CISA Adds Six Actively Exploited Vulnerabilities to KEV Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog by adding six new vulnerabilities that are currently being exploited in the wild. This update includes five vulnerabilities announced on October 14, 2025, and one additional vulnerability added on October 15, 2025. The vulnerabilities affect a range of widely used products, including Microsoft Windows, Rapid7 Velociraptor, SKYSEA Client View, IGEL OS, and Adobe Experience Manager. Among the most critical is CVE-2025-24990, an elevation of privilege flaw in the Agere Modem driver bundled with all Windows releases, which allows local attackers to gain SYSTEM-level access through untrusted pointer dereference. Microsoft addressed this issue by removing the vulnerable driver in the October 2025 Patch Tuesday update, though this may impact dependent hardware. Another significant vulnerability is CVE-2025-54253, a code execution flaw in Adobe Experience Manager Forms, which has been confirmed as actively exploited and poses a substantial risk to federal and enterprise environments. The Rapid7 Velociraptor vulnerability (CVE-2025-6264) involves incorrect default permissions, potentially allowing unauthorized access or privilege escalation. SKYSEA Client View is affected by an improper authentication vulnerability (CVE-2016-7836), while IGEL OS faces a risk from the use of expired cryptographic keys (CVE-2025-47827). Additionally, Microsoft Windows is impacted by an improper access control vulnerability (CVE-2025-59230). CISA’s KEV Catalog serves as a critical resource for tracking vulnerabilities that are confirmed to be exploited in real-world attacks, and federal agencies are mandated under Binding Operational Directive (BOD) 22-01 to remediate these vulnerabilities by specified deadlines. CISA strongly encourages all organizations, not just federal agencies, to prioritize patching these vulnerabilities to reduce exposure to active cyber threats. The addition of these vulnerabilities underscores the ongoing risk posed by unpatched systems and the importance of timely remediation. CISA’s public alerts emphasize that these vulnerabilities are not theoretical and are being leveraged by malicious actors in current attack campaigns. The agency’s updates are based on evidence of active exploitation, highlighting the need for immediate action by security teams. Organizations are advised to consult the KEV Catalog regularly and integrate its findings into their vulnerability management processes. The removal of the Agere Modem driver by Microsoft demonstrates a decisive response to mitigate risk, though it may have operational impacts for some users. The inclusion of vulnerabilities across diverse platforms indicates that attackers are targeting a broad range of technologies. CISA’s ongoing updates to the KEV Catalog reflect its commitment to providing actionable intelligence to protect both federal and private sector networks. The agency’s guidance is clear: prompt remediation of known exploited vulnerabilities is essential to defend against active threats.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CISA sets November 4 deadline for federal remediation of six KEV flaws
For the six vulnerabilities added on October 14-15, 2025, CISA required U.S. federal civilian agencies to complete remediation by November 4, 2025. The agency also urged private-sector defenders to prioritize patching and mitigation.
CISA adds Adobe AEM Forms flaw to the KEV catalog
On October 15, 2025, CISA added one more known exploited vulnerability to the KEV catalog, identified in reporting as the Adobe Experience Manager Forms on JEE flaw. This brought the two-day total to six newly listed actively exploited vulnerabilities.
CISA adds five actively exploited vulnerabilities to the KEV catalog
On October 14, 2025, CISA added five known exploited vulnerabilities to its KEV catalog, covering Microsoft Windows, Rapid7 Velociraptor, SKYSEA Client View, and IGEL OS. The additions reflected confirmed real-world exploitation and triggered federal remediation requirements under BOD 22-01.
