CISA Updates KEV Catalog with Critical Exploited Vulnerabilities - What Organizations Must Know

Security professionals are once again on high alert as the Cybersecurity and Infrastructure Security Agency (CISA) updates its Known Exploited Vulnerabilities (KEV) Catalog with three newly observed threat vectors. This evolving catalog remains at the core of the federal government’s defense strategy, but its critical lessons echo far beyond just public institutions—private enterprises, managed service providers, and software developers all share a vested interest in understanding and responding to these rapidly surfacing risks.

The Anatomy of a Growing Threat List​

CISA’s KEV Catalog is by no means a passive repository. Born out of Binding Operational Directive (BOD) 22-01, the catalog functions as a living list of CVEs (Common Vulnerabilities and Exposures) that have been actively exploited in the wild. In line with CISA’s directive, all Federal Civilian Executive Branch (FCEB) agencies are required to remediate listed vulnerabilities according to a defined timeline. However, CISA strongly advises organizations across every sector to prioritize mitigation just as aggressively.
The July 28, 2025, update adds three acute threats:

• CVE-2025-20281: Cisco Identity Services Engine Injection Vulnerability
• CVE-2025-20337: Cisco Identity Services Engine Injection Vulnerability
• CVE-2023-2533: PaperCut NG/MF Cross-Site Request Forgery (CSRF) Vulnerability

Each vulnerability, currently confirmed as actively exploited, represents a direct path for malicious actors to compromise systems, exfiltrate data, or gain control over critical assets.

Dissecting the Latest Additions​

Double Injection Danger: Cisco Identity Services Engine​

The Cisco Identity Services Engine (ISE) forms the authentication and policy backbone of thousands of enterprise networks, centralizing user access, device onboarding, and security compliance. The listing of two new injection-based vulnerabilities, CVE-2025-20281 and CVE-2025-20337, is especially alarming.

What Makes These Flaws Notable?​

• Injection vectors commonly allow attackers to manipulate underlying commands or queries—think SQL, LDAP, or command injection—potentially granting unauthorized access or privilege escalation.
• ISE’s critical role in enforcing network security means that a successful exploit goes far beyond data theft. Attackers could disable access policies, disrupt multi-factor authentication flows, or even pivot laterally across trusted environment segments.
• Both CVEs have been verified as actively exploited, not merely theoretical. This significantly raises their profile compared to vulnerabilities spotted through internal testing alone.

Technical Analysis and Response​

According to Cisco’s advisories and corroborated by CISA, these vulnerabilities stem from improper input handling in certain ISE web interfaces. Attackers able to send crafted requests may achieve remote code execution or inject malicious logic. Cisco has released advisories and patches addressing the specific input validation flaws. Administrators are strongly urged to audit which ISE management interfaces are exposed and apply the latest security updates without delay.

Potential Impact​

The potential blast radius is considerable:

• Compromised authentication policies and network segmentation
• Elevated persistence for threat actors
• Difficult detection and forensics due to ISE’s privileged roles

Unpatched ISE deployments could yield a catastrophic loss of organizational network control.

PaperCut’s Persistent Pains: CSRF in Print Management​

CVE-2023-2533 shines a spotlight on PaperCut NG/MF—one of the world’s most widely deployed print and copy management solutions. Used everywhere from schools to Fortune 500 companies, PaperCut’s operational centrality makes it irresistible to threat actors.

Breaking Down the CSRF Flaw​

A Cross-Site Request Forgery (CSRF) attack tricks authenticated users into submitting malicious requests, usually by clicking a seeded link or visiting a booby-trapped page. Here’s why this is problematic:

• Attackers can exploit legitimate administrative user sessions to change configurations, add or remove print rules, or even create new privileged accounts.
• With PaperCut commonly deployed alongside sensitive directories and authentication systems (including Windows Active Directory), a single exploited CSRF can lead to rapid compromise of broader IT environments.
• This specific CVE has been leveraged in the wild, with attacks traced back to campaigns targeting educational and government organizations as early as 2023.

PaperCut issued security updates and mitigation guidance promptly, but as with many enterprise applications, lagging patch management continues to plague some deployments.

Lessons from the KEV Catalog: Why Timely Response Is Non-Negotiable​

The BOD 22-01 Mandate​

Binding Operational Directive 22-01, established by CISA in 2021, formalizes a risk-driven approach to patch management for federal agencies but has strong implications for all entities managing valuable or sensitive networks. Its core message is unambiguous: “Remediate actively exploited vulnerabilities—fast.”
Key aspects include:

• Maintaining a rolling list of CVEs backed by verifiable exploitation evidence.
• Defining remediation deadlines per vulnerability severity.
• Prioritizing network-facing and critical asset vulnerabilities.
• Mandating internal tracking, reporting, and attestation of compliance.

Although currently applicable only to FCEB agencies, BOD 22-01’s framework is widely regarded as industry best practice—a sentiment echoed by CISA in its explicit recommendations to the private sector.

