CISA Updates Catalog with Two Newly Exploited Vulnerabilities

TL;DR

The Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog: CVE-2025-24201 and CVE-2025-21590. These vulnerabilities pose significant risks to federal and private organizations, emphasizing the need for urgent remediation to protect against cyber threats.

Introduction

The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities Catalog with two new entries. This catalog is a crucial resource for identifying and mitigating vulnerabilities that are actively being exploited by cyber threats. The newly added vulnerabilities are:

• CVE-2025-24201: Apple Multiple Products WebKit Out-of-Bounds Write Vulnerability
• CVE-2025-21590: Juniper Junos OS Improper Isolation or Compartmentalization Vulnerability

These vulnerabilities are critical as they are frequent attack vectors for malicious cyber actors, posing significant risks to both federal and private sector organizations.

Understanding the Vulnerabilities

CVE-2025-24201

This vulnerability affects multiple Apple products and is related to an out-of-bounds write issue in WebKit. Exploitation of this vulnerability can lead to arbitrary code execution, allowing attackers to gain control over affected systems.

CVE-2025-21590

This vulnerability affects Juniper’s Junos OS and is caused by improper isolation or compartmentalization. Successful exploitation can result in unauthorized access to sensitive information or disruption of network services.

Importance of Timely Remediation

The Binding Operational Directive (BOD) 22-01 mandates that Federal Civilian Executive Branch (FCEB) agencies must address these vulnerabilities by the specified due dates. This directive aims to reduce the significant risk posed by known exploited vulnerabilities, thereby safeguarding federal networks against active threats.

Key Points of BOD 22-01

• Mandatory Remediation: FCEB agencies are required to remediate the identified vulnerabilities to protect their networks.
• Living List: The catalog serves as a living list of known CVEs that present significant risks.
• Broad Application: Although BOD 22-01 specifically applies to FCEB agencies, CISA strongly recommends that all organizations prioritize the remediation of these vulnerabilities as part of their vulnerability management practices.

Recommendations for Organizations

To mitigate the risks associated with these vulnerabilities, organizations should:

• Prioritize Remediation: Immediately address the vulnerabilities listed in the catalog to prevent potential exploitation.
• Regular Updates: Keep systems and software up-to-date with the latest security patches.
• Vulnerability Management: Implement a robust vulnerability management program that includes regular scanning, assessment, and remediation of vulnerabilities.

Conclusion

The addition of CVE-2025-24201 and CVE-2025-21590 to CISA’s Known Exploited Vulnerabilities Catalog underscores the importance of proactive cybersecurity measures. Organizations must remain vigilant and responsive to emerging threats to protect their systems and data from malicious actors. By following CISA’s guidelines and prioritizing timely remediation, both federal and private sector entities can significantly reduce their exposure to cyber risks.

Additional Resources

For further insights, check:

• CISA Known Exploited Vulnerabilities Catalog
• BOD 22-01 Fact Sheet
• CVE-2025-24201 Details
• CVE-2025-21590 Details