CISA Adds Critical Flaws in CrushFTP, Google Chromium, and SysAid to Known Exploited Vulnerabilities Catalog
TL;DR
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added critical vulnerabilities in CrushFTP, Google Chromium, and SysAid to its Known Exploited Vulnerabilities (KEV) catalog. These flaws, which have been actively exploited, pose significant security risks and require immediate attention from both federal agencies and private organizations. The identified vulnerabilities include issues such as unprotected alternate channels in CrushFTP, improper input validation in Google Chromium, and XML external entity reference flaws in SysAid. Federal agencies are mandated to address these vulnerabilities by August 12, 2025, to protect their networks against potential attacks.
CISA Updates Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added several critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The updates include flaws in CrushFTP, Google Chromium, and SysAid, which have been actively exploited in the wild.
Identified Vulnerabilities
The newly added vulnerabilities are:
- CVE-2025-54309: CrushFTP Unprotected Alternate Channel Vulnerability
- CVE-2025-6558: Google Chromium ANGLE and GPU Improper Input Validation Vulnerability
- CVE-2025-2776: SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability
- CVE-2025-2775: SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability
Details of the Vulnerabilities
CrushFTP Zero-Day Exploit
CrushFTP recently warned of a zero-day vulnerability, tracked as CVE-2025-54309 (CVSS score of 9.0), which has been actively exploited since July 18 via HTTPS. This flaw in the managed file transfer software allows attackers to gain administrative privileges on vulnerable servers. The attackers reverse-engineered older code to take advantage of a bug that had already been patched in versions released before July 1.
Google Chromium Flaw
Last week, Google released fixes for six Chrome vulnerabilities, including one actively exploited flaw tracked as CVE-2025-6558 (CVSS score of 8.8). This vulnerability stems from improper validation of untrusted input in Chrome’s ANGLE and GPU components. The issue was reported by Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group (TAG) on June 23, 2025. Google’s TAG investigates attacks by nation-state actors and commercial spyware vendors, indicating that this vulnerability was likely exploited by one of these threat actors [1].
SysAid Vulnerabilities
Three critical flaws (CVE-2025-2775, CVE-2025-2776, CVE-2025-2777) in SysAid’s on-prem software could allow attackers to take over admin accounts or read server files via unsafe XML input. When chained with a previous bug (CVE-2024-36394), these vulnerabilities may enable remote code execution. SysAid addressed these issues in version 24.4.60 build 16, released in March 2025.
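The SysAid flaws above are XML external entity (XXE) issues: an XML document is allowed to carry a DTD that declares entities, and an entity pointing at a local file or URL makes a careless parser read that resource into the document. The usual fix is to refuse any DTD in untrusted input before it reaches the parser. The following is an added illustration of that gate in Python, not SysAid's code or patch; the input samples are constructed and the `file:///constructed/...` URI is a placeholder that does not exist.

```python
import re
import xml.etree.ElementTree as ET

# A DOCTYPE is the only place an XML document can declare entities, so
# refusing any DTD removes the XXE surface regardless of how the parser
# underneath is configured. IGNORECASE is deliberate defence in depth.
_DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DTD or an entity declaration."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source, rejecting anything with a DTD."""
    if _DTD_MARKER.search(data):
        raise UnsafeXMLError("DTD or entity declaration not allowed in untrusted input")
    # xml.etree.ElementTree (expat) does not fetch external entities itself;
    # the gate above is still applied so the behaviour does not depend on
    # parser defaults or on a later switch to a different XML library.
    return ET.fromstring(data)


# Constructed sample inputs: a benign help-desk ticket and an XXE-shaped one.
BENIGN_TICKET = b"<ticket><title>Printer offline</title></ticket>"
XXE_SHAPED_TICKET = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE ticket [<!ENTITY ext SYSTEM "file:///constructed/not-a-real-path">]>'
    b"<ticket><title>&ext;</title></ticket>"
)


def classify(data: bytes) -> tuple:
    """Return ("accepted", root tag) or ("rejected", reason) for a document."""
    try:
        root = parse_untrusted_xml(data)
        return ("accepted", root.tag)
    except UnsafeXMLError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    for sample in (BENIGN_TICKET, XXE_SHAPED_TICKET):
        print(classify(sample))
```

Two caveats for this pattern: the byte-level scan assumes UTF-8 or ASCII input (a UTF-16 document would need decoding before the check), and a literal `<!DOCTYPE` inside a comment or CDATA section in otherwise benign XML is rejected too, which is the safe direction for a gate in front of an application that never needs DTDs.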
Mandatory Actions for Federal Agencies
According to the Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must address the identified vulnerabilities by the specified due date to protect their networks against potential attacks. CISA has ordered federal agencies to fix these vulnerabilities by August 12, 2025.
Recommendations for Private Organizations
Private organizations are also strongly advised to review the KEV Catalog and address any vulnerabilities in their infrastructure to mitigate potential risks.
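Reviewing the KEV catalog in practice means joining its entries against your own asset inventory and sorting by the BOD 22-01 due date. The script below is an added example of that triage step, not CISA's or any vendor's tooling. The JSON excerpt is constructed in the shape of the public KEV feed (field names such as `cveID`, `vendorProject`, `product`, `vulnerabilityName` and `dueDate` are assumed from that feed), the inventory is invented, and only the due date and CVE IDs come from the article.

```python
import json
from datetime import date

# Constructed excerpt in the shape of the CISA KEV JSON feed; field names are
# assumed from the public feed, entry contents are illustrative.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2025-54309", "vendorProject": "CrushFTP", "product": "CrushFTP",
         "vulnerabilityName": "CrushFTP Unprotected Alternate Channel Vulnerability",
         "dueDate": "2025-08-12"},
        {"cveID": "CVE-2025-6558", "vendorProject": "Google", "product": "Chromium",
         "vulnerabilityName": "Google Chromium ANGLE and GPU Improper Input Validation Vulnerability",
         "dueDate": "2025-08-12"},
        {"cveID": "CVE-2025-2776", "vendorProject": "SysAid", "product": "SysAid On-Prem",
         "vulnerabilityName": "SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability",
         "dueDate": "2025-08-12"},
        {"cveID": "CVE-2025-2775", "vendorProject": "SysAid", "product": "SysAid On-Prem",
         "vulnerabilityName": "SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability",
         "dueDate": "2025-08-12"},
    ]
})

# Constructed asset inventory: hostname plus the vendor/product it runs.
INVENTORY = [
    {"host": "mft-01", "vendor": "CrushFTP", "product": "CrushFTP"},
    {"host": "helpdesk-01", "vendor": "SysAid", "product": "SysAid On-Prem"},
    {"host": "db-01", "vendor": "PostgreSQL", "product": "PostgreSQL"},
]


def _matches(asset: dict, entry: dict) -> bool:
    """Vendor must match exactly; the KEV product name must appear in the asset's product."""
    return (asset["vendor"].lower() == entry["vendorProject"].lower()
            and entry["product"].lower() in asset["product"].lower())


def kev_exposure(kev_json: str, inventory: list, today: date) -> list:
    """Return one finding per (asset, KEV entry) pair, earliest due date first."""
    entries = json.loads(kev_json)["vulnerabilities"]
    findings = []
    for entry in entries:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if _matches(asset, entry):
                findings.append({
                    "host": asset["host"],
                    "cve": entry["cveID"],
                    "name": entry["vulnerabilityName"],
                    "due": entry["dueDate"],
                    "days_left": (due - today).days,
                    "overdue": due < today,
                })
    findings.sort(key=lambda f: (f["due"], f["host"], f["cve"]))
    return findings


if __name__ == "__main__":
    for f in kev_exposure(KEV_SAMPLE, INVENTORY, date(2025, 7, 24)):
        flag = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['host']:<12} {f['cve']:<15} due {f['due']} ({flag})")
```

Matching on vendor and product name is only as good as the inventory's naming, so in a real deployment the join key would normally be a CPE or the scanner's own product identifier rather than free text.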
Conclusion
The addition of these vulnerabilities to CISA’s KEV catalog underscores the ongoing need for vigilance and proactive security measures. Both federal agencies and private organizations must act swiftly to address these flaws and safeguard their systems against potential exploits.
References
For more details, see the full Security Affairs article cited below.
[1] Security Affairs (2025). “U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog”. Retrieved 2025-07-24.