Executive Summary
Velma identifies multiple high-confidence attack paths across commonly deployed technologies, with several vulnerabilities already being actively exploited or highly likely to be weaponised.
The most significant risks centre around:
Remote code execution vulnerabilities in externally exposed or widely used platforms (SolarWinds, VMware, Chrome)
Backup and recovery systems (Veeam), which remain a primary ransomware target
Authentication bypass and endpoint management platforms (Ivanti), providing direct routes to privileged access
What stands out is not just the severity of individual vulnerabilities, but how they can be combined — enabling a progression from initial access through to full infrastructure compromise.
Immediate focus should be on:
Prioritising vulnerabilities with confirmed or likely exploit activity
Securing externally accessible services and user-driven entry points (browsers, web apps)
Protecting backup infrastructure and core control systems
Addressing authentication and privilege escalation pathways
Without this focus, organisations remain exposed to a clear and well-established attack chain — from entry point through to operational impact, including ransomware and data compromise.
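As an added example (not Velma's tooling and not data from the report itself), the following Python triage script applies the four focus areas above to a vulnerability list: it scores each CVE by the report's risk tier, cross-references a KEV-style feed for confirmed exploitation, weights externally reachable services and user-driven entry points, and gives extra weight to backup and management systems. The vulnerability rows and the feed are constructed from the page's own CVE list; the only KEV membership taken from the page is CVE-2026-22719, and the exposure, role, date and ransomware-flag values are placeholder assumptions an organisation would replace with its own asset data.

```python
"""Triage helper: rank a bulletin's CVEs by exploit evidence and exposure.

Added example for this page; it is not Velma's tooling. The rows and the
feed are constructed from the report's CVE list. Only the KEV membership
of CVE-2026-22719 comes from the page; exposure, role, dates and the
ransomware flag are placeholder assumptions.
"""
import json
from datetime import date

# Constructed rows: tier and stage follow the report's buckets and threat view.
# 'exposure' and 'role' are assumptions to be filled from an asset inventory.
VULNS = [
    {"cve": "CVE-2026-22719", "product": "VMware Aria Operations", "tier": "critical",
     "stage": "execution", "exposure": "external", "role": "management"},
    {"cve": "CVE-2026-21666", "product": "Veeam Backup & Replication", "tier": "critical",
     "stage": "escalation", "exposure": "internal", "role": "backup"},
    {"cve": "CVE-2026-1603", "product": "Ivanti Endpoint Manager", "tier": "critical",
     "stage": "initial_access", "exposure": "external", "role": "management"},
    {"cve": "CVE-2026-3909", "product": "Chrome", "tier": "critical",
     "stage": "initial_access", "exposure": "user", "role": "endpoint"},
    {"cve": "CVE-2022-20775", "product": "Cisco SD-WAN", "tier": "high",
     "stage": "escalation", "exposure": "internal", "role": "network"},
    {"cve": "CVE-2025-47813", "product": "Wing FTP", "tier": "medium",
     "stage": "execution", "exposure": "external", "role": "file_transfer"},
]

# Constructed feed in the shape of CISA's known_exploited_vulnerabilities.json
# (top-level "vulnerabilities" array; cveID, vendorProject, product, dateAdded,
# dueDate, knownRansomwareCampaignUse). Dates and the ransomware flag are invented.
KEV_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-2026-22719", "vendorProject": "VMware", "product": "Aria Operations",
     "dateAdded": "2026-03-01", "dueDate": "2026-03-22",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Base score per report tier; the other weights below are assumed policy values.
TIER_BASE = {"critical": 40, "high": 25, "medium": 10}


def load_kev(raw):
    """Index a KEV-style feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def score(vuln, kev, today):
    """Score one row; higher means patch sooner. Returns (score, reasons)."""
    s = TIER_BASE[vuln["tier"]]
    reasons = [f"tier={vuln['tier']}"]
    entry = kev.get(vuln["cve"])
    if entry:  # confirmed exploitation outranks any severity estimate
        s += 30
        reasons.append("in KEV")
        if entry.get("knownRansomwareCampaignUse") == "Known":
            s += 10
            reasons.append("ransomware use")
        if date.fromisoformat(entry["dueDate"]) < today:
            s += 5
            reasons.append("past KEV due date")
    if vuln["exposure"] == "external":
        s += 15
        reasons.append("externally reachable")
    elif vuln["exposure"] == "user":
        s += 10
        reasons.append("user-driven entry point")
    if vuln["role"] in ("backup", "management"):
        s += 10
        reasons.append(f"{vuln['role']} system")
    return s, reasons


def prioritise(vulns, kev, today_iso):
    """Return [(cve, score, reasons)] sorted by score desc, then CVE ID."""
    today = date.fromisoformat(today_iso)
    ranked = [(score(v, kev, today), v) for v in vulns]
    ranked.sort(key=lambda r: (-r[0][0], r[1]["cve"]))
    return [(v["cve"], sc, reasons) for (sc, reasons), v in ranked]


def chain_view(vulns):
    """Group CVEs by the report's attack stages, in kill-chain order."""
    order = ["initial_access", "execution", "escalation", "impact"]
    grouped = {stage: [] for stage in order}
    for v in vulns:
        grouped[v["stage"]].append(v["cve"])
    return grouped


if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    for cve, sc, reasons in prioritise(VULNS, kev, "2026-04-01"):
        print(f"{sc:3d} {cve:16s} {', '.join(reasons)}")
    print(chain_view(VULNS))
```

The KEV bonus is deliberately larger than the gap between tiers so that a confirmed-exploited High outranks an unexploited Critical; the "past KEV due date" reason surfaces items that a federal-style remediation deadline would already flag as overdue. Swap `KEV_JSON` for the real catalogue download and `VULNS` for an export from your scanner to use it against live data.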
Velma Intelligence Assessment
🔴 Critical Risks
Veeam Backup & Replication – RCE
Backup infrastructure remains a primary ransomware target. These vulnerabilities allow code execution directly on the backup server, letting an attacker delete or encrypt backups before deploying ransomware, which removes recovery options and increases impact significantly.
SolarWinds Web Help Desk – RCE
Deserialization vulnerabilities are consistently reliable and quickly weaponised, making this a strong initial access vector.
SolarWinds Serv-U – Exploit Chain
Multiple vulnerabilities combine to enable full system compromise, including admin account creation and root-level command execution.
Chrome Exploit Chain
One of the highest likelihood entry points. Commonly used in phishing, malvertising, and watering hole attacks.
VMware Aria Operations (KEV)
Confirmed active exploitation in the wild with no authentication required.
Ivanti Endpoint Manager – Authentication Bypass
Endpoint management platforms provide centralised control, making exploitation particularly high impact.
🟠 High Risks
Cisco SD-WAN privilege escalation
Veeam file manipulation and persistence
Cisco arbitrary file overwrite
FileZen command injection
Microsoft MSHTML security bypass (linked to APT activity)
🟡 Medium Risks
VMware SSRF
Apple web content processing
Cisco information disclosure
Wing FTP information leakage
Velma Correlated Threat View
Velma identifies a clear multi-stage attack pathway:
Initial Access: Chrome, MSHTML, Ivanti
Execution: SolarWinds, VMware, FileZen
Escalation: Cisco SD-WAN, Veeam
Impact: Backup compromise, infrastructure control, ransomware potential
Vulnerability Data (Full List)
Top Reported Known Exploitable Issues:
Chrome
CVE-2026-3909 / CVE-2026-3910 – Out-of-bounds write and sandbox escape vulnerabilities enabling remote code execution.
Cisco SD-WAN
CVE-2022-20775 – Privilege escalation via the CLI, giving an attacker who already has CLI access root-level command execution.
Cisco
CVE-2026-20128 – Information disclosure vulnerability
CVE-2026-20122 – Arbitrary file overwrite vulnerability
SolarWinds Web Help Desk
CVE-2025-26399 – Deserialization vulnerability enabling remote command execution
SolarWinds Serv-U
CVE-2025-40538, CVE-2025-40539, CVE-2025-40540 and CVE-2025-40541 – Multiple vulnerabilities that chain to enable admin account creation and root-level execution
VMware Aria Operations
CVE-2026-22719 – Command injection with active exploitation (CISA KEV)
VMware Workspace ONE UEM
CVE-2021-22054 – SSRF vulnerability
Ivanti Endpoint Manager
CVE-2026-1603 – Authentication bypass exposing credential data
Apple iOS / macOS
CVE-2023-43000 – Memory corruption via malicious web content
Veeam Backup & Replication
CVE-2026-21666 / CVE-2026-21667 / CVE-2026-21708 – Remote code execution
CVE-2026-21668 / CVE-2026-21672 – File manipulation and privilege escalation
FileZen
CVE-2026-25108 – Command injection vulnerability
Wing FTP
CVE-2025-47813 – Information disclosure via error messages
Microsoft MSHTML
CVE-2026-21513 – Security feature bypass linked to APT28 activity
