Known CVEs, Active Risk: Collaboration and Infrastructure Platforms Back in Focus - Safe Security

Jun 30, 2026

By SAFE Threat Research Team

This week’s CVE activity is shaped more by older vulnerabilities that remain exploitable in real environments than by disclosure volume alone. The strongest signals span collaboration platforms, network and device management, archiving tools, and ICS-adjacent software, with exploitation paths tied to file upload, local file inclusion, command injection, path traversal, SSRF, deserialization, and authorization bypass.

The priority set includes Zimbra, SharePoint, Ubiquiti UniFi OS, WinRAR, Cisco Unified Communications Manager, PTC Windchill, Lantronix EDS5000, and FUXA. These products do not share a single deployment model, but they share a practical attacker value: access to files, credentials, device control, privileged workflows, or operational systems. Remediation priority depends on deployment context and actual exposure, not on the CVSS score alone.

Vulnerability Landscape

Trending Vulnerabilities

Twenty-six CVEs showed confirmed exploitation signals, all of them pre-existing vulnerabilities. That points to risk from known issues that remain deployed, reachable, or difficult to remediate.

The priority is exposure and impact validation. Teams should confirm whether affected products are still present in production, whether they are reachable from attacker-controlled paths, and whether compensating controls reduce the likelihood of successful exploitation.

Where exposure exists, defenders should assess the likely post-exploitation impact. Many of this week’s trending CVEs can support attacker objectives such as file access, command execution, configuration takeover, credential theft, privilege escalation, or lateral movement. That makes validation especially important for collaboration platforms, network infrastructure, and edge-facing systems where compromise can extend beyond a single vulnerable host.

Top CVEs to Watch

Zimbra Collaboration Suite arbitrary file upload under active exploitation (CVE-2022-27925)

CVE-2022-27925 is an arbitrary file upload flaw in the mboximport functionality of Zimbra Collaboration Suite (ZCS). An authenticated administrator can upload a ZIP archive whose entry names contain directory traversal sequences, so the server writes files outside the intended import directory, including under the web root. Chained with the authentication bypass CVE-2022-37042, the same endpoint yields unauthenticated remote code execution.

The vulnerability is actively exploited by ransomware groups and is listed in CISA's KEV; organizations are urged to apply the vendor updates immediately. It has also appeared in broader campaigns that use malware such as SharkLoader to deliver payloads, including Cobalt Strike Beacon, to compromised systems. Zimbra users should prioritize patching and add detection for post-exploitation activity, such as new files appearing under the Zimbra web root shortly after an mboximport request.

SharePoint and CentreStack: collaboration infrastructure in active intrusion activity (CVE-2025-49704, CVE-2025-49706, CVE-2025-11371)

On-premises SharePoint Server vulnerabilities CVE-2025-49704 and CVE-2025-49706 were used by Storm-2603 for initial access in ransomware-linked activity. Post-exploitation behavior included remote access tooling, administrator account creation, BYOVD-based defense evasion, and attempts to maintain long-term access.

CVE-2025-11371, an unauthenticated local file inclusion flaw in Gladinet CentreStack and Triofox, should be treated as a related signal, not necessarily part of the same exploit chain. In the same investigation context, probing activity targeted sensitive files such as web.config, which holds the ASP.NET machineKey and other configuration material an attacker can reuse against the application. This keeps CentreStack and Triofox relevant for defenders reviewing exposed collaboration and file-sharing infrastructure.
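The Storm-2603 post-exploitation behavior described above includes administrator account creation, which is visible in Windows Security logs regardless of which initial-access bug was used. The following is an added example, not code from the original post or from Microsoft: it correlates event 4720 (user account created) with a subsequent 4732 (member added to a security-enabled local group) targeting the built-in Administrators group (well-known SID S-1-5-32-544) on the same host within a short window. The events are constructed for illustration; the IIS app-pool subject name is an assumption about how a web-server process identity appears in the log.

```python
"""Correlate Windows Security events to catch a freshly created account being
added to the local Administrators group.

Added example, not code from the original post. Event IDs are the standard
ones (4720 = user account created, 4732 = member added to a security-enabled
local group); S-1-5-32-544 is the well-known SID of the built-in Administrators
group. The events below are constructed, not taken from any real incident.
"""
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"

# Constructed events. Field names mirror the Windows event data: "subject" is
# who performed the action, "target"/"member" is the account acted on.
SAMPLE_EVENTS = [
    {"ts": "2026-06-24T02:11:07", "id": 4720, "host": "sp-web01",
     "subject": "IIS APPPOOL\\SharePoint", "target": "svc_backup2"},
    {"ts": "2026-06-24T02:11:09", "id": 4732, "host": "sp-web01",
     "subject": "IIS APPPOOL\\SharePoint", "member": "svc_backup2",
     "group_sid": ADMINISTRATORS_SID},
    # Helpdesk creating a user and adding it to Remote Desktop Users: benign.
    {"ts": "2026-06-24T09:30:00", "id": 4720, "host": "hr-ws07",
     "subject": "CORP\\helpdesk1", "target": "jdoe"},
    {"ts": "2026-06-24T09:30:05", "id": 4732, "host": "hr-ws07",
     "subject": "CORP\\helpdesk1", "member": "jdoe", "group_sid": "S-1-5-32-555"},
    # Admin membership granted 90 minutes after creation: outside the default window.
    {"ts": "2026-06-24T10:00:00", "id": 4720, "host": "fs01",
     "subject": "CORP\\itadmin", "target": "tmpadmin"},
    {"ts": "2026-06-24T11:30:00", "id": 4732, "host": "fs01",
     "subject": "CORP\\itadmin", "member": "tmpadmin", "group_sid": ADMINISTRATORS_SID},
]


def find_new_admins(events, window=timedelta(minutes=10)):
    """Return one alert per 4720 that is followed, on the same host and within
    `window`, by a 4732 adding the same account to Administrators."""
    created = {}   # (host, account) -> the 4720 event
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 4720:
            created[(ev["host"], ev["target"].lower())] = ev
        elif ev["id"] == 4732 and ev.get("group_sid") == ADMINISTRATORS_SID:
            c = created.get((ev["host"], ev["member"].lower()))
            if c is None:
                continue
            delta = datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(c["ts"])
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "host": ev["host"],
                    "account": c["target"],
                    "created_by": c["subject"],
                    "seconds_after_create": int(delta.total_seconds()),
                    # Account creation by a web-server process identity is a
                    # strong signal on its own (assumption: IIS app-pool naming).
                    "web_process_origin": c["subject"].upper().startswith("IIS APPPOOL"),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_new_admins(SAMPLE_EVENTS):
        print(alert)
```

In production logs the 4732 MemberName field is frequently "-" with only MemberSid populated, so resolve SIDs to names (or match on SID via the 4720 TargetSid) before correlating; in a domain, add 4728 and 4756 for global and universal groups. A 4720 whose subject is a web-server or service identity deserves an alert even without the group change.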

Ubiquiti UniFi OS command injection vulnerability actively exploited (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910)

The UniFi OS activity is best described as an exploit chain rather than three independent bugs. CVE-2026-34908 and CVE-2026-34909 enable bypassing the authentication gateway to access internal functionality, while CVE-2026-34910 is the command-injection component.

All three have been added to the CISA Known Exploited Vulnerabilities (KEV) Catalog. Ubiquiti has advised applying the fixed releases immediately per its vendor instructions. Organizations should review asset exposure, in particular ensuring that UniFi OS management interfaces reachable from the internet are patched or segmented from critical networks; a controller that manages network devices is a high-value foothold once the authentication gateway is bypassed. The elevated EPSS score and evidence of malware linkage indicate that exploitation is ongoing.

WinRAR path traversal vulnerabilities are actively exploited (CVE-2025-8088, CVE-2025-6218)

WinRAR, a widely used archiving tool, contains path traversal vulnerabilities tracked as CVE-2025-8088 and CVE-2025-6218. A specially crafted archive can write a file outside the directory the user chose for extraction, for example into a Windows Startup folder, so the attacker's code runs at the next logon without any further user action. CVE-2025-6218 is fixed in WinRAR 7.12 and CVE-2025-8088 in WinRAR 7.13; because WinRAR has no automatic update mechanism, older installs stay vulnerable until someone replaces them.

The vulnerabilities have been actively exploited in the wild, notably by the threat actor GhostShell in a cyber espionage campaign. This campaign targets Ukraine’s UAV ecosystem and defense sector through phishing, deploying a multi-stage malware framework that includes the GhostShell implant and Vidar v2 infostealer.

Organizations using WinRAR are advised to deploy the latest RARLAB release immediately. The vulnerabilities are listed in CISA's KEV database, which emphasizes the need for mitigation. Where a fixed version cannot be deployed, remove the product rather than leave a vulnerable copy installed. The ramifications of this exploitation are substantial, given the confirmed links to advanced persistent threat actors and the potential for severe disruption in affected sectors.
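The Zimbra mboximport flaw and both WinRAR CVEs share one mechanism: an archive entry whose name, once extracted, resolves to a location outside the directory the user or application chose. The following added example (not code from the original post, from Zimbra, or from RARLAB) classifies entry names the way an extraction routine or a mail-gateway scanner should: absolute paths, Windows drive and UNC prefixes, `..` segments that climb above the destination after normalisation, and NTFS alternate data stream syntax (`file.txt:stream`), which is checked with the same rules because a traversal string can be carried in the stream name on Windows. The entry names and the `/extract` destination are constructed for illustration; the ADS handling assumes the archive format preserves stream names, as RAR does on Windows.

```python
"""Flag archive entry names that would write outside the extraction directory.

Added example, not code from the original post. It inspects entry names only
(as listed from a ZIP, RAR or mboximport upload), so no archive library is
needed; the sample names below are constructed for illustration.
"""
import posixpath
import re

# Absolute Windows forms: a drive prefix ("C:\") or a UNC prefix ("\\server").
_ABS_WIN = re.compile(r"^(?:[A-Za-z]:|\\\\)")


def entry_escapes(name: str, dest: str = "/extract") -> bool:
    """Return True if extracting `name` under `dest` could land outside `dest`.

    Checks: absolute POSIX paths and Windows drive/UNC prefixes; '..' segments
    that climb above `dest` after normalisation; and NTFS alternate data stream
    syntax ("file.txt:stream"), where the stream part is checked with the same
    rules (assumption: the archive format preserves stream names, as RAR does).
    """
    if not name:
        return False
    if name.startswith("/") or _ABS_WIN.match(name):
        return True
    n = name.replace("\\", "/")  # let posixpath normalise Windows separators
    base, sep, stream = n.partition(":")
    if sep and stream and entry_escapes(stream, dest):
        return True  # traversal hidden in the ADS name
    if sep:
        n = base
    root = posixpath.normpath(dest)
    prefix = root if root.endswith("/") else root + "/"
    joined = posixpath.normpath(posixpath.join(root, n))
    return joined != root and not joined.startswith(prefix)


def scan_entries(names, dest: str = "/extract"):
    """Return the entry names that would escape `dest`, in listing order."""
    return [n for n in names if entry_escapes(n, dest)]


# Constructed entry names (illustrative, not taken from any real sample).
SAMPLE_ENTRIES = [
    "report.pdf",
    "docs/2026-q2/notes.txt",
    # Zimbra-style: climb out of the import directory into the web root.
    "docs/../../../opt/zimbra/jetty_base/webapps/zimbra/public/shell.jsp",
    # WinRAR-style: land in the per-user Startup folder.
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\x.lnk",
    # Same target carried in an alternate data stream name.
    "invoice.pdf:..\\..\\Start Menu\\Programs\\Startup\\run.exe",
    "C:\\Users\\Public\\payload.exe",
]

if __name__ == "__main__":
    for bad in scan_entries(SAMPLE_ENTRIES):
        print("BLOCK", bad)
```

The check is deliberately string-based so it can run on a listing produced by any tool; it does not follow symlinks, so an extractor that creates a symlink entry and then writes through it needs a separate check after each entry is written. On non-Windows filesystems `:` is a legal filename character, so the ADS rule will flag some legitimate names there; keep it when the archive will be opened on Windows.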

Cisco Unified Communications Manager SSRF vulnerability actively exploited (CVE-2026-20230)

CVE-2026-20230 is a critical server-side request forgery (SSRF) vulnerability in Cisco Unified Communications Manager that attackers can exploit to escalate privileges to root on affected devices. It stems from improper input validation of HTTP requests and is reachable on devices where the WebDialer service is enabled. That service is disabled by default, so confirming its state on each deployment is the first exposure check.

Cisco has issued a critical advisory highlighting the risks of privilege escalation to root. Active exploitation has been observed, with attackers attempting to exploit the vulnerability to write files and establish additional footholds. Organizations are advised to strictly follow Cisco’s mitigation guidelines and ensure patching is performed in compliance with CISA’s BOD 26-04. Given the vulnerability’s presence in the CISA KEV and its high exploit maturity, addressing this SSRF flaw is vital for protecting communication infrastructure from unauthorized manipulations and broader system breaches.

PTC Windchill and FlexPLM: RCE via deserialization under active exploitation (CVE-2026-12569)

CVE-2026-12569 affects PTC Windchill PDMLink and PTC FlexPLM and is characterized by improper input validation leading to deserialization of untrusted data. The flaw lets an unauthenticated attacker execute remote code by sending a specially crafted network request. The vulnerability impacts all CPS versions and releases prior to 11.0 M030, with a critical CVSS score of 9.8.

Active exploitation has been observed, and the issue is listed as a Known Exploited Vulnerability by CISA as of June 25, 2026. Organizations are urged to implement vendor-provided mitigations in accordance with CISA’s BOD 26-04 guidance. If mitigations are unfeasible, consider stopping the use of vulnerable products. The high exploit maturity makes timely intervention critical for security teams.

What Security Teams Should Prioritize

  • Begin with internet-facing Zimbra, SharePoint, CentreStack, and Triofox instances, given their value for initial access, file exposure, configuration theft, and persistence.
  • Assess and update Ubiquiti UniFi OS deployments immediately, and review exposed instances for unauthorized configuration changes, token access, session abuse, and device-management activity.
  • Push WinRAR fixes through endpoint management workflows, with priority for users who routinely handle external archives, including engineering, finance, procurement, legal, and defense-related teams.
  • Enhance monitoring of systems associated with Storm-2603, GhostShell, StrikeShark, and other active exploitation signals, focusing on suspicious file writes, new admin accounts, outbound connections, and post-exploitation tooling.
  • Enforce segmentation and strict access controls around network infrastructure so that a compromised edge or management device does not become a path into critical networks.

In a week where exploitation signals span collaboration platforms, network controllers, endpoint utilities, communications systems, and OT-adjacent tools, prioritization cannot be driven by vulnerability scores alone. Security teams need to understand where threat activity intersects with real exposure, reachable assets, business-critical systems, and existing controls.

SAFE CTEM brings these signals together by connecting threat intelligence, exposure validation, asset criticality, and business impact. This helps teams move beyond reactive patching and focus on remediation, where it reduces the most risk.

The real question is not simply, “What needs to be patched?” It is: Which assets are reachable, business-critical, exploitable, and insufficiently protected by compensating controls?