The Week in Vulnerabilities: Cyble Urges D-Link, React Server Fixes

The Week in Vulnerabilities: Cyble Urges D-Link, React Server Fixes

/in

IT and ICS vulnerabilities

Cyble Vulnerability Intelligence researchers tracked 591 vulnerabilities in the last week, and more than 30 already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks on those vulnerabilities. 

A total of 69 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 26 received a critical severity rating based on the newer CVSS v4.0 scoring system. 

Here are some of the more critical IT and ICS vulnerabilities flagged by Cyble in recent reports to clients. 

The Week’s Top IT Vulnerabilities 

CVE-2025-60854 is a critical command injection vulnerability found in the D-Link R15 (AX1500) router firmware 1.20.01 and below. The flaw has a severity score of 9.8 and requires no authentication or user interaction to exploit, making it highly dangerous for affected systems. 

CISA added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog in the last week: 

CVE-2025-55182 is a critical pre-authentication remote code execution (RCE) vulnerability in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerability has been reportedly targeted by China-linked threat groups. 

CVE-2021-26829 is a cross-site scripting (XSS) vulnerability affecting OpenPLC ScadaBR that was targeted in recent attacks by the pro-Russian hacktivist group TwoNet on a honeypot simulating a water treatment facility, where the threat actors used default credentials for initial access, exploited the flaw to deface the HMI login page, and disabled logs and alarms in a little more than a day. 

Five days after adding CVE-2021-26829 to the KEV catalog, CISA added CVE-2021-26828, a high-severity Unrestricted Upload of File with Dangerous Type vulnerability affecting OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows. The flaw could allow remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm. 

CISA also added two Android vulnerabilities to the KEV catalog, both high-severity Android framework vulnerabilities. CVE-2025-48572 is a Privilege Escalation vulnerability, while CVE-2025-48633 is an Information Disclosure vulnerability. Neither vulnerability has been added to the National Vulnerability Database (NVD) yet. 

Notable vulnerabilities discussed in open-source communities included: 

CVE-2025-13223, a type confusion vulnerability in Google Chrome‘s V8 JavaScript and WebAssembly engine, allowing remote attackers to exploit heap corruption via a crafted HTML page, potentially leading to arbitrary code execution. 

CVE-2025-11001,  a directory traversal remote code execution vulnerability in 7-Zip, stemming from improper handling of symbolic links in ZIP files, potentially allowing attackers to escape extraction directories and execute arbitrary code in the context of a service account upon user interaction with crafted archives.  

CVE-2025-58034, an OS command injection vulnerability in Fortinet FortiWeb web application firewalls. 

CVE-2025-41115, a critical privilege escalation and user impersonation vulnerability in Grafana Enterprise’s SCIM provisioning feature, which could allow attackers to create accounts impersonating privileged users, modify dashboards, access databases, alter alerts, and pivot to connected systems. 

CVE-2025-59366, a critical authentication bypass vulnerability in ASUS AiCloud routers, potentially allowing unauthorized execution of specific router functions via path traversal and OS command injection. 

Vulnerabilities Under Discussion on the Dark Web 

Cyble dark web researchers observed multiple threat actors (TA) on dark web and cybercrime forums discussing various exploits and weaponizing multiple vulnerabilities, including: 

CVE-2025-60709: A Windows Common Log File System (CLFS) Driver elevation of privilege vulnerability that could allow an authorized attacker to elevate privileges locally through an out-of-bounds read flaw. The specific flaw exists within the clfs.sys driver and results from improper validation of user-supplied data, which can lead to a read past the end of an allocated memory region.  

Local attackers can disclose sensitive information on affected Microsoft Windows installations and potentially exploit this vulnerability in conjunction with other vulnerabilities to execute arbitrary code in the context of the kernel, resulting in privilege escalation. 

CVE-2025-5931: A high-severity privilege escalation vulnerability in the Dokan Pro WordPress plugin, which stems from improper user identity validation during the staff password reset procedure, allowing attackers with vendor-level access to escalate their privileges to staff member level and then change arbitrary user passwords, including those of administrators, potentially leading to a full account takeover. 

CVE-2025-64446: A critical unauthenticated path traversal vulnerability in Fortinet FortiWeb WAF that could allow full administrative compromise of affected appliances via crafted HTTP(S) requests. The flaw is a relative path traversal (sometimes called “path confusion”) issue in the FortiWeb GUI / management API that could let an attacker reach an internal CGI handler and execute privileged operations without valid credentials. In practice, this becomes an authentication bypass that enables remote admin‑level control and, effectively, remote code execution on the WAF. 

ICS Vulnerabilities 

In addition to the OpenPLC ScadaBR vulnerabilities noted by CISA, Cyble threat intelligence researchers flagged four additional industrial control system (ICS) vulnerabilities in recent reports to clients. 

CVE-2024-3871 is a critical Stack-Based Buffer Overflow vulnerability affecting Emerson Appleton UPSMON-PRO, versions 2.6 and prior. Successful exploitation of the vulnerability could allow remote attackers to execute arbitrary code on affected installations of Appleton UPSMON-PRO. 

CVE-2025-13483 is a Missing Authentication for Critical Function vulnerability affecting SiRcom SMART Alert (SiSA), version 3.0.48. Successful exploitation of the vulnerability could enable an attacker to remotely activate or manipulate emergency sirens. 

CVE-2025-13658 is a Command Injection vulnerability affecting Longwatch versions 6.309 to 6.334. Successful exploitation could allow an unauthenticated attacker to gain remote code execution with elevated privileges. 

CVE-2025-13510 is a Missing Authentication for Critical Function vulnerability affecting Iskra iHUB and iHUB Lite, all versions. Successful exploitation could allow a remote attacker to reconfigure devices, update firmware, and manipulate connected systems without any credentials. 

Conclusion 

The wide range of critical and exploited vulnerabilities in this week’s report highlights the breadth of threats faced by security teams, who must respond with rapid, well-targeted actions to successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts.  

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans.  

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.  

The post The Week in Vulnerabilities: Cyble Urges D-Link, React Server Fixes appeared first on Cyble.

Cyble – ​Read More