CISA's Updated KEV Catalog Highlights Critical Vulnerabilities in Routers, Browsers, and Enterprise Platforms

The relentless surge of cyberattacks targeting well-known software and hardware continues to expose cracks in the digital armor of even the most sophisticated organizations. In a recent move underscoring the urgency of this threat, the Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) Catalog with three new high-priority entries, after confirming active exploitation by threat actors. These inclusions—CVE-2024-12987 in DrayTek Vigor routers, CVE-2025-4664 in Google Chromium, and CVE-2025-42999 in SAP NetWeaver—highlight a cross-section of vulnerabilities threatening edge devices, ubiquitous browsers, and critical enterprise platforms. For IT professionals, Windows administrators, and cybersecurity specialists, these KEVs not only serve as warning beacons but trigger urgent mitigation actions to defend the ever-expanding digital frontier.

The Growing Weight of the KEV Catalog​

CISA’s KEV Catalog is much more than a routine list of security concerns. Designed as a “living” compendium, it continuously tracks CVEs for which there is verifiable evidence of exploitation “in the wild.” The KEV Catalog is a direct product of Binding Operational Directive (BOD) 22-01—an order enforceable across U.S. Federal Civilian Executive Branch (FCEB) agencies but strongly recommended for adoption by the broader public and private sectors. This directive’s central tenet is simple but critical: the greatest risks stem not from theoretical flaws, but from those actively being weaponized by cyber adversaries.
This practical, evidence-led focus has made the KEV Catalog a frequently consulted resource in both the public and private sector. Security teams—especially those managing Windows-based infrastructures or hybrid cloud deployments—rely on it to prioritize patching and remediation, thereby moving away from the “boil the ocean” approach of trying to fix every published CVE, and toward a laser focus on what attackers are actually exploiting.

The Three New Entries: Technical Breakdown & Risks​

Let’s dissect the technical nature, real-world risk, and mitigation implications of the three vulnerabilities recently added by CISA, each representing a distinct threat domain.

1. CVE-2024-12987: DrayTek Vigor Routers – OS Command Injection​

Summary: DrayTek Vigor is a line of network routers widely used by small offices and home offices (SOHO), as well as some enterprise edge applications. CVE-2024-12987 represents an OS command injection vulnerability within the router’s web management interface. By exploiting this flaw, a remote, unauthenticated attacker can send specially crafted requests that result in arbitrary command execution with system privileges.
Underlying Mechanics:
Per the CVE database and recent technical analyses, this vulnerability stems from unchecked user input fields that are passed directly to OS-level commands. These flaws typically arise in firmware or embedded web interfaces where input validation is insufficient.
Attack Scenarios:

• Remote attackers gain a foothold in an organization by pivoting through an exposed router.
• Full device compromise, leading to eavesdropping, traffic manipulation, or acting as a launchpad for deeper network attacks.
• Persistent presence: Compromised routers can silently forward malicious traffic for months if not properly patched.

Risk Assessment:
Given the common deployment of DrayTek routers on the network edge and their mix of consumer and enterprise usage, exploitation could allow persistent, hard-to-detect access for advanced threat groups. Reports indicate active scanning and exploitation of such devices in the wild.
Mitigation:
Users should immediately upgrade to the latest firmware version as issued by DrayTek. Where possible, disable remote management, enforce strong administrator credentials, and monitor for unusual outbound or inbound traffic spikes as an indication of compromise.

2. CVE-2025-4664: Google Chromium Loader – Insufficient Policy Enforcement​

Summary: Chromium forms the core codebase behind not just Google Chrome, but also Microsoft Edge (on Windows), Opera, Brave, and several other browsers. CVE-2025-4664 is a vulnerability categorized as “Insufficient Policy Enforcement” within the Loader component—responsible for fetching, verifying, and initiating new content, including web pages and resources.
Technical Detail:
Public CVE disclosures and security advisories detail that the Loader failed to fully enforce permission or security policies in some code paths, potentially allowing a malicious page or extension to bypass sandbox restrictions. While specifics are typically redacted until broad patching, this class of issue can escalate into remote code execution or sandbox escape in worst-case scenarios.
Potential Impacts:

• Phishing or watering-hole attacks that leverage JavaScript or crafted payloads to execute code outside browser-approved sandboxes.
• Drive-by downloads infecting Windows endpoints simply by visiting a malicious site.
• Side-channel attacks that harvest credentials or session keys via cross-origin privilege escalation.

