The addition of five new vulnerabilities to the Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) Catalog arrives at a pivotal moment for both enterprise and individual cybersecurity stakeholders. As the digital landscape expands and cybercriminal tactics evolve, the significance of quickly identifying and patching newly exploited vulnerabilities cannot be overstated. With this latest update, the KEV Catalog once again proves its vital role as a central hub for threat intelligence, shaping remediation strategies for organizations across every sector.
CISA’s decision to append the following vulnerabilities to its KEV Catalog is not arbitrary; each has been observed under active exploitation, posing demonstrable risk:
While this specific remediation mandate is legally binding only for FCEB agencies, CISA strongly encourages all organizations—public and private—to prioritize the timely remediation of KEV-listed vulnerabilities. The rationale is clear: cyber attackers routinely leverage known exploits as first-stage intrusions before escalating privileges, deploying malware, or exfiltrating data.
In practical terms, organizations should:
For Craft CMS, targeted exploitation has included both defacement campaigns and more sophisticated breaches aimed at stealing credentials or installing webshells for persistence.
These cases reinforce the rationale behind the KEV approach: by flagging vulnerabilities when they move from theoretical to practical exploitation, CISA provides organizations with actionable intelligence that goes far beyond “just patch everything.”
However, the community must remain vigilant to the limitations of even the best-curated catalogs. Timely intelligence-sharing, partnership between public and private sectors, and investment in automated patch management are essential pillars for maximal security.
CISA’s ongoing commitment to updating the KEV Catalog, alongside guidance from other trusted entities like the NVD and MITRE, creates a robust foundation. But it is incumbent on every IT leader, system administrator, and business owner to operationalize this intelligence—translating knowledge into action before malicious actors exploit the window of opportunity.
The path forward is clear. Organizations must combine technical diligence with operational agility, integrating threat intelligence, continuous monitoring, and automated patching. Only by doing so can we collectively shift the balance, making it increasingly difficult—and less rewarding—for cybercriminals to exploit known, patchable weaknesses.
In an era where the speed of patching often determines the fate of entire networks, staying informed—and acting on that information—may be the strongest defense of all.
Source: CISA CISA Adds Five Known Exploited Vulnerabilities to Catalog | CISA
A Closer Look at the Latest Additions
CISA’s decision to append the following vulnerabilities to its KEV Catalog is not arbitrary; each has been observed under active exploitation, posing demonstrable risk:- CVE-2021-32030: ASUS Routers Improper Authentication Vulnerability
- CVE-2023-39780: ASUS RT-AX55 Routers OS Command Injection Vulnerability
- CVE-2024-56145: Craft CMS Code Injection Vulnerability
- CVE-2025-3935: ConnectWise ScreenConnect Improper Authentication Vulnerability
- CVE-2025-35939: Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability
Dissecting Individual Vulnerabilities
ASUS Routers: A Repeat Target
The inclusion of two ASUS router vulnerabilities, CVE-2021-32030 and CVE-2023-39780, highlights a recurring trend in attacker focus. Routers, often the most exposed devices in a network, have long been targets due to their central role in managing data flow and authentication.- CVE-2021-32030 exploits improper authentication, allowing unauthenticated remote attackers to potentially access administrative functions. According to the National Vulnerability Database (NVD), this flaw arises due to incomplete validation during the login process—a critical oversight for any device responsible for network perimeter defense.
- CVE-2023-39780 centers on the RT-AX55 model and involves OS command injection. By exploiting unsanitized inputs, attackers can execute arbitrary commands, often with elevated privileges. Public exploit scripts and scanning activity have been observed, underlining the urgency of mitigation.
Craft CMS: The Business Web at Risk
Two of the latest KEV entries pertain to Craft CMS, a popular platform for building flexible enterprise websites.- CVE-2024-56145 denotes a code injection flaw, wherein crafted inputs can alter application execution. This could allow attackers to manipulate content, access sensitive data, or leverage trusted infrastructure for further attacks.
- CVE-2025-35939 involves external control of assumed-immutable web parameters, a class of vulnerability where attackers tamper with parameters thought to be static or secure. In Craft CMS, this might enable privilege escalation or bypass of access controls, depending on implementation details.
ConnectWise ScreenConnect: The Remote Administration Headache
Remote access tools are doubly dangerous when found vulnerable, as they offer attackers both a landing point and lateral mobility within compromised networks.- CVE-2025-3935 affects ConnectWise ScreenConnect with improper authentication weakness. Exploited in the wild, such flaws allow threat actors to establish persistent, undetected footholds in environments relying on this remote support product.
