A new alert from the Cybersecurity and Infrastructure Security Agency (CISA) has intensified the urgency around two critical vulnerabilities now known to be under active exploitation. These additions to the agency’s Known Exploited Vulnerabilities Catalog are more than simple database entries; they are flashing red warnings for both private sector and government IT professionals tasked with shielding their organizations from cyber threats. As attackers increasingly target high-impact vulnerabilities, CISA’s alerts provide both a tactical heads-up and a strategic reminder: timely vulnerability management is a cornerstone of cybersecurity defense.
Understanding the New Additions: CVE-2025-24472 and CVE-2025-30066
CISA’s latest update highlights two distinct vulnerabilities, each affecting widely used digital infrastructure:
- CVE-2025-24472 – Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability: This flaw allows attackers to circumvent authentication mechanisms in some of the industry’s most trusted network devices. By successfully exploiting this vulnerability, a malicious actor could potentially gain unauthorized access, undermine perimeter defenses, and move laterally within an organization’s infrastructure.
- CVE-2025-30066 – tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability: This is a case of supply chain risk, targeting automated workflows on GitHub. The vulnerability allows attackers to inject malicious code into CI/CD pipelines, threatening the integrity not just of a single application, but of the software supply chain at large.
The Significance of the Known Exploited Vulnerabilities Catalog
Established by Binding Operational Directive (BOD) 22-01, CISA’s Known Exploited Vulnerabilities Catalog is not an ordinary vulnerability registry. While many databases track vulnerabilities across the IT landscape, this catalog focuses exclusively on those with evidence of exploitation. In other words, if a vulnerability appears in this list, it’s because malicious actors are actively using it as an attack vector.
This living list is particularly significant for its scope and implications. It covers not only widely publicized CVEs but also those that may fly under the radar, lacking major headlines yet still representing clear and present dangers. The catalog is curated with the understanding that even vulnerabilities with moderate severity scores can be weaponized when overlooked.
Federal Mandates and the Wider Cybersecurity Community
BOD 22-01 specifically mandates that “Federal Civilian Executive Branch (FCEB)” agencies must remediate catalogued vulnerabilities by their specified due dates. This underscores CISA’s authority in advancing security hygiene across U.S. government networks—a task made more urgent with each newly identified threat.
But the implications go far beyond public sector organizations. Although BOD 22-01 is a binding directive only for federal agencies, CISA “strongly urges all organizations” to regularly consult the Known Exploited Vulnerabilities Catalog and prioritize remediation. The rationale is clear: cyber attackers don’t discriminate between public and private sector targets, and the speed with which new exploits are weaponized leaves little room for complacency.
The Anatomy of a Modern Attack: Why These Vulnerabilities Matter
The Rise of Authentication Bypass Incidents
Network devices have long been at the frontline of organizational cybersecurity. Fortinet’s FortiOS and FortiProxy platforms are widely trusted for their robust security features, making them attractive targets for attackers. An authentication bypass—like that described in CVE-2025-24472—is particularly worrisome because it allows adversaries to sidestep the very controls designed to keep networks secure.
By leveraging authentication bypass flaws, attackers often gain higher privileges than they would through phishing or brute-force attacks. Once inside, they can disable logs, move laterally, and establish long-term persistence—all without triggering usual alarms.
The Software Supply Chain: New Battleground
With modern development environments increasingly reliant on automated processes and third-party code, supply chain attacks have surged. CVE-2025-30066’s compromise of the tj-actions/changed-files GitHub Action demonstrates how attackers can infiltrate workflows at the coding and build stage.
Inserting malicious code into CI/CD pipelines undermines trust not just in a single project, but in all the future deployments, updates, and downstream dependencies that might incorporate tainted code. This class of risk is particularly insidious: organizations may ship compromised applications for months—or years—before the breach is discovered.
Vulnerability Management: More Than Patching
Guided by CISA’s updates, savvy organizations appreciate that vulnerability management is not simply a matter of patching software when updates appear. It’s a continuous, risk-based process that blends asset inventory, prioritization, testing, and validation.
CISA’s advisory notes that vulnerabilities like those added this week are “frequent attack vectors for malicious cyber actors and pose significant risks.” The true impact often depends on how quickly and thoroughly IT teams can identify systems at risk, apply remediations, and verify their effectiveness.
Beyond the Public Sector: Universal Best Practices
Though CISA cannot mandate action outside of FCEB agencies, its recommendations have weighty implications for every organization. The practical advice is clear and relevant regardless of sector:
- Monitor authoritative sources (like the Known Exploited Vulnerabilities Catalog) in real-time.
- Prioritize remediation of actively exploited vulnerabilities—not all security flaws are equally urgent.
- Incorporate vulnerability intelligence into compliance checks, change management, and security awareness training.
- Establish clear escalation and response protocols for high-severity CVEs.
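The first two points above (watch the catalog, then prioritize what is actually exploited) come down to cross-referencing CISA's machine-readable feed against your own asset inventory and sorting by due date. The script below is an added example, not CISA's tooling or anything from the original article. The catalog snapshot and inventory in it are constructed: the two CVE ids are the ones from this article, but every date, due date and host name is a placeholder, and `entry_matches_asset` is a deliberately simple keyword match you would replace with your CMDB's own naming.

```python
"""Cross-reference a CISA KEV catalog snapshot with an asset inventory and
rank findings by remediation due date.  Added example, not CISA's tooling.
The catalog entries and inventory below are CONSTRUCTED: the CVE ids are the
two from the article, every date is a placeholder, not the catalog's value."""
import json
import urllib.request
from datetime import date, datetime
from typing import Dict, List

# Location of CISA's published machine-readable feed (same field names as the sample).
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed snapshot in the shape of the published feed.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2025-24472", "vendorProject": "Fortinet",
         "product": "FortiOS and FortiProxy",
         "vulnerabilityName": "Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability",
         "dateAdded": "2025-01-15", "dueDate": "2025-02-05"},   # placeholder dates
        {"cveID": "CVE-2025-30066", "vendorProject": "tj-actions",
         "product": "changed-files GitHub Action",
         "vulnerabilityName": "tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability",
         "dateAdded": "2025-01-30", "dueDate": "2025-02-20"},   # placeholder dates
    ],
})

# Constructed inventory; a real one comes from a CMDB or scanner export.
ASSETS = [
    {"name": "fw-edge-01", "vendor": "Fortinet", "product": "FortiOS"},
    {"name": "proxy-dmz-02", "vendor": "Fortinet", "product": "FortiProxy"},
    {"name": "repo:payments-api workflow", "vendor": "tj-actions", "product": "changed-files"},
    {"name": "db-core-01", "vendor": "PostgreSQL", "product": "PostgreSQL"},
]

EXAMPLE_TODAY = date(2025, 2, 10)  # fixed so the offline example is reproducible


def load_kev(text: str) -> List[Dict]:
    """Parse catalog JSON and return the list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def fetch_live_catalog() -> List[Dict]:
    """Download the current catalog (not called by the offline example)."""
    with urllib.request.urlopen(KEV_FEED_URL, timeout=30) as resp:
        return load_kev(resp.read().decode("utf-8"))


def _norm(s: str) -> str:
    return " ".join(s.lower().replace("/", " ").split())


def entry_matches_asset(entry: Dict, asset: Dict) -> bool:
    """Vendor and product keyword match; deliberately simple, tune to your CMDB naming."""
    return (_norm(asset["vendor"]) in _norm(entry["vendorProject"])
            and _norm(asset["product"]) in _norm(entry["product"]))


def find_exposures(kev: List[Dict], assets: List[Dict], today: date) -> List[Dict]:
    """One finding per (asset, CVE) pair: overdue items first, then soonest due date."""
    findings = []
    for entry in kev:
        due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
        for asset in assets:
            if entry_matches_asset(entry, asset):
                findings.append({
                    "asset": asset["name"],
                    "cve": entry["cveID"],
                    "name": entry["vulnerabilityName"],
                    "due": due.isoformat(),
                    "days_left": (due - today).days,
                    "overdue": due < today,
                })
    # False sorts before True, so overdue entries (not overdue == False) come first.
    findings.sort(key=lambda f: (not f["overdue"], f["days_left"]))
    return findings


def run_example() -> List[Dict]:
    """Run the cross-reference on the constructed data with the fixed date."""
    return find_exposures(load_kev(KEV_SAMPLE), ASSETS, EXAMPLE_TODAY)


if __name__ == "__main__":
    for f in run_example():
        flag = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{flag:>9}  {f['cve']}  {f['asset']}  (due {f['due']})")
```

Swapping `KEV_SAMPLE` for `fetch_live_catalog()` and `ASSETS` for an export from your inventory turns this into a daily job; the sort order is the point, since a finding that is already past its due date should be at the top of the ticket queue regardless of its CVSS score.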
Hidden Risks and Unseen Threats
Widespread coverage of zero-days and sophisticated supply chain compromises can create the impression that only dramatic, front-page vulnerabilities really matter. Yet CISA’s approach suggests otherwise: the real danger often lies in the intersection between unpatched “mundane” flaws and the ingenuity of attackers.
Moreover, there is a hidden risk in underestimating operational complexity. Even with patches available, production environments, regulatory constraints, or business-critical uptime requirements can delay remediation. Each day a known exploited vulnerability persists is an open invitation to attackers.
Supply chain vulnerabilities, in particular, have a tendency to cascade. A compromise in a workflow used by hundreds of projects multiplies the risk across countless downstream systems—a chilling prospect for organizations that depend heavily on open-source or third-party automation.
The Role of IT and Security Leadership
CISA’s catalog updates serve as more than technical advisories; they represent a call to action for IT and security leaders. At a high level, leadership must:
- Champion a risk-driven approach: Rather than react to every CVE, focus resources on vulnerabilities exploited in the wild.
- Support cross-team communication: Remediation is rarely a one-person show—coordination between security, operations, and compliance teams is critical.
- Invest in automation and monitoring: Manual vulnerability management cannot keep pace with the modern threat landscape.
- Engage proactively with incident response: Consider not just technical fixes, but broader business-continuity planning in case an exploit is detected on your network.
Strengths in the CISA Approach
A notable strength of the CISA model is its commitment to transparency and real-time threat intelligence sharing. Unlike more passive advisories, the Known Exploited Vulnerabilities Catalog operates as a dynamic, living document—reflecting the reality that the cyber threat landscape never stands still.
CISA’s collaboration with both domestic and international cybersecurity agencies ensures faster identification of threats and more consistent guidance. Its willingness to amplify timely intelligence, even about third-party and open-source risks, is vital in a world where software interdependencies cross every border.
The fact that patches or workarounds are often identified and prioritized in tandem with catalog additions maximizes the chances that organizations can act swiftly—sometimes even before widespread damage occurs.
Criticisms and Structural Limitations
Yet no system is perfect. Some in the industry have pointed out limitations in scope—CISA’s catalog, by necessity, cannot track every new vulnerability, focusing only on those where exploitation is detected. This means some high-risk (but not yet actively exploited) flaws may escape urgent attention.
Furthermore, while CISA can issue binding directives to FCEB agencies, it lacks enforcement power over other critical sectors including healthcare, energy, and finance. These industries are left to follow best practices voluntarily, which raises the risk of inconsistent protection between organizations.
And while the catalog is continuously updated, the speed at which private vendors issue patches or make effective mitigations available can lag behind. This gap between threat identification and risk reduction highlights the importance of strong internal processes, asset management, and cyber resilience.
Looking Ahead: The Evolving Vulnerability Landscape
The addition of authentication bypass and supply-chain exploitation vulnerabilities to the CISA catalog reflects evolving attacker tactics. Today’s adversaries are just as skilled at exploiting overlooked network devices as they are at poisoning automated build systems.
For years, IT professionals have juggled competing demands: patch rigorously, but don’t disrupt operations; automate, but monitor for novel attacks; rely on trusted vendors, but verify every update. As the modern attack surface expands, the frequency and sophistication of exploitation continue to grow.
Organizations would do well to anticipate that future catalog updates will continue to blend “traditional” device vulnerabilities with new-wave attacks on automation, orchestration, and cloud-native environments.
Takeaways for Every Windows Administrator and Security Professional
Whether managing Windows workstations, servers, or mixed-platform networks, the message is unmistakable: you must treat known, actively exploited vulnerabilities as fire alarms. Here’s what that looks like in practice:
- Asset Awareness: Maintain a real-time inventory of network devices, software, and dependencies. Know what’s running and where.
- Continuous Monitoring: Subscribe to updates from CISA and related threat intelligence feeds.
- Automated Patch Management: Where feasible, automate update application and confirm success.
- Incident Preparedness: Proactively rehearse your organization’s response to the worst-case scenario—a known exploited vulnerability detected on your systems.
- Supply Chain Vigilance: Scrutinize build pipelines, integrations, and third-party tools. Every link is a potential weak point.
- Education and Communication: Keep end users and stakeholders informed about current threats and the critical nature of timely updates.
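The "Supply Chain Vigilance" point above, and the earlier discussion of the tj-actions/changed-files compromise, both come down to one concrete question for a GitHub Actions pipeline: which third-party actions does a workflow pull in, and are they referenced by a mutable tag or branch (which can be moved to point at different code) or by a full commit SHA (which cannot)? Pinning to a commit SHA is GitHub's own documented hardening advice for Actions. The script below is an added example, not the article's or GitHub's tooling; the workflow text, action names and tags in it are constructed for illustration, and the "trusted owners" list is an assumption you would set to your own organization's policy.

```python
"""Flag third-party GitHub Actions referenced by a mutable tag or branch instead
of a full commit SHA.  Added example, not GitHub's or the article's tooling.
The workflow text is CONSTRUCTED; action names and tags are illustrative."""
import re
from pathlib import Path
from typing import Dict, List, Tuple

# A `uses:` line; the ref after '@' is a tag, branch or commit SHA.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed workflow mixing pinned, unpinned, first-party and local steps.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45
      - uses: some-org/custom-lint@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - run: make test
"""


def audit_workflow(text: str,
                   trusted_owners: Tuple[str, ...] = ("actions", "github")) -> List[Dict]:
    """Return one finding per action reference that is not pinned to a commit SHA.
    First-party owners (assumed policy) are reported low, everything else high."""
    findings = []
    for m in USES_RE.finditer(text):
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local composite action or container image: outside this check
        if "@" in ref:
            path, _, version = ref.rpartition("@")
        else:
            path, version = ref, ""  # no ref at all: floats with the default branch
        owner = path.split("/")[0]
        if FULL_SHA_RE.match(version):
            continue  # immutable pin: a SHA cannot be moved the way a tag can
        findings.append({
            "uses": ref,
            "owner": owner,
            "ref": version or "(none)",
            "severity": "low" if owner in trusted_owners else "high",
        })
    return findings


def audit_repo(root: str) -> Dict[str, List[Dict]]:
    """Scan every workflow file under .github/workflows of a checked-out repo."""
    results = {}
    for wf in Path(root, ".github", "workflows").glob("*.y*ml"):
        hits = audit_workflow(wf.read_text(encoding="utf-8"))
        if hits:
            results[str(wf)] = hits
    return results


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"[{f['severity']}] {f['uses']}  (ref: {f['ref']})")
```

Run `audit_repo(".")` from a checkout, or wire `audit_workflow` into a pre-merge check so a new unpinned third-party action fails review. A SHA pin does not make an action trustworthy by itself, but it does mean the code you reviewed is the code that runs until someone deliberately changes the pin.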
The Bottom Line: A Shared Cybersecurity Responsibility
The latest CISA alert is a potent reminder that in cybersecurity, urgency never sleeps. The Known Exploited Vulnerabilities Catalog is not just for federal compliance—it’s a frontline resource for all organizations invested in protecting their digital assets. From authentication bypasses threatening the perimeter to subtler supply chain attacks undermining the very heart of software delivery, every update should be an actionable event.
By embracing CISA’s model—prioritizing risk, acting on reliable intelligence, collaborating across teams, and never underestimating mundane flaws—organizations can stay ahead of the most active cyber threats. The question isn’t if these vulnerabilities will be weaponized, but for how long they’ll go unpatched. In the race between attackers and defenders, speed and vigilance are everything.
Source: www.cisa.gov CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA