CISA Adds Four Actively Exploited Flaws To KEV Catalog As Citrix NetScaler Attacks Continue

The United States Cybersecurity and Infrastructure Security Agency has expanded its Known Exploited Vulnerabilities catalog after confirming active exploitation of multiple security flaws observed in real world attacks. On Monday, the agency added four vulnerabilities to the list, warning organizations that these weaknesses pose immediate risks if left unpatched. The move reflects continued concerns around long standing flaws being reused by threat actors and highlights the importance of timely remediation even for older software components that remain in use across enterprise environments.

According to CISA, the newly added vulnerabilities include CVE-2014-3931, a high-severity buffer overflow in Multi-Router Looking Glass that could allow remote attackers to trigger arbitrary memory writes and cause memory corruption. Also included is CVE-2016-10033, a critical command injection vulnerability in PHPMailer that may enable attackers to execute arbitrary code within the application context or trigger denial-of-service conditions. The third flaw, CVE-2019-5418, affects Ruby on Rails Action View and allows path traversal that could expose the contents of arbitrary files on the underlying system. The fourth vulnerability, CVE-2019-9621, impacts Zimbra Collaboration Suite and involves a server-side request forgery weakness that can lead to unauthorized access to internal resources and potential remote code execution. While public reporting on active exploitation remains limited for the first three flaws, previous research has linked abuse of CVE-2019-9621 to a China-linked threat actor identified as Earth Lusca, which used the weakness to deploy web shells and Cobalt Strike tooling during campaigns observed in 2023.

In response to the confirmed exploitation, CISA has advised Federal Civilian Executive Branch agencies to apply the required updates by July 28, 2025 to secure their networks. The recommendation aligns with the agency's broader mandate to reduce exposure to known attack paths that are actively leveraged by adversaries. Although the directive applies directly only to federal agencies, security professionals have noted that similar systems deployed in private-sector environments face comparable risks if patches are delayed. The addition of these vulnerabilities to the KEV catalog signals to organizations globally that exploitation is not theoretical and that remediation should be prioritized as part of routine vulnerability management programs.

The update from CISA coincides with new technical findings related to critical flaws in Citrix NetScaler ADC that are also seeing active exploitation. Security researchers from watchTowr Labs and Horizon3.ai have released detailed analyses of CVE-2025-5777, also known as Citrix Bleed 2, along with CVE-2025-6543. According to watchTowr, attackers are exploiting these flaws to read sensitive memory contents, including credentials and valid Citrix session tokens. The issue allows specially crafted login requests sent to specific authentication endpoints to reflect user-supplied data in responses regardless of whether authentication succeeds. Horizon3.ai explained that by manipulating the login parameter in HTTP requests, attackers could leak small chunks of memory repeatedly, eventually extracting valuable information. watchTowr attributed the flaw to improper use of the snprintf function with specific format strings, which causes uninitialized stack data to be disclosed incrementally. These findings have reinforced concerns around perimeter infrastructure exposure and the cascading impact such vulnerabilities can have when exploited at scale.
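To make the bug class concrete, here is an added illustration that is not code from NetScaler or from the watchTowr or Horizon3.ai analyses: a hypothetical form handler that reflects a login field through snprintf without checking whether the field was ever populated, next to a hardened version that clears the buffer and rejects missing values. The form-body format, the field name handling and the stale marker are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed marker standing in for stale data left on the stack by an
 * earlier request (e.g. a session token); real leaked bytes are not this neat. */
#define STALE "STALE-SESSION-TOKEN"

/* Copy the value of `key` from a form-encoded body into out.
 * Returns the value length, 0 if the key is present with no "=value",
 * or -1 if the key is absent. On 0 or -1, out is left untouched. */
static int form_value(const char *body, const char *key, char *out, size_t cap) {
    size_t klen = strlen(key);
    for (const char *p = body; *p; ) {
        const char *end = strchr(p, '&');
        size_t flen = end ? (size_t)(end - p) : strlen(p);
        if (flen >= klen && strncmp(p, key, klen) == 0 && (flen == klen || p[klen] == '=')) {
            if (flen == klen) return 0;            /* field sent without a value */
            size_t vlen = flen - klen - 1;
            if (vlen >= cap) vlen = cap - 1;       /* truncate, never overflow */
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        if (!end) break;
        p = end + 1;
    }
    return -1;
}

/* Vulnerable shape: the field is reflected whether or not it was filled in.
 * `buf` models the handler's uninitialized local buffer. */
int vulnerable_reply(const char *body, char *buf, size_t cap, char *resp, size_t rcap) {
    form_value(body, "login", buf, cap);        /* return value ignored */
    return snprintf(resp, rcap, "<login>%s</login>", buf);
}

/* Hardened shape: clear the buffer and refuse to echo anything the client did not supply. */
int hardened_reply(const char *body, char *buf, size_t cap, char *resp, size_t rcap) {
    memset(buf, 0, cap);
    int n = form_value(body, "login", buf, cap);
    if (n <= 0) return snprintf(resp, rcap, "<error>missing login value</error>");
    return snprintf(resp, rcap, "<login>%s</login>", buf);
}

/* Returns 1 if the reply to a "login" field sent without a value carries the stale marker. */
int reply_leaks_stale(int hardened) {
    char buf[64], resp[128];
    strcpy(buf, STALE);                         /* simulate a dirty stack frame */
    const char *body = "login&passwd=x";        /* constructed request body */
    if (hardened) hardened_reply(body, buf, sizeof buf, resp, sizeof resp);
    else          vulnerable_reply(body, buf, sizeof buf, resp, sizeof resp);
    return strstr(resp, STALE) != NULL;
}
```

The detection-side takeaway is the same as the fix: a reply that echoes a field the request never supplied is the signal to look for in logs and in code review.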
