CISA Adds New CVEs to Known Exploited Vulnerabilities Catalog

CISA KEV catalog cybersecurity vulnerabilities Adminer CVE Cisco IOS CVE Fortra GoAnywhere MFT Libraesva ESG Sudo vulnerabilities
Edward Zhou
Edward Zhou

CEO & Co-Founder

 
October 2, 2025 3 min read

U.S. CISA Adds Vulnerabilities to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included several critical vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog. These include flaws in Adminer, Cisco IOS, Fortra GoAnywhere MFT, Libraesva ESG, and Sudo.

CISA

Adminer Vulnerability

  • CVE-2021-21311: This vulnerability allows server-side request forgery, enabling remote attackers to access potentially sensitive information.
  • Action: Apply mitigations as per vendor instructions and follow applicable BOD 22-01 guidance.

Cisco IOS Vulnerability

  • CVE-2025-20352: A stack-based buffer overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem.
  • This flaw can lead to remote code execution or denial of service.
  • Action: Apply mitigations as per vendor instructions and follow applicable BOD 22-01 guidance.

Fortra GoAnywhere MFT Vulnerability

  • CVE-2025-10035: This vulnerability involves deserialization of untrusted data, allowing execution of arbitrary commands on affected systems.
  • Action: Users should upgrade to a patched version (latest release 7.8.4).
  • Additional details can be found in the Fortra Advisory.

Libraesva ESG Vulnerability

  • CVE-2025-59689: A command injection vulnerability exploited by nation-state actors through specially crafted compressed attachments.
  • This flaw allows attackers to execute arbitrary commands as a non-privileged user.
  • Action: Users should upgrade to the latest version of Libraesva ESG.
  • More information can be found in the Libraesva advisory.

Sudo Vulnerabilities

  • CVE-2025-32463: This vulnerability allows local users to escalate privileges to root on affected systems.
  • Action: Users should apply mitigations as per vendor recommendations and follow applicable BOD 22-01 guidance.
  • Additional details are available in the Sudo security advisory.

Libraesva ESG Zero-Day Exploit

The Libraesva Email Security Gateway (ESG) has been targeted by suspected state-sponsored attackers exploiting a zero-day vulnerability.

CVE-2025-59689 Details

  • This command injection vulnerability results from improper sanitization of code in compressed archive files.
  • Attackers can execute arbitrary shell commands using specially crafted emails.
  • The vulnerability affects versions from 4.5 to 5.5.
  • Fixes have been rolled out for the 5.x branches via automatic updates.
  • For 4.x users, a manual upgrade to a fixed 5.x version is required as 4.x is no longer supported.

Response to Exploit

Libraesva has confirmed that their security team is analyzing details of the attack and has rolled out an emergency security update. They emphasize the importance of rapid patch deployment due to the precision of the threat actor believed to be a foreign state.

Threat Actors Chaining Vulnerabilities in Ivanti CSA

CISA and the FBI have issued a joint advisory regarding multiple vulnerabilities in Ivanti Cloud Service Applications (CSA) that were exploited in September 2024.

Vulnerabilities Overview

The vulnerabilities include:

  • CVE-2024-8963: An administrative bypass allowing remote access to restricted features.
  • CVE-2024-9379: SQL injection vulnerability.
  • CVE-2024-8190 and CVE-2024-9380: Remote code execution vulnerabilities.

Exploitation Details

Threat actors exploited these vulnerabilities in chains to gain initial access and conduct remote code execution, leading to credential theft and webshell implantation. The vulnerabilities affect Ivanti CSA version 4.6x and below.

Recommended Actions

  • Upgrade to the latest supported version of Ivanti CSA.
  • Monitor networks for malicious activity related to these vulnerabilities.

For comprehensive details, refer to the advisory on Ivanti CSA vulnerabilities.

Additional Vulnerabilities in Ivanti Cloud Services Application

Multiple vulnerabilities have been reported in Ivanti CSA that could lead to remote code execution, including:

  • CVE-2024-11639: An authentication bypass vulnerability.
  • CVE-2024-11772: Command injection vulnerability.
  • CVE-2024-11773: SQL injection vulnerability.

Risk Assessment

These vulnerabilities pose a high risk for large and medium entities and a medium risk for small businesses and home users.

Recommendations

  • Apply updates provided by Ivanti immediately.
  • Establish a vulnerability management process to address these risks.

For further information, please consult the Ivanti Security Advisory.

Edward Zhou
Edward Zhou

CEO & Co-Founder

 

CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.

Related News

React2Shell Vulnerability CVE-2025-55182: Exploitation Threats and Trends
React2Shell vulnerability

React2Shell Vulnerability CVE-2025-55182: Exploitation Threats and Trends

Critical React2Shell RCE vulnerability exploited by threat actors. Learn about attacker techniques, observed payloads like crypto miners, and how to protect your systems. Read now!

By Divyansh Ingle December 12, 2025 8 min read
Read full article
WinRAR CVE-2025-6218 Vulnerability Under Active Attack by Threat Groups
WinRAR vulnerability

WinRAR CVE-2025-6218 Vulnerability Under Active Attack by Threat Groups

CISA flags WinRAR CVE-2025-6218 as actively exploited. Learn about this path traversal flaw and how to protect your systems. Update now!

By Jim Gagnard December 11, 2025 3 min read
Read full article
Malicious VSCode Extensions Launch Multi-Stage Attacks and Infostealers
malicious VSCode extensions

Malicious VSCode Extensions Launch Multi-Stage Attacks and Infostealers

Beware of malicious VSCode extensions & device code phishing scams. Learn how these attacks steal credentials, capture screens, and hijack sessions. Protect yourself now!

By Alan V Gutnov December 10, 2025 6 min read
Read full article
PRC State-Sponsored BRICKSTORM Malware Targets Critical Infrastructure
BRICKSTORM malware

PRC State-Sponsored BRICKSTORM Malware Targets Critical Infrastructure

Discover how PRC state actors are using BRICKSTORM malware to gain persistent access via VMware. Learn about its advanced evasion techniques and how to defend your systems. Read now!

By Divyansh Ingle December 9, 2025 3 min read
Read full article