In a rapidly evolving threat landscape, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) continues its vigilant effort to safeguard the federal enterprise and private-sector organizations by maintaining a dynamic repository known as the Known Exploited Vulnerabilities (KEV) Catalog. This catalog acts as a critical reference point for IT administrators, security professionals, and executives—flagging vulnerabilities actively leveraged by threat actors and urging immediate defensive action. On its most recent update, CISA added six newly identified, actively exploited vulnerabilities to the catalog, marking another urgent call to shore up digital defenses across both public and private sectors.
Understanding the CISA KEV Catalog and Its Mandate
The CISA Known Exploited Vulnerabilities Catalog is not merely a static list but a living document, shaped by continuous intelligence gathering and incident analysis. Established as part of Binding Operational Directive (BOD) 22-01, the catalog embodies the federal government’s commitment to addressing vulnerabilities that present a significant risk to federal systems. Under this directive, Federal Civilian Executive Branch (FCEB) agencies are required to promptly remediate cataloged vulnerabilities within specified timeframes. While BOD 22-01’s legal mandate applies only to FCEB agencies, CISA strongly encourages all organizations to adopt the same urgency in mitigation, as the same attack vectors are frequently repurposed against private businesses, educational institutions, and state and local governments.
The catalog and its associated BOD serve several key purposes:
- Standardization and Prioritization: By highlighting vulnerabilities already weaponized in the wild, CISA helps organizations prioritize patching efforts, focusing on what’s most urgent.
- Intelligence Sharing: The catalog expeditiously disseminates actionable threat intelligence, ensuring defenders are forewarned about risks previously observed in real-world attacks.
- Compliance: For federal agencies, adherence is a matter of law—non-compliance is not an option—but for others, it’s a best practice that can dramatically reduce organizational risk.
Spotlight on the Latest Additions: May 2025
CISA's latest update—published on May 19—added six new vulnerabilities, each supported by public or private evidence of active exploitation. These flaws span a spectrum of technologies, from enterprise mobile management tools to email servers, collaboration platforms, and biometric time-keeping systems. Each presents unique exploitation vectors that cybercriminals currently exploit to facilitate unauthorized access, data exfiltration, and further lateral movement within victim networks.
The newly cataloged vulnerabilities are:
- CVE-2025-4427: Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability
- CVE-2025-4428: Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
- CVE-2024-11182: MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability
- CVE-2025-27920: Srimax Output Messenger Directory Traversal Vulnerability
- CVE-2024-27443: Synacor Zimbra Collaboration Suite (ZCS) XSS Vulnerability
- CVE-2023-38950: ZKTeco BioTime Path Traversal Vulnerability
Diving Deeper: Technical Dissection of New KEVs
Ivanti Endpoint Manager Mobile (EPMM): CVE-2025-4427 and CVE-2025-4428
Ivanti EPMM is widely deployed for mobile device management (MDM) in large enterprises and government agencies. Given its privileged role and access to sensitive enterprise infrastructure, EPMM vulnerabilities are particularly valuable to attackers.
- CVE-2025-4427 (Authentication Bypass): This flaw enables attackers to circumvent authentication checks, potentially allowing unauthorized access to underlying EPMM administrative functions. Exploitation might grant attackers the ability to alter configurations, enroll rogue devices, or exfiltrate sensitive administrative data.
- CVE-2025-4428 (Code Injection): Through improper input validation, attackers can inject and execute arbitrary code within the EPMM context. Such capability could enable full system compromise, persisting beyond simple account takeover and potentially allowing attackers to pivot deeper into organizational infrastructure.
MDaemon Email Server: CVE-2024-11182
MDaemon is a well-regarded mail transfer agent, especially popular with small and medium-sized organizations due to its ease of use and versatility. CVE-2024-11182 is a cross-site scripting (XSS) bug that could allow attackers to inject malicious scripts into the server’s web management interface. This vector is commonly exploited for session hijacking, credential theft, or spreading malware within an internal network. XSS vulnerabilities are known to act as gateways for more sophisticated attacks, particularly when chained with other flaws.
Recent reports from security researchers highlight that this bug is likely to be targeted in phishing campaigns and internal attacks. Verified exploit attempts have been tracked in the wild, with attackers leveraging the bug to steal administrator cookies and escalate their access.
Srimax Output Messenger: CVE-2025-27920
Srimax Output Messenger is a collaborative messaging tool used by businesses needing secure, real-time internal communication. CVE-2025-27920 is a directory traversal vulnerability—attackers can exploit this to read or potentially overwrite files outside the intended directory boundaries. In practical terms, this could expose sensitive configuration files, authentication tokens, or even permit the insertion of rogue scripts on servers if insufficiently contained.
Security bulletins and community advisories indicate that exploit code is straightforward, with threat actors actively seeking out exposed instances of Output Messenger for exploitation.
Synacor Zimbra Collaboration Suite (ZCS): CVE-2024-27443
Zimbra is ubiquitous among organizations seeking integrated email and groupware. CVE-2024-27443 is an XSS bug in the ZCS interface. This vulnerability, similar to the one affecting MDaemon, permits script injection by malicious users, potentially compromising email accounts and personal data if exploited. Notably, Zimbra has been a frequent target of both financially motivated attackers and nation-state threat actors, elevating the urgency for remediation.
Recent industry advisories and incident reports confirm that several Zimbra bugs have been favored in large-scale exploitation campaigns, making this entry especially significant.
ZKTeco BioTime: CVE-2023-38950
ZKTeco BioTime is a biometric time and attendance tracking system, deployed in countless organizations for workforce management. CVE-2023-38950 is a path traversal vulnerability. Exploiting this, adversaries could access files outside intended directories, including configuration or credentials not meant for public viewing. This can result in unauthorized access to personal identifying information (PII) and, in some cases, the manipulation of attendance records or system variables.
Multiple independent cybersecurity labs report demonstration exploits and confirm real-world attacks leveraging this flaw, heightening the call for urgent patching.
Assessing the Risks: Why These Vulnerabilities Matter
Threat Actor Motivations and Techniques
The cataloged vulnerabilities represent more than theoretical risks—they reflect attack techniques already in play across the digital landscape. Each KEV entry signals that at least one threat actor has successfully weaponized the flaw to circumvent network defenses. The motivations behind these attacks are diverse:
- Initial Access: Many of these bugs provide attackers with access points into sensitive enterprise systems.
- Privilege Escalation: Exploiting authentication bypass or code injection flaws often allows attackers to extend control beyond their initial foothold.
- Data Exfiltration/Manipulation: Mail server and messaging platform vulnerabilities can facilitate theft or alteration of vital business data.
- Lateral Movement: Attackers use compromised components to move laterally, seeking even higher-value targets within the same network.
Systemic Weakness & Supply Chain Exposure
Many of the affected products are foundational elements of business infrastructure. Identity management, messaging, email, and biometric attendance systems are critical for daily operations. A compromise here can cripple organizations by undermining trust and data integrity at their core.
For example, supply chain attacks leveraging MDM solutions such as Ivanti EPMM are of particular concern: successful compromise can allow attackers to inject malicious payloads into managed endpoints, circumvent controls, and persist undetected. Similar concerns over messaging and collaboration solutions point to the ongoing risk presented by centralized communications hubs.
The Problem with Unpatched Software
Despite the publication of timely vendor patches and advisories, patch adoption often lags, leaving windows of opportunity for attackers. In some high-profile incidents, attackers have exploited vulnerabilities mere days after public disclosure, before many organizations had the chance to patch, reinforcing the importance of rapid and prioritized remediation.
CISA's Remediation Deadlines: Urgency and Compliance
Federal agencies are bound by CISA's deadlines, often measured in weeks or even days from catalog publication. Non-compliance can result in official reprimands or even funding restrictions. For private sector organizations, these deadlines serve as strong guidance for risk-based prioritization, especially as attackers frequently seek out vulnerable, unpatched systems regardless of sector.
CISA’s workflow for adding vulnerabilities is rigorous: each entry reflects observed exploitation, technical confirmation, and often coordination with vendors. This ensures that organizations responding to catalog entries are drawn to genuine, not hypothetical, risk.
To remain compliant and secure, CISA recommends:
- Immediate Inventory Review: Organizations should maintain updated inventories of IT assets and map catalog bug exposure.
- Risk-Based Patch Prioritization: Focus first on vulnerabilities highlighted in CISA’s catalog and those for which active exploitation is confirmed.
- Automated Deployment: Where possible, use automated tools to push patches, reducing the time to remediation.
- Incident Response Planning: Prepare playbooks for responding to exploitation attempts, including isolating affected systems and collecting forensic evidence.
Strengths and Value of the KEV Catalog
The Known Exploited Vulnerabilities Catalog is widely regarded as one of the most influential, actionable resources for modern cyber defense:
- Up-to-date, Actionable Threat Intelligence: By focusing on flaws with proven exploitation, the catalog avoids overwhelming organizations with a list of all known vulnerabilities and instead emphasizes what truly matters now.
- Government-Led Leadership: The catalog represents a model of timely, credible, and actionable government involvement in public/private cybersecurity.
- Enhanced Sector Coordination: Encourages information sharing and coordinated incident response, which is vital in countering contemporary large-scale attacks.
Notable Limitations and Ongoing Challenges
While effective, the KEV Catalog and CISA’s directive-based approach are not without limitations:
- Lag Between Exploit and Catalog Inclusion: There is an inherent delay between the first observed exploitation and catalog listing, a period during which many organizations remain exposed. Attackers often exploit this gap.
- Dependency on Vendor Disclosure: Timely addition to the catalog depends on vendors or researchers reporting bugs promptly and providing fixes, which can be delayed by complexity or business priorities.
- Patch Management Challenges: Especially for legacy systems or highly customized software, patching may be neither quick nor risk-free, creating operational friction and sometimes forcing organizations to choose between security and uptime.
- Evolving Attack Techniques: Attackers often pivot to exploiting “lesser-known” vulnerabilities or chain bugs together to bypass defenses, which means the catalog, while critical, must be paired with fundamental security hygiene and monitoring.
- Awareness and Adoption Gaps: Despite CISA’s exhortations, a substantial portion of private sector and smaller organizations remain unaware or insufficiently resourced to act quickly on these alerts.
Strengthening Your Organization’s Security Posture
For Windows ecosystem professionals and IT teams, the appearance of widely used products in the KEV Catalog is a stark reminder: no software, no matter how central or scrupulously maintained, is immune from bugs and exploitation. The path forward involves a blend of foundational best practices and active threat intelligence consumption:
- Continuous Asset Management: Regularly audit systems and third-party components. Know exactly where vulnerable products are in your estate.
- Vulnerability Scanning & Automation: Leverage automated vulnerability assessments and patch management solutions that reference the KEV Catalog.
- Zero Trust Principles: Wherever feasible, implement least privilege, access segmentation, and continuous authentication to limit attack surface—and remain resilient even if individual systems are compromised.
- Incident Response Readiness: Test response playbooks with simulated attacks focused on cataloged bugs to ensure that teams can detect, respond, and recover with minimal impact.
- User Security Training: Many exploits capitalize on social engineering in conjunction with technical flaws—ensure users are prepared to identify and report suspicious activity.
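As an added illustration of the inventory-review and risk-based prioritization steps CISA recommends above, and of the "tooling that references the KEV Catalog" idea in the posture list, the script below is example code written for this article, not CISA's or any vendor's software. It cross-references a constructed asset inventory against a constructed excerpt shaped like the KEV JSON feed and orders exposed hosts by days remaining until their BOD 22-01 due date. The feed field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) are assumed to match the public feed and should be checked against a live download; the due dates, host names and vendor/product strings are placeholders, not CISA's actual deadlines.

```python
import json
from datetime import date

# Constructed feed excerpt shaped like the KEV JSON. Field names are an
# assumption about the public feed; the six CVEs are the May 19, 2025
# additions from the article, but the due dates are placeholders.
def _kev(cve, vendor, product, due):
    return {"cveID": cve, "vendorProject": vendor, "product": product,
            "dateAdded": "2025-05-19", "dueDate": due, "knownRansomwareCampaignUse": "Unknown"}

KEV_FEED = json.dumps({"vulnerabilities": [
    _kev("CVE-2025-4427", "Ivanti", "Endpoint Manager Mobile (EPMM)", "2025-05-26"),
    _kev("CVE-2025-4428", "Ivanti", "Endpoint Manager Mobile (EPMM)", "2025-05-26"),
    _kev("CVE-2024-11182", "MDaemon", "Email Server", "2025-06-09"),
    _kev("CVE-2025-27920", "Srimax", "Output Messenger", "2025-06-09"),
    _kev("CVE-2024-27443", "Synacor", "Zimbra Collaboration Suite (ZCS)", "2025-06-09"),
    _kev("CVE-2023-38950", "ZKTeco", "BioTime", "2025-06-09"),
]})

# Constructed asset inventory (hypothetical hosts). vendor/product are meant to
# match the feed's vendorProject/product; "remediated" lists CVEs already patched.
INVENTORY = [
    {"host": "mdm01", "vendor": "Ivanti", "product": "Endpoint Manager Mobile (EPMM)",
     "remediated": ["CVE-2025-4427"]},
    {"host": "mail01", "vendor": "MDaemon", "product": "Email Server", "remediated": []},
    {"host": "hr-time", "vendor": "ZKTeco", "product": "BioTime", "remediated": []},
    {"host": "wiki01", "vendor": "Atlassian", "product": "Confluence", "remediated": []},
]

def kev_exposure(feed_json, inventory, today_iso):
    """Map inventory hosts to unremediated KEV entries, most urgent first:
    fewest days until the BOD 22-01 due date (negative means overdue), then
    ransomware-linked entries, then CVE ID so the output order is stable."""
    today = date.fromisoformat(today_iso)
    by_product = {}
    for entry in json.loads(feed_json)["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        by_product.setdefault(key, []).append(entry)
    findings = []
    for asset in inventory:
        key = (asset["vendor"].lower(), asset["product"].lower())
        for entry in by_product.get(key, []):
            if entry["cveID"] in asset["remediated"]:
                continue  # already patched on this host
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            findings.append({"host": asset["host"], "cve": entry["cveID"],
                             "days_until_due": days_left,
                             "ransomware": entry["knownRansomwareCampaignUse"] == "Known"})
    findings.sort(key=lambda f: (f["days_until_due"], not f["ransomware"], f["cve"]))
    return findings

def sample_report(today_iso="2025-06-01"):
    return kev_exposure(KEV_FEED, INVENTORY, today_iso)
```

Hosts running products absent from the catalog (wiki01 here) produce no finding, and a host that has patched one CVE but not another on the same product (mdm01) is still reported for the outstanding one.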
Final Analysis: Clear Benefits, Ongoing Vigilance Needed
The CISA Known Exploited Vulnerabilities Catalog—anchored in BOD 22-01—has quickly become an indispensable part of the U.S. cyber-defense infrastructure. Its latest additions remind all defenders that high-value adversaries remain relentlessly opportunistic, exploiting both newly discovered bugs and long-known but unpatched flaws. While the catalog presents an invaluable playbook for focused remediation, it cannot substitute for defense-in-depth and a proactive, holistic approach to risk management.
For organizations across every sector—federal, corporate, and beyond—the take-home message is clear: treat CISA’s KEV updates not as optional advisories but as urgent, actionable intelligence. Swiftly patch, continuously monitor, and foster a culture of cybersecurity mindfulness. The attackers are already moving—waiting isn’t an option.
Source: CISA CISA Adds Six Known Exploited Vulnerabilities to Catalog | CISA