CISA Adds 5 KEVs: Apple Buffer Overflow, Code Injections Exploited

CISA Adds Five Actively Exploited Vulnerabilities to KEV Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) Catalog by adding five new vulnerabilities, each confirmed to be under active exploitation. This update highlights a critical risk to federal civilian executive branch (FCEB) agencies and strongly advises all organizations to prioritize immediate remediation. These types of vulnerabilities are frequently leveraged by malicious cyber actors as initial attack vectors, underscoring the urgency of patching.

According to CISA, the addition of these five CVEs to the KEV Catalog signifies that they pose significant risk, warranting urgent attention from security teams. The KEV Catalog serves as a definitive list of vulnerabilities that have been observed in real-world attacks, providing a clear directive for remediation efforts.

Technical Analysis of Newly Added KEVs

The latest additions to the KEV Catalog include critical vulnerabilities affecting widely used software and platforms:

• CVE-2025-31277 (Apple Multiple Products Buffer Overflow Vulnerability): This flaw affects various Apple products and is characterized as a buffer overflow. Such vulnerabilities can lead to arbitrary code execution or denial of service if successfully exploited, allowing attackers to compromise system integrity or availability.
• CVE-2025-32432 (Craft CMS Code Injection Vulnerability): A severe code injection vulnerability impacting Craft CMS. Code injection allows an attacker to execute arbitrary code on the server, potentially leading to full system compromise, data exfiltration, or the deployment of ransomware. Organizations utilizing Craft CMS should seek guidance on how to detect CVE-2025-32432 exploit attempts and apply patches immediately.
• CVE-2025-43510 (Apple Multiple Products Improper Locking Vulnerability): Another vulnerability affecting multiple Apple products, involving improper locking mechanisms. While specifics are limited, improper locking can lead to race conditions, enabling attackers to bypass security controls or achieve privilege escalation.
• CVE-2025-43520 (Apple Multiple Products Classic Buffer Overflow Vulnerability): Similar to CVE-2025-31277, this is a classic buffer overflow impacting Apple products. These flaws are often exploited for RCE by overwriting memory and redirecting execution flow.
• CVE-2025-54068 (Laravel Livewire Code Injection Vulnerability): This vulnerability affects Laravel Livewire, a full-stack framework for Laravel. Code injection in such a framework is highly dangerous, offering a direct path for attackers to execute malicious commands on the server. Organizations running Laravel Livewire should prioritize this fix to prevent full system compromise.

These vulnerabilities represent a diverse set of attack vectors, from memory corruption issues in operating systems and applications to direct code execution vulnerabilities in web content management systems and development frameworks. The common thread is their active exploitation in the wild, which elevates their risk profile significantly.

Actionable Recommendations for Remediation and Prevention

CISA’s Binding Operational Directive (BOD) 22-01 mandates FCEB agencies to remediate identified vulnerabilities in the KEV Catalog by specified due dates. While this directive specifically applies to federal entities, CISA strongly urges all organizations to adopt a similar proactive stance. The timely remediation of KEV Catalog vulnerabilities must be a top priority within any robust vulnerability management program.

Prioritizing Patching and Updates

• Immediate Patch Deployment: For all listed CVEs, apply available patches and updates from Apple, Craft CMS, and Laravel Livewire vendors without delay. Establish a rapid patching cycle for critical vulnerabilities, especially those with confirmed exploitation.
• Automated Scanning: Implement regular, automated vulnerability scanning across your infrastructure to identify unpatched systems. Integrate these scans with your SIEM for consolidated visibility.
• Asset Inventory: Maintain an accurate and up-to-date inventory of all software and hardware assets to ensure no vulnerable systems are overlooked during remediation efforts. This is crucial for managing the impact of vulnerabilities like the Apple multiple products buffer overflow patch.

Enhance Detection and Response Capabilities

• Network Monitoring: Deploy intrusion detection/prevention systems (IDS/IPS) to monitor for suspicious network activity indicative of exploitation attempts. Focus on egress traffic for signs of C2 communication or data exfiltration.
• Endpoint Detection and Response (EDR): Utilize EDR solutions to detect and respond to post-exploitation activities, such as unusual process execution, file modifications, or lateral movement within your environment.
• IoC Integration: Integrate any public or threat intelligence-derived Indicators of Compromise into your security tools to enhance detection capabilities for known attack TTPs.

Strengthen Security Posture

• Principle of Least Privilege: Implement the principle of least privilege for all users and services to limit the potential impact of a successful exploit.
• Network Segmentation: Segment networks to contain potential breaches and prevent attackers from easily moving between different parts of your infrastructure.
• Regular Backups: Implement a robust backup strategy and test restoration procedures regularly. This is a critical last line of defense against data loss due to successful attacks.

By adopting these recommendations, organizations can significantly reduce their attack surface and improve their resilience against actively exploited vulnerabilities, safeguarding their networks and data from malicious actors.