CISA Updates Known Exploited Vulnerabilities Catalog with Two New Entries
TL;DR
The Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. The vulnerabilities include CVE-2025-32433 in Erlang/OTP SSH Server and CVE-2024-42009 in RoundCube Webmail. These additions highlight the ongoing risks to federal and private sector networks, emphasizing the need for timely remediation.
CISA Adds New Vulnerabilities to KEV Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has updated its [Known Exploited Vulnerabilities (KEV) Catalog][1] with two new entries based on evidence of active exploitation. These vulnerabilities pose significant risks to federal and private sector networks, underscoring the importance of timely remediation efforts.
Newly Added Vulnerabilities
- CVE-2025-32433: A missing authentication for critical function weakness in the Erlang/OTP SSH Server.
- CVE-2024-42009: A cross-site scripting (XSS) vulnerability in RoundCube Webmail.
Implications and Mitigation Strategies
These types of vulnerabilities are frequently targeted by malicious cyber actors, presenting substantial risks to federal enterprises. To address these threats, CISA established the KEV Catalog as part of [Binding Operational Directive (BOD) 22-01][2]. This directive mandates Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by specified due dates, thereby safeguarding FCEB networks against active threats.
Although BOD 22-01 is specifically aimed at FCEB agencies, CISA strongly recommends that all organizations prioritize the timely remediation of [KEV Catalog vulnerabilities][3] as part of their vulnerability management practices. This proactive approach helps reduce exposure to cyberattacks and enhances overall cybersecurity posture.
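The practical side of that recommendation is to cross-reference your own asset inventory against the KEV catalog and track each match against its BOD 22-01 due date. The script below is an added example, not code from CISA or from the article. It assumes the record layout of the public KEV JSON feed (fields such as cveID, vendorProject, product, dateAdded, requiredAction and dueDate); the catalog snapshot and inventory embedded in it are constructed samples, and the dates attached to the two CVEs are placeholders rather than the catalog's real values.

```python
"""Match an asset inventory against a KEV catalog snapshot and flag overdue items.

Added example, not CISA's or the article's code. Field names follow the public
KEV JSON feed as far as the author knows them; the entries and dates below are
constructed placeholders, not the real catalog values for these CVEs.
"""
import json
from datetime import date

# Constructed snapshot in the shape of the KEV JSON feed. All dates are placeholders.
KEV_SNAPSHOT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-32433",
            "vendorProject": "Erlang",
            "product": "Erlang/OTP SSH Server",
            "vulnerabilityName": "Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability",
            "dateAdded": "2025-01-01",   # placeholder, not the real date added
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product.",
            "dueDate": "2025-01-22",     # placeholder, not the real BOD 22-01 due date
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2024-42009",
            "vendorProject": "RoundCube",
            "product": "Webmail",
            "vulnerabilityName": "RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability",
            "dateAdded": "2025-01-15",   # placeholder
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product.",
            "dueDate": "2025-02-05",     # placeholder
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed inventory: asset name -> CVE IDs reported by a scanner.
# "CVE-0000-0001" is a deliberate placeholder that is not in the catalog.
SAMPLE_INVENTORY = {
    "mail-01": ["cve-2024-42009", "CVE-0000-0001"],
    "msg-broker-02": ["CVE-2025-32433"],
}

# Fixed reference date so the report is reproducible; use date.today() in practice.
AS_OF = date(2025, 1, 25)


def load_kev(feed_text: str) -> dict:
    """Parse a KEV feed document and index its entries by upper-cased CVE ID."""
    feed = json.loads(feed_text)
    return {entry["cveID"].upper(): entry for entry in feed["vulnerabilities"]}


def check_inventory(inventory: dict, kev: dict, today: date) -> list:
    """Return one finding per (asset, CVE) pair that appears in the KEV catalog.

    Findings are ordered with overdue items first, then by due date, so the
    report reads as a remediation queue.
    """
    findings = []
    for asset, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve.strip().upper())
            if entry is None:
                continue  # not a known-exploited vulnerability; handled by normal VM cadence
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "asset": asset,
                "cve": entry["cveID"],
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due_date": entry["dueDate"],
                "days_until_due": (due - today).days,
                "overdue": today > due,
                "required_action": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (not f["overdue"], f["due_date"]))
    return findings


KEV = load_kev(KEV_SNAPSHOT)

if __name__ == "__main__":
    for f in check_inventory(SAMPLE_INVENTORY, KEV, AS_OF):
        status = "OVERDUE" if f["overdue"] else f'due in {f["days_until_due"]} days'
        print(f'{f["asset"]}: {f["cve"]} ({f["product"]}) - {status} ({f["due_date"]})')
```

Against the live feed, replace KEV_SNAPSHOT with the downloaded catalog text and AS_OF with date.today(); CVE IDs are normalised to upper case before lookup because scanner exports are inconsistent about casing.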
Ongoing Efforts by CISA
CISA will continue to update the catalog with vulnerabilities that meet the [specified criteria][4], ensuring that the list remains a dynamic and relevant resource for cybersecurity professionals. By staying informed and taking prompt action, organizations can better protect themselves against evolving cyber threats.
For more details, visit the full article: [CISA Adds Two Known Exploited Vulnerabilities to Catalog][5].
Conclusion
The addition of CVE-2025-32433 and CVE-2024-42009 to the KEV Catalog highlights the continuous need for vigilance and proactive measures in cybersecurity. Organizations must stay updated with the latest vulnerabilities and implement timely remediation strategies to safeguard their networks against potential threats.
Additional Resources
For further details, see:
- [CISA Known Exploited Vulnerabilities Catalog][1]
- [Binding Operational Directive (BOD) 22-01][2]
- [BOD 22-01 Fact Sheet][6]