CISA’s latest update places three long‑standing and newly discovered flaws squarely in the crosshairs of enterprise defenders, adding CVE‑2013‑3893 (Internet Explorer), CVE‑2007‑0671 (Microsoft Excel), and CVE‑2025‑8088 (WinRAR) to the agency’s Known Exploited Vulnerabilities (KEV) Catalog on August 12, 2025 — a move that forces federal agencies onto accelerated remediation timelines and raises the bar for private‑sector vulnerability management. (cisa.gov)

Background: why the KEV Catalog matters now

CISA’s KEV Catalog was created under Binding Operational Directive (BOD) 22‑01 to focus remediation resources on vulnerabilities that are demonstrably being used in real‑world attacks. The directive requires federal civilian executive branch (FCEB) agencies to remediate cataloged vulnerabilities on strict timelines and encourages all organizations to treat KEV entries as top priorities. The KEV only lists CVEs with (1) an assigned CVE ID, (2) reliable evidence of active exploitation, and (3) clear remediation guidance. (cisa.gov)
That policy focus is important because it shifts scarce operational effort away from theoretical high‑score CVEs and toward the smaller set of flaws attackers are actively exploiting. For organizations that manage mixed fleets of legacy and modern systems, the KEV list is a practical triage tool — but it can also create acute operational pain when older products are flagged and patches or mitigations are incomplete.

What CISA added on August 12, 2025

CISA’s alert dated August 12, 2025, lists three CVEs now treated as KEVs:
  • CVE‑2013‑3893 — Microsoft Internet Explorer Resource Management Errors (mshtml use‑after‑free). (cisa.gov)
  • CVE‑2007‑0671 — Microsoft Office Excel Remote Code Execution (malformed record vulnerability). (cisa.gov)
  • CVE‑2025‑8088 — RARLAB WinRAR Path Traversal (directory traversal / ADS exploitation). (cisa.gov)
Each entry meets CISA’s criteria for active exploitation and available remediation — the former based on telemetry and vendor reports, the latter through vendor patches or mitigation guidance in most cases. The presence of both decade‑old and recent CVEs in this single KEV update highlights a recurring theme: attackers mix old, effective techniques with new zero‑days to bypass defenses.

Deep dive: CVE‑2013‑3893 (Internet Explorer / mshtml)

What the vulnerability is

CVE‑2013‑3893 is a use‑after‑free vulnerability in Microsoft’s mshtml (Trident) rendering engine that can be triggered via crafted JavaScript and specially constructed content, allowing remote code execution in the context of the logged‑in user. The issue was originally disclosed in 2013 and addressed by Microsoft in MS13‑080, which documented the underlying memory corruption and published mitigations. (learn.microsoft.com, app.opencve.io)

Why it’s back in the spotlight

Although Internet Explorer usage has dropped precipitously over the years, mshtml is embedded in multiple legacy systems and third‑party products (including enterprise web applications, embedded viewers, and compatibility layers). CISA’s decision to add CVE‑2013‑3893 signals that threat actors have found practical attack paths — often via legacy integrations, email attachments, or weaponized documents — making the vulnerability relevant again despite its age. This is consistent with past targeted campaigns where older browser flaws saw renewed exploitation against unpatched or poorly isolated environments. (cisa.gov, app.opencve.io)

Mitigation and verification

Microsoft’s original guidance included a Fix‑It workaround and later patching in MS13‑080. Organizations still running IE‑dependent systems should review legacy browser usage, disable or block mshtml‑based components where feasible, and apply available OS and browser updates. For systems that cannot be patched immediately, isolation and application whitelisting remain critical compensating controls. The original Microsoft advisories remain authoritative for technical details. (learn.microsoft.com, app.opencve.io)

Deep dive: CVE‑2007‑0671 (Microsoft Excel)

What the vulnerability is

CVE‑2007‑0671 is a well‑known Excel vulnerability that allows remote code execution when Excel opens a specially crafted workbook. Microsoft documented it in Security Bulletin MS07‑015; at disclosure it was already being exploited in the wild. The flaw stems from malformed record parsing, enabling execution of attacker‑supplied code under the privileges of the user who opens the file. (learn.microsoft.com, nvd.nist.gov)

Why this matters in 2025

This CVE predates many modern defenses and persists in environments where legacy Office versions remain in use, particularly in government, industrial, or regulated sectors that are slower to upgrade. The addition to the KEV Catalog indicates renewed, observable exploitation — most likely via targeted email lures or malicious attachments — and therefore immediate risk for organizations that allow Office file ingestion without robust scanning, sandboxing, or user restrictions. (cisa.gov, learn.microsoft.com)

Mitigation and verification

MS07‑015 provides the historical patching guidance. Modern mitigations include disabling macros by default, restricting opening of legacy file formats, employing Office file sanitization and sandboxing, and using email gateway checks to block malicious attachments. Where unpatched Office versions persist, isolating machines that must run them is a practical interim control. NVD and Microsoft advisory records corroborate the technical nature and exploitability of this vulnerability. (learn.microsoft.com, nvd.nist.gov)

Deep dive: CVE‑2025‑8088 (WinRAR path traversal)

What the vulnerability is

CVE‑2025‑8088 is a newly publicized path traversal vulnerability, exploited through alternate data stream (ADS) entry names, affecting WinRAR components (WinRAR for Windows, UnRAR.dll). ESET researchers discovered the zero‑day in July 2025, documenting attacker usage that places malicious files into sensitive locations during extraction — including autorun paths — enabling persistence and payload execution. WinRAR released version 7.13 to address the issue; however, WinRAR does not implement auto‑update, so manual patching is required. (welivesecurity.com, tomshardware.com)

Evidence of exploitation

ESET’s analysis ties the flaw to active campaigns by the Russia‑linked group often tracked as RomCom (UNC2596/Storm‑0978), showing weaponized RAR archives used in spear‑phishing and targeted espionage. Independent reporting from industry outlets corroborates these findings and emphasizes the urgency because attackers were observed deploying backdoors via the exploit. These independent confirmations (ESET + major security press) satisfy CISA’s requirement for reliable evidence of active exploitation. (welivesecurity.com, techradar.com, tomshardware.com)

Mitigation and verification

RARLAB has published patched builds; users must manually update to WinRAR 7.13 or later and ensure any software bundles that rely on UnRAR.dll are likewise updated. Additional mitigations include treating incoming archives from untrusted sources with suspicion, inspecting RAR contents in sandboxes before extraction, and employing endpoint detection rules that flag abnormal autorun writes. ESET’s technical write‑up and contemporaneous reporting provide two independent verification points for both the vulnerability and exploitation. (welivesecurity.com, tomshardware.com)
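A pre‑extraction screen of the kind the sandbox step above implies, added here as an example and not code from ESET, RARLAB, or anyone in this thread. It works only on the entry names a listing tool reports, so it needs no RAR parser and generalizes to any archive format whose listing you can obtain; the sample listing, the destination directory, and the finding labels are all constructed. Each name is resolved to where a naive extractor would write it, and the entry is refused if it escapes the destination, carries an alternate data stream, or lands in a Startup folder.

```python
"""Pre-extraction screening of archive entry names (added example).

Only the entry names are inspected, never the archive bytes, so this runs on
any platform. Three findings are grounds to refuse extraction: an entry that
resolves outside the destination directory, an entry naming an alternate data
stream (a ':' after any drive letter), and an entry whose final location is a
Windows Startup folder.
"""
from pathlib import PureWindowsPath

# Substring of a resolved, lower-cased path that marks a Startup folder; both the
# per-user and the all-users Startup paths end with this.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def final_location(name: str, dest_dir: str) -> PureWindowsPath:
    """Where a naive extractor would write this entry, with '..' applied.

    Absolute entries (drive letter or leading backslash) ignore dest_dir, which
    is exactly why they are flagged separately.
    """
    entry = PureWindowsPath(name.replace("/", "\\"))
    out = [] if (entry.drive or entry.root) else list(PureWindowsPath(dest_dir).parts)
    for part in entry.parts:
        if part in ("", "."):
            continue
        if part == "..":
            if len(out) > 1:          # never pop the drive anchor itself
                out.pop()
            continue
        out.append(part)
    return PureWindowsPath(*out)


def _is_under(base: PureWindowsPath, path: PureWindowsPath) -> bool:
    """Case-insensitive prefix test on path components (Windows paths are case-insensitive)."""
    b = [p.lower() for p in base.parts]
    return [p.lower() for p in path.parts[: len(b)]] == b


def screen_entry(name: str, dest_dir: str) -> list[str]:
    """Return the sorted findings for one entry; an empty list means it is safe to write."""
    findings = set()
    raw = name.replace("/", "\\")
    entry = PureWindowsPath(raw)
    if entry.drive or entry.root:
        findings.add("absolute-path")
    # Anything after the drive specifier containing ':' names an alternate data stream.
    if ":" in raw[len(entry.drive):]:
        findings.add("alternate-data-stream")
    where = final_location(raw, dest_dir)
    if not _is_under(PureWindowsPath(dest_dir), where):
        findings.add("escapes-destination")
    if STARTUP_MARKER in str(where).lower():
        findings.add("autorun-location")
    return sorted(findings)


def screen_listing(names, dest_dir: str) -> dict[str, list[str]]:
    """Map each flagged entry name to its findings; an empty dict means extract freely."""
    report = {}
    for n in names:
        f = screen_entry(n, dest_dir)
        if f:
            report[n] = f
    return report


# Constructed listing: one benign entry and three shapes an untrusted archive should never carry.
SAMPLE_LISTING = [
    "docs\\report.pdf",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "C:\\Windows\\System32\\version.dll",
    "report.pdf:hidden.exe",
]

if __name__ == "__main__":
    dest = "C:\\Users\\alice\\Downloads\\extract"   # constructed destination directory
    for entry, why in screen_listing(SAMPLE_LISTING, dest).items():
        print(f"REFUSE {entry!r}: {', '.join(why)}")
```

Wire screen_listing into whatever produces the listing (the rar or unrar CLI, or a RAR library) and abort extraction on a non‑empty report. The ADS rule is deliberately blunt: an archive from an untrusted sender has no legitimate reason to carry stream names, so refusing all of them costs nothing.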

Operational impact: why mixed‑age CVEs are the hardest to fix

Organizations face three recurring operational challenges when KEV entries include both legacy and modern flaws:
  • Patch availability vs. deployment friction. Older products may have patches, but applying them risks breaking legacy workflows. Where patches are unavailable, removal or isolation is necessary. (cisa.gov)
  • Asset visibility. Many enterprises lack a complete inventory of systems that embed older components like mshtml or UnRAR.dll, making prioritization difficult without accurate asset data. (cisa.gov)
  • Human factors. Attackers exploit user behavior (opening attachments, extracting archives) that automated tooling alone may not prevent; training and policy enforcement are still necessary complements to technical controls.
Windows forum communities and IT teams have reacted quickly to KEV updates, trading remediation playbooks and patching experiences — a sign that operators are already triaging these entries across heterogeneous environments.

Practical remediation checklist (prioritized, tactical)

  • Inventory and identification
      • Map all systems that run legacy Internet Explorer components, older Office installations, and applications that bundle UnRAR.dll. Use EDR and software inventory tools to find deployed libraries and binary versions.
  • Apply vendor patches where available
      • WinRAR: manually update to version 7.13 or later.
      • Microsoft: ensure affected Windows and Office patches from MS13‑080 and MS07‑015 (historical advisories) are applied or mitigation controls are in place. (welivesecurity.com, learn.microsoft.com)
  • Isolate systems that cannot be patched immediately
      • Network segmentation, removal from sensitive networks, or staging behind strict proxies reduces exploitation risk while remediation is planned. (cisa.gov)
  • Apply temporary mitigations
      • Block or filter suspicious RAR attachments at mail gateways, disable legacy file handling in Office, and restrict or sandbox archive extraction on endpoints.
  • Enhance detection
      • Deploy YARA/EDR rules to flag unusual writes to autorun locations or extraction of ADS‑based filenames; tune IDS/endpoint telemetry to alert on mshtml crashes and odd Excel process behavior.
  • Communicate and document
      • Notify stakeholders, track remediation progress per BOD 22‑01 timelines (for federal entities), and log compensating controls for auditors. (cisa.gov)
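The inventory and detection steps of the checklist, worked as one added example that is neither CISA’s nor any forum member’s tooling. The inventory records, the Sysmon‑style file‑create events (Image, TargetFilename fields), the host names and the archiver process list are all constructed; the only value taken from the page is the 7.13 fix threshold. Versions are compared as integer tuples, which avoids the text‑sort trap where "7.9" sorts after "7.13".

```python
"""KEV triage over two data sets an admin normally already has (added example).

Inputs are constructed inline: a software-inventory export with version strings,
and endpoint file-create telemetry using Sysmon Event ID 11 style field names.
Output: hosts whose WinRAR is below the 7.13 fix, and file writes landing in a
Startup folder, rated highest when an archiver process did the writing.
"""
import re
from collections import defaultdict
from typing import Optional

WINRAR_FIXED = (7, 13)                    # first release the page cites as fixing CVE-2025-8088
ARCHIVERS = {"winrar.exe", "unrar.exe"}   # constructed list: archivers never legitimately write to Startup
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)

# Constructed inventory export (host, product, version string).
INVENTORY = [
    {"host": "ws-001", "product": "WinRAR", "version": "7.13"},
    {"host": "ws-002", "product": "WinRAR", "version": "7.01"},
    {"host": "ws-003", "product": "WinRAR", "version": "6.24"},
    {"host": "ws-004", "product": "Microsoft Office", "version": "16.0.18129"},
]

# Constructed file-create events (Sysmon Event ID 11 style fields).
EVENTS = [
    {"host": "ws-002", "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"host": "ws-001", "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\extract\report.pdf"},
    {"host": "ws-004", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Teams.lnk"},
]


def parse_version(text: str) -> tuple:
    """'7.01' -> (7, 1). Tuples compare numerically; as strings '7.9' would sort after '7.13'."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def outdated_winrar(records) -> list:
    """Hosts whose WinRAR inventory record is below the fixed version, sorted by host."""
    return sorted(r["host"] for r in records
                  if r["product"].lower() == "winrar"
                  and parse_version(r["version"]) < WINRAR_FIXED)


def classify_event(event) -> Optional[str]:
    """'high' for an archiver writing into Startup, 'review' for any other Startup write, else None."""
    if not STARTUP_RE.search(event["TargetFilename"]):
        return None
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    return "high" if image in ARCHIVERS else "review"


def triage(records, events) -> dict:
    """Per-host findings, combining the patch gap and the telemetry signal."""
    findings = defaultdict(list)
    for host in outdated_winrar(records):
        findings[host].append("winrar-below-7.13")
    for ev in events:
        level = classify_event(ev)
        if level:
            findings[ev["host"]].append(f"startup-write:{level}")
    return dict(findings)


if __name__ == "__main__":
    for host, items in sorted(triage(INVENTORY, EVENTS).items()):
        print(host, "->", ", ".join(items))
```

The "review" tier exists because users and installers do legitimately create Startup shortcuts; only the archiver‑driven tier is a confident signal for this flaw, and a host that appears in both lists (unpatched WinRAR and an archiver write to Startup) is the one to look at first.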

Risk analysis: strengths and weaknesses of CISA’s approach

  • Strengths: The KEV catalog’s laser focus on observed exploitation materially reduces the operational noise for defenders. By requiring concrete evidence before listing a CVE, CISA ensures urgency is reserved for real threats rather than hypothetical worst‑case issues. The KEV’s mandate and timelines have also driven better cross‑agency patching discipline. (cisa.gov)
  • Weaknesses and risks: The KEV can create acute resource pressure when it includes widely deployed legacy components, forcing rushed upgrades that may break critical services. There is also the perennial challenge of reactive bias: attackers often scan the KEV list and adapt, weaponizing unlisted but related flaws or chaining lower‑visibility CVEs with KEV entries. Finally, vendor patching behavior — especially for products without auto‑update (e.g., WinRAR) — can slow mitigation uptake. (welivesecurity.com, cisa.gov)

What organizations should prioritize now (strategic guidance)

  • Treat KEV entries as immediate priorities within your vulnerability management program and map them against critical business assets. Use the KEV Catalog as an input to your risk model, not the only input. (cisa.gov)
  • Build or maintain a precise software bill of materials (SBOM) and runtime inventory. Identifying where mshtml or UnRAR.dll are present is half the battle.
  • Automate patch orchestration and testing pipelines where possible. Manual updates (WinRAR) require endpoint coordination and communications to prevent stale installs.
  • Adopt layered defenses: network segmentation, email attachment sanitization, application allow‑listing, and robust EDR detection are all necessary to defend against both zero‑day exploitation and social engineering that triggers legacy bugs.
  • For organizations under BOD 22‑01, document remediation steps and reporting to comply with timelines. For others, adopt similar internal SLAs to reduce attack surface quickly. (cisa.gov)

Community response and operational anecdotes

Windows‑focused IT communities have already circulated practical mitigations and staging plans for these KEV additions. Forum threads show sysadmins exchanging scheduled jobs for mass WinRAR updates, creating Office sandboxing rules, and auditing mshtml dependencies in legacy web apps. This fast information‑sharing helps organizations avoid duplicated effort and exposes pitfalls (for example, third‑party tools bundling old UnRAR builds) that otherwise slow remediation.

Caveats and unverifiable areas

  • While CISA’s alert states these CVEs were added based on evidence of active exploitation, the publicly available technical details for some incidents (particularly targeted campaigns) may be incomplete due to confidentiality and ongoing investigations. Where public technical write‑ups exist (e.g., ESET for CVE‑2025‑8088), they corroborate exploitation; in other cases, attribution and full weaponization chains remain internal to incident responses. These gaps mean defenders should assume practical exploitable vectors exist even if complete exploit code is not public. (welivesecurity.com, cisa.gov)
  • Historic CVEs like CVE‑2007‑0671 and CVE‑2013‑3893 have long advisory trails; some published mitigations date back many years. However, their inclusion in KEV implies recent, observable exploitation — defenders should therefore treat them as high risk even if public exploit details are sparse. (learn.microsoft.com)

Conclusion: immediate actions that matter

CISA’s August 12, 2025 KEV update is a clear operational alarm: attackers continue to profit from both old and new vulnerabilities. The combination of CVE‑2007‑0671, CVE‑2013‑3893, and CVE‑2025‑8088 in a single KEV update underscores two immutable truths of cybersecurity — attackers will reuse reliable tools when they work, and defenders must prioritize practically exploitable flaws over theoretical severity scores.
The most effective immediate steps for Windows administrators and risk owners are straightforward: inventory affected components, deploy vendor patches (or implement isolation if patches aren’t possible), harden file‑handling and extraction workflows, and tune detection for the behaviors associated with these flaws. Organizations that move quickly and methodically will not only meet regulatory expectations where applicable, but will also blunt the operational impact of attackers who rely on predictable exploitation paths. (cisa.gov, welivesecurity.com)


Source: CISA, “CISA Adds Three Known Exploited Vulnerabilities to Catalog”