Adobe releases patch for AEM Forms on JEE zero-day CVE-2025-54253
Adobe issued advisory APSB25-82 and a patch for a critical unauthenticated remote code execution flaw in Adobe Experience Manager Forms on JEE. The vulnerability was described as a zero-day and had public proof-of-concept details available.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
CISA Adds Five Known Exploited Vulnerabilities to Catalog
cisa.gov
Open sourceU.S. CISA adds SKYSEA Client View, Rapid7 Velociraptor, Microsoft Windows, and IGEL OS flaws to its Known Exploited Vulnerabilities catalog
securityaffairs.com
Open sourceCISA Expands KEV Catalog with Six Actively Exploited Vulnerabilities
thecyberthrone.in
Open sourceCISA Adds One Known Exploited Vulnerability to Catalog
cisa.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA Adds Multiple Actively Exploited Vulnerabilities to Known Exploited Vulnerabilities Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog to include several new security flaws that have been actively exploited in the wild. The newly added vulnerabilities span a wide range of products and platforms, including GNU Bash, Smartbedded Meteobridge, Juniper ScreenOS, Jenkins, Samsung mobile devices, and several legacy products from Mozilla, Microsoft, Linux, and Oracle. Among the most notable is the GNU Bash command injection flaw (CVE-2014-6278), a Shellshock-related vulnerability that allows remote attackers to execute arbitrary code on affected Linux and Unix systems. Juniper ScreenOS is affected by an improper authentication vulnerability (CVE-2015-7755), which can grant attackers administrative access via TELNET or SSH. Jenkins is impacted by a remote code execution bug (CVE-2017-1000353) that enables unauthenticated attackers to bypass deserialization safeguards through crafted Java objects. The Smartbedded Meteobridge device is vulnerable to a command injection issue (CVE-2025-4008), allowing remote, unauthenticated users to execute root-level commands through its web interface. Samsung mobile devices are at risk due to an out-of-bounds write flaw (CVE-2025-21043) in libimagecodec.quram.so, which can be exploited remotely for arbitrary code execution. CISA also added vulnerabilities such as CVE-2010-3765 (Mozilla products), CVE-2010-3962 (Microsoft Internet Explorer), CVE-2011-3402 and CVE-2013-3918 (Microsoft Windows), CVE-2021-22555 (Linux Kernel), CVE-2021-43226 (Microsoft Windows), and CVE-2025-61882 (Oracle E-Business Suite), all of which have evidence of active exploitation. Federal agencies have been directed to remediate these vulnerabilities by a specified deadline to comply with Binding Operational Directive (BOD) 22-01, which mandates timely mitigation of known exploited vulnerabilities. The directive is designed to reduce significant risk to the federal enterprise by ensuring that actively exploited vulnerabilities are addressed promptly. While BOD 22-01 is mandatory for Federal Civilian Executive Branch agencies, CISA strongly encourages all organizations to prioritize remediation of KEV Catalog vulnerabilities as part of their vulnerability management programs. The addition of these vulnerabilities underscores the persistent threat posed by both legacy and modern software flaws, and highlights the importance of continuous monitoring and rapid response to newly discovered exploits. CISA’s ongoing updates to the KEV Catalog serve as a critical resource for organizations seeking to defend against active cyber threats. The agency’s alert emphasizes that these vulnerabilities are frequent attack vectors for malicious actors and pose significant risks if left unaddressed. Organizations are advised to consult the KEV Catalog regularly and implement recommended mitigations to protect their networks. The inclusion of both recent and older vulnerabilities in the catalog reflects the reality that unpatched legacy systems remain a significant target for attackers. CISA’s proactive approach aims to drive widespread remediation efforts across both public and private sectors. The agency will continue to update the KEV Catalog as new evidence of exploitation emerges, reinforcing the need for vigilance and timely patching in cybersecurity operations.
