CISA Adds Four New Vulnerabilities to Known Exploited Vulnerabilities Catalog

TL;DR

CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, highlighting the urgent need for organizations to prioritize remediation efforts. These vulnerabilities, which include issues in CrushFTP, Google Chromium, and SysAid On-Prem, pose significant risks to federal and private sector entities. The update underscores the importance of proactive cybersecurity measures to mitigate potential threats.

CISA Updates Known Exploited Vulnerabilities Catalog with Four New Entries

The Cybersecurity and Infrastructure Security Agency (CISA) has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. These vulnerabilities represent critical attack vectors frequently used by malicious cyber actors, posing significant risks to federal and private sector entities.

Newly Added Vulnerabilities

1. CVE-2025-54309: CrushFTP Unprotected Alternate Channel Vulnerability
2. CVE-2025-6558: Google Chromium ANGLE and GPU Improper Input Validation Vulnerability
3. CVE-2025-2776: SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability
4. CVE-2025-2775: SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability

These vulnerabilities highlight the ongoing need for vigilant cybersecurity practices to mitigate potential threats.

Binding Operational Directive (BOD) 22-01

The Binding Operational Directive (BOD) 22-01 established the KEV Catalog as a dynamic list of known Common Vulnerabilities and Exposures (CVEs) that pose substantial risks to federal entities. BOD 22-01 mandates that Federal Civilian Executive Branch (FCEB) agencies remediate identified vulnerabilities by the specified due dates to safeguard against active threats. For more details, refer to the BOD 22-01 Fact Sheet.

Recommendations for All Organizations

Although BOD 22-01 specifically applies to FCEB agencies, CISA strongly recommends that all organizations prioritize the timely remediation of KEV Catalog vulnerabilities as a critical component of their vulnerability management practices. CISA will continue to update the catalog with vulnerabilities that meet the specified criteria.

For more information, visit the full article: CISA Adds Four Known Exploited Vulnerabilities to Catalog.

Conclusion

The addition of these four vulnerabilities to the KEV Catalog serves as a reminder of the ever-evolving landscape of cyber threats. Organizations must remain proactive in their cybersecurity efforts, ensuring timely remediation and robust defense mechanisms to protect against potential exploits. By adhering to CISA’s guidelines and prioritizing the remediation of known vulnerabilities, entities can significantly reduce their exposure to cyber attacks.

Additional Resources

For further insights, check:

• CISA Known Exploited Vulnerabilities Catalog
• Binding Operational Directive (BOD) 22-01
• BOD 22-01 Fact Sheet