Cross-Industry Implications​

The frequency and diversity of vulnerabilities entering the KEV catalog illuminate a sobering reality:

• Patching alone is not enough. Many exploits target configuration weaknesses or interfaces left exposed by default deployments.
• Supply chain exposure is increasing. Third-party and off-the-shelf tools—like ISE and PaperCut—can propagate risk across otherwise well-defended organizations.
• Attackers don’t discriminate. Incidents show that education, critical infrastructure, finance, and healthcare face equal risk if they lag behind on remediation.

Organizations ignoring the KEV catalog or treating it as solely a “government thing” are, effectively, gambling with their network integrity.

Critical Analysis: Strengths, Weaknesses, and Unintended Consequences​

Strengths of the KEV Approach​

• Grounded in Evidence, Not Hype: By only cataloging vulnerabilities with active exploitation, KEV cuts through the noise and delivers actionable intelligence.
• Accountability and Transparency: Publishing explicit deadlines and tracking agency compliance encourages a culture of accountability inside and outside federal networks.
• Resource Prioritization: With the overwhelming volume of new CVEs each year (over 25,000 in 2023 alone), focusing on those known to be weaponized ensures defensive efforts go where they matter most.

Risks and Weaknesses​

• Remediation Lag: Even with explicit deadlines, patching large or complex environments (especially legacy systems or highly customized deployments) is rarely trivial.
• Vulnerability Disclosure Arms Race: Announcing active exploitation could embolden adversaries to accelerate copycat attacks before widespread patching occurs—a dynamic observed multiple times throughout the past decade.
• Scope Limitations: While U.S. federal directives are powerful, global supply chains and multinational organizations often face patch prioritization conflict (e.g., different regulations, vendor patch delays, or incompatible infrastructure).
• Exploitation Knowledge Gaps: The KEV catalog relies on public evidence. Zero-day threats or highly targeted campaigns may go unlisted for months, leaving dangerous windows of exposure.

Potential Collateral Effects​

• Operational Disruptions: Emergency patching can lead to downtime or breakage, particularly in organizations with heavy legacy workloads or poor change management processes.
• Patch Fatigue: Security teams must triage an endless stream of updates, increasing the risk that even critical KEV-mandated patches might be deprioritized amid organizational pressures.

Recommendations and Next Steps for Windows Administrators​

For organizations with substantial investments in Windows infrastructure, network middleware like Cisco ISE, or widely deployed utilities such as PaperCut, the following steps are prudent:

• Monitor the KEV Catalog Regularly
• Automate polling or subscribe to CISA’s KEV alerts.
• Cross-reference catalog entries with your asset inventory.
• Audit Exposure Points
• Identify systems running Cisco ISE or PaperCut NG/MF, especially instances with internet-facing or unsegmented management interfaces.
• Disable unnecessary web-based administration components where feasible.
• Patch and Verify
• Apply vendor-issued patches for all relevant CVEs immediately, prioritizing according to the potential blast radius in your environment.
• Post-patch, validate through penetration testing or red team exercises to ensure patches are effective and introduce no new risks.
• Implement Defense-in-Depth
• Don’t rely exclusively on patching. Use network segmentation, robust monitoring, and strong authentication layers to limit the impact of a successful exploit.
• Institute rigorous review of administrative logins and privilege escalation paths.
• Document and Report
• Maintain an audit trail of KEV-related actions for eventual attestation, either for internal or regulatory purposes.
• Engage with Vendors and Peers
• Stay active in vendor and IT security forums. Early intelligence sharing and community-driven research often lead to faster mitigation and detection strategies.

Looking Forward: Evolving with the Threat Landscape​

CISA’s continued stewardship of the KEV Catalog highlights a shift in cybersecurity philosophy: not all vulnerabilities are created equal, and attention must be ruthlessly focused on those already weaponized in the wild. Yet, as attackers innovate, so too must defenders.
Emerging models suggest the next phase in vulnerability management will combine KEV-style urgency with predictive analytics, behavioral analysis, and automated patch deployment. Investments in secure design, AI-enhanced threat hunting, and Zero Trust architectures will form the backbone of next-generation defenses.
Still, no amount of tooling can replace speed and discipline. Organizations that treat the KEV catalog as a board-level imperative—not just a technical detail—are the ones most likely to weather the next wave of high-impact exploits unscathed.
As the threat landscape matures, one constant remains: in cybersecurity, it’s not just about patching fast—it’s about patching smart, with clear-eyed awareness of which vulnerabilities truly matter. The KEV Catalog is likely to remain a central bellwether for this reality, guiding defenders through a world where every day brings new, professionally-backed campaigns and increasingly creative attack vectors.
Anyone operating within the Microsoft ecosystem, managing third-party integrations, or maintaining legacy infrastructure should heed CISA’s latest warning. The lesson is both clear and urgent: today’s exploited CVEs are tomorrow’s headline breaches if not addressed with the seriousness they demand.

---

Source: CISA CISA Adds Three Known Exploited Vulnerabilities to Catalog | CISA