Table of Contents
The Week in Vulnerabilities: 2026 Starts with 100 PoCs and New Exploits
The year may be a little more than a week old, but threat actors have already amassed nearly 100 Proof of Concepts and newly exploited vulnerabilities.
Cyble Vulnerability Intelligence researchers tracked 678 vulnerabilities in the last week, a decline from the high volume of new vulnerabilities observed in the last few weeks of 2025.
Nearly 100 of the disclosed vulnerabilities already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks on those vulnerabilities.
A total of 42 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 15 received a critical severity rating based on the newer CVSS v4.0 scoring system.
Below are some of the more significant IT and industrial control system (ICS) vulnerabilities highlighted by Cyble in recent reports to clients.
The Week’s Top IT Vulnerabilities
CVE-2025-60534 is a critical authentication bypass vulnerability affecting Blue Access Cobalt v02.000.195, which could allow an attacker to selectively proxy requests to operate functionality on the web application without the need for authentication, potentially allowing full admin access to application and door systems.
CVE-2025-68428 is a critical path traversal and local file inclusion vulnerability in the jsPDF JavaScript library’s Node.js builds. It affects methods like loadFile, addImage, html, and addFont, where unsanitized user input as file paths could enable attackers to read arbitrary server files and embed their contents into generated PDFs.
CVE-2020-36923 is a medium-severity insecure direct object reference (IDOR) vulnerability in Sony BRAVIA Digital Signage 1.7.8, which could allow attackers to bypass authorization controls and access hidden system resources like ‘/#/content-creation’ by manipulating client-side access restrictions.
CISA added its first two vulnerabilities of 2026 to the Known Exploited Vulnerabilities (KEV) catalog: A 16-year-old Microsoft PowerPoint flaw and a new maximum-severity HPE vulnerability. The agency added 245 vulnerabilities to the KEV catalog in 2025.
CVE-2025-37164 is a 10.0-severity Code Injection vulnerability in HPE’s OneView IT infrastructure management software up to version 10.20 that has had a publicly available PoC since last month, while CVE-2009-0556 is a 9.3-rated Code Injection vulnerability present in Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3, and PowerPoint in Microsoft Office 2004 for Mac that was first known to be exploited in April 2009.
Notable vulnerabilities discussed in open-source communities include CVE-2025-13915, a critical authentication bypass vulnerability in IBM API Connect that could allow remote unauthenticated attackers to circumvent authentication controls and gain unauthorized access to sensitive API management functions. Another was CVE-2025-68668, a 9.9-severity sandbox bypass vulnerability in the n8n workflow automation platform’s Python Code Node that uses Pyodide.
Another vulnerability getting attention is CVE-2025-52691, a maximum-severity unauthenticated arbitrary file upload vulnerability in SmarterMail email servers. The flaw affects SmarterMail versions before Build 9413 and could allow remote attackers to upload malicious files to any server location without requiring credentials, which could lead to remote code execution (RCE), full server compromise, data theft, or ransomware deployment.
Cyble dark web researchers observed a threat actor (TA) on a cybercrime forum advertising a zero-day vulnerability allegedly affecting the latest version of Microsoft Word. The TA described the vulnerability as affecting a Dynamic Link Library (DLL) module that Microsoft Word loads without proper verification due to the absence of absolute path validation, allegedly enabling remote code execution and local privilege escalation exploitation. The TA did not provide technical proof of concept, affected version numbers, or independent verification; therefore, the claim remains unverified.
ICS Vulnerabilities
Three ICS vulnerabilities also merit priority attention by security teams.
CVE-2025-3699 is a Missing Authentication for Critical Function vulnerability affecting multiple versions of Mitsubishi Electric Air Conditioning Systems. Successful exploitation of the vulnerability could have far-reaching consequences beyond simple unauthorized access. By bypassing authentication, an attacker could gain full control over the air conditioning system, enabling them to manipulate environmental conditions within commercial facilities. This could lead to equipment overheating, disruption of medical environments, or production downtime. Additionally, access to sensitive information stored within the system, such as configuration files, user credentials, or operational logs, could provide attackers with valuable intelligence for further compromise.
CVE-2025-59287, a vulnerability disclosed by Microsoft in the Windows Server Update Services (WSUS) application, impacts servers running Schneider Electric EcoStruxure Foxboro DCS Advisor. Deserialization of untrusted data in WSUS could allow an unauthorized attacker to execute code over a network.
CVE-2018-4063 is a remote code execution vulnerability in the upload.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3 that was added to CISA’s KEV database last month after attacks were detected on OT network perimeter devices.
Conclusion
New vulnerabilities declining closer to long-term trends would be welcome news if it continues, but that still leaves security teams with hundreds of new vulnerabilities a week to contend with, many of which have PoCs or active exploits. In that challenging environment, rapid, well-targeted actions are needed to patch the most critical vulnerabilities and successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts.
Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans.
Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.