All news with #cisa kev tag

⚠️ CISA added two Android Framework vulnerabilities to the KEV Catalog: CVE-2025-48572 (privilege escalation) and CVE-2025-48633 (information disclosure). Both issues show evidence of active exploitation and pose significant risk to the federal enterprise. Under BOD 22-01, FCEB agencies must remediate cataloged vulnerabilities by their due dates; CISA strongly urges all organizations to prioritize timely patching and other mitigations.

⚠️ CISA has added an actively exploited cross-site scripting flaw, CVE-2021-26829, to its Known Exploited Vulnerabilities catalog after reports of operational abuse against OpenPLC ScadaBR. The XSS affects Windows 1.12.4 and Linux 0.9.1 via system_settings.shtm and was used to deface HMI pages and disable logs. Federal civilian agencies must remediate by December 19, 2025; operators should apply vendor fixes, change default credentials, enable logging and monitor for web-layer manipulation and outbound callbacks.

🔔 CISA has added CVE-2021-26829 — a cross-site scripting vulnerability in OpenPLC ScadaBR — to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation. Cross-site scripting is a frequent attack vector that can enable data theft, session hijacking, and unauthorized actions, posing significant risks to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies are required to remediate KEV-listed flaws by the specified due date; CISA also strongly urges all organizations to prioritize timely remediation. CISA will continue to update the catalog as new threats meet its criteria.

🔴 Oracle Identity Manager is affected by a critical unauthenticated remote code execution flaw, CVE-2025-61757, impacting versions 12.2.1.4.0 and 14.1.2.1.0. Disclosed by Searchlight Cyber on 20 November and reported by Oracle on 21 November, the bug was added to the CISA KEV catalog the same day. The issue resides in the REST WebServices component and carries a CVSS score of 9.8, enabling HTTP access to execute arbitrary code and potentially allowing full takeover. CISA urges immediate patching or isolation of affected services from the public internet.

🚨 CISA has added CVE-2025-61757, a pre-authentication remote code execution vulnerability in Oracle Identity Manager, to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by December 12 under BOD 22-01. The flaw, disclosed by Searchlight Cyber, abuses an authentication bypass in REST APIs by appending parameters such as ?WSDL or ;.wadl to URL paths, exposing a Groovy compilation endpoint. Researchers showed that Groovy's annotation-processing can execute code at compile time, enabling pre-auth RCE. Oracle released a fix on October 21, 2025; CISA warned the issue is being actively exploited.

🔒 CISA has ordered U.S. federal agencies to remediate a FortiWeb OS command injection vulnerability (CVE-2025-58034) within seven days after reports of active exploitation. Fortinet warns the flaw can allow an authenticated attacker to execute unauthorized code via crafted HTTP requests or CLI commands. The agency added the issue to its Known Exploited Vulnerabilities Catalog and set a November 25 deadline under BOD 22-01. CISA cited related zero-day activity (CVE-2025-64446) and recommended expedited fixes.

⚠️CISA has added CVE-2025-13223, a Google Chromium V8 type confusion vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. This class of flaw is a frequent attack vector and poses significant risk to the federal enterprise and other organizations using Chromium-based engines. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by the required due date; CISA strongly urges all organizations to prioritize timely patching and vulnerability management to reduce exposure.

⚠️ CISA has added CVE-2025-58034, a Fortinet FortiWeb OS command code injection vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The agency recommends a reduced remediation timeframe of one week due to recent and ongoing exploitation and points to BOD 23-02 for steps to limit exposure from internet-accessible management interfaces. Although BOD 22-01 applies to Federal Civilian Executive Branch agencies, CISA strongly urges all organizations to prioritize timely remediation and vulnerability management for KEV entries.

🔒 CISA has added CVE-2025-64446 — a Fortinet FortiWeb path traversal vulnerability — to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate cataloged CVEs by the required due date. CISA strongly urges all organizations to prioritize timely patching, apply available mitigations, and monitor for indicators of compromise. CISA will continue to add vulnerabilities that meet catalog criteria.

🔔CISA added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-9242 (WatchGuard Firebox out-of-bounds write), CVE-2025-12480 (Gladinet Triofox improper access control), and CVE-2025-62215 (Microsoft Windows race condition). Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by the required due dates. CISA urges all organizations to prioritize timely remediation and other mitigations to reduce exposure to active threats.

