CISA’s latest update to the Known Exploited Vulnerabilities (KEV) Catalog adds three actively exploited flaws — a Linux kernel TOCTOU race condition, an Android Runtime issue, and a high‑impact Sitecore deserialization vulnerability — forcing organizations that track KEV and federal agencies under BOD 22‑01 to urgently reassess exposure and remediate according to accelerated timelines.

Background / Overview

CISA’s KEV Catalog is a policy‑backed, operational list of Common Vulnerabilities and Exposures (CVEs) that the agency has determined are being actively exploited in the wild. The catalog exists to focus scarce operational resources on vulnerabilities with reliable evidence of exploitation and available mitigations. Under Binding Operational Directive (BOD) 22‑01, Federal Civilian Executive Branch (FCEB) agencies must remediate cataloged CVEs within prescribed deadlines — typically two weeks for recent CVEs (2021 and later) and six months for older CVEs unless CISA specifies otherwise. This directive effectively turns threat intelligence into mandatory operational workstreams for federal agencies. On September 4, 2025, CISA added the following entries to the KEV Catalog: CVE‑2025‑38352 (Linux kernel TOCTOU race condition), CVE‑2025‑48543 (Android Runtime unspecified vulnerability), and CVE‑2025‑53690 (Sitecore multiple products — deserialization of untrusted data). The agency’s alert is concise but consequential: each entry is listed because of credible evidence of active exploitation.

Why KEV entries matter for enterprises and Windows admins

CISA’s KEV listings are aimed at federal agencies, but the operational reality is broader: private sector organizations and IT teams should treat KEV inclusions as high‑priority signals. Attackers routinely mix old and new exploits, and many KEV entries affect stacks that touch Windows infrastructure — for example, web servers, reverse proxies, load balancers, and identity stores that integrate with Windows domain services.
  • KEV entries reduce the signal‑to‑noise problem in vulnerability triage by highlighting exploited CVEs rather than every high‑scoring finding.
  • For organizations that cannot patch immediately, KEV items often require hard decisions: mitigation or isolation until a patch can be applied.
  • Windows administrators who manage hybrid environments (Windows servers, Linux appliances, Android devices used for mobile management, and .NET/ASP.NET web platforms such as Sitecore) should treat KEV additions as cross‑domain incidents requiring coordination across endpoint, server, and application teams.
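The triage loop described above (pull the KEV feed, decide what is in scope, work the deadline) is easy to script. The following is an added example, not CISA tooling: it assumes the input follows the layout of CISA's published KEV JSON feed (a top-level "vulnerabilities" list with cveID, vendorProject, product, dateAdded and dueDate fields), applies the BOD 22‑01 rule stated above (two weeks for 2021‑and‑later CVEs, six months for older ones) when the feed carries no explicit dueDate, and ranks entries so that products you actually run come first. The feed entries and the inventory are constructed for this example; the CVE-2019-XXXXX entry is a placeholder standing in for an older CVE.

```python
"""KEV triage helper (added example, not CISA's code).

Assumes the KEV JSON feed layout named in the lead-in. Sample entries below are
constructed; the 2019 entry uses a placeholder id to exercise the six-month rule.
"""
import json
from datetime import date, timedelta

# Constructed sample in the KEV feed layout; only the fields used here are present.
SAMPLE_FEED = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2025-38352", "vendorProject": "Linux", "product": "Kernel",
         "dateAdded": "2025-09-04", "dueDate": ""},
        {"cveID": "CVE-2025-48543", "vendorProject": "Android", "product": "Runtime",
         "dateAdded": "2025-09-04", "dueDate": ""},
        {"cveID": "CVE-2025-53690", "vendorProject": "Sitecore", "product": "Multiple Products",
         "dateAdded": "2025-09-04", "dueDate": ""},
        # Placeholder id, not a real CVE: exercises the pre-2021 six-month deadline.
        {"cveID": "CVE-2019-XXXXX", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
         "dateAdded": "2025-09-04", "dueDate": ""},
    ]
})


def cve_year(cve_id: str) -> int:
    """Year component of an id such as CVE-2025-38352."""
    prefix, year, _ = cve_id.split("-", 2)
    if prefix != "CVE":
        raise ValueError(f"not a CVE id: {cve_id}")
    return int(year)


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic with day clamping (Jan 31 + 1 month -> Feb 28/29)."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    last_day = (date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def bod_due_date(cve_id: str, date_added: date, explicit_due: str = "") -> date:
    """An explicit feed dueDate wins; otherwise apply the BOD 22-01 rule from the text."""
    if explicit_due:
        return date.fromisoformat(explicit_due)
    if cve_year(cve_id) >= 2021:
        return date_added + timedelta(days=14)
    return add_months(date_added, 6)


def triage(feed_json: str, inventory: set, today: date) -> list:
    """Rank KEV entries: in-scope (vendorProject, product) pairs first, then by due date."""
    rows = []
    for v in json.loads(feed_json)["vulnerabilities"]:
        added = date.fromisoformat(v["dateAdded"])
        due = bod_due_date(v["cveID"], added, v.get("dueDate", ""))
        rows.append({
            "cve": v["cveID"],
            "in_scope": (v["vendorProject"], v["product"]) in inventory,
            "due": due,
            "days_remaining": (due - today).days,
            "overdue": due < today,
        })
    rows.sort(key=lambda r: (not r["in_scope"], r["due"]))   # stable: feed order breaks ties
    return rows


if __name__ == "__main__":
    inventory = {("Linux", "Kernel"), ("Sitecore", "Multiple Products")}   # constructed
    for row in triage(SAMPLE_FEED, inventory, date(2025, 9, 10)):
        print(row)
```

The real feed normally populates dueDate, so the computed fallback only matters when you are working from an alert before the feed entry lands; the in-scope flag is where your asset inventory plugs in.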

Deep dive: CVE‑2025‑38352 — Linux kernel TOCTOU race condition

What it is

CVE‑2025‑38352 is a race condition in the Linux kernel related to POSIX CPU timers (posix‑cputimers). The vulnerability arises from a Time‑of‑Check Time‑of‑Use (TOCTOU) window between timer handling and timer deletion routines, where an exiting task may be reaped while concurrent timer deletion is in progress — enabling inconsistent internal state that can lead to kernel instability or privilege escalation. The fix applied in kernel trees adds an extra task exit‑state check to prevent this race. (wiz.io)
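The shape of the bug (a liveness check, a window, then a use that assumes the check still holds) is easier to see in a userspace model. The following is an added example, not kernel code and not the posix-cputimers fix itself: it generalises the case above to the generic check-then-use pattern. The Task and Timer objects, the reaper hook and the injected window callback are constructed for this example so the race can be triggered deterministically; the kernel's real data structures and locking are not reproduced. The "fixed" variant mirrors what the text says the patch does, moving the exit-state check inside the same critical section as the use.

```python
"""Userspace model of a check-then-use (TOCTOU) race (added example, not kernel code).

A timer-deletion path checks whether the owning task is still alive, then touches the
task's timer table; a concurrent exit path reaps the task in between. The window is
made deterministic with an injected callback so both outcomes can be asserted.
"""
import threading


class Task:
    """Constructed stand-in for a task with a timer table, not the kernel's task_struct."""

    def __init__(self):
        self.lock = threading.Lock()
        self.exiting = False
        self.timers = {}          # timer id -> armed flag

    def reap(self):
        """Exit path: mark the task gone and tear down its timer table."""
        with self.lock:
            self.exiting = True
            self.timers = None


def delete_timer_racy(task, timer_id, window=lambda: None):
    """Vulnerable shape: the liveness check and the use are not covered by one lock."""
    if task.exiting:              # time of check (unlocked)
        return "task-gone"
    window()                      # the exit path may run here
    with task.lock:
        del task.timers[timer_id]  # time of use: timers may already be None
    return "deleted"


def delete_timer_fixed(task, timer_id, window=lambda: None):
    """Hardened shape: re-check exit state under the lock that also protects the use."""
    window()                      # the exit path may still run first, harmlessly
    with task.lock:
        if task.exiting or task.timers is None:
            return "task-gone"    # check and use are now one atomic step
        del task.timers[timer_id]
    return "deleted"


def run(variant, reap_in_window=True):
    """Drive one variant; the window callback triggers the reaper when requested."""
    task = Task()
    task.timers[7] = True
    hook = task.reap if reap_in_window else (lambda: None)
    try:
        return variant(task, 7, window=hook)
    except TypeError:             # del on None: the stale-state use blew up
        return "crash"


if __name__ == "__main__":
    print("racy :", run(delete_timer_racy))    # crash
    print("fixed:", run(delete_timer_fixed))   # task-gone
```

In the kernel the consequence of the stale use is memory corruption rather than a Python exception, which is why the same pattern is a privilege-escalation primitive there and merely a crash here.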

Why it matters now

Kernel race conditions are attractive to attackers because they can be leveraged for local privilege escalation or to destabilize a host (denial‑of‑service). When such a flaw is present in kernels used by edge systems, cloud instances, container hosts, or Android device kernels, exploitation can become a practical pathway to escalate from an unprivileged process to system or root privileges. CISA’s KEV addition indicates evidence of real‑world exploitation or telemetry consistent with active abuse, which elevates the operational priority of this bug beyond a routine kernel patch. (cisa.gov, nvd.nist.gov, wiz.io, helpnetsecurity.com)

Deep dive: CVE‑2025‑48543 — Android Runtime unspecified vulnerability

Operational impact

Android Runtime (ART) vulnerabilities such as CVE‑2025‑48543 are significant because they can be leveraged by malicious applications to escape sandbox restrictions or escalate privileges, enabling access to data or capabilities that should be out of reach for third‑party apps. If an attacker can install or coerce installation of a malicious app — or exploit a preinstalled app with writeable attack surfaces — they may be able to pivot from a limited app context into a broader device compromise.

Vendor action and mitigation

  • Google shipped fixes in the September 2025 Android security update; OEMs and device makers are releasing platform updates or patches for affected models. Organizations should prioritize installing these patches for managed Android fleets. (helpnetsecurity.com)
  • Where immediate patching isn’t feasible, restrict app installation sources, enforce mobile‑device management (MDM) policies that block untrusted apps, and apply runtime app protections (e.g., app‑allowlists, privilege restriction profiles).
  • Monitor mobile threat intelligence feeds for Indicators of Compromise (IoCs) tied to the active exploitation described by vendors. CISA’s KEV listing implies exploitation telemetry exists but typically does not include exploit code or full technical details.

Deep dive: CVE‑2025‑53690 — Sitecore deserialization of untrusted data (ViewState)

Technical summary

CVE‑2025‑53690 is a deserialization (ViewState) vulnerability affecting multiple Sitecore products — including Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) — when deployments used a publicly known or sample ASP.NET machine key. Attackers who possess or can guess the machine key can craft malicious ViewState payloads that the application will deserialize, leading to remote code execution (RCE). The vulnerability was observed in active exploitation where attackers delivered ViewState payloads that achieved RCE and installed reconnaissance and post‑exploitation tools. (securityweek.com)

Track record and observed attacks

Mandiant was involved in incident response that disrupted the attack, and multiple security outlets reported that attackers exploited an exposed sample machine key in deployment guides dating back several years. The exploit chain focused on the /sitecore/blocked.aspx endpoint (a page that uses a hidden ViewState form) and used WeepSteel (or similarly named tooling) in post‑exploit stages to harvest configuration data and move laterally. Observers reported the attackers archived web application directories, staged open source tools for tunneling and remote access, and attempted credential theft and lateral escalation. Because incident responders interrupted the intrusions, the full scope of the campaign remains unknown, but the immediate danger is clear: internet‑facing Sitecore instances deployed with non‑unique machine keys were reliably exploitable. (securityweek.com, helpnetsecurity.com, wiz.io, cisa.gov; CISA alert “CISA Adds Three Known Exploited Vulnerabilities to Catalog”)
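Two checks follow directly from the technical summary and the observed attack chain above: confirm that no internet-facing instance is still running a known sample machineKey, and look back through IIS logs for POSTs to /sitecore/blocked.aspx. The following is an added example, not Sitecore's, Mandiant's or CISA's code. It assumes a standard ASP.NET web.config (`<system.web><machineKey ...>`) and IIS W3C logs with a `#Fields:` header; the web.config, the denylist entry and the log lines are constructed for this example, and the real leaked sample key is deliberately not reproduced (the denylist holds a labelled placeholder).

```python
"""Defensive checks for the Sitecore ViewState issue (added example, not vendor code).

1. audit_machine_key: flag a web.config whose machineKey is missing, matches a
   denylist of known sample keys, or uses a weak validation algorithm.
2. blocked_aspx_posts: surface POST requests to /sitecore/blocked.aspx in IIS W3C logs.
All inputs below are constructed for this example.
"""
import hashlib
import xml.etree.ElementTree as ET

# The denylist stores SHA-256 digests so the raw keys never need to live in this file.
# Single entry is a constructed placeholder, NOT the real exposed Sitecore sample key.
PLACEHOLDER_SAMPLE_KEY = "0123456789ABCDEF" * 8
KNOWN_SAMPLE_KEY_HASHES = {hashlib.sha256(PLACEHOLDER_SAMPLE_KEY.encode()).hexdigest()}
STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}

# Constructed web.config that reuses the placeholder key and a legacy validation algorithm.
SAMPLE_WEB_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{PLACEHOLDER_SAMPLE_KEY}" decryptionKey="{PLACEHOLDER_SAMPLE_KEY[:64]}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed IIS W3C log excerpt (user agents carry no spaces, as IIS writes them).
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-09-04 10:01:02 10.0.0.5 GET /sitecore/login - 443 203.0.113.10 Mozilla/5.0 200
2025-09-04 10:01:09 10.0.0.5 POST /sitecore/blocked.aspx - 443 203.0.113.10 Mozilla/5.0 200
2025-09-04 10:02:11 10.0.0.5 POST /sitecore/blocked.aspx - 443 203.0.113.10 Mozilla/5.0 500
2025-09-04 10:03:00 10.0.0.5 GET /sitecore/blocked.aspx - 443 198.51.100.7 Mozilla/5.0 200
"""


def audit_machine_key(web_config_xml: str) -> list:
    """Return findings for the machineKey element; an empty list means nothing flagged."""
    root = ET.fromstring(web_config_xml)
    node = root.find("./system.web/machineKey")
    if node is None:
        # Framework default is AutoGenerate,IsolateApps: per-server keys, fine only off a farm.
        return ["no explicit machineKey: confirm this is a single-server deployment"]
    findings = []
    for attr in ("validationKey", "decryptionKey"):
        value = node.get(attr, "AutoGenerate,IsolateApps")
        if "AutoGenerate" in value:
            continue
        if hashlib.sha256(value.encode()).hexdigest() in KNOWN_SAMPLE_KEY_HASHES:
            findings.append(f"{attr} matches a known sample key: rotate immediately")
    validation = node.get("validation", "HMACSHA256")
    if validation.upper() not in STRONG_VALIDATION:
        findings.append(f"validation={validation}: use HMACSHA256 or stronger")
    return findings


def blocked_aspx_posts(log_text: str) -> list:
    """Return POSTs to /sitecore/blocked.aspx from an IIS W3C log with a #Fields: header."""
    fields, hits = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("cs-method") == "POST" and rec.get("cs-uri-stem", "").lower() == "/sitecore/blocked.aspx":
            hits.append({"time": f"{rec['date']} {rec['time']}",
                         "client": rec.get("c-ip"), "status": rec.get("sc-status")})
    return hits


if __name__ == "__main__":
    print(audit_machine_key(SAMPLE_WEB_CONFIG))
    print(blocked_aspx_posts(SAMPLE_IIS_LOG))
```

A POST to this endpoint is a trigger for investigation rather than proof of compromise on its own; a hit on the key denylist, by contrast, is actionable by itself and the key should be rotated regardless of what the logs show.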