Cyble Vulnerability Intelligence researchers tracked 678 vulnerabilities in the last week, a decline from the high volume of new vulnerabilities observed in the last few weeks of 2025.  

Nearly 100 of the disclosed vulnerabilities already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks on those vulnerabilities. 

A total of 42 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 15 received a critical severity rating based on the newer CVSS v4.0 scoring system. 

Below are some of the more significant IT and industrial control system (ICS) vulnerabilities highlighted by Cyble in recent reports to clients. 

The Week’s Top IT Vulnerabilities 

CVE-2025-60534 is a critical authentication bypass vulnerability affecting Blue Access Cobalt v02.000.195, which could allow an attacker to selectively proxy requests to operate functionality on the web application without the need for authentication, potentially allowing full admin access to application and door systems. 

CVE-2025-68428 is a critical path traversal and local file inclusion vulnerability in the jsPDF JavaScript library’s Node.js builds. It affects methods like loadFile, addImage, html, and addFont, where unsanitized user input as file paths could enable attackers to read arbitrary server files and embed their contents into generated PDFs. 

CVE-2020-36923 is a medium-severity insecure direct object reference (IDOR) vulnerability in Sony BRAVIA Digital Signage 1.7.8, which could allow attackers to bypass authorization controls and access hidden system resources like ‘/#/content-creation’ by manipulating client-side access restrictions. 

CISA added its first two vulnerabilities of 2026 to the Known Exploited Vulnerabilities (KEV) catalog: A 16-year-old Microsoft PowerPoint flaw and a new maximum-severity HPE vulnerability. The agency added 245 vulnerabilities to the KEV catalog in 2025. 

CVE-2025-37164 is a 10.0-severity Code Injection vulnerability in HPE’s OneView IT infrastructure management software up to version 10.20 that has had a publicly available PoC since last month, while CVE-2009-0556 is a 9.3-rated Code Injection vulnerability present in Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3, and PowerPoint in Microsoft Office 2004 for Mac that was first known to be exploited in April 2009. 

Notable vulnerabilities discussed in open-source communities include CVE-2025-13915, a critical authentication bypass vulnerability in IBM API Connect that could allow remote unauthenticated attackers to circumvent authentication controls and gain unauthorized access to sensitive API management functions. Another was CVE-2025-68668, a 9.9-severity sandbox bypass vulnerability in the n8n workflow automation platform’s Python Code Node that uses Pyodide. 

Another vulnerability getting attention is CVE-2025-52691, a maximum-severity unauthenticated arbitrary file upload vulnerability in SmarterMail email servers. The flaw affects SmarterMail versions before Build 9413 and could allow remote attackers to upload malicious files to any server location without requiring credentials, which could lead to remote code execution (RCE), full server compromise, data theft, or ransomware deployment. 

Cyble dark web researchers observed a threat actor (TA) on a cybercrime forum advertising a zero-day vulnerability allegedly affecting the latest version of Microsoft Word. The TA described the vulnerability as affecting a Dynamic Link Library (DLL) module that Microsoft Word loads without proper verification due to the absence of absolute path validation, allegedly enabling remote code execution and local privilege escalation exploitation. The TA did not provide technical proof of concept, affected version numbers, or independent verification; therefore, the claim remains unverified. 

ICS Vulnerabilities 

Three ICS vulnerabilities also merit priority attention by security teams. 

CVE-2025-3699 is a Missing Authentication for Critical Function vulnerability affecting multiple versions of Mitsubishi Electric Air Conditioning Systems. Successful exploitation of the vulnerability could have far-reaching consequences beyond simple unauthorized access. By bypassing authentication, an attacker could gain full control over the air conditioning system, enabling them to manipulate environmental conditions within commercial facilities. This could lead to equipment overheating, disruption of medical environments, or production downtime. Additionally, access to sensitive information stored within the system, such as configuration files, user credentials, or operational logs, could provide attackers with valuable intelligence for further compromise. 

CVE-2025-59287, a vulnerability disclosed by Microsoft in the Windows Server Update Services (WSUS) application, impacts servers running Schneider Electric EcoStruxure Foxboro DCS Advisor. Deserialization of untrusted data in WSUS could allow an unauthorized attacker to execute code over a network. 

CVE-2018-4063 is a remote code execution vulnerability in the upload.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3 that was added to CISA’s KEV database last month after attacks were detected on OT network perimeter devices. 

Conclusion 

New vulnerabilities declining closer to long-term trends would be welcome news if it continues, but that still leaves security teams with hundreds of new vulnerabilities a week to contend with, many of which have PoCs or active exploits. In that challenging environment, rapid, well-targeted actions are needed to patch the most critical vulnerabilities and successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts. 

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. 

The post The Week in Vulnerabilities: 2026 Starts with 100 PoCs and New Exploits  appeared first on Cyble.