🔔 CISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-21042, an out-of-bounds write in Samsung mobile devices that CISA reports is being actively exploited. This class of flaw can enable code execution or device compromise and poses a significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate listed KEVs by required due dates. CISA strongly urges all organizations to prioritize timely remediation and to apply vendor updates and mitigations without delay.

⚠️ CISA warns that a critical remote command execution vulnerability, tracked as CVE-2025-48703, is being exploited in the wild against CentOS Web Panel (CWP). The flaw impacts all CWP versions before 0.9.8.1204 and allows unauthenticated attackers who know a valid username to inject shell commands via the file-manager changePerm t_total parameter. The vendor fixed the issue in 0.9.8.1205, and federal agencies have until Nov 25 under BOD 22-01 to remediate or stop using the product.

🚨 CISA added two vulnerabilities affecting Gladinet CentreStack/Triofox and Control Web Panel (CWP) to its Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation. CVE-2025-11371 (CVSS 7.5) can expose files or directories to external parties, while CVE-2025-48703 (CVSS 9.0) is an OS command injection enabling remote code execution via the t_total parameter. Huntress reported live reconnaissance activity against Gladinet, and Federal civilian agencies must remediate by November 25, 2025.

🔔 CISA added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-11371 affecting Gladinet CentreStack and Triofox (files or directories exposed to external parties), and CVE-2025-48703 affecting CWP Control Web Panel (OS command injection). These entries reflect evidence of active exploitation and elevated risk. CISA urges timely remediation under BOD 22-01 and recommends organizations prioritize patching, mitigations, and compensating controls.

🔒 CISA added two vulnerabilities to its Known Exploited Vulnerabilities Catalog affecting Dassault Systèmes DELMIA Apriso. The issues—CVE-2025-6204 (code injection) and CVE-2025-6205 (missing authorization)—have evidence of active exploitation and pose significant risk. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed CVEs by the required due dates. CISA strongly urges all organizations to prioritize timely remediation as part of routine vulnerability management.

🔔 CISA ordered U.S. federal agencies to urgently patch a critical, actively exploited Windows Server Update Services vulnerability (CVE-2025-59287) that enables unauthenticated remote code execution with SYSTEM privileges. Microsoft released out-of-band security updates after proof-of-concept exploit code appeared, and administrators are urged to install them immediately or disable the WSUS Server role as an interim mitigation. Security firms reported scanning and attacks against WSUS instances exposed on default ports 8530/8531, and CISA has added the flaw to its Known Exploited Vulnerabilities catalog, mandating federal patching under BOD 22-01.

⚠ Microsoft released an out-of-band security update (October 23, 2025) to remediate a critical Windows Server Update Service (WSUS) remote code execution vulnerability, CVE-2025-59287, after a prior fix proved incomplete. The flaw affects WSUS on Windows Server 2012, 2016, 2019, 2022, and 2025 and could allow an unauthenticated actor to execute code with SYSTEM privileges. CISA urges organizations to identify affected WSUS servers, apply the update and reboot, or temporarily disable the WSUS Server Role or block inbound TCP ports 8530/8531 as mitigations until the patch is installed.

🔔 CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation: CVE-2025-54236, affecting Adobe Commerce and Magento, and CVE-2025-59287, affecting Microsoft Windows Server Update Services (WSUS). The issues—an improper input validation flaw and a deserialization of untrusted data vulnerability—are common attack vectors that pose significant risk to enterprise networks. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate cataloged CVEs by required due dates, and CISA strongly urges all organizations to prioritize timely remediation as part of their vulnerability management.

⚠️ CISA has added a critical defect in Motex LANSCOPE Endpoint Manager to its Known Exploited Vulnerabilities catalog after observing active exploitation. Tracked as CVE-2025-61932 (CVSS v4: 9.3), the flaw affects on-premises Client program and Detection Agent components and allows arbitrary code execution via specially crafted packets. Motex released patches for multiple 9.3/9.4 builds, and federal agencies are advised to remediate by November 12, 2025.

🔒 CISA has confirmed active exploitation of CVE-2025-61884, an unauthenticated SSRF in the Oracle Configurator runtime, and added it to its Known Exploited Vulnerabilities catalog. Federal agencies are required to patch the issue by November 10, 2025. Oracle released a fix on October 11 rated 7.5 and BleepingComputer says the update blocks a leaked exploit tied to ShinyHunters and related extortion activity.