Introduction
This report is generated using Velma (Vulnerability Enhanced Learning Machine AI) – Rootshell’s exploit intelligence engine.
Velma focuses on one thing: understanding when vulnerabilities actually become a problem.
There’s no shortage of vulnerability data out there, and most of it is driven by static scores. But risk isn’t static. A vulnerability can sit there for months with little real-world relevance, then overnight become critical when exploit code is released or it starts being used in the wild.
Velma tracks that shift.
By analysing exploit availability, attacker activity, and how vulnerabilities are being used in real-world scenarios, Velma highlights what’s genuinely worth paying attention to – not just what’s highly scored, but what’s actually exploitable.
This report provides a current view of the threat landscape, prioritizing vulnerabilities that are actively being weaponised or realistically used in attack paths.
For most organizations, the challenge isn’t a lack of vulnerabilities – it’s knowing which ones actually matter.
Velma Threat Prioritization Matrix - April 26
| Priority | Threat | CVE | Likelihood | Impact | Exploit Maturity | Velma Risk Score |
|---|---|---|---|---|---|---|
| 1 | Next.js RCE (CVSS 10) | CVE-2025-55182 | Very High | Very High | High | 9.9 (Critical) |
| 2 | Flowise Code Injection RCE | CVE-2025-59528 | High | Very High | High | 9.8 (Critical) |
| 3 | Fortinet Pre-Auth RCE | CVE-2026-35616 | Very High | Very High | High | 9.8 (Critical) |
| 4 | Marimo Pre-Auth RCE | CVE-2026-39987 | High | Very High | High | 9.7 (Critical) |
| 5 | Adobe Acrobat Zero-Day RCE | CVE-2026-34621 | Very High | High | High | 9.6 (Critical) |
| 6 | Chrome Exploited Use-After-Free | CVE-2026-5281 | Very High | High | High | 9.5 (Critical) |
| 7 | Cisco ISE RCE Cluster | CVE-2026-20147 / 148 / 186 / 180 | High | Very High | High | 9.4 (Critical) |
| 8 | Apache ActiveMQ RCE | CVE-2026-34197 | High | Very High | Medium | 9.2 (Critical) |
| 9 | Quest KACE Auth Bypass | CVE-2025-32975 | High | High | High | 9.1 (Critical) |
| 10 | PaperCut Auth Bypass | CVE-2023-27351 | Very High | High | High | 9.0 (Critical) |
| 11 | Kentico Authenticated RCE | CVE-2025-2749 | Medium | High | Medium | 8.5 (High) |
| 12 | Cisco SD-WAN File Overwrite | CVE-2026-20122 | Medium | High | Medium | 8.3 (High) |
| 13 | Cisco SD-WAN Info Disclosure | CVE-2026-20133 | Medium | Medium | Medium | 7.9 (High) |
| 14 | NetScaler Memory Overread | CVE-2026-3055 | Medium | Medium | Medium | 7.5 (Medium) |
| 15 | SharePoint Spoofing (Exploited) | CVE-2026-32201 | Medium | Medium | High | 7.4 (Medium) |
| 16 | Zimbra XSS | CVE-2025-48700 | Medium | Medium | Medium | 7.2 (Medium) |
| 17 | JetBrains TeamCity Path Traversal | CVE-2024-27199 | Medium | Medium | Medium | 7.0 (Medium) |
| 18 | Legacy Excel RCE (Historical Exploit) | CVE-2009-0238 | Low | Medium | Low | 6.5 (Medium) |
Executive Summary
Velma assesses that multiple vulnerabilities in this dataset are actively exploited in the wild, with several enabling unauthenticated remote code execution across internet-facing systems.
Immediate Priorities:
- Patch or isolate externally exposed RCE vulnerabilities (Next.js, Fortinet, Adobe, Chrome)
- Secure identity and access control platforms (Cisco ISE, Quest, PaperCut)
- Reduce attack chain viability by addressing internal escalation paths (Cisco SD-WAN, Kentico)
Failure to act exposes the organisation to a high-probability attack path from initial access to full system and network compromise, including ransomware, data exfiltration, and operational disruption.
Velma Intelligence Assessment
🔴 Critical Risks
Next.js – Remote Code Execution (CVSS 10.0)
CVE-2025-55182
Velma Assessment:
- Likelihood: Very High
- Impact: Very High
Intelligence Insight:
A critical flaw in a modern web application stack that enables direct server-side code execution. It is increasingly used to gain initial access into cloud-native environments.
Business Impact:
- Full application and server compromise
- Cloud credential theft (metadata access)
- Rapid lateral movement across cloud workloads
Flowise – Code Injection / RCE
CVE-2025-59528
Velma Insight:
AI/LLM platforms are emerging high-value targets. This flaw allows execution of arbitrary JavaScript with full runtime privileges.
Fortinet – Pre-Authentication RCE
CVE-2026-35616
Velma Insight:
- No authentication required
- Direct exploitation of security infrastructure
👉 Historically, Fortinet flaws are rapidly weaponised and widely scanned.
Marimo – Pre-Auth RCE
CVE-2026-39987
Velma Insight:
Pre-authentication RCE means any exposed instance can be compromised immediately, with no credentials required.
Adobe Acrobat – Actively Exploited Zero-Day
CVE-2026-34621
Velma Insight:
- Delivered via malicious PDF files
- High success rate in phishing campaigns
Chrome – Use-After-Free Exploit
CVE-2026-5281
Velma Insight:
- Active exploitation confirmed
- User-driven attack vector at scale
Cisco ISE – Remote Code Execution Cluster
Multiple CVEs
Velma Insight:
Compromise of identity infrastructure breaks down trust across the entire network: every system that relies on ISE for authentication and policy is affected.
Apache ActiveMQ – Code Injection
CVE-2026-34197
Velma Insight:
Exploitable via JMX / management interfaces, enabling JVM-level execution.
Authentication Bypass Class (Quest KACE / PaperCut)
Velma Insight:
Authentication bypass vulnerabilities remain one of the most reliable real-world exploitation paths, often used in ransomware campaigns.
🟠 Velma Priority Group: High Risks
Kentico RCE / Cisco SD-WAN / Cisco API
Velma Insight:
These vulnerabilities enable:
- Post-auth compromise
- File manipulation
- Data access and persistence
👉 Particularly dangerous when combined with credential theft from initial access vectors
🟡 Velma Priority Group: Medium Risks
NetScaler / SharePoint / Zimbra / JetBrains / Legacy Excel
Velma Insight:
Primarily used for:
- Reconnaissance
- Session hijacking
- Attack chain support
Not typically critical on their own, but they increase the overall probability of a successful attack when chained with other vulnerabilities.
Velma Correlated Threat View
Velma identifies a multi-layered attack ecosystem:
- Initial Access: Chrome, Adobe, Fortinet, Next.js
- Execution: ActiveMQ, Flowise, Marimo
- Identity Compromise: Cisco ISE, Quest KACE, PaperCut
- Expansion: Cisco SD-WAN, Kentico
- Persistence & Data Access: Zimbra, SharePoint, NetScaler
Velma Composite Risk Posture
- Critical Risks: 10
- High Risks: 3
- Medium Risks: 5
Overall Assessment: 🔴 Critical (Active Exploitation Confirmed)