Cyble – ​Read More

The cyber threat environment in Australia and New Zealand experienced a new escalation throughout 2025, driven by a surge in initial access sales, ransomware operations, and high-impact data breaches. According to our Threat Landscape Report Australia and New Zealand 2025, threat activity observed between January and November 2025 reveals a complex and commercialized underground ecosystem, where compromised network access is actively bought, sold, and exploited across multiple sectors. 

The threat landscape report identifies a persistent focus on data-rich industries, with threat actors disproportionately targeting Retail, Banking, Financial Services, and Insurance (BFSI), Professional Services, and Healthcare organizations. These sectors continue to attract attackers due to the volume of sensitive personally identifiable information (PII), financial data, and downstream access opportunities they offer. 

Growth of Initial Access Sales in 2025 

A central finding of the report is the continued growth of the initial access market. Cyble Research and Intelligence Labs (CRIL) documented 92 instances of compromised access sales affecting organizations in Australia and New Zealand during 2025. Retail organizations were the most heavily targeted, accounting for 31 incidents, or approximately 34% of all observed activity. This figure is more than three times higher than that of the next most targeted sector. 

The BFSI sector recorded nine compromised access listings, followed by Professional Services with seven incidents. Combined, these three sectors accounted for more than half of all initial access listings observed in the region during the reporting period. 

This concentration reflects a strategic approach by initial access brokers. Retail and BFSI organizations routinely handle large volumes of customer data and payment information, making them valuable targets for monetization or follow-on ransomware attacks. Professional Services firms, meanwhile, often provide access to client environments, creating opportunities for supply chain exploitation. 

A Fragmented but Active Access Brokerage Market 

Analysis of the compromised access marketplace reveals a highly fragmented ecosystem rather than one dominated by a small number of major actors. The threat actor known as “cosmodrome” emerged as the most prolific seller of compromised access during the period, followed closely by an actor operating under the alias “shopify.” 

Despite their activity, these actors did not control the market. The top seven most active sellers were collectively responsible for only about 26% of the observed access listings. The remaining activity originated from dozens of individual threat actors who posted listings once or twice, suggesting a low barrier to entry and a marketplace populated by both specialized brokers and opportunistic participants. 

This structure indicates that initial access sales have become an accessible revenue stream for a wide range of threat actors, reinforcing the resilience and scalability of the underground economy. 

High-Impact Incidents Highlight Broader Risks 

Several notable incidents documented in the threat landscape report illustrate how initial access is translated into real-world impact. 

In June 2025, the threat group Scattered Spider was suspected of orchestrating a cyberattack against a major Australian airline. Attackers reportedly gained unauthorized access to a customer service portal, resulting in a data breach that exposed records belonging to nearly six million customers. The compromised data included names, email addresses, phone numbers, dates of birth, and frequent flyer numbers. 

The airline confirmed that more sensitive information, such as credit card details, financial records, and passport data, was not affected because it was not stored in the breached system. Investigators believe the incident may be part of a broader campaign targeting the aviation sector. 

In March, threat actor “Stari4ok” advertised the sale of unauthorized access to a large Australian retail chain on the Russian-language cybercrime forum Exploit. The actor claimed the access involved a hosting server containing approximately 250 GB of data, including a 30 GB SQL database with a user table of around 71,000 records. Based on the claimed annual revenue of USD 2.6 billion and the described industry, the victim appears to be a major retailer, although this has not been independently confirmed. The access was listed for auction with a starting price of USD 1,500. 

Another listing emerged in May when the threat actor “w_tchdogs” offered unauthorized access to a portal belonging to an Australian telecommunications provider on the English-language forum Darkforums. The actor claimed the access provided entry to domain administration tools and critical network information. The listing price was USD 750. 

Data Breaches and Hacktivist Activity 

Not all incidents were tied directly to access sales. In mid-April, unidentified threat actors gained unauthorized access to the IT systems of a prominent accounting firm operating across Australia and New Zealand. The organization publicly confirmed the breach, stating that some data may have been compromised and that an investigation was ongoing. While business operations continued, the firm warned clients of potential phishing attempts and obtained court injunctions in both countries to prevent the dissemination of affected data. As of the time of reporting, no threat group had claimed responsibility. 

Hacktivist activity also remained visible. In January 2025, the group RipperSec claimed to have accessed an optical-fiber network monitoring device belonging to an Australian cable and media services provider. The device was reportedly no longer supported by its vendor. As proof, the group released images suggesting internal defacement and possible data manipulation. 

Want a deeper insight into these threats? Check out Cyble’s Australia and New Zealand Threat Landscape Report 2025 or schedule a demo to see check out how Cyble can protect your organization against these threats. 

The post Initial Access Sales Accelerated Across Australia and New Zealand in 2025 appeared first on Cyble.

Cyble – ​Read More