The Context: KEV Catalog and Binding Operational Directive 22-01
The significance of these vulnerabilities being added to the KEV Catalog stems from the authority and operational mandates attached to it. The KEV Catalog is not merely a list; it is a directive-guided resource under the auspices of CISA’s Binding Operational Directive 22-01 (BOD 22-01), “Reducing the Significant Risk of Known Exploited Vulnerabilities.” BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate cataloged vulnerabilities within defined timeframes, fortifying networks against active, known threats.While this specific remediation mandate is legally binding only for FCEB agencies, CISA strongly encourages all organizations—public and private—to prioritize the timely remediation of KEV-listed vulnerabilities. The rationale is clear: cyber attackers routinely leverage known exploits as first-stage intrusions before escalating privileges, deploying malware, or exfiltrating data.
How the KEV Catalog Shapes Enterprise Security Posture
The living nature of the KEV Catalog means it is continuously updated in response to new intelligence from security researchers, vendors, and incident response teams. By requiring prompt patching or mitigation of listed CVEs, CISA's directive forces agencies to operationalize vulnerability management rather than treat it as a theoretical practice.In practical terms, organizations should:
- Integrate the KEV Catalog into their existing vulnerability management workflows, automating detection, prioritization, and patching where possible.
- Monitor CISA and vendor advisories for fresh entries and associated mitigation recommendations.
- Test patches in non-production environments to ensure business continuity, especially when dealing with core infrastructure like routers or CMS platforms.
Notable Strengths: Why the KEV Catalog Matters
1. Evidence-Based, Not Theoretical
Unlike generic vulnerability databases that list all reported CVEs, the KEV Catalog restricts itself to actively exploited flaws. This focus ensures that organizations direct resources toward vulnerabilities that represent immediate, proven risk, rather than being overwhelmed by low-severity or proof-of-concept issues.2. Mandated Remediation and Accountability
By issuing BOD 22-01, CISA transformed vulnerability management from an aspirational goal into a concrete operational requirement—at least for FCEB agencies. This accountability drives up the overall security baseline and provides a model for other sectors to emulate.3. Agility and Timeliness
The rapid addition of newly-exploited vulnerabilities demonstrates an agile response to shifting threat patterns. In recent years, “zero-day” and “n-day” attacks have grown in frequency, with attackers exploiting vulnerabilities within hours of public disclosure. The KEV Catalog’s update cadence is designed to match this speed.4. Transparency and Collaboration
The Catalog is publicly accessible and updated with explicit CVE references, remediation guidance, and due dates for federal agencies. This transparency fosters greater collaboration between government, private industry, and the broader security research community.5. Demonstrated Real-World Impact
Empirical studies have shown that organizations adhering to KEV-based patching priorities experience fewer incidents involving publicly exploited vulnerabilities. CISA’s own reporting, along with independent assessments by cybersecurity consultancies, supports this claim.Critiques and Risks: The Challenges Ahead
While the KEV Catalog brings significant benefits, several challenges and potential risks warrant consideration.1. Scope Limitations: Not All Sectors Mandated
BOD 22-01 is enforceable only within FCEB agencies. Though advisories urge wider adoption, private organizations and other public sector entities (like state and local governments) may not prioritize KEV remediation to the same extent, leaving systemic gaps.2. Patch Management Complexities
Applying security patches isn’t always straightforward, especially for mission-critical systems with complex dependencies or outdated hardware/software. Hasty patching can introduce operational disruptions, particularly with networking equipment like ASUS routers or CMS backends that support e-commerce and core functions.3. Vendor Responsiveness and Support
For some vulnerabilities, especially those affecting older or obscure product lines, vendor-issued security updates may lag behind exploit activity. Organizations must sometimes rely on temporary workarounds, such as firewall rules or disabling vulnerable features, which may offer incomplete protection.4. Resource Constraints
For small and medium-sized businesses, the ability to monitor, prioritize, test, and remediate KEV entries at the pace of the catalog’s updates can outstrip available IT resources and expertise.5. The N-Day Dilemma
While the KEV Catalog is focused on actively exploited vulnerabilities, attackers often pivot quickly to “n-day” (recently patched but still widely unpatched) flaws. Organizations relying strictly on catalog entries may neglect patching vulnerabilities that are not yet listed but remain at high risk of exploitation.The Real-World Impact: Recent Trends and Exploitation
The active exploitation of the newly listed vulnerabilities has been corroborated by incident response teams and security researchers globally. For example, mass scanning for vulnerable ASUS routers has been documented in the days following the publication of proof-of-concept executables on security forums. Similarly, attacks against ConnectWise ScreenConnect have been observed chaining authentication bypass flaws to deploy ransomware payloads, as seen in recent open disclosure reports.For Craft CMS, targeted exploitation has included both defacement campaigns and more sophisticated breaches aimed at stealing credentials or installing webshells for persistence.
