Friday, February 20, 2026
Malware

The Week In Vulnerabilities: SolarWinds, Ivanti, And Critical ICS Exposure

by CybrGPT
0 comment

Critical SolarWinds, Ivanti EPMM, Microsoft Office, and Siemens ICS vulnerabilities are being discussed on underground forums, while 15 CISA ICS advisories impacted Energy and Critical Manufacturing sectors.

Cyble Research & Intelligence Labs (CRIL) tracked 1,158 vulnerabilities last week. Of these, 251 vulnerabilities already have publicly available Proof-of-Concept (PoC) exploits, significantly increasing the likelihood of real-world attacks. 

A total of 94 vulnerabilities were rated critical under CVSS v3.1, while 43 were rated critical under CVSS v4.0.

In parallel, CISA issued 15 ICS advisories covering 87 vulnerabilities affecting industrial environments. These vulnerabilities impacted vendors including Siemens, Yokogawa, AVEVA, Hitachi Energy, ZLAN, ZOLL, and Airleader. 

Additionally, 8 vulnerabilities were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, reflecting confirmed exploitation in the wild. 

The Week’s Top Vulnerabilities 

CVE-2025-40554 — SolarWinds Web Help Desk (Critical) 

CVE-2025-40554 is a critical authentication bypass vulnerability affecting SolarWinds Web Help Desk versions prior to 2026.1. The flaw allows unauthenticated remote attackers to invoke privileged functionality without valid credentials, potentially leading to full compromise of helpdesk systems. 

report-ad-banner

Cyble observed this vulnerability being discussed on underground forums shortly after disclosure, and a public PoC is available. The vulnerability’s presence in enterprise environments increases the risk of initial access and lateral movement. 

CVE-2026-1340 — Ivanti Endpoint Manager Mobile (Critical) 

CVE-2026-1340 is a critical code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM). A remote, unauthenticated attacker can exploit the flaw to achieve arbitrary remote code execution without user interaction. 

The vulnerability has been captured in dark web discussions and has a publicly available PoC , significantly lowering the barrier to exploitation. 

CVE-2026-21509 — Microsoft Office (High Severity, Actively Exploited) 

CVE-2026-21509 is a feature-bypass vulnerability in Microsoft Office that allows crafted documents to circumvent built-in security protections. Attackers can deliver malicious Office files that execute payloads once opened by the victim. 

The flaw has been actively exploited by threat actors including APT28 and RomCom , highlighting its operational impact. 

CVE-2026-1529 — Keycloak (High Impact) 

CVE-2026-1529 affects Red Hat’s Keycloak and involves improper validation of JWT invitation token signatures. Attackers can manipulate trusted token contents to gain unauthorized access to organizational resources. 

A PoC is available, and the vulnerability surfaced on underground forums shortly after disclosure. 

CVE-2026-23906 — Apache Druid (Critical) 

CVE-2026-23906 is a critical authentication bypass vulnerability in Apache Druid, enabling unauthorized access to sensitive data stores. 

CVE-2026-0488 — SAP CRM & SAP S/4HANA (Critical) 

CVE-2026-0488 is a critical code injection vulnerability affecting SAP CRM and SAP S/4HANA. An authenticated attacker can exploit improper function module calls to execute arbitrary SQL statements, potentially resulting in full database compromise. 

Vulnerabilities Added to CISA KEV 

CISA added 8 vulnerabilities to the KEV catalog during the reporting period. The most important of these were: 

  • CVE-2026-24423 — SmarterTools SmarterMail unauthenticated RCE 
  • CVE-2026-21510 — Microsoft Windows Shell protection mechanism bypass 

KEV additions reflect confirmed exploitation in the wild and often signal heightened ransomware or espionage activity. 

Critical ICS Vulnerabilities 

CISA issued 15 ICS advisories covering 87 vulnerabilities, with the majority rated high severity. 

CVE-2026-25084 & CVE-2026-24789 — ZLAN5143D (Critical) 

These critical vulnerabilities in ZLAN Information Technology Co.’s ZLAN5143D device involve missing authentication for critical functions. 

Successful exploitation could allow attackers to bypass authentication controls or reset device passwords, potentially enabling unauthorized configuration changes and interference with industrial communications. Researchers also identified internet-facing instances, increasing exposure risk. 

CVE-2025-52533 — Siemens SINEC OS (Critical) 

CVE-2025-52533 is a critical out-of-bounds write vulnerability in Siemens SINEC OS before version 3.3, potentially enabling memory corruption and system compromise in industrial network environments. 

CVE-2026-1358 — Airleader Master (Critical) 

CVE-2026-1358 is a critical, unrestricted file-upload vulnerability in Airleader Master systems. Successful exploitation could allow attackers to upload malicious files, potentially resulting in remote code execution in OT environments. 

Impacted Critical Infrastructure Sectors 

Analysis of the ICS advisories shows that Critical Manufacturing and Energy sectors appear in 98.9% of reported vulnerabilities, showcasing concentrated exposure in these environments. 

The cross-sector nature of these vulnerabilities underscores the interdependencies between Energy, Manufacturing, Transportation, Water, and Food systems. 

Conclusion 

The convergence of high-volume IT vulnerabilities and significant ICS exposure highlights the continued expansion of the attack surface across enterprise and industrial environments. With over 250 PoCs publicly available and multiple KEV additions confirming active exploitation, organizations must prioritize rapid remediation and risk-based vulnerability management. 

Security best practices include: 

  • Prioritizing vulnerabilities based on risk and exploit availability 
  • Protecting web-facing and internet-exposed assets 
  • Implementing strict IT/OT network segmentation 
  • Deploying multi-factor authentication and strong access controls 
  • Conducting regular vulnerability assessments and penetration testing 
  • Monitoring underground forums and KEV updates for early warning signals 
  • Establishing ransomware-resistant backup strategies 
  • Maintaining OT-specific incident response procedures 

Cyble’s comprehensive attack surface management solutions help organizations continuously monitor internal and external assets, prioritize remediation, and detect early warning signals of exploitation. Additionally, Cyble’s threat intelligence and third-party risk intelligence capabilities provide visibility into vulnerabilities actively discussed in underground communities, enabling proactive defense against both IT and ICS threats.

Source link

You Might Be Interested In

You may also like

Remcos RAT Expands Real-Time Surveillance Capabilities

Cryptojacking Campaign Exploits Driver to Boost Monero Mining

Record Number of Ransomware Victims and Groups in 2025

Infostealer Targets OpenClaw to Loot Victim’s Digital Life

Why Ransomware Remains One of Cybersecurity’s Most Persistent Threats

Operation DoppelBrand Weaponizes Trusted Brands For Credential Theft

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

Stay informed with the latest cybersecurity news. Explore updates on malware, ransomware, data breaches, and online threats. Your trusted source for digital safety and cyber defense insights.

Facebook Twitter Instagram
Weather Data Source: 30 tage wettervorhersage

Subscribe my Newsletter for new blog posts, tips & new photos. Let’s stay updated!

©2025 cybrgpt.com – All rights reserved.

@2025 - All Right Reserved.
View Cart Checkout Continue Shopping
Close