Ethical Hacking News
U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added multiple vulnerabilities to its Known Exploited Vulnerabilities catalog, urging prompt attention from federal agencies and private organizations alike.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added several new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. A critical vulnerability, CVE-2024-12987, in DrayTek Vigor Routers allows for remote attacks via the Web UI with a CVSS score of 7.3. Google Chromium's CVE-2025-4664 has a high risk of full account takeover due to insufficient policy enforcement in the Loader prior to version 136.0.7103.113. SAP NetWeaver's CVE-2025-42999 poses risks to system confidentiality, integrity, and availability through deserialization vulnerabilities. Federal agencies have a deadline of June 5, 2025, to address the added vulnerabilities and private organizations are strongly recommended to patch these vulnerabilities immediately.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a multitude of vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the importance of immediate attention from federal agencies and private organizations alike. The addition of Google Chromium, DrayTek routers, and SAP NetWeaver flaws to the KEV catalog serves as a stark reminder of the ever-evolving threat landscape in the realm of cybersecurity.
Among these newly added vulnerabilities, one of the most critical is the CVE-2024-12987 DrayTek Vigor Routers OS Command Injection Vulnerability, which boasts a CVSS score of 7.3. This particular flaw allows for remote attacks through the session parameter via the Web UI, rendering it an extremely serious vulnerability that can have far-reaching consequences.
Furthermore, Google Chromium's CVE-2025-4664 Loader Insufficient Policy Enforcement Vulnerability holds significant concern due to its potential for full account takeover. As noted by security researcher Vsevolod Kokorin (@slonser_), this vulnerability stems from insufficient policy enforcement in the Loader of Google Chrome prior to version 136.0.7103.113, thereby creating an exploitable pathway for remote attackers to leak cross-origin data via a carefully crafted HTML page.
In addition, SAP NetWeaver's CVE-2025-42999 Deserialization Vulnerability presents another pressing concern due to its potential to risk system confidentiality, integrity, and availability. This flaw allows privileged users to upload malicious content, thereby enabling an adversary to pose significant risks to the overall security posture of systems utilizing SAP NetWeaver Visual Composer.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have been mandated by CISA to address these identified vulnerabilities by their respective due dates in order to protect networks against attacks exploiting the flaws listed within the KEV catalog. Experts also strongly recommend that private organizations review the KEV catalog and take immediate action to patch these vulnerabilities in their infrastructure.
CISA has set a deadline of June 5, 2025, for federal agencies to address the added vulnerabilities, thereby underscoring the urgent nature of this situation. The prompt implementation of security patches and measures is crucial in safeguarding against potential cyber threats and mitigating the risk of data breaches or other malicious activities.
In conclusion, the recent additions to CISA's KEV catalog serve as a stark reminder of the ever-present threat landscape in the realm of cybersecurity. It is imperative that both federal agencies and private organizations take immediate action to address these newly added vulnerabilities, thereby ensuring the continued security and integrity of their respective networks.
Related Information:
https://www.ethicalhackingnews.com/articles/CISA-Adds-Multiple-Vulnerabilities-to-Known-Exploited-Vulnerabilities-Catalog-Urges-Prompt-Action-ehn.shtml
https://securityaffairs.com/177962/hacking/u-s-cisa-adds-google-chromium-draytek-routers-and-sap-netweaver-flaws-to-its-known-exploited-vulnerabilities-catalog.html
https://nvd.nist.gov/vuln/detail/CVE-2024-12987
https://www.cvedetails.com/cve/CVE-2024-12987/
https://nvd.nist.gov/vuln/detail/CVE-2025-4664
https://www.cvedetails.com/cve/CVE-2025-4664/
https://nvd.nist.gov/vuln/detail/CVE-2025-42999
https://www.cvedetails.com/cve/CVE-2025-42999/
Published: Sat May 17 04:29:25 2025 by llama3.2 3B Q4_K_M