These cases reinforce the rationale behind the KEV approach: by flagging vulnerabilities when they move from theoretical to practical exploitation, CISA provides organizations with actionable intelligence that goes far beyond “just patch everything.”
Actionable Recommendations for Organizations
While the KEV Catalog is primarily designed for federal agencies, it should drive the security practices of every organization that values network resilience and data protection. Here are key steps to integrate the KEV intelligence into your vulnerability management practice:1. Subscribe to KEV Alerts
Monitor the official KEV Catalog for real-time updates. Complement official sources with industry feeds that provide patch advisories and exploitation trends relevant to your sector.2. Automate Vulnerability Scanning
Configure network and host-based vulnerability scanners to flag KEV-associated CVEs. Many enterprise scanning tools now integrate directly with KEV metadata, allowing for automated alerting and risk scoring.3. Prioritize Patch Management
Establish clear escalation processes for KEV-listed vulnerabilities. Ensure that both IT and business leadership understand the heightened risk associated with these flaws, allocating resources accordingly for urgent remediation.4. Harden Exposed Services
Where remediation (e.g., patching or firmware upgrades) is not feasible due to operational constraints, deploy compensating controls—such as restricting network access, enabling multi-factor authentication on administrative interfaces, and enhancing monitoring for suspicious activity.5. Exercise Incident Response Readiness
Given that exploitation may precede widespread disclosure, ensure your incident response teams are briefed on emerging KEV entries and ready to investigate unusual activity related to affected products.6. Participate in Information Sharing
Engage with sector-specific Information Sharing and Analysis Centers (ISACs), and provide anonymous feedback—as encouraged by CISA—to improve the relevance and responsiveness of vulnerability advisories.Sector-Specific Implications
For Government Agencies
Compliance with BOD 22-01 is non-negotiable, and the risks are compounded by the critical nature of systems involved. Agencies should allocate dedicated resources for continuous KEV monitoring and patching, conduct regular audits, and ensure supply-chain partners adhere to similar standards.For Private Enterprises
This catalog represents an opportunity to benchmark vulnerability management against the highest federal standards. Prioritizing KEV-listed flaws can materially reduce the likelihood of catastrophic breaches, regulatory fines, and reputational damage.For Home Users and SMBs
Routers and CMS platforms are frequently targeted entry points for home offices and small businesses. While resources may be limited, prioritizing vendor-supplied security updates for these products, disabling unnecessary remote access, and securing default credentials are crucial, first-step defenses.Looking Ahead: The Evolving Threat Landscape
As cyber threats advance in sophistication and speed, organizations must move from reactive to proactive security postures. The KEV Catalog represents a practical embodiment of this shift. It does not merely list possible vulnerabilities; it signals which holes are already being exploited outside laboratory environments.However, the community must remain vigilant to the limitations of even the best-curated catalogs. Timely intelligence-sharing, partnership between public and private sectors, and investment in automated patch management are essential pillars for maximal security.
CISA’s ongoing commitment to updating the KEV Catalog, alongside guidance from other trusted entities like the NVD and MITRE, creates a robust foundation. But it is incumbent on every IT leader, system administrator, and business owner to operationalize this intelligence—translating knowledge into action before malicious actors exploit the window of opportunity.
Conclusion
The latest additions to CISA’s Known Exploited Vulnerabilities Catalog serve as a clarion call: prioritize the vulnerabilities that are being actively used against real-world targets. While focused on the federal sector, the recommendations and intelligence within the KEV Catalog have universal applicability.The path forward is clear. Organizations must combine technical diligence with operational agility, integrating threat intelligence, continuous monitoring, and automated patching. Only by doing so can we collectively shift the balance, making it increasingly difficult—and less rewarding—for cybercriminals to exploit known, patchable weaknesses.
In an era where the speed of patching often determines the fate of entire networks, staying informed—and acting on that information—may be the strongest defense of all.
Source: CISA CISA Adds Five Known Exploited Vulnerabilities to Catalog | CISA
