Mitsubishi Electric products.

An attacker with minimal access could harvest credentials and escalate privileges rapidly, broadening the impact of an initial compromise.

CVE-2026-4436 — GPL Odorizers (High)

A missing authentication flaw in GPL Odorizers could allow unauthorized access to critical functions in systems used within industrial environments.

Impacted Critical Infrastructure Sectors

Analysis of ICS disclosures shows:

  • Critical Manufacturing was impacted in all reported cases
  • Additional cross-sector exposure affected:
    • Commercial Facilities
    • Energy

This concentration highlights how industrial vulnerabilities can create cascading operational risk across interconnected sectors.

Conclusion

This week’s findings highlight several major trends:

  • Continued high-volume vulnerability disclosures
  • Active exploitation confirmed through KEV additions
  • Rising attacks against AI frameworks and developer tooling
  • Persistent weaknesses in industrial control environments
  • Increased focus on centralized enterprise management systems

With 205+ public PoCs, active underground interest, and exploitable OT exposures, organizations face heightened risk across both IT and operational technology environments.

Key Recommendations

  • Prioritize remediation of KEV-listed vulnerabilities immediately
  • Patch externally exposed enterprise systems and collaboration platforms
  • Secure AI agents, automation tools, and developer workflows
  • Harden endpoint and mobile device management infrastructure
  • Segment IT and OT environments to reduce lateral movement
  • Replace or isolate obsolete industrial devices lacking patches
  • Continuously monitor underground forums and threat intelligence feeds
  • Conduct regular vulnerability assessments and penetration testing


Cyble’s attack surface management and vulnerability intelligence solutions help organizations identify exposed assets, prioritize remediation, and detect early indicators of compromise. By combining threat intelligence with proactive defense strategies, organizations can strengthen resilience across enterprise and critical infrastructure environments.

The post The Week in Vulnerabilities: SharePoint, Fortinet, OpenClaw, and GPL Odorizers appeared first on Cyble.

Microsoft Patch Still Leaves 1,300 SharePoint Servers Exposed

More than 1,300 internet-exposed SharePoint servers remain unpatched against CVE-2026-32201, a spoofing flaw Microsoft says was exploited as a zero-day.

The post Microsoft Patch Still Leaves 1,300 SharePoint Servers Exposed appeared first on TechRepublic.

Mozilla Fixes 271 Firefox Bugs Using Anthropic’s Mythos AI

Mozilla says Firefox 150 patches 271 vulnerabilities found with Anthropic’s restricted Mythos AI, highlighting how quickly AI-driven bug hunting is accelerating.

The post Mozilla Fixes 271 Firefox Bugs Using Anthropic’s Mythos AI appeared first on TechRepublic.

We Need a Shared Responsibility Model for AI

Over the past 6-8 months, researchers at my company discovered vulnerabilities across multiple AI tools that allowed external bad actors to steal data, exploit AI browsers, or poison the core memories of AI systems. As we responsibly disclosed these flaws, we found that AI vendors almost universally told us, “It’s not our problem.” In their..

The post We Need a Shared Responsibility Model for AI appeared first on Security Boulevard.

National Vulnerability Database (NVD) Shifts to Selective Enrichment as CVE Volume Surges

Under a new model announced by the National Institute of Standards and Technology, NVD will no longer enrich every CVE. Instead, enrichment efforts will focus on a defined subset, including vulnerabilities in the CISA KEV catalog, software used by the federal government, and software designated as critical.

The post National Vulnerability Database (NVD) Shifts to Selective Enrichment as CVE Volume Surges appeared first on Flashpoint.

The post National Vulnerability Database (NVD) Shifts to Selective Enrichment as CVE Volume Surges appeared first on Security Boulevard.

The Week in Vulnerabilities: Azure AI, Spring AI, Fortinet, and Critical ICS Exposure

Weekly Vulnerability Report, Cyble Weekly Vulnerability Report, Vulnerability Intelligence, Vulnerability Management

Cyble Research & Intelligence Labs (CRIL) in its weekly vulnerability report tracked 1,431 bugs last week.

Of these, over 270 vulnerabilities have publicly available Proof-of-Concept (PoC) exploits, significantly accelerating exploitation timelines and increasing real-world attack likelihood.

Additionally, 3 vulnerabilities were actively discussed across underground forums, signaling strong adversarial interest and rapid weaponization.

A total of 130 vulnerabilities were rated critical under CVSS v3.1, while 45 were rated critical under CVSS v4.0, reflecting the severity of disclosed issues.

Furthermore, CISA added 3 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.

On the industrial front, CISA issued 5 ICS advisories covering 6 vulnerabilities, impacting vendors such as Siemens, Hitachi Energy, and Yokogawa.

Weekly Vulnerability Report’s Top 5 Vulnerabilities

CVE-2026-32213 — Microsoft Azure AI Foundry (Critical)

CVE-2026-32213 is a critical authorization bypass vulnerability in Microsoft Azure AI Foundry.

The flaw exists in the platform’s authorization logic, allowing unauthenticated attackers to bypass security checks and grant themselves administrative privileges. Successful exploitation enables full control over AI environments and associated resources.

CVE-2026-35022 — Claude Code CLI / Agent SDK (Critical)

CVE-2026-35022 is a critical OS command injection vulnerability affecting Anthropic’s Claude Code CLI and Agent SDK.

The vulnerability allows attackers to inject malicious commands into development workflows, resulting in remote code execution and potential compromise of AI pipelines.

CVE-2026-22738 — Spring AI (Critical)

CVE-2026-22738 is a remote code execution vulnerability in Spring AI caused by improper input sanitization in expression evaluation.

Attackers can inject malicious expressions that are executed by the Spring Expression Language, leading to complete application and server compromise.

CVE-2026-4631 — Cockpit (Critical)

CVE-2026-4631 is an unauthenticated remote code execution vulnerability in Cockpit, a web-based Linux server management interface.

The flaw allows attackers to execute arbitrary commands without authentication, potentially leading to full system takeover in enterprise environments.

CVE-2026-35616 — Fortinet FortiClient EMS (Critical)

CVE-2026-35616 is a critical authentication bypass vulnerability in Fortinet FortiClient EMS.

Attackers can bypass authentication and execute arbitrary commands, leading to complete compromise of endpoint management systems.

Data Source: Cyble Vision

Vulnerabilities Added to CISA KEV

CISA continues to expand its KEV catalog, reflecting real-world exploitation trends.

Notable addition:

CVE-2026-35616 — Fortinet FortiClient EMS
This vulnerability enables authentication bypass and remote command execution, making it a high-priority remediation target.

The inclusion of enterprise security tools in KEV highlights attackers’ focus on compromising centralized management systems.

Critical ICS Vulnerabilities

CISA issued 5 ICS advisories covering 6 vulnerabilities, many of which impact critical infrastructure environments.

Data Source: Cyble Vision

CVE-2026-1579 — PX4 Autopilot (Critical)

A missing authentication vulnerability allowing attackers to execute critical functions without credentials.

This flaw poses risks to autonomous and unmanned systems, potentially enabling unauthorized control.

CVE-2026-3356 — Anritsu Systems (Critical)

This vulnerability involves missing authentication in Anritsu devices, allowing attackers to gain unauthorized access.

CVE-2025-10492 — Hitachi Energy Ellipse (Critical)

A deserialization vulnerability enabling attackers to execute arbitrary code within industrial systems.

Siemens SICAM 8 (Chained Risk)

Two vulnerabilities affecting Siemens SICAM 8 systems—resource exhaustion and out-of-bounds write—can be chained together.

This creates a denial-of-service risk capable of disrupting industrial processes and operational visibility.

CVE-2025-7741 — Yokogawa CENTUM VP (Medium)

A hard-coded password vulnerability that weakens authentication mechanisms and increases risk of unauthorized access.

Critical Infrastructure Sectors Spotlight

Data Source: Cyble Vision

Analysis indicates:

  • Critical Manufacturing appears in 66.7% of vulnerabilities
  • Cross-sector exposure spans:
    • Transportation Systems
    • Emergency Services
    • Defense Industrial Base
    • Communications

This highlights interconnected infrastructure risks, where a single vulnerability can cascade across multiple sectors.

Conclusion

This week’s findings highlight several critical trends:

  • Expansion of vulnerabilities into AI and development ecosystems
  • Increasing exploitation of enterprise management platforms
  • Continued weaknesses in industrial control systems
  • Cross-sector risk amplification in critical infrastructure

With 270+ PoCs, KEV-confirmed exploitation, and emerging threats in AI frameworks, organizations face heightened risk across both digital and physical environments.

Key Recommendations

  • Prioritize vulnerabilities with PoCs and KEV inclusion
  • Secure AI development environments and pipelines
  • Patch enterprise management and remote access systems immediately
  • Implement strict authentication and access control mechanisms
  • Segment IT and OT networks to prevent lateral movement
  • Apply compensating controls for unpatched ICS vulnerabilities
  • Monitor underground forums and threat intelligence feeds
  • Conduct continuous vulnerability assessments and penetration testing


Cyble’s attack surface management and vulnerability intelligence solutions help organizations proactively identify risks, prioritize remediation, and detect emerging threats. By integrating intelligence-driven security strategies, organizations can strengthen resilience across enterprise and critical infrastructure environments.

The post The Week in Vulnerabilities: Azure AI, Spring AI, Fortinet, and Critical ICS Exposure appeared first on Cyble.

Breaking the Patch Sound Barrier: Your Vulnerability Remediation Will Not Keep Up With AI Exploit Speed. So?

Many years ago while at Gartner, I wrote a blog post where I defined the concept of the “Patch Sound Barrier.” (original via Archive if you don’t believe that I was that smart back in 2013 :-)) This was an idea of a maximum speed that a given organization could fix a given vulnerability. If you full throttle beyond that, the engines will whirr louder, but the plane won’t fly faster, essentially.

Gemini illustration for this

The discussion arose from people constantly asking about the “optimal” or “desired” speed of patching. In my time as an analyst, I reviewed plenty of policies as well as “operational practices” (which is what people call it when they don’t actually follow their own policy “because reasons” :-)). BTW, I utterly hated “30 days flat” policies that say that vulnerabilities are fixed within 30 days no matter what, and always steered people to more nuanced risk-based policies.

One concept emerged: Given a particular IT environment, there is often a maximum physical speed at which an organization can patch. That is my Patch Sound Barrier.

Why bring this up now? Because the speed of vulnerability discovery is accelerating, and so is the speed of exploit development, but for many organizations the speed of remediation simply cannot be accelerated. It is not accelerating, because it cannot. Full stop.

In the past, my guidance was to focus on better vulnerability prioritization so that you fix “real risks” using CISA KEV, EPSS, CVSS (OK, maybe not in the 2020s) and various tools that analyze the data and give you a ranked list.

But today we will have more vulns and prioritization tools won’t save you. If you have 1,000,000 vulns and 1000 are “risky for you” (however defined, let’s say you have the magical tool that reveals the true and real risk for your organization … ha), you can reduce the risk enough by fixing the 1000, if you have the bandwidth to fix the 1000 (in theory). Now, imagine you have 10m vulns (thanks AI!) and say 5000 are risky. But your bandwidth is there to only fix the 1000. So your risk goes up anyway, while you work as hard as before.
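The argument above (prioritization helps only while the number of risky findings fits inside the fix bandwidth) can be made concrete. The following is an added example, not code from the post: it ranks a constructed backlog with the signals the post names (KEV, EPSS, CVSS, plus exposure), applies a fixed remediation budget, and reports how many risky items are left. The sort order, the definition of "risky", and the synthetic data are assumptions chosen for the illustration.

```python
"""Risk-based prioritization against a fixed remediation budget.
Added example, not from the post; weights, threshold and sample data are assumptions."""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float      # 0-10 base score
    epss: float      # 0-1 estimated probability of exploitation
    in_kev: bool     # listed in CISA KEV
    exposed: bool    # asset reachable from the internet


def risk_rank(v: Vuln) -> tuple:
    """Sort key: KEV first, then internet exposure, then EPSS, CVSS as tiebreak."""
    return (v.in_kev, v.exposed, v.epss, v.cvss)


def is_risky(v: Vuln) -> bool:
    """Assumed definition of 'risky for you': KEV-listed, or exposed with EPSS >= 0.1."""
    return v.in_kev or (v.exposed and v.epss >= 0.1)


def plan(backlog: list, bandwidth: int) -> dict:
    """Fix the top `bandwidth` items by rank; report what risky work remains."""
    ordered = sorted(backlog, key=risk_rank, reverse=True)
    fixed, unfixed = ordered[:bandwidth], ordered[bandwidth:]
    return {
        "backlog": len(backlog),
        "risky_total": sum(is_risky(v) for v in backlog),
        "risky_fixed": sum(is_risky(v) for v in fixed),
        "risky_left": sum(is_risky(v) for v in unfixed),
    }


def synthetic_backlog(n: int, risky_fraction: float, seed: int = 7) -> list:
    """Constructed backlog: a fixed share is genuinely risky, the rest is noise."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        risky = i < int(n * risky_fraction)
        out.append(Vuln(
            cve=f"CVE-0000-{i:06d}",  # placeholder identifier, not a real CVE
            cvss=round(rng.uniform(7.0, 10.0) if risky else rng.uniform(2.0, 9.8), 1),
            epss=round(rng.uniform(0.2, 0.95) if risky else rng.uniform(0.0, 0.05), 3),
            in_kev=risky and rng.random() < 0.3,
            exposed=risky or rng.random() < 0.3,
        ))
    return out


if __name__ == "__main__":
    bandwidth = 100  # the organization's patch sound barrier, per cycle
    # Scaled-down versions of the post's two scenarios.
    print(plan(synthetic_backlog(10_000, 0.01), bandwidth))   # 100 risky: all fixed
    print(plan(synthetic_backlog(50_000, 0.01), bandwidth))   # 500 risky: 400 left over
```

With a perfect ranking the first scenario ends with zero risky items unfixed; in the second the same team, working at the same rate, leaves 400 risky items open every cycle. No change to the ranking function alters that outcome, which is the point of the post.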

Now, you might say, “Anton, you’re making absolute statements. Surely things are flexible given enough money, enough talented engineers, and these days, enough LLM tokens?”

This is true in theory. But notice I said, “given the IT environment.”

There are definitely methods for accelerating remediation in a modern, beautifully and carefully designed environment (check our podcast episode 109 for those ideas).

But let’s review the scoreboard:

  • The speed of vulnerability discovery? Increased.
  • The speed of exploit development? Increased.
  • The speed of remediation in legacy environments? Unchanged.

OK, some of you might still think “cannot” is too harsh. But people at modern organizations — all DevOps, CI/CD, open source and now AI agents — sometimes cannot comprehend what it takes to deal with a 1990s-era “DBA from Hell” who views his beloved database as a pet, not cattle, and will only allow a patch twice a year on a rigid schedule. Don’t even get me started on OT or the sea of unpatched edge appliances out there (there are “forti” millions of them there, I hear …)

So, yes, I spent years providing recommendations on how to deal with this “vulnerability flood.” This isn’t just about the current fascination with AI; at one point, the “boogeyman” was Metasploit, or something else. Or, as old people told me, SATAN / SANTA in the mid-1990s.

The fact remains: there are more risky vulns than you have time / capability. Today. AI can find the bugs in milliseconds, but it still can’t convince a legacy middleware admin to reboot a production server on a Tuesday. Or in July. Or in 2026. Or this freakin’ century …

So far it sounds like a rehash of my past ideas, but I actually want to leverage some thoughts from Phil Venables’ blog series about speed (“Things Are Getting Wild: Re-Tool Everything for Speed” and “Cybersecurity’s Need for Speed & Where To Find It”).

Before we go there, we must remember that risk can be reduced without remediating vulnerabilities. This was often the most insightful bit I shared with clients back in my analyst days: Sometimes your focus must be on reducing your risk, rather than fixing the bug. Kinda “assume the breach”, but for vulns: “assume you can’t patch”, then what?

So, how do you get speed to break through the sound barrier (alert: these do NOT apply to everybody):

  • Brutally destroy legacy systems; if it cannot be patched quickly and safely, don’t use it. Think “SaaS and Chromebooks” (and cloud) world. Don’t think 1980s ERP crap.
  • Modernize. Kill pets. Grow cattle. Ideally, get replaceable tiny insects as cattle. They are simpler, more replaceable and less cute. Think “pets -> cattle -> insects.” [P.S. I do not recall where I got this idea, if I stole this from you, I am sorry — happy to restore credit if you tell me]
  • Evolve IT culture to accept automatic patching, everywhere. If Chrome can autopatch 1b systems safely for 10 years, perhaps there is a way to do it, eh?
  • Eliminate the risk entirely (e.g., via micro-segmentation or data avoidance) when patching is impossible. If you cannot remove the vuln, remove the connection, the system or the entire business process.
  • Shift focus from patching to overall IT lifecycle velocity by decoupling the application from infrastructure. In faster IT, patching is faster. Fight friction, just like you fight toil.

These are some ideas on how to shift from “floor the gas” to “build a supersonic plane” to break the patch sound barrier! Are you still debating patch cycles, or are you architecting your way out of the need for them? Please share more!

Enjoy … living in interesting times!


Breaking the Patch Sound Barrier: Your Vulnerability Remediation Will Not Keep Up With AI Exploit… was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.

The post Breaking the Patch Sound Barrier: Your Vulnerability Remediation Will Not Keep Up With AI Exploit… appeared first on Security Boulevard.

The Week in Vulnerabilities: OpenClaw, FreeBSD, F5 BIG-IP, and Critical ICS Bugs

Weekly Vulnerability Report

Cyble Research & Intelligence Labs (CRIL) weekly vulnerability report tracked 1,960 vulnerabilities last week, reflecting a continued surge in vulnerability disclosures across enterprise and cloud ecosystems.

Of these, 248 vulnerabilities have publicly available Proof-of-Concept (PoC) exploits, significantly increasing the likelihood of real-world attacks and accelerating exploitation timelines.

Additionally, at least 5 vulnerabilities were actively discussed across underground forums, indicating strong attacker interest and rapid weaponization.

A total of 214 vulnerabilities were rated critical under CVSS v3.1, while 57 were rated critical under CVSS v4.0.

Furthermore, CISA added 4 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.

On the industrial side, CISA issued 7 ICS advisories covering 10 vulnerabilities, impacting vendors such as Schneider Electric, WAGO, and PTC.

Weekly Vulnerability Report’s Top 5 CVEs

CVE-2026-32917 — OpenClaw (Critical)

CVE-2026-32917 is a critical remote command injection vulnerability affecting OpenClaw, an AI agent framework.

The flaw occurs in the iMessage attachment staging workflow, allowing attackers to inject commands into remote systems. Successful exploitation enables arbitrary command execution, potentially leading to full system compromise.

CVE-2026-4747 — FreeBSD RPCSEC_GSS (Critical)

CVE-2026-4747 is a critical stack-based buffer overflow vulnerability in FreeBSD caused by improper bounds checking in packet handling.

Attackers can send specially crafted requests to trigger a stack overflow, resulting in remote code execution with kernel-level privileges, enabling full system takeover.

CVE-2026-31883 — FreeRDP (Critical)

CVE-2026-31883 is a heap-based buffer overflow vulnerability in FreeRDP’s audio decoding components.

A malicious RDP server or man-in-the-middle attacker can exploit this flaw to execute arbitrary code, potentially compromising remote desktop clients and enterprise environments.

CVE-2026-1207 — Django (High)

CVE-2026-1207 is a SQL injection vulnerability in Django applications using PostGIS RasterField lookups.

Insufficient input validation allows attackers to inject malicious SQL queries, leading to data exposure, modification, and potential lateral movement within backend systems.

CVE-2025-53521 — F5 BIG-IP APM (Critical)

CVE-2025-53521 is a critical vulnerability in F5 BIG-IP Access Policy Manager, initially classified as a DoS flaw but later reclassified as unauthenticated remote code execution following active exploitation.

This vulnerability allows attackers to gain full control of access management systems, posing significant risks to enterprise networks.

Top 10 Impacted Products
Data Source: Cyble Vision

Vulnerabilities Added to CISA KEV

CISA continued expanding its KEV catalog, reflecting active exploitation trends.

Notable addition:

CVE-2025-53521 — F5 BIG-IP APM
Initially considered a denial-of-service flaw, it was reclassified as a remote code execution vulnerability after evidence of active exploitation emerged.

This shows how vulnerabilities can evolve in severity over time, reinforcing the need for continuous reassessment and monitoring.

Critical ICS Vulnerabilities

CISA issued 7 ICS advisories covering 10 vulnerabilities, with several rated critical.

CISA ICS Vendor Spotlight
Data Source: Cyble Vision

CVE-2026-2417 — Pharos Controls (Critical)

This vulnerability involves missing authentication for critical functions in Mosaic Show Controller firmware.

Attackers can exploit this flaw to gain unauthorized control over industrial systems, potentially disrupting operations.

CVE-2025-49844 — Schneider Electric Plant iT/Brewmaxx (Critical)

A use-after-free vulnerability in Schneider Electric’s industrial automation platform can lead to memory corruption and system compromise.

The presence of multiple vulnerabilities in this platform reflects systemic risk across widely deployed industrial environments.

CVE-2026-3587 — WAGO Managed Switches (Critical)

This vulnerability exposes hidden functionality in industrial switches, potentially enabling attackers to bypass controls and gain unauthorized access.

CVE-2026-4681 — PTC Windchill PDMLink (Critical)

This vulnerability involves improper control of code generation and currently has no available patch, leaving organizations exposed.

Grassroots DICOM (High, Unpatched)

A memory management flaw in Grassroots DICOM impacts healthcare imaging systems, with no vendor patch available, increasing risk to medical infrastructure.

Impacted Critical Infrastructure Sectors

Analysis shows that:

  • Commercial Facilities appear in 70% of ICS vulnerabilities
  • Critical Manufacturing and Energy each account for 60%

Healthcare, communications, and transportation sectors also face exposure.

Impacted Critical Infrastructure Sectors
Data Source: Cyble Vision

This distribution shows the strong cross-sector dependencies, where vulnerabilities in industrial platforms can cascade into multiple critical infrastructure domains.

Conclusion

This week’s findings highlight a convergence of:

  • Increasing vulnerability volume and severity
  • Rapid exploitation cycles driven by PoC availability
  • Active underground discussion and weaponization
  • Persistent weaknesses in industrial control systems

With 248 publicly available PoCs, KEV additions confirming active exploitation, and unpatched ICS vulnerabilities, organizations face significant risk across both enterprise IT and operational technology environments.

Key Recommendations

  • Prioritize vulnerabilities based on exploit availability and operational impact
  • Patch critical enterprise systems and externally exposed services immediately
  • Implement strong input validation and secure coding practices
  • Harden remote access and RDP environments
  • Segment IT and OT networks to limit lateral movement
  • Apply compensating controls for unpatched ICS vulnerabilities
  • Continuously monitor threat intelligence and underground forums
  • Conduct regular vulnerability assessments and penetration testing

Cyble’s attack surface management and vulnerability intelligence solutions enable organizations to identify exposed assets, prioritize remediation, and detect early indicators of compromise. By combining threat intelligence with proactive defense strategies, organizations can effectively mitigate evolving risks across enterprise and critical infrastructure environments.

The post The Week in Vulnerabilities: OpenClaw, FreeBSD, F5 BIG-IP, and Critical ICS Bugs appeared first on Cyble.

The Week in Vulnerabilities: AI Frameworks, VMware, and Critical ICS Exposure

Cyble weekly vulnerabilities report

Cyble Research & Intelligence Labs (CRIL) tracked 1,452 vulnerabilities last week, reflecting the continued expansion of the global attack surface.  

Of these, 222 vulnerabilities have publicly available Proof-of-Concept (PoC) exploits, significantly increasing the likelihood of exploitation in real-world environments.

Additionally, multiple vulnerabilities surfaced across underground forums, with at least 7 actively discussed exploits, indicating strong adversarial interest and rapid weaponization cycles.  

A total of 128 vulnerabilities were rated critical under CVSS v3.1, while 47 were rated critical under CVSS v4.0, highlighting the severity of newly disclosed issues.  

Furthermore, CISA added 8 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.  

On the industrial front, CISA issued 12 ICS advisories covering 150 vulnerabilities, impacting major vendors including FESTO, Schneider Electric, Siemens, and Mitsubishi Electric.  

The Week’s Top Vulnerabilities 

CVE-2026-25769 — Wazuh (Critical) 

CVE-2026-25769 is a critical remote code execution vulnerability in Wazuh caused by the deserialization of untrusted data in cluster deployments.  

Attackers with access to a worker node can send malicious serialized payloads to the master node, resulting in remote code execution with root privileges. This enables full compromise of the centralized security monitoring infrastructure. 

CVE-2026-20131 — Cisco Secure Firewall Management Center (Critical) 

CVE-2026-20131 is a maximum-severity vulnerability allowing unauthenticated attackers to execute arbitrary Java code as root on affected systems.  

The vulnerability is reportedly being exploited by ransomware groups, enabling complete takeover of firewall management systems and downstream enterprise networks. 

CVE-2026-4342 — Kubernetes ingress-nginx (High) 

CVE-2026-4342 is a configuration injection vulnerability that allows attackers to inject malicious configurations via crafted ingress annotations.  

Successful exploitation can lead to remote code execution and exposure of Kubernetes secrets, significantly expanding attacker control across containerized environments. 

CVE-2026-22721 — VMware Aria Operations (High) 

CVE-2026-22721 is a privilege escalation vulnerability that allows attackers with limited access to elevate privileges to administrative levels.  

This enables attackers to manipulate monitoring systems, access sensitive data, and expand control across virtualized infrastructure. 

CVE-2026-33309 — Langflow AI Framework (Critical) 

CVE-2026-33309 is a critical vulnerability affecting Langflow, an AI workflow framework, enabling attackers to compromise application logic and underlying infrastructure.  

The flaw highlights the emerging attack surface in AI-driven platforms, where exploitation can lead to credential theft and full system compromise. 

Vulnerabilities Added to CISA KEV 

CISA continued expanding its KEV catalog, reflecting active exploitation trends. 

Notable additions include: 

  • CVE-2026-20131 — Cisco FMC RCE vulnerability actively exploited by ransomware groups  

  • CVE-2025-32432 — Craft CMS RCE vulnerability enabling full server takeover  

These additions emphasize the rapid transition from disclosure to exploitation, particularly in enterprise-facing systems. 

Critical ICS Vulnerabilities 

CISA issued 12 ICS advisories covering 150 vulnerabilities, with a strong concentration in industrial automation platforms.  

Festo Automation Suite with CODESYS (Multiple Critical CVEs) 

A large cluster of vulnerabilities affects Festo Automation Suite integrated with CODESYS, spanning multiple years and severity levels.  

These include: 

  • Buffer overflows  

  • Improper access control  

  • Out-of-bounds writes  

  • Missing authentication  

The accumulation of these flaws indicates systemic security weaknesses, enabling attackers to destabilize systems or gain persistent access. 

CVE-2018-10612 — Festo/CODESYS (Critical) 

This vulnerability involves improper access control, allowing attackers to bypass restrictions and gain unauthorized access to industrial systems.  

CVE-2021-30190 — Festo/CODESYS (Critical) 

A missing authentication vulnerability enabling attackers to execute critical functions without credentials, potentially leading to full system compromise.  

EV Charging Infrastructure Vulnerabilities (Critical) 

Critical vulnerabilities were also identified in EV charging platforms such as IGL-Technologies eParking.fi and CTEK Chargeportal.  

These flaws allow: 

  • Unauthorized administrative access  

  • Service disruption  

  • Large-scale denial-of-service attacks  

The global deployment of EV infrastructure significantly amplifies the risk of coordinated attacks across energy and transportation ecosystems. 

Impacted Critical Infrastructure Sectors 

Analysis of ICS vulnerabilities shows a significant concentration in: 

  • Energy infrastructure  

  • Transportation systems  

  • Industrial automation  

The increasing overlap between these sectors—particularly in EV ecosystems—creates interdependent risk, where a compromise in one domain can cascade into others.  

Conclusion 

This week’s findings highlight a convergence of: 

  • Rapid vulnerability disclosure cycles  

  • Active exploitation confirmed through KEV additions  

  • Growing attack surface in AI and cloud-native environments  

  • Deep-rooted security weaknesses in industrial systems  

With 222 publicly available PoCs, active underground discussions, and widespread ICS exposure, organizations face heightened risk across both IT and OT environments.  

Key Recommendations 

  • Prioritize vulnerabilities based on exploit availability and severity  

  • Secure AI frameworks and development pipelines  

  • Harden Kubernetes and cloud-native environments  

  • Implement strong authentication and access controls  

  • Segment IT and OT networks to limit lateral movement  

  • Address legacy vulnerabilities in ICS environments  

  • Conduct continuous vulnerability assessments and penetration testing  

Cyble’s attack surface management and vulnerability intelligence solutions, backed by its AI-native platform, enable organizations to identify exposed assets, prioritize remediation, and detect early indicators of compromise. By integrating threat intelligence with proactive security strategies, organizations can effectively defend against evolving threats across enterprise and critical infrastructure environments.

Book your demo to experience Cyble’s AI native platform now! 

The post The Week in Vulnerabilities: AI Frameworks, VMware, and Critical ICS Exposure appeared first on Cyble.

The Week in Vulnerabilities: Juniper, Cisco SD-WAN, and Critical ICS Exposure

Cyble Weekly Vulnerabilities Report

Cyble Research & Intelligence Labs (CRIL) tracked 1,641 vulnerabilities between March 04 and March 10, 2026. Of these, 175 vulnerabilities already have publicly available Proof-of-Concept (PoC) exploits, significantly increasing the likelihood of real-world attacks. 

A total of 200 vulnerabilities were rated critical under CVSS v3.1, while 61 received critical severity under CVSS v4.0. 

Additionally, CISA added multiple vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, highlighting confirmed exploitation in the wild, including legacy flaws still actively weaponized in operational environments. 

On the industrial side, CISA issued 9 ICS advisories covering 24 vulnerabilities, affecting vendors including Mitsubishi Electric, Hitachi Energy, Mobiliti, ePower, Everon, and Delta Electronics. 

The Week’s Top Vulnerabilities 

CVE-2026-21902 — Juniper Junos OS (Critical) 

CVE-2026-21902 is a critical authentication bypass and remote code execution vulnerability in Juniper Junos OS Evolved. The flaw exposes an internal anomaly detection service externally, allowing unauthenticated attackers to send crafted requests and execute arbitrary code as root. 

A publicly available PoC and underground forum discussions significantly increase the likelihood of exploitation. 

CVE-2026-20127 — Cisco SD-WAN (Critical) 

CVE-2026-20127 is a critical authentication bypass vulnerability affecting Cisco SD-WAN controllers. Due to flawed authentication logic, attackers can bypass peering authentication and gain administrative access over the network. 

Successful exploitation enables traffic manipulation, lateral movement, and persistent access across enterprise networks. 

CVE-2026-29000 — pac4j-jwt Library (Critical) 

CVE-2026-29000 is a critical authentication bypass vulnerability in the pac4j-jwt library. The flaw allows attackers with access to a public key to forge authentication tokens and impersonate any user, including administrators. 

CVE-2026-27971 — Qwik Framework (Critical) 

CVE-2026-27971 is a critical remote code execution vulnerability caused by unsafe deserialization in Qwik’s server-side RPC mechanism. A single malicious request can trigger arbitrary code execution on the backend server. 

CVE-2026-29128 — IDC SFX Satellite Receivers (Critical) 

CVE-2026-29128 involves hardcoded credentials and unauthenticated remote code execution in IDC SFX Series Satellite Receivers. Attackers can extract privileged credentials and execute commands as root, enabling full compromise of satellite communication infrastructure. 

Vulnerabilities Added to CISA KEV 

CISA continued expanding its KEV catalog with vulnerabilities reflecting active exploitation trends. 

Notable additions include: 

  • CVE-2021-22681 — Rockwell Automation credential exposure vulnerability enabling unauthorized OT access 

  • CVE-2017-7921 — Hikvision authentication bypass vulnerability still actively exploited years after disclosure 

These additions highlight the persistent risk of legacy vulnerabilities in both IT and OT environments. 

Critical ICS Vulnerabilities 

CISA issued 9 ICS advisories covering 24 vulnerabilities, with most rated high severity. 

CVE-2026-26051 — Mobiliti EV Charging Platform (Critical) 

CVE-2026-26051 is a critical missing authentication vulnerability in Mobiliti’s EV charging platform, allowing unauthenticated access to infrastructure systems. 

The risk is amplified by the absence of vendor patches or response, requiring organizations to implement independent mitigation controls. 

CVE-2026-22552 — ePower EV Charging Platform (Critical) 

CVE-2026-22552 is a critical authentication bypass vulnerability affecting ePower EV charging systems. Exploitation could enable unauthorized access to the charging infrastructure and service disruption. 

CVE-2026-26288 — Everon Platform (Critical) 

CVE-2026-26288 is a critical missing authentication vulnerability in Everon APIs, allowing attackers to access sensitive backend services without credentials. 

CVE-2026-1775 — Labkotec LID-3300IP (Critical) 

CVE-2026-1775 is a critical missing authentication vulnerability in Labkotec systems, where no fix is available for certain hardware versions, requiring device replacement. 

Impacted Critical Infrastructure Sectors 

Analysis shows that Energy and Transportation Systems account for 50% of ICS vulnerabilities, with Energy appearing in 62.5% of all cases.

This highlights tightly coupled risks between energy infrastructure and transportation systems, particularly in emerging sectors such as EV charging ecosystems. 

Conclusion 

This week’s findings highlight a convergence of large-scale IT vulnerability disclosures, active exploitation trends, and increasing exposure across industrial environments. 

With 175 publicly available PoCs, active underground discussions, and KEV additions confirming exploitation, organizations must prioritize proactive defense strategies. 

Key recommendations include: 

  • Prioritizing vulnerabilities based on exploit availability and risk 

  • Securing internet-facing assets and critical infrastructure endpoints 

  • Implementing strong authentication and access controls 

  • Segmenting IT and OT environments to limit lateral movement 

  • Replacing or isolating unsupported and unpatched systems 

  • Conducting regular security assessments and penetration testing 
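All three reports above open their recommendations with the same point, rank vulnerabilities by exploit availability and operational impact rather than by CVSS alone, and the F5 BIG-IP APM KEV note (a DoS flaw reclassified as RCE once exploitation was seen) shows why that ranking has to be re-run when a CVE's status changes. The following is an added example, not Cyble's code or any tool the reports describe: a small scoring routine that turns those recommendations into a repeatable triage step. The CVE ids and the PoC, KEV and patch-availability facts in the inventory come from the reports; the asset names, exposure flags, severity-to-score mapping and weights are constructed assumptions for illustration.

```python
"""Exploit-aware vulnerability prioritisation (added example, not Cyble tooling).

Ranks findings by confirmed exploitation (KEV), public PoC availability,
exposure and operational impact, and shows how the ranking shifts when a
CVE is reclassified. Weights and asset details are illustrative assumptions.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple

# Assumed mapping from the published severity label to a numeric baseline.
SEVERITY_BASE = {"critical": 9.0, "high": 7.0, "medium": 5.0, "low": 2.0}


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str              # constructed asset name
    severity: str           # severity label as published in the report
    public_poc: bool        # a public proof-of-concept exploit exists
    in_kev: bool            # listed in CISA KEV (exploitation confirmed)
    internet_exposed: bool  # reachable from the internet (assumed per asset)
    patch_available: bool   # vendor fix exists
    ot_asset: bool          # operational technology / ICS device


def risk_score(f: Finding) -> float:
    """Weighted score; confirmed exploitation and public PoCs outweigh the label alone.
    The weights are assumptions chosen for this example, not a published standard."""
    score = SEVERITY_BASE[f.severity.lower()]
    if f.in_kev:
        score += 6.0          # exploited in the wild: treat as urgent
    if f.public_poc:
        score += 3.0          # weaponisation is cheap once a PoC is public
    if f.internet_exposed:
        score += 2.0          # reachable without an existing foothold
    if f.ot_asset:
        score += 1.5          # safety and availability impact on OT
    return score


def action_for(f: Finding) -> str:
    """Map a finding to the remediation track the recommendations describe:
    patch exposed/exploited systems immediately, otherwise patch in cycle;
    where no fix exists, fall back to compensating controls and isolation."""
    urgent = f.in_kev or (f.public_poc and f.internet_exposed)
    if f.patch_available:
        return "patch now" if urgent else "patch in normal cycle"
    return "compensating controls + isolate" if urgent else "compensating controls"


def prioritise(findings: List[Finding]) -> List[Tuple[str, float, str]]:
    """Return (cve, score, action) tuples sorted by descending risk."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.cve, round(risk_score(f), 1), action_for(f)) for f in ranked]


def reassess(findings: List[Finding], cve: str, **changes) -> List[Finding]:
    """Return a new inventory with one finding's fields updated, e.g. after a
    KEV addition or a severity reclassification, so prioritise() can be re-run."""
    return [replace(f, **changes) if f.cve == cve else f for f in findings]


# Constructed inventory. PoC/KEV/patch facts follow the reports; asset names,
# exposure flags and the FreeBSD/Django patch status are assumptions.
INVENTORY = [
    Finding("CVE-2026-21902", "core-router-evo-1", "critical", public_poc=True,
            in_kev=False, internet_exposed=True, patch_available=True, ot_asset=False),
    Finding("CVE-2025-53521", "vpn-apm-edge", "critical", public_poc=False,
            in_kev=True, internet_exposed=True, patch_available=True, ot_asset=False),
    Finding("CVE-2026-4681", "plm-windchill", "critical", public_poc=False,
            in_kev=False, internet_exposed=False, patch_available=False, ot_asset=False),
    Finding("CVE-2026-26051", "ev-charging-backend", "critical", public_poc=False,
            in_kev=False, internet_exposed=True, patch_available=False, ot_asset=True),
    Finding("CVE-2026-1207", "web-app-gis", "high", public_poc=False,
            in_kev=False, internet_exposed=True, patch_available=True, ot_asset=False),
]

if __name__ == "__main__":
    print("Current ranking:")
    for cve, score, action in prioritise(INVENTORY):
        print(f"  {cve:<16} {score:>5}  {action}")
    # Same inventory as it would have looked before the F5 flaw entered KEV.
    print("Before KEV addition of CVE-2025-53521:")
    for cve, score, action in prioritise(reassess(INVENTORY, "CVE-2025-53521", in_kev=False)):
        print(f"  {cve:<16} {score:>5}  {action}")
```

The point of the `reassess` step is the one the F5 case makes: a finding's score is a function of its current KEV and PoC status, so the queue should be regenerated from the updated inventory rather than edited by hand when CISA or a vendor changes the classification.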

Cyble’s attack surface management solutions enable organizations to identify exposed assets, prioritize remediation, and detect early indicators of compromise. Combined with threat intelligence and third-party risk intelligence, organizations can proactively defend against evolving threats across both IT and ICS environments. 

The post The Week in Vulnerabilities: Juniper, Cisco SD-WAN, and Critical ICS Exposure appeared first on Cyble.
