CISA KEV Update: Five New Exploited CVEs Across IoT, ICS, and Apple

CISA’s decision to add five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog is a timely reminder that attackers continue to leverage both legacy and modern flaws across widely deployed platforms, and that the federal and private sectors must treat remediation as an operational imperative rather than a checkbox exercise.

Background​

The Known Exploited Vulnerabilities (KEV) Catalog is a living list maintained under Binding Operational Directive BOD 22-01 to track CVEs for which there is evidence of active exploitation. The catalog exists to accelerate remediation across the Federal Civilian Executive Branch (FCEB) and to encourage organizations everywhere to prioritize fixes that adversaries are already weaponizing. In this latest update, CISA added five entries spanning legacy surveillance devices, industrial control systems, and multiple Apple platforms — a cross-section that illustrates how attackers target both long-lived embedded devices and consumer mobile ecosystems.
BOD 22-01 requires FCEB agencies to remediate KEV-listed vulnerabilities according to defined timelines. While the directive is formally limited to federal civilian agencies, the catalog’s practical value is universal: vulnerabilities added to KEV are high-probability, high-consequence targets for exploit campaigns, and ignoring them materially increases exposure.

---

What CISA added — a concise summary​

CISA’s newest KEV additions include the following vulnerabilities:

• CVE-2017-7921 — Hikvision multiple products: an improper authentication vulnerability affecting a range of Hikvision IP cameras and DVRs.
• CVE-2021-22681 — Rockwell multiple products: an issue categorized as insufficiently protected credentials / authentication bypass affecting Logix controllers and related Rockwell Automation products.
• CVE-2021-30952 — Apple multiple products: an integer overflow or wraparound issue addressed by Apple in prior updates.
• CVE-2023-41974 — Apple iOS and iPadOS: a use-after-free vulnerability that can enable code execution or privilege escalation in mobile devices.
• CVE-2023-43000 — Apple multiple products: a use-after-free flaw affecting Web content processing / Safari/WebKit components across Apple platforms.

Taken together, these entries reinforce two important trends: (1) legacy IoT and embedded devices remain attractive, low-effort targets for opportunistic actors, and (2) sophisticated exploitation of browser engines and mobile OS components continues to be a highly effective vector for remote compromise.

---

Why these additions matter​

The attacker’s calculus​

Attackers choose their targets by balancing ease and impact. A vulnerable IP camera or DVR with exposed management interfaces offers low-hanging fruit: scans are easy to automate and successful access often yields persistent footholds inside networks. Conversely, WebKit and mobile kernel flaws enable high-impact, silent compromises that can bypass MFA and evade detection — attractive to more capable adversaries seeking access to high-value individuals or corporate secrets.

Cross-domain reach​

The five CVEs highlight cross-domain exposure:

• Operational Technology (OT) / physical security — Hikvision cameras are often part of physical security, building management, and supply-chain installations. Compromise can yield surveillance, lateral access, or sabotage vectors.
• Industrial Control Systems (ICS) — Rockwell Automation’s Logix controllers underpin manufacturing and critical infrastructure; authentication bypasses on controllers are a direct risk to reliability and safety.
• Consumer and enterprise endpoints — Apple platform flaws affect billions of devices and are frequently used in targeted and commodity campaigns alike.

This mixture raises the stakes: an attacker combining footholds from an exposed camera or PLC with mobile-targeted exploits can mix tactics to escalate from initial access to broad lateral movement and data exfiltration.

---

Deep dive: the five vulnerabilities and practical implications​

CVE-2017-7921 — Hikvision improper authentication​

• What it is: An improper authentication or authentication bypass that allows unauthenticated attackers to access functionality intended only for authenticated users.
• Where it lives: Many Hikvision NVRs, DVRs, and IP camera firmware families; often present in devices still running long-lived firmware branches.
• Why it’s still relevant: Even though the CVE is several years old, many devices in the field remain unpatched or are running manufacturer-unsupported firmware. Public exploit patterns for this class of flaw often include simple HTTP-based bypasses or predictable credential workarounds, enabling mass compromise.
• Practical impact: Unauthorized access to camera feeds, firmware manipulation, command injection, lateral network reconnaissance, and persistent backdoors.
• Operational notes: Physical or network segmentation is commonly weak for surveillance infrastructure. Many organizations expose camera management interfaces to remote networks for convenience, dramatically increasing the risk.

