
CISA Updates Known Exploited Vulnerabilities Catalog with Critical Flaws in Google Chromium, DrayTek Routers, and SAP NetWeaver

Discover the latest vulnerabilities added to CISA's Known Exploited Vulnerabilities catalog, including critical flaws in Google Chromium, DrayTek routers, and SAP NetWeaver. Learn about the impact and necessary actions for federal agencies and private organizations.


TL;DR

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added critical vulnerabilities in Google Chromium, DrayTek routers, and SAP NetWeaver to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies must address these vulnerabilities by June 5, 2025, to protect against potential attacks. Private organizations are also advised to review and mitigate these risks in their infrastructure.

Main Content

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added critical vulnerabilities in Google Chromium, DrayTek routers, and SAP NetWeaver to its Known Exploited Vulnerabilities (KEV) catalog. These vulnerabilities pose significant risks to both federal agencies and private organizations.

Identified Vulnerabilities

  1. CVE-2024-12987 (CVSS score of 7.3) - DrayTek Vigor Routers OS Command Injection Vulnerability
    • Affects: DrayTek Vigor2960 and Vigor300B (v1.5.1.4)
    • Description: A critical OS command injection flaw allows remote attacks through the session parameter via the Web UI.
  2. CVE-2025-4664 (CVSS score of 4.3) - Google Chromium Loader Insufficient Policy Enforcement Vulnerability
    • Affects: Google Chrome prior to 136.0.7103.113
    • Description: Discovered by security researcher Vsevolod Kokorin (@slonser_), this vulnerability could lead to full account takeover. A remote attacker could exploit this flaw to leak cross-origin data via a crafted HTML page.
  3. CVE-2025-42999 (CVSS score of 9.1) - SAP NetWeaver Deserialization Vulnerability
    • Affects: SAP NetWeaver Visual Composer
    • Description: This flaw allows privileged users to upload malicious content, risking system confidentiality, integrity, and availability.

Mitigation Measures

Under Binding Operational Directive (BOD) 22-01, federal agencies must remediate every vulnerability listed in the KEV catalog by the due date CISA assigns to it. For these three entries, CISA has set a deadline of June 5, 2025.

Private organizations are also strongly advised to review the KEV catalog and take necessary actions to mitigate these vulnerabilities in their infrastructure.
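As an added example (not code from the article or from CISA), the following Python script shows one way to operationalize that review: it parses a catalog export in the shape of CISA's KEV JSON feed, matches entries against an asset inventory, and reports how many days remain before each BOD 22-01 due date. The feed shape is assumed from CISA's published format; the catalog snippet and the inventory are constructed sample data.

```python
"""Triage a CISA KEV catalog export against a local asset inventory.

Added example, not from the article or from CISA. It assumes the JSON
has the shape of CISA's public KEV feed: a top-level "vulnerabilities"
list whose entries carry cveID, vendorProject, product and dueDate.
The catalog snippet and the inventory are constructed sample data.
"""
import json
from datetime import date

# Constructed sample in the shape of the KEV feed; due dates follow the article.
# CVE-0000-0000 is a placeholder entry used only to show filtering.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2024-12987", "vendorProject": "DrayTek",
         "product": "Vigor Routers", "dueDate": "2025-06-05"},
        {"cveID": "CVE-2025-4664", "vendorProject": "Google",
         "product": "Chromium", "dueDate": "2025-06-05"},
        {"cveID": "CVE-2025-42999", "vendorProject": "SAP",
         "product": "NetWeaver", "dueDate": "2025-06-05"},
        {"cveID": "CVE-0000-0000", "vendorProject": "ExampleCo",
         "product": "Widget", "dueDate": "2025-05-22"},
    ],
})

# Constructed inventory: (vendor, product) pairs deployed in our environment.
INVENTORY = {("draytek", "vigor routers"), ("sap", "netweaver")}


def triage(kev_json: str, inventory: set, today: date) -> list:
    """Return (cveID, days_until_due) for KEV entries that match the inventory.

    A negative day count means the BOD 22-01 due date has already passed.
    Results are sorted most urgent first.
    """
    catalog = json.loads(kev_json)
    hits = []
    for entry in catalog["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        if key not in inventory:
            continue
        due = date.fromisoformat(entry["dueDate"])
        hits.append((entry["cveID"], (due - today).days))
    return sorted(hits, key=lambda hit: hit[1])


if __name__ == "__main__":
    for cve, days in triage(KEV_SAMPLE, INVENTORY, date(2025, 5, 20)):
        status = f"overdue by {-days} days" if days < 0 else f"{days} days left"
        print(f"{cve}: {status}")
```

The exact (vendor, product) match is deliberately simple; a real inventory will need normalized product names or a CPE-based lookup, since KEV product strings are free text.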


Conclusion

The addition of these vulnerabilities to CISA’s KEV catalog underscores the ongoing need for vigilance in cybersecurity. Both federal agencies and private organizations must prioritize addressing these critical flaws to safeguard their systems against potential exploits. Staying informed and proactive in mitigating such risks is essential in today’s evolving threat landscape.


This post is licensed under CC BY 4.0 by the author.