This week’s intelligence highlights critical vulnerabilities across AI frameworks, VMware environments, Kubernetes, EV charging platforms, and industrial control systems that expand the global attack surface and increase exploitation risk. Notable high-risk flaws include RCEs in Wazuh and Cisco FMC, a critical deserialization bug in Langflow, and widespread ICS/EV exposures now tracked in CISA’s KEV catalog. #Wazuh #Langflow
Keypoints
- Cyble tracked 1,452 vulnerabilities last week, with 222 having publicly available Proof-of-Concept (PoC) exploits and at least 7 actively discussed in underground forums.
- 128 vulnerabilities were rated critical under CVSS v3.1 and 47 under CVSS v4.0; CISA added 8 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
- Top disclosed flaws include CVE-2026-25769 (Wazuh deserialization RCE), CVE-2026-20131 (Cisco FMC unauthenticated RCE), CVE-2026-33309 (Langflow critical), CVE-2026-4342 (Kubernetes ingress-nginx configuration injection), and CVE-2026-22721 (VMware Aria privilege escalation).
- CISA issued 12 ICS advisories covering 150 vulnerabilities affecting vendors such as Festo/CODESYS, Schneider Electric, Siemens, and Mitsubishi Electric, revealing systemic weaknesses like buffer overflows and missing authentication.
- Critical EV charging platform flaws (IGL-Technologies eParking.fi, CTEK Chargeportal) enable unauthorized administrative access, service disruption, and large-scale denial-of-service attacks.
- Recommended mitigations include prioritizing fixes by exploit availability and severity, securing AI frameworks and cloud-native stacks, enforcing strong authentication and segmentation between IT and OT, and addressing legacy ICS issues.
MITRE Techniques
- [T1190 ] Exploit Public-Facing Application – Exploitation of enterprise-facing systems such as Cisco FMC and Craft CMS to gain remote code execution; quoted content: (‘…allowing unauthenticated attackers to execute arbitrary Java code as root on affected systems.’).
- [T1203 ] Exploitation for Client Execution – Remote code execution via deserialization and crafted payloads in services like Wazuh and Langflow enabling full system compromise; quoted content: (‘remote code execution with root privileges’).
- [T1068 ] Exploitation for Privilege Escalation – Vulnerabilities that allow attackers with limited access to elevate privileges to administrative levels (e.g., VMware Aria); quoted content: (‘allows attackers with limited access to elevate privileges to administrative levels.’).
- [T1499 ] Endpoint Denial of Service – Vulnerabilities in EV charging platforms permitting large-scale service disruption and DoS conditions; quoted content: (‘Large-scale denial-of-service attacks’).
- [T1078 ] Valid Accounts / Authentication Bypass – Missing authentication and improper access control in ICS and automation stacks enabling unauthorized access or execution of critical functions; quoted content: (‘missing authentication vulnerability enabling attackers to execute critical functions without credentials.’).
Indicators of Compromise
- [CVE IDs ] tracked high-risk and exploited flaws – CVE-2026-25769, CVE-2026-20131, and other CVEs such as CVE-2026-33309, CVE-2026-4342, CVE-2026-22721 (and several more).
- [Products/Services ] affected systems and vendors – Wazuh, Cisco Secure Firewall Management Center (FMC), Langflow, Kubernetes ingress-nginx, VMware Aria Operations (and other enterprise/AI/OT products).
- [Domains/Platforms ] impacted infrastructure and services – eParking.fi (IGL-Technologies), CTEK Chargeportal, and other EV charging platforms implicated in critical vulnerabilities.
Read more: https://cyble.com/blog/cyble-weekly-vulnerabilities-report-apr-01/