CVE-2021-22681 — Rockwell insufficient protected credentials / auth bypass​

• What it is: An authentication or credential protection failure in Rockwell Automation Logix controller family and related products.
• Where it lives: Programmable logic controllers and other ICS components used in manufacturing, utilities, and process industries.
• Why it’s critical: ICS devices are high-value targets — successful exploitation can affect process stability, safety interlocks, and plant availability. The bar for impact is lower in OT environments because of the real-world consequences of downtime or manipulation.
• Practical impact: Unauthorized code upload to controllers, loss of process integrity, safety hazards, and long recovery windows.
• Operational notes: OT environments are frequently maintained by different teams with different patch cadences. Controller firmware updates are tested slowly, and many sites operate on the network perimeter in ways that inadvertently expose devices.

CVE-2021-30952 — Apple integer overflow / wraparound​

• What it is: An integer overflow or wraparound leading to memory corruption if untrusted input is not properly validated.
• Where it lives: Multiple Apple products and frameworks; often tied to image or document parsing libraries.
• Why it’s dangerous: Integer overflows can be abused to trigger out-of-bounds reads/writes and lead to remote code execution. They are frequently exploited via crafted web content, email attachments, or malicious media.
• Practical impact: Remote code execution, privilege escalation on macOS/iOS, browser or app sandbox escapes.
• Operational notes: Apple regularly ships security updates for such flaws; timely OS and browser updates dramatically reduce exposure.

CVE-2023-41974 and CVE-2023-43000 — Apple use-after-free vulnerabilities​

• What they are: Use-after-free memory errors where code attempts to use memory after it has been deallocated; both are associated with Web content processing or components used by browsers and system frameworks.
• Why they’re critical: Use-after-free issues in WebKit or system libraries often permit remote code execution purely via crafted web content or messages, making them high-value for targeted attackers and mass exploitation campaigns.
• Practical impact: Silent device compromise, persistent implants, bypass of isolation controls in browsers and apps, and exfiltration from mobile devices.
• Operational notes: Apple has addressed these via security updates; however, exploitation in the wild has been reported for similar classes of bugs, so organizations should treat these as high-priority remediation items.

---

BOD 22-01 — practical implications for agencies and organizations​

BOD 22-01 formalizes remediation priorities for the FCEB: when a CVE is added to the KEV Catalog, federal civilian agencies must remediate according to defined timelines. Practically, that means triage teams must rapidly translate a KEV entry into an actionable plan: identify affected assets, apply vendor patches or mitigations, verify remediation, and report compliance.
For non-federal organizations, BOD 22-01 has become a de facto playbook because:

• KEV entries represent actively exploited vectors; delaying remediation increases risk.
• Supplier and insurer risk models increasingly consider KEV remediation status when assessing cyber posture.
• Attackers do not respect jurisdictional boundaries — successful exploit campaigns targeting federal agencies are often adapted by financially motivated groups to attack private entities.

---

Assessing exploitability and operational risk​

When a vulnerability is added to KEV, CISA has determined there is evidence of exploitation. However, organizations must evaluate exploitability in their own environments by asking:

• Do we have exposed instances of the affected product (public IPs, exposed management ports, or external services)?
• Are the specific versions in use vulnerable (firmware/software versions, patched or not)?
• Can the vulnerability be exploited remotely, or does exploitation require local access or user interaction?
• What compensating controls exist (network segmentation, EDR, strict access controls, allowlisting)?
• What is the blast radius — how many assets or systems would be affected if exploited?

Apply a simple risk score that weights exposure, detectability, and impact. Prioritize fixes where exposure is high, mitigation options are limited, and impact is severe.

