Follow @EthHackingNews |
The U.S. CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including flaws in the Multi-Router Looking Glass (MRLG), PHPMailer, Rails Ruby on Rails, and Synacor Zimbra Collaboration Suite software. These additions underscore the ever-evolving threat landscape of the digital age and highlight the importance of vigilance in the face of emerging threats.
In a move intended to bolster the security posture of federal agencies, the United States Cybersecurity and Infrastructure Security Agency (CISA) has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The additions cover flaws in the Multi-Router Looking Glass (MRLG), PHPMailer, Rails Ruby on Rails, and Synacor Zimbra Collaboration Suite software, and they are a stark reminder that no system is ever completely secure from the prying eyes of malicious actors.
The inclusion of these four vulnerabilities in the KEV catalog is part of CISA's ongoing effort to identify and address weaknesses in federal networks. According to the agency, the MRLG Buffer Overflow Vulnerability (CVE-2014-3931) has a CVSS score of 9.8, indicating a high level of severity. The flaw resides in the fastping.c component of MRLG before version 5.5.0 and allows remote attackers to perform an arbitrary memory write, leading to memory corruption.
CISA has also added the PHPMailer Command Injection Vulnerability (CVE-2016-10033) to its catalog. Discovered by the well-known security researcher Dawid Golunski of Legal Hackers, the vulnerability can be exploited by a remote, unauthenticated attacker to execute arbitrary code in the context of the web server and compromise the target web application. The PHPMailer 5.2.18 release is the only version that is not affected by this vulnerability.
Another addition to the KEV catalog is the Rails Ruby on Rails Path Traversal Vulnerability (CVE-2019-5418). This vulnerability affects multiple versions of the Action View component and allows an attacker to send specially crafted Accept headers that manipulate the way Action View resolves templates. This can trick the framework into rendering arbitrary files from the server's filesystem, including secret configuration files and /etc/passwd.
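The Accept header is only supposed to carry a comma-separated list of media ranges (for example `text/html;q=0.9` or `*/*`), so a header that carries path components is malformed on its face and is worth flagging at the edge or in access logs. The following is an added example, not code from the article or from the Rails project: a strict media-range validator following the RFC 7231 grammar, run over a few constructed request-log lines whose format (client IP, request line, quoted Accept value) is an assumption of this example.

```python
import re

# Media-range grammar from RFC 7231 section 5.3.2 (token charset from RFC 7230
# section 3.2.6). Simplification: commas inside quoted parameter values are
# not handled, which is acceptable for a log-scanning heuristic.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM = rf"\s*;\s*{_TOKEN}\s*=\s*(?:{_TOKEN}|{_QUOTED})"
_MEDIA_RANGE = re.compile(rf"^\s*{_TOKEN}/{_TOKEN}(?:{_PARAM})*\s*$")


def accept_header_is_wellformed(value: str) -> bool:
    """True when every element of the Accept value is a syntactically valid
    media range. An empty header means "accept anything" and is fine.
    Anything containing a second slash, a directory separator, or
    non-token characters in the type/subtype position fails."""
    parts = [p for p in value.split(",") if p.strip()]
    return all(_MEDIA_RANGE.match(p) for p in parts)


# Constructed access-log format (assumption of this example):
#   <client ip> "<METHOD> <path>" accept="<Accept header value>"
_LOG_LINE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" accept="(?P<accept>[^"]*)"$'
)


def flag_malformed_accept(log_text: str):
    """Return one finding per log line whose Accept header is not a list of
    media ranges. Lines that do not match the expected format are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = _LOG_LINE.match(line)
        if not m:
            continue
        if not accept_header_is_wellformed(m["accept"]):
            findings.append(
                {"ip": m["ip"], "path": m["path"], "accept": m["accept"]}
            )
    return findings


# Constructed sample log: three normal browser/API requests and one request
# whose Accept header carries a filesystem path instead of a media range.
SAMPLE_LOG = """\
203.0.113.10 "GET /posts/1" accept="text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
203.0.113.11 "GET /posts/1" accept="../../../../etc/passwd"
203.0.113.12 "GET /api/posts" accept="application/json"
203.0.113.13 "GET /posts/2" accept="text/html;charset=utf-8"
"""

if __name__ == "__main__":
    for finding in flag_malformed_accept(SAMPLE_LOG):
        print(f"malformed Accept from {finding['ip']} on {finding['path']}: {finding['accept']!r}")
```

Rejecting malformed Accept values at a reverse proxy is a defence-in-depth measure, not a substitute for the Rails patch; the validator also flags unusual but harmless clients, so review the hits rather than blocking blindly.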
The final addition to the KEV catalog is the Synacor Zimbra Collaboration Suite Server-Side Request Forgery (SSRF) Vulnerability (CVE-2019-9621). This vulnerability impacts Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3. The flaw allows SSRF via the ProxyServlet component.
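An SSRF flaw in a proxying component like the one described above is usually mitigated by deciding, before any connection is made, whether the requested destination is one the proxy is meant to reach. The following is an added example of such a destination policy and is not Zimbra's code or its ProxyServlet fix; the allowlist, the fake DNS table and the address 11.22.33.44 are constructed for the example.

```python
import ipaddress
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
# Carrier-grade NAT space is not flagged by ipaddress.is_private, so block it explicitly.
_EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]


def ip_is_public(ip) -> bool:
    """False for loopback, RFC 1918, link-local (which includes the cloud
    metadata address 169.254.169.254), multicast, reserved and unspecified."""
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return False
    return not any(ip in net for net in _EXTRA_BLOCKED)


def check_proxy_target(url: str, allowed_hosts, resolve: Callable[[str], Optional[str]]
                       ) -> Tuple[bool, str, Optional[str]]:
    """Decide whether a proxy may fetch `url`.
    Returns (allowed, reason, resolved_ip). The caller should connect to the
    returned IP rather than re-resolving the name, so a DNS answer cannot
    change between the check and the connection."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable url: {exc}", None
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed", None
    if parts.username or parts.password:
        return False, "userinfo in url not allowed", None
    host = parts.hostname
    if not host:
        return False, "missing host", None
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port", None
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", None
    if host.lower() not in allowed_hosts:
        return False, f"host {host!r} not in allowlist", None
    try:
        ip = ipaddress.ip_address(host)          # IP literal in the URL
    except ValueError:
        resolved = resolve(host)                 # hostname: resolve once
        if resolved is None:
            return False, f"could not resolve {host!r}", None
        ip = ipaddress.ip_address(resolved)
    if not ip_is_public(ip):
        return False, f"{host!r} resolves to non-public address {ip}", None
    return True, "ok", str(ip)


# Constructed stand-in for DNS so the example runs offline. The second name is
# allowlisted but has been pointed at loopback, which the policy must still reject.
FAKE_DNS = {
    "files.example.org": "11.22.33.44",     # constructed public-looking address
    "rebound.example.org": "127.0.0.1",
}
ALLOWED_HOSTS = {"files.example.org", "rebound.example.org"}


def fake_resolve(host: str) -> Optional[str]:
    return FAKE_DNS.get(host.lower())


if __name__ == "__main__":
    for candidate in ["https://files.example.org/report.pdf",
                      "http://rebound.example.org/",
                      "http://169.254.169.254/latest/",
                      "file:///etc/passwd"]:
        print(candidate, "->", check_proxy_target(candidate, ALLOWED_HOSTS, fake_resolve))
```

The order of the checks matters: scheme, userinfo and port are rejected before any name resolution happens, and the resolved address is checked even for allowlisted names so that a hijacked or rebinding DNS record cannot steer the proxy into the internal network.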
Under Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Cybersecurity Executive Board (FCEB) agencies are required to remediate the identified vulnerabilities by July 28, 2025, to protect their networks against attacks exploiting the flaws in the catalog. Experts also recommend that private organizations review the catalog and address the vulnerabilities in their own infrastructure.
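Reviewing the catalog against your own inventory is a mechanical task once the KEV feed is in hand. The following is an added example, not tooling from CISA or from the article: it matches a KEV-style record set against a constructed asset inventory and reports how many days remain before each due date. The field names (`cveID`, `vendorProject`, `product`, `dueDate`) follow CISA's public KEV JSON feed; the four entries and their vendor strings are reconstructed from the article and the inventory is invented, so treat both as sample data.

```python
import json
from datetime import date

# Constructed subset of a KEV-style feed. The CVE IDs, product names and the
# July 28, 2025 due date come from the article; vendorProject strings are
# this example's own wording, not copied from the feed.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2014-3931", "vendorProject": "Multi-Router Looking Glass",
         "product": "MRLG", "dueDate": "2025-07-28"},
        {"cveID": "CVE-2016-10033", "vendorProject": "PHPMailer",
         "product": "PHPMailer", "dueDate": "2025-07-28"},
        {"cveID": "CVE-2019-5418", "vendorProject": "Rails",
         "product": "Ruby on Rails", "dueDate": "2025-07-28"},
        {"cveID": "CVE-2019-9621", "vendorProject": "Synacor",
         "product": "Zimbra Collaboration Suite", "dueDate": "2025-07-28"},
    ]
})

# Constructed asset inventory (hypothetical hostnames).
INVENTORY = [
    {"asset": "mail-01", "product": "Zimbra Collaboration Suite"},
    {"asset": "web-app-03", "product": "Ruby on Rails"},
    {"asset": "build-07", "product": "Jenkins"},
]


def _norm(name: str) -> str:
    """Case- and whitespace-insensitive product name for matching."""
    return " ".join(name.lower().split())


def triage(kev_json: str, inventory, today: date):
    """Join KEV entries to inventory rows on product name and compute the
    number of days left until each due date (negative means overdue).
    Matching on free-text product names is a simplification; production
    tooling should match on CPE or package metadata instead."""
    by_product = {}
    for entry in json.loads(kev_json)["vulnerabilities"]:
        by_product.setdefault(_norm(entry["product"]), []).append(entry)
    findings = []
    for asset in inventory:
        for entry in by_product.get(_norm(asset["product"]), []):
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "asset": asset["asset"],
                "cveID": entry["cveID"],
                "dueDate": due,
                "days_left": (due - today).days,
            })
    findings.sort(key=lambda f: (f["days_left"], f["cveID"]))
    return findings


def overdue(findings):
    """Subset of findings whose due date has already passed."""
    return [f for f in findings if f["days_left"] < 0]


if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, date(2025, 7, 14)):
        print(f"{f['asset']}: {f['cveID']} due {f['dueDate']} ({f['days_left']} days left)")
```

To run this against real data, replace `KEV_SAMPLE` with the contents of the catalog's JSON feed published on cisa.gov and feed in your own inventory; the join logic and the due-date arithmetic stay the same.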
CISA's order that federal agencies fix these vulnerabilities by July 28, 2025 underscores the agency's commitment to ensuring the security of federal networks, and the additions serve as a reminder of the importance of vigilance in the digital realm.
As the threat landscape continues to evolve at an unprecedented pace, it is essential for organizations and individuals alike to remain vigilant and proactive in their approach to cybersecurity. By staying informed about emerging threats and vulnerabilities, we can work together to create a more secure digital environment for all.