Monday, May 19, 2025

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after confirming they are being actively exploited. These include flaws in Google Chromium, DrayTek Vigor routers, and SAP NetWeaver.
Details of the vulnerabilities:
- CVE-2024-12987 (CVSS 7.3): An OS command injection vulnerability in DrayTek Vigor2960 and Vigor300B routers (firmware v1.5.1.4) that allows unauthenticated remote attackers to execute arbitrary commands via the Web UI by manipulating the session parameter.
- CVE-2025-4664 (CVSS 4.3): A security enforcement flaw in the Loader component of Google Chromium, affecting Chrome versions prior to 136.0.7103.113. The vulnerability allows remote attackers to perform cross-origin data access via a single HTML page. It was discovered by security researcher Vsevolod Kokorin (@slonser_), and Google has confirmed that a public exploit is already available.
- CVE-2025-42999 (CVSS 9.1): A deserialization vulnerability in SAP NetWeaver Visual Composer that allows authenticated users to upload malicious content. Exploitation can compromise the confidentiality, integrity, and availability of the affected systems.
CISA emphasized that mitigating KEV-listed vulnerabilities is crucial for reducing cyber risk and has urged both government and private sector organizations to assess and remediate these issues as a priority. Federal Civilian Executive Branch (FCEB) agencies are required to patch all listed vulnerabilities by June 5, 2025, in accordance with Binding Operational Directive (BOD) 22-01.