---

Tactical remediation and containment: an action plan​

The following steps provide a practical remediation path tailored to KEV events:

• Inventory: Immediately identify assets running affected versions. Use network discovery, firmware inventories, MDM reports for mobile fleets, and asset management tools for OT.
• Prioritize: Rank assets by business criticality, connectivity to sensitive networks, and ability to be patched without operational disruption.
• Patch urgently: Where vendor patches are available, schedule accelerated deployments. For mobile OS/browser updates, push managed updates through MDM or require upgrades for corporate devices.
• Compensating controls: If patching is delayed or impossible, implement compensations:
• Network segmentation and access control lists to isolate vulnerable devices.
• Restrict management interfaces to trusted networks or jump boxes.
• Block or monitor known exploit patterns at perimeter devices and proxies.
• Detection and hunting: Use telemetry to search for indicators of exploitation:
• Unusual outbound connections from cameras, controllers, or endpoints.
• New or unexpected firmware changes on IoT devices.
• Suspicious WebKit or kernel crashes on Apple devices, followed by abnormal behavior.
• Logging and monitoring: Ensure device logs are centralized and retained for incident response; for OT, capture engineering protocol telemetry where possible.
• Incident response readiness: Pre-stage playbooks that include steps for isolating affected assets, forensics, and communication procedures (internal and regulatory).
• Vendor engagement: Ask suppliers for firmware images, mitigation guidance, and long-term remediation roadmaps. For devices nearing end-of-life, plan for replacement.

---

Detection guidance — what to look for​

• For Hikvision and similar IP camera exploits:
• Unexpected configuration changes or new admin users.
• Authentication bypass attempts: repeated unusual parameters in HTTP headers or base64-encoded authentication tokens.
• Outbound connections to suspicious domains originating from camera subnets.
• For Rockwell/ICS exploits:
• Unexpected ladder-logic uploads or firmware pushes to controllers.
• Abnormal command sequences or control setpoint changes.
• Increased engineering station authentication attempts or anomalous traffic on industrial protocols.
• For Apple WebKit/iOS exploits:
• Increased crashes related to WebKit or kernel memory management.
• Exploit chains often start with a benign-looking web page or crafted media file; unusual web hits or attachments preceding device compromise are red flags.
• Post-exploit behavior: unrecognized processes, steep battery drain, or new network exfiltration patterns.

Note: Detection for zero-day and public exploits can be difficult; robust EDR, centralized logging, and behavioral baselines make detection far more likely.

---

The challenge of legacy and unmanaged devices​

Legacy devices — particularly surveillance cameras and field controllers — are commonly overlooked in vulnerability management. They are often:

• Embedded with vendor-frozen firmware versions that receive little or no ongoing security support.
• Managed outside central IT visibility, by facilities teams or third-party integrators.
• Deployed in topologies that make patching risky or disruptive to operations.

To reduce exposure, organizations should:

• Move these devices into segmented VLANs with strict egress/ingress rules.
• Implement device inventory and lifecycle policies that limit procurement of unsupported devices.
• Treat physical security devices as first-class assets in cybersecurity programs.

---

Practical constraints and remediation friction​

Several real-world constraints complicate rapid remediation:

• Patch validation and downtime: In OT/ICS, firmware updates may require extended maintenance windows and extensive validation to avoid process disruption.
• Device replacement costs: Replacing entire fleets of cameras or controllers is expensive and slow.
• Supply chain opacity: For third-party-managed devices or integrator-installed systems, the organization may not directly control patching timelines.
• User behavior: For consumer-managed Apple devices, obtaining timely updates from end users (BYOD) remains a chronic challenge.

Address these constraints with cross-functional planning: bring facilities, OT engineers, procurement, and security teams together before crises force ad hoc decisions.

---

Prioritization framework for security leaders​

When KEV entries are published, security leaders should use a concise prioritization framework:

• Exposure + Exploitability: Are vulnerable assets reachable by the Internet or by common user behavior?
• Impact: Could exploitation cause operational, safety, reputational, or regulatory harm?
• Replaceability: Can the asset be patched or must it be replaced?
• Detection likelihood: How readily can exploitation be detected with current tooling?
• Cost of remediation vs. cost of compromise: Consider likely recovery costs, potential regulatory penalties, and operational disruption.

This framework enables rational trade-offs during resource-constrained remediation campaigns and helps justify emergency patch windows to business owners.