Broader Ecosystem Relevance:
Because Chromium powers multiple mainstream browsers, the vulnerability’s blast radius expands to millions of Windows, macOS, and Linux systems worldwide. This makes timely patching critical—especially within enterprises with bring-your-own-device (BYOD) or remote work policies.
Mitigation:

• Immediate browser update: Users should ensure their browsers are running the latest, patched release (for Chrome, Edge, etc.).
• Enterprise administrators can leverage browser management policies (via Active Directory Group Policy Objects or Mobile Device Management solutions) to enforce updates across fleets of endpoints.
• Disable or audit suspicious browser extensions which may attempt to exploit this or related vulnerabilities.

3. CVE-2025-42999: SAP NetWeaver – Deserialization Vulnerability​

Overview:
SAP NetWeaver underpins a vast array of mission-critical systems, from enterprise resource planning (ERP) to supply chain and financial accounting in some of the world’s largest organizations. CVE-2025-42999 targets the processing of serialized objects—where untrusted or manipulated inputs can trigger remote code execution due to unsafe deserialization.
Technical Assessment:
The vulnerability is rooted in how NetWeaver’s application server core processes serialized Java or ABAP objects. Without stringent checks, maliciously forged serialized data can instruct the system to spawn unauthorized processes, inject commands, or alter sensitive workflows.
Risk Profile:

• Attackers achieving full control of backend SAP systems, opening the door to data theft, business process manipulation, and even sabotage.
• SAP environments are typically high-value targets for nation-state actors due to the critical business processes and data involved（confirmed by multiple independent security advisories).
• Exploitation is usually remote, via exposed interfaces, APIs, or integration points, potentially amplifying risk from trusted internal threats or partners.

Mitigation:

• Install SAP-provided security updates or security notes addressing CVE-2025-42999 as soon as they’re available.
• Harden external access by restricting interfaces and applying network segmentation around SAP infrastructure.
• Enhance monitoring and use anomaly detection to flag suspicious object deserialization attempts.

Binding Operational Directive 22-01: What It Means, and Why It Matters Everywhere​

While BOD 22-01 is a mandate for the federal government, its framework and urgency have become a de facto standard for the broader IT and cybersecurity sector. The directive compels FCEB agencies not only to track and acknowledge KEV-listed vulnerabilities, but to remediate them on a strict deadline, shrinking the window of exposure to days instead of months or years—a philosophy echoed by state governments and increasingly, the private sector.
Key highlights of BOD 22-01 for all defenders:

• Evidence, Not Hype: The KEV Catalog is built solely around vulnerabilities ACTUALLY being used in attacks—not theoretical risks.
• Mandatory Deadlines: All listed CVEs receive a remediation due date, publicized within the KEV Catalog. FCEBs must validate completion by deadline.
• Transparency & Accountability: The list serves as a public-facing “to-do list” for the national cyber defense posture.
• Recommended Best Practice: Private organizations are strongly urged by CISA to “prioritize timely remediation” of KEVs, despite not being legally bound.

For organizations outside the U.S. federal space—including enterprise Windows shops and SMBs—aligning with BOD 22-01’s guidance makes practical sense. Cyber adversaries do not differentiate targets based on FCEB agency lines: once a KEV is added for active exploit, it’s a warning bell for everyone.

The Real-World Stakes: Lessons from Recent KEVs​

The addition of these latest three vulnerabilities is only the latest chapter in an ongoing saga. Patterns in recent KEV catalog updates highlight several key insights:

• Edge Devices Are a Prime Entry Point: Routers and IoT devices (like the DrayTek Vigor) remain low-hanging fruit, often running unpatched firmware exposed to the open internet.
• Software Supply Chain: Vulnerabilities in widely-used underlying platforms (Chromium for browsers; SAP NetWeaver in enterprise IT) mean that a single bug can ripple across millions of devices or business-critical processes.
• Exploit Velocity is Rising: The time between vulnerability disclosure and mass exploitation is shrinking. Attackers routinely automate scanning for newly disclosed flaws.
• Attacker Intent: Criminal and nation-state groups focus resources on these very KEVs, because public patches often lag, and even sophisticated targets fail to act in time.

