CISA Adds Apple WebKit and Gladinet CentreStack Vulnerabilities to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-43529, a use-after-free vulnerability in Apple’s WebKit engine affecting multiple Apple products, and CVE-2025-14611, a hard-coded cryptographic vulnerability in Gladinet CentreStack and Triofox. These vulnerabilities have been identified as significant risks due to evidence of active exploitation, prompting CISA to require Federal Civilian Executive Branch agencies to remediate them by specified deadlines under Binding Operational Directive 22-01. CISA also strongly encourages all organizations, not just federal agencies, to prioritize remediation of these vulnerabilities to reduce exposure to cyberattacks.
Recent reports indicate that the Apple WebKit vulnerability (CVE-2025-43529) has been exploited in highly targeted attacks, likely involving nation-state actors and commercial spyware vendors, with a focus on high-value individuals. Apple and Google both released urgent security updates in response to these attacks, though details remain limited. The WebKit flaw allows attackers to trigger memory corruption through specially crafted web content, potentially leading to arbitrary code execution. The Gladinet CentreStack and Triofox vulnerability involves hard-coded cryptographic keys, which could be leveraged by attackers to compromise affected systems. Organizations are urged to apply available patches and follow CISA’s guidance to mitigate these threats.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Federal agencies ordered to remediate the two KEV flaws by Jan. 5
Under Binding Operational Directive 22-01, CISA required Federal Civilian Executive Branch agencies to remediate the newly added Apple and Gladinet vulnerabilities by 2026-01-05. CISA also strongly encouraged non-federal organizations to patch or mitigate the issues promptly.
CISA adds Apple WebKit and Gladinet flaws to KEV Catalog
CISA added CVE-2025-43529 in Apple WebKit and CVE-2025-14611 in Gladinet CentreStack and Triofox to its Known Exploited Vulnerabilities Catalog after evidence of active exploitation. The agency said the flaws pose significant risk and urged organizations to prioritize remediation.
Apple and Google release updates for exploited Apple WebKit flaw
Apple and Google released urgent security updates for CVE-2025-43529, a use-after-free vulnerability in Apple WebKit, after highly targeted attacks that were likely linked to nation-state actors or commercial spyware vendors. The flaw could allow arbitrary code execution on affected Apple products.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
CISA Warns of Gladinet CentreStack and Triofox Vulnerability Exploited in Attacks
cybersecuritynews.com
Open sourceCISA Adds Gladinet Crypto Flaw and Apple WebKit Zero-Days to KEV Catalog
thecyberthrone.in
Open sourceCISA Adds Two Known Exploited Vulnerabilities to Catalog
cisa.gov
Open sourceU.S. CISA adds Apple and Gladinet CentreStack and Triofox flaws to its Known Exploited Vulnerabilities catalog
securityaffairs.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA Flags Actively Exploited Vulnerabilities in SolarWinds Web Help Desk and Major Platforms
**CISA added multiple vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog**, triggering mandatory remediation timelines for U.S. federal civilian agencies. The newly listed issues include an actively exploited flaw in **SolarWinds Web Help Desk** (`CVE-2025-40536`) with an accelerated patch deadline, alongside additional KEV additions affecting **Apple** platforms (iOS, macOS, tvOS, watchOS, visionOS), **Microsoft** products, and **Notepad++**. Apple stated it was aware of reports the issue “may have been exploited in an extremely sophisticated attack against specific targeted individuals,” with **Google Threat Analysis Group** credited with discovery, underscoring continued targeting of high-value users via mobile/endpoint zero-days. Separate reporting highlighted the broader operational context driving these directives: **Microsoft’s February security update** addressed **59 vulnerabilities**, including **six zero-days under active exploitation**, reinforcing that exploit timelines are compressing and patching is increasingly a “defense sprint.” In parallel, CISA also moved to reduce systemic exposure at the perimeter by ordering agencies to **remove unsupported network edge devices** (e.g., firewalls/routers) within a year, reflecting concern that end-of-support infrastructure and rapidly weaponized vulnerabilities are converging into a persistent, high-impact federal risk.
Mar 21, 2026
CISA Adds WatchGuard Firebox, Microsoft Windows, and Gladinet Triofox Vulnerabilities to KEV Catalog
CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog to include three newly identified vulnerabilities: an out-of-bounds write in WatchGuard Firebox OS (`CVE-2025-9242`), a race condition in the Microsoft Windows kernel (`CVE-2025-62215`), and improper access control in Gladinet Triofox (`CVE-2025-12480`). These vulnerabilities have been added due to evidence of active exploitation, with risks ranging from remote code execution on network appliances to privilege escalation on Windows systems and unauthorized access to sensitive setup functions in Triofox. CISA emphasizes the critical nature of these flaws and urges immediate patching and mitigation to prevent exploitation. Federal Civilian Executive Branch (FCEB) agencies are mandated under Binding Operational Directive (BOD) 22-01 to remediate these vulnerabilities by the specified deadlines, but CISA also strongly recommends that all organizations prioritize addressing these issues as part of their vulnerability management programs. The addition of these CVEs to the KEV Catalog highlights their significance as attack vectors and the ongoing threat they pose to both government and private sector networks. Organizations should verify their exposure and apply all relevant security updates without delay.
Mar 21, 2026
CISA Expands KEV Catalog With Broad Wave of Actively Exploited Enterprise Flaws
CISA repeatedly expanded its **Known Exploited Vulnerabilities (KEV) Catalog** after confirming active exploitation across a wide range of products, including Apple platforms, Ivanti EPM and EPMM, SolarWinds Web Help Desk, Omnissa Workspace ONE, n8n, Google Chromium and Skia, Wing FTP Server, Zimbra, Cisco firewall management products, Langflow, Aqua Security Trivy, F5 BIG-IP, Fortinet FortiClient EMS, Microsoft Exchange, SharePoint, Windows, Defender, Adobe Acrobat/Reader, Apache ActiveMQ, Trend Micro Apex One, Palo Alto PAN-OS, and other enterprise software. Several entries were especially notable because they involved **remote code execution, code injection, deserialization, authentication bypass, privilege escalation, and supply-chain-style malicious code risks**, while CISA also highlighted active exploitation of older legacy Microsoft and Adobe flaws that remain dangerous on unpatched or end-of-life systems. Reporting tied some of the newly listed issues to concrete attack activity and elevated operational risk. Apple flaws added to KEV were reported as exploitable through malicious web content or apps and could lead to arbitrary code execution or kernel-level execution, while the critical Langflow bug `CVE-2025-34291` was described as enabling session hijacking, token theft, persistence, and possible full system compromise in AI workflow deployments; separate reporting said the Iranian threat actor **MuddyWater** used it for initial access. Trend Micro said it observed at least one attempted in-the-wild exploitation of its Apex One flaw, and coverage of Ivanti vulnerabilities warned that defenders should not rely solely on shared indicators of compromise. Under **Binding Operational Directive 22-01**, Federal Civilian Executive Branch agencies were ordered to remediate each KEV-listed flaw by assigned deadlines, and CISA urged all organizations to apply vendor fixes or mitigations immediately and discontinue affected products if no mitigation is available.
Jun 16, 2026