---

Vendor disclosure, transparency, and the role of public advisories​

CISA’s KEV updates rely on public advisories, vendor reports, and private threat intelligence to determine exploitation status. This process works best when vendors are transparent about which product versions are affected and when mitigation guidance is clear.
However, challenges persist:

• Vendors may underreport the breadth of affected versions.
• OEMs for embedded devices often do not maintain long-term advisories for older firmware.
• Some exploit evidence is sensitive or classified, preventing full public disclosure of exploit details.

Security teams should press vendors for clear, actionable guidance and maintain copies of vendor advisories and firmware images for auditing and forensics.

---

Insurance, compliance, and regulatory downstream effects​

Many cyber insurance policies now ask whether organizations track and remediate KEV-listed vulnerabilities. Failure to remediate known exploited CVEs — especially after a KEV listing — can affect coverage decisions, claims, and post-incident liability.
Similarly, regulators and auditors are increasingly viewing KEV adherence as part of due diligence. Documented remediation plans, proof of patch deployment, and compensating controls are essential artifacts during post-incident reviews or compliance assessments.

---

What organizations should do next — a checklist​

• Immediately confirm whether any of the five CVEs affect your environment by querying inventories and MDM/asset databases.
• For affected Apple fleets: ensure MDM policies force OS and Safari/WebKit updates and block devices that cannot be upgraded.
• For Hikvision and other IoT: isolate camera management interfaces, close unnecessary ports, and block outbound traffic from device subnets unless explicitly required.
• For Rockwell and ICS: coordinate with engineering to apply vendor-recommended fixes; if not possible, isolate controllers and monitor for anomalous control activity.
• Update incident response playbooks to reflect exploitation scenarios associated with these CVEs.
• Document remediation evidence (scans, patch deployment logs, configuration changes) to support audit and insurance claims.

---

Strengths and limitations of CISA’s KEV approach — critical analysis​

CISA’s KEV Catalog provides an indispensable prioritization signal that is broadly useful across government and private sectors. Its strengths include:

• Focus on active exploitation, which helps cut through noise of theoretical risk models.
• Clear operational signal for asset owners and security operations teams to accelerate remediation.
• Support for cross-sector awareness of emergent campaigns.

But KEV is not a panacea. Limitations include:

• KEV listings typically do not include granular exploit indicators or full technical details (often for operational security reasons), which means defenders must complement the listing with vendor advisories and threat intelligence to craft response plans.
• The catalog can grow rapidly, creating triage fatigue when dozens or hundreds of vulnerabilities are added in short windows; organizations still need ways to prioritize within the KEV set.
• Timelines in BOD 22-01 can be difficult to meet for OT environments and legacy devices, highlighting a gap between policy and operational realities.

Security programs must therefore treat KEV as a high-fidelity input into a broader vulnerability management pipeline, not as the sole arbiter of priority.

---

Final assessment and recommendations​

CISA’s addition of these five vulnerabilities to the KEV Catalog underscores the continuing diversity of attacker targets: from networked cameras and industrial controllers to the mobile devices we carry every day. Security teams should adopt a posture of urgency without panic:

• Act quickly to inventory and patch, but maintain operational control and clear test/rollback plans for fragile systems.
• Use segmentation and compensating controls aggressively where patching is infeasible.
• Strengthen device lifecycle and procurement policies to avoid long-term exposure from unsupported gear.
• Coordinate with vendors, integrators, and service providers to gain visibility into managed devices and to secure firmware pipelines.
• Incorporate KEV monitoring into routine security governance so that high-risk, actively exploited CVEs drive resource allocation and executive reporting.

Treat KEV entries as high-probability threats: the cost of ignoring them can be measured in operational downtime, regulatory scrutiny, or breached data. By blending rapid tactical response with medium-term infrastructure modernization and vendor accountability, organizations can reduce their attack surface and better defend against the opportunistic and highly targeted campaigns that KEV seeks to track.
In short: this KEV update should catalyze immediate action — not merely add another item to a long to-do list.

---

Source: CISA CISA Adds Five Known Exploited Vulnerabilities to Catalog | CISA