Introduction
This report is generated using Velma (Vulnerability Enhanced Learning Machine AI) – Rootshell’s exploit intelligence engine.
Velma focuses on one thing: understanding when vulnerabilities actually become a problem.
There’s no shortage of vulnerability data out there, and most of it is driven by static scores. But risk isn’t static. A vulnerability can sit there for months with little real-world relevance, then overnight become critical when exploit code is released or it starts being used in the wild.
Velma tracks that shift.
By analysing exploit availability, attacker activity, and how vulnerabilities are being used in real-world scenarios, Velma highlights what’s genuinely worth paying attention to – not just what’s highly scored, but what’s actually exploitable.
This report provides a current view of the threat landscape, prioritising vulnerabilities that are actively being weaponised or realistically used in attack paths.
For most organisations, the challenge isn’t a lack of vulnerabilities – it’s knowing which ones actually matter.
Velma Threat Prioritization Matrix - March 26
| Priority | Threat | CVE | Likelihood | Impact | Exploit Maturity | Velma Score |
|---|---|---|---|---|---|---|
| 1 | Veeam Backup RCE | CVE-2026-21666 / CVE-2026-21667 / CVE-2026-21708 | High | Very High | High | 9.8 |
| 2 | SolarWinds Web Help Desk | CVE-2025-26399 | High | Very High | High | 9.7 |
| 3 | SolarWinds Serv-U Chain | CVE-2025-40538 – CVE-2025-40541 | High | Very High | High | 9.6 |
| 4 | Chrome Exploit Chain | CVE-2026-3909 / CVE-2026-3910 | Very High | High | High | 9.4 |
| 5 | VMware Aria Ops (KEV) | CVE-2026-22719 | High | Very High | High | 9.3 |
| 6 | Ivanti Auth Bypass | CVE-2026-1603 | High | High | High | 9.0 |
| 7 | Cisco SD-WAN | CVE-2022-20775 | Medium | Very High | Medium | 8.6 |
| 8 | Veeam LPE | CVE-2026-21668 / CVE-2026-21672 | Medium | High | Medium | 8.4 |
| 9 | Cisco File Overwrite | CVE-2026-20122 | Medium | High | Medium | 8.2 |
| 10 | FileZen Injection | CVE-2026-25108 | Medium | High | Medium | 8.1 |
| 11 | Microsoft MSHTML | CVE-2026-21513 | Medium | High | Medium | 8.0 |
| 12 | VMware SSRF | CVE-2021-22054 | Medium | Medium | Medium | 7.5 |
| 13 | Apple Memory Corruption | CVE-2023-43000 | Medium | Medium | Medium | 7.3 |
| 14 | Cisco Info Disclosure | CVE-2026-20128 | Low | Medium | Low | 6.5 |
| 15 | Wing FTP | CVE-2025-47813 | Low | Low | Low | 5.8 |
Executive Summary
Velma identifies multiple high-confidence attack paths across commonly deployed technologies, with several vulnerabilities already being actively exploited or highly likely to be weaponised.
The most significant risks centre around:
- Remote code execution vulnerabilities in externally exposed or widely used platforms (SolarWinds, VMware, Chrome)
- Backup and recovery systems (Veeam), which remain a primary ransomware target
- Authentication bypass and endpoint management platforms (Ivanti), providing direct routes to privileged access
What stands out is not just the severity of individual vulnerabilities, but how they can be combined — enabling a progression from initial access through to full infrastructure compromise.
Immediate focus should be on:
- Prioritising vulnerabilities with confirmed or likely exploit activity
- Securing externally accessible services and user-driven entry points (browsers, web apps)
- Protecting backup infrastructure and core control systems
- Addressing authentication and privilege escalation pathways
Without this focus, organisations remain exposed to a clear and well-established attack chain — from entry point through to operational impact, including ransomware and data compromise.
Velma Intelligence Assessment
🔴 Critical Risks
Veeam Backup & Replication – RCE
Backup infrastructure remains a primary ransomware target. These vulnerabilities allow code execution directly on backup systems, removing recovery options and increasing impact significantly.
SolarWinds Web Help Desk – RCE
Deserialization vulnerabilities are consistently reliable and quickly weaponised, making this a strong initial access vector.
SolarWinds Serv-U – Exploit Chain
Multiple vulnerabilities combine to enable full system compromise, including admin account creation and root execution.
Chrome Exploit Chain
One of the highest likelihood entry points. Commonly used in phishing, malvertising, and watering hole attacks.
VMware Aria Operations (KEV)
Confirmed active exploitation in the wild with no authentication required.
Ivanti Endpoint Manager – Authentication Bypass
Endpoint management platforms provide centralised control, making exploitation particularly high impact.
🟠 High Risks
- Cisco SD-WAN privilege escalation
- Veeam file manipulation and persistence
- Cisco arbitrary file overwrite
- FileZen command injection
- Microsoft MSHTML security bypass (linked to APT activity)
🟡 Medium Risks
- VMware SSRF
- Apple web content processing
- Cisco information disclosure
- Wing FTP information leakage
Velma Correlated Threat View
Velma identifies a clear multi-stage attack pathway:
- Initial Access: Chrome, MSHTML, Ivanti
- Execution: SolarWinds, VMware, FileZen
- Escalation: Cisco SD-WAN, Veeam
- Impact: Backup compromise, infrastructure control, ransomware potential
Vulnerability Data (Full List)
Top Reported Known Exploitable Issues:
Chrome
CVE-2026-3909 / CVE-2026-3910 – Out-of-bounds write and sandbox escape vulnerabilities enabling remote code execution.
Cisco SD-WAN
CVE-2022-20775 – Privilege escalation via CLI enabling root command execution.
Cisco
CVE-2026-20128 – Information disclosure vulnerability
CVE-2026-20122 – Arbitrary file overwrite vulnerability
SolarWinds Web Help Desk
CVE-2025-26399 – Deserialization vulnerability enabling remote command execution
SolarWinds Serv-U
CVE-2025-40538–40541 – Multiple vulnerabilities enabling admin creation and root-level execution
VMware Aria Operations
CVE-2026-22719 – Command injection with active exploitation (CISA KEV)
VMware Workspace
CVE-2021-22054 – SSRF vulnerability
Ivanti Endpoint Manager
CVE-2026-1603 – Authentication bypass exposing credential data
Apple iOS / macOS
CVE-2023-43000 – Memory corruption via malicious web content
Veeam Backup & Replication
CVE-2026-21666 / 21667 / 21708 – Remote code execution
CVE-2026-21668 / 21672 – File manipulation and privilege escalation
FileZen
CVE-2026-25108 – Command injection vulnerability
Wing FTP
CVE-2025-47813 – Information disclosure via error messages
Microsoft MSHTML
CVE-2026-21513 – Security feature bypass linked to APT28 activity
