
CISA Updates Known Exploited Vulnerabilities Catalog with Critical Flaws in ASUS, Craft CMS, and ConnectWise

TL;DR

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added several critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. These include flaws in ASUS RT-AX55 devices, Craft CMS, and ConnectWise ScreenConnect. The update aims to alert organizations to address these security issues promptly.

Main Content

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog with several critical flaws. The newly added vulnerabilities affect ASUS RT-AX55 devices, Craft CMS, and ConnectWise ScreenConnect, highlighting the urgent need for organizations to address these security risks [1].

Vulnerabilities Added to the Catalog

  1. ASUS Routers
  2. Craft CMS
  3. ConnectWise ScreenConnect

ConnectWise Security Incident

ConnectWise recently reported suspicious activity linked to an advanced nation-state actor. The incident involved a small number of ScreenConnect customers and was potentially facilitated by the CVE-2025-3935 vulnerability. Although the exact exploitation method remains uncertain, ConnectWise has patched the issue for cloud-hosted instances [2].

ASUS RT-AX55 Vulnerability

The CVE-2023-39780 vulnerability in ASUS RT-AX55 devices has been exploited by the AyySSHush botnet, compromising over 9,000 routers. This command injection flaw allows attackers to execute arbitrary system commands, adding a persistent SSH backdoor. GreyNoise researchers found that the attackers exploit this flaw to maintain backdoor access across reboots and updates [3].

CISA Directive and Recommendations

According to the Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must address these vulnerabilities by the specified due date to protect their networks. CISA has set a deadline of June 23, 2025, for federal agencies to fix these vulnerabilities [4].

Private organizations are also advised to review the Catalog and ensure their infrastructure is secured against these threats.
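One way to act on that advice is to match an asset inventory against the KEV feed and surface the BOD 22-01 due dates. The following is an added example, not code from the post or from CISA: the field names mirror the public KEV JSON feed as I know it (`cveID`, `vendorProject`, `product`, `dueDate`), the two entries reuse only the CVE IDs and the June 23, 2025 deadline stated above, and the hostnames and the inventory itself are constructed.

```python
import json
from datetime import date

# Constructed KEV-style records. Only the CVE IDs and the 2025-06-23 due
# date come from the post; the feed layout is assumed from the public feed.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2023-39780", "vendorProject": "ASUS",
         "product": "RT-AX55", "dueDate": "2025-06-23"},
        {"cveID": "CVE-2025-3935", "vendorProject": "ConnectWise",
         "product": "ScreenConnect", "dueDate": "2025-06-23"},
    ]
})

# Constructed inventory: hostnames are placeholders, not real systems.
INVENTORY = [
    {"host": "edge-router-01", "vendor": "asus", "product": "rt-ax55"},
    {"host": "rmm-01", "vendor": "connectwise", "product": "screenconnect"},
    {"host": "web-01", "vendor": "nginx", "product": "nginx"},
]


def kev_index(feed_json):
    """Index KEV entries by case-normalized (vendor, product)."""
    idx = {}
    for v in json.loads(feed_json)["vulnerabilities"]:
        key = (v["vendorProject"].lower(), v["product"].lower())
        idx.setdefault(key, []).append(v)
    return idx


def exposed_assets(inventory, feed_json, today_iso):
    """Return inventory items that match a KEV entry, most urgent first."""
    # Negative days_left means the BOD 22-01 due date has already passed.
    today = date.fromisoformat(today_iso)
    idx = kev_index(feed_json)
    hits = []
    for asset in inventory:
        key = (asset["vendor"].lower(), asset["product"].lower())
        for v in idx.get(key, []):
            due = date.fromisoformat(v["dueDate"])
            hits.append({"host": asset["host"], "cve": v["cveID"],
                         "due": v["dueDate"], "days_left": (due - today).days})
    return sorted(hits, key=lambda h: h["days_left"])


if __name__ == "__main__":
    for hit in exposed_assets(INVENTORY, KEV_SAMPLE, "2025-06-03"):
        print(hit)
```

Against the real feed, replace `KEV_SAMPLE` with the downloaded JSON and feed the inventory from your CMDB; exact vendor/product string matching is deliberately strict, so normalize your inventory names to CISA's spelling first.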

For more details, visit the full article: source

Conclusion

The addition of these vulnerabilities to CISA’s KEV catalog underscores the importance of prompt action in addressing security flaws. Organizations must remain vigilant and proactive in patching these issues to safeguard their systems against potential attacks. Stay informed and take the necessary steps to protect your digital assets.

References

  1. CISA (2025). “CISA Adds Five Known Exploited Vulnerabilities to Catalog”. Retrieved 2025-06-03.

  2. Security Affairs (2025). “ConnectWise Cyberattack by Sophisticated Nation-State Actor”. Retrieved 2025-06-03.

  3. Security Affairs (2025). “New AyySSHush Botnet Compromises Over 9,000 ASUS Routers”. Retrieved 2025-06-03.

  4. CISA (2025). “Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities”. Retrieved 2025-06-03.

This post is licensed under CC BY 4.0 by the author.