Public breaches traced to known, patchable flaws—including those previously cataloged in KEV, such as VPN appliances, Exchange servers, or web management interfaces—underscore a painful truth: lack of timely patching, not zero-day attacks, remains the most common precursor to compromise.

Critical Analysis: Catalog-Driven Remediation—Boons and Challenges​

Strengths​

• Evidence-Informed Prioritization: Security teams no longer waste cycles patching every CVE, but can focus on proven, exploited flaws—a reprieve for resource-strapped IT staff.
• Transparency & Collective Defense: By publicizing exploited CVEs, CISA aids not only government agencies but corporations and individuals in collectively improving cyber hygiene.
• Enables Vendor Accountability: Highlighting exploited CVEs compels vendors to issue fixes quickly, and sometimes to provide updates for end-of-life (EOL) products that are still widely deployed.

Challenges and Risks​

• Coverage Gaps: Not all exploited vulnerabilities are detected or reported—particularly zero-days exploited in targeted attacks. The KEV catalog, while invaluable, is not exhaustive.
• Lag Between Exploitation and Cataloging: Digitally savvy attackers often weaponize flaws before detection or addition to KEV; defenders may remain at risk even if “fully patched.”
• Organizational Inertia: Even with prioritization, organizations often struggle to patch critical systems—especially if they underpin legacy business operations or risk downtime.
• Vendor Dependency: Remediation depends on vendors releasing timely, functional patches; delays or poorly-tested fixes can leave users exposed for longer.

Potential for Gaming the System​

A nuanced concern is whether overreliance on the KEV catalog could encourage a false sense of security—“if it’s not on KEV, it’s not urgent.” But attackers routinely harvest low-hanging fruit not yet tracked, or exploit multi-stage campaigns chaining newly disclosed issues to previously known ones.

Best Practices for Organizations: Leveraging the KEV Catalog Smartly​

Given these caveats, Windows administrators and IT leaders should use the KEV Catalog as a central element—but not the entirety—of their vulnerability management strategy:

• Incorporate KEV Into Existing Patch Management: Ensure scheduled patch windows prioritize KEV-listed vulnerabilities above other outstanding updates.
• Automate Asset Discovery and Vulnerability Scanning: Routinely scan for impacted systems, especially internet-facing routers, browsers, and enterprise software platforms like SAP.
• Layered Defense: Combine patching with strong access controls, network segmentation, and continuous monitoring for signs of compromise.
• Vendor Communication: Press vendors for security updates for products that remain in use, even if officially EOL.
• Incident Response Preparedness: Assume persistent attacker presence for any critical system that was vulnerable, and proactively hunt for signs of compromise even after patching.

SEO-Focused Guidance: The Path Forward for Vulnerability Management​

As search trends and threat intelligence reports confirm, queries related to terms such as “known exploited vulnerabilities 2025”, “CISA KEV catalog”, “critical Windows patch management”, “Chromium security update”, and “SAP NetWeaver exploit” continue to spike following notable CISA advisories. Organizations seeking robust vulnerability management strategies must remain vigilant in keeping current with KEV updates, while interpreting them within the broader context of layered cyber risk management.
Timely patching alone is not enough—rapid identification, cross-referencing authoritative vulnerability disclosures, and closing exposure gaps between patch release and deployment are paramount. Security teams must pair CISA’s real-time intelligence with customized defense-in-depth strategies, tailored to their unique infrastructure and threat model.

Conclusion​

The latest additions to CISA’s Known Exploited Vulnerabilities Catalog serve as a potent reminder that even familiar technologies—office routers, mainstream browsers, and legacy enterprise solutions—are not immune to ongoing exploitation. Praising the catalog’s evidence-based approach, experts consistently underscore its value in prioritizing what truly matters amidst a deluge of new CVEs each week. However, defenders must remain circumspect: no one list, however diligently maintained, can supplant vigilant, holistic security practices.
The reality is clear—cyber threat actors are adapting faster than ever, exploiting known flaws at machine speed. As the stakes climb, the onus is on every IT stakeholder—whether in a federal agency, corporate data center, or home office—to heed the warnings, patch swiftly, and never let up. In today’s threat landscape, timely action isn’t just best practice: it’s the last line of defense.

---

Source: CISA CISA Adds Three Known Exploited Vulnerabilities to Catalog | CISA