The Week in Vulnerabilities: OpenClaw, FreeBSD, F5 BIG-IP, and Critical ICS Bugs

Cyble’s weekly report tracked a surge of 1,960 vulnerabilities, including 248 with public proof-of-concept exploits and at least five under active underground discussion, while CISA added multiple entries to its Known Exploited Vulnerabilities catalog. Critical flaws affecting enterprise and industrial systems (notably OpenClaw and F5 BIG-IP) and unpatched ICS advisories for vendors such as Schneider Electric, WAGO, and PTC highlight rising risk across IT and OT environments.

Keypoints

  • Cyble tracked 1,960 vulnerabilities in one week, with 248 public PoCs and at least five vulnerabilities actively discussed in underground forums.
  • 214 vulnerabilities were rated critical under CVSS v3.1 and 57 under CVSS v4.0, indicating substantial high-severity exposure.
  • CISA added 4 vulnerabilities to its KEV catalog, confirming active exploitation, including CVE-2025-53521 (F5 BIG-IP APM).
  • Top tracked enterprise CVEs include CVE-2026-32917 (OpenClaw remote command injection), CVE-2026-4747 (FreeBSD stack overflow), and CVE-2026-31883 (FreeRDP heap overflow).
  • CISA issued 7 ICS advisories covering 10 vulnerabilities affecting vendors such as Schneider Electric, WAGO, PTC, and Pharos Controls—several rated critical and some unpatched.
  • Report recommendations emphasize prioritizing PoC-backed vulnerabilities, immediate patching of critical and exposed services, IT/OT segmentation, and compensating controls for unpatched ICS flaws.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Remote command injection in OpenClaw’s iMessage attachment staging allows attackers to inject and run commands on remote systems (‘…allowing attackers to inject commands into remote systems…’)
  • [T1203] Exploitation for Client Execution – Buffer overflow and use-after-free flaws in FreeBSD, FreeRDP, and other products are exploited to achieve remote code execution (‘…resulting in remote code execution…’ and ‘…allows arbitrary command execution…’)
  • [T1068] Exploitation for Privilege Escalation – Stack-based overflow in FreeBSD can lead to kernel-level execution and full system takeover (‘…remote code execution with kernel-level privileges…’)
  • [T1190] Exploit Public-Facing Application – SQL injection in Django PostGIS RasterField lookups enables attackers to execute malicious queries against backend databases (‘…SQL injection vulnerability in Django applications using PostGIS RasterField lookups…’)
  • [T1557] Adversary-in-the-Middle – FreeRDP audio decoding heap overflow can be triggered by a malicious RDP server or a man-in-the-middle actor to compromise clients (‘…A malicious RDP server or man-in-the-middle attacker can exploit this flaw…’)

Indicators of Compromise

  • [CVE] Tracked vulnerability identifiers cited as observable references – CVE-2026-32917, CVE-2025-53521, and 7 more CVEs mentioned in the report
  • [Vulnerable products] Named affected software/hardware useful for asset matching – OpenClaw (iMessage attachment workflow), F5 BIG-IP APM, and 5 more products (FreeBSD, FreeRDP, Django, Schneider Electric, WAGO)
  • [Advisories/catalog entries] Official advisories and catalog records indicating active exploitation – CISA KEV addition CVE-2025-53521 and 7 ICS advisories covering 10 vulnerabilities

Read more: https://cyble.com/blog/cyble-weekly-vulnerability-report-apr-08/