Mar 21, 2026
CISA Adds Multiple Actively Exploited Vulnerabilities to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog by adding seven high-impact vulnerabilities that are currently being exploited in the wild. This update includes critical flaws affecting Oracle E-Business Suite, Mozilla Firefox, Thunderbird, SeaMonkey, Microsoft Windows, Microsoft Internet Explorer, the Linux Kernel, and Microsoft Windows privilege escalation mechanisms. Among the most severe is CVE-2025-61882, a remotely exploitable vulnerability in Oracle E-Business Suite’s BI Publisher Integration, which allows unauthenticated attackers to compromise the Oracle Concurrent Processing component via HTTP. This flaw, rated CVSS 9.8, has been actively exploited in ransomware campaigns, notably by the Cl0p ransomware group, leading to data theft and potential remote code execution. Oracle responded by releasing an emergency patch for affected versions 12.2.3 through 12.2.14, and organizations are urged to apply this fix immediately and monitor for suspicious HTTP traffic targeting BI Publisher endpoints. Another addition, CVE-2010-3765, is a memory corruption vulnerability in Mozilla products, including Firefox, Thunderbird, and SeaMonkey, which can be exploited via JavaScript to execute arbitrary code. This flaw has been leveraged by the "Belmoo" malware in real-world attacks. Microsoft vulnerabilities added to the catalog include CVE-2011-3402, a TrueType font parsing flaw in the Windows kernel (win32k.sys) that enables remote code execution through malicious font files, and CVE-2010-3962, an uninitialized memory corruption issue in Internet Explorer. CVE-2013-3918, another Microsoft Windows vulnerability, was originally used in the 2009 Aurora attack and later repurposed by the EQUATION group to target government users in Afghanistan. The Linux Kernel vulnerability CVE-2021-22555, a heap out-of-bounds write, and CVE-2021-43226, a Windows privilege escalation flaw, are also included due to their active exploitation and potential for significant impact. CISA’s KEV catalog serves as a critical resource for organizations, highlighting vulnerabilities that require urgent attention due to their exploitation in real-world attacks. Federal agencies are mandated to address these vulnerabilities within a defined timeframe under Binding Operational Directive (BOD) 22-01. The inclusion of both recent and older vulnerabilities underscores the persistent risk posed by unpatched systems, as threat actors continue to exploit legacy flaws alongside newly discovered ones. Security experts emphasize the importance of immediate patching, robust monitoring, and comprehensive vulnerability management to mitigate the risks associated with these actively exploited vulnerabilities. The update reflects ongoing efforts by CISA to enhance the security posture of federal and enterprise environments by ensuring that known exploited vulnerabilities are promptly addressed. Organizations are advised to review the KEV catalog regularly, prioritize remediation of listed vulnerabilities, and implement additional security controls where patching is not immediately feasible. The addition of these vulnerabilities highlights the evolving threat landscape and the need for continuous vigilance against both new and longstanding security weaknesses. CISA’s proactive approach aims to reduce the attack surface and limit the opportunities for threat actors to compromise critical infrastructure. The agency’s guidance is particularly relevant for entities operating Oracle E-Business Suite, Microsoft products, and Linux systems, given the active exploitation of these platforms. The KEV catalog update serves as a call to action for all organizations to assess their exposure and take decisive steps to protect their assets from ongoing cyber threats.
Mar 21, 2026
CISA Adds Five Actively Exploited Vulnerabilities to the KEV Catalog
CISA added **five vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of **active exploitation**, urging organizations to prioritize remediation and reminding U.S. Federal Civilian Executive Branch (FCEB) agencies that **BOD 22-01** requires fixes by mandated due dates. The newly added KEVs are **CVE-2017-7921** (Hikvision improper authentication), **CVE-2021-22681** (Rockwell insufficiently protected credentials), and three Apple issues: **CVE-2021-30952** (integer overflow/wraparound), **CVE-2023-41974** (iOS/iPadOS use-after-free), and **CVE-2023-43000** (use-after-free affecting multiple Apple products). CISA emphasized that KEV-listed flaws are common attack vectors and represent elevated risk, even for non-federal organizations. CISA’s public *kev-data* repository reflects the same update, increasing the catalog count from **1531 to 1536** and recording a remediation **due date of 2026-03-26** for at least **CVE-2017-7921** (with required action to apply vendor mitigations or discontinue use if unavailable). Separately, Cisco Talos published a 2025 CVE retrospective that provides broader context on the growing volume of vulnerabilities and KEV additions, noting a year-over-year increase in KEVs and highlighting persistent exploitation of older CVEs; however, it does not add incident-specific details about the five newly listed KEVs beyond reinforcing the operational importance of patching and compensating controls for unpatchable systems.
Mar 26, 2026