CISA Adds PHPMailer, Zimbra, and Rails Bugs to KEV Catalog Amid Active Exploitation


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert, adding four high-risk security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. These vulnerabilities are being actively exploited in the wild, posing serious threats to systems if left unpatched.

CISA’s KEV catalog is a vital reference used by federal and private organizations to prioritize vulnerability remediation. The latest additions underscore the urgency of maintaining strong patch management practices and securing legacy systems.

Below are the four vulnerabilities CISA added to the KEV list on July 8, 2025:

1. CVE-2014-3931 – Multi-Router Looking Glass (MRLG) Buffer Overflow

CVSS Score: 9.8 (Critical)
This vulnerability exists in Multi-Router Looking Glass (MRLG), a tool often used by network administrators to inspect BGP routes and diagnose routing issues. The flaw allows remote attackers to perform arbitrary memory writes, potentially leading to memory corruption and execution of malicious code.

2. CVE-2016-10033 – PHPMailer Command Injection

CVSS Score: 9.8 (Critical)
PHPMailer is a widely used library for sending emails in PHP applications. This vulnerability enables attackers to inject commands into email headers, which could result in remote code execution (RCE) or even denial-of-service (DoS). Since PHPMailer is embedded in numerous platforms, the risk of widespread exploitation is high if not patched.

3. CVE-2019-5418 – Ruby on Rails Path Traversal

CVSS Score: 7.5 (High)
A flaw in Ruby on Rails’ Action View component makes it possible for attackers to perform path traversal attacks, allowing them to read arbitrary files from the target server. This could lead to data leakage, exposing sensitive configurations or credentials.

4. CVE-2019-9621 – Zimbra SSRF Vulnerability

CVSS Score: 7.5 (High)
Zimbra Collaboration Suite is a popular email and collaboration platform. This server-side request forgery (SSRF) vulnerability allows attackers to access internal resources and, in some cases, achieve remote code execution.

Trend Micro previously linked exploitation of this flaw to Earth Lusca, a China-based advanced persistent threat (APT) group. The group reportedly used the flaw to deploy web shells and Cobalt Strike beacons, making it a weapon for targeted cyber-espionage.

Given the active exploitation of these vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary updates no later than July 28, 2025. This directive is part of CISA’s Binding Operational Directive (BOD) 22-01, which mandates federal entities to fix known exploited bugs swiftly to reduce risk exposure.


Citrix Bleed 2 Also Under Attack

In a parallel development, cybersecurity researchers have confirmed active exploitation of CVE-2025-5777, a vulnerability dubbed “Citrix Bleed 2.” This flaw affects Citrix NetScaler ADC, a widely deployed application delivery controller used in enterprise environments.

Researchers from watchTowr Labs and Horizon3.ai warn that attackers are exploiting this vulnerability to read sensitive memory data, including:

  • Session tokens

  • User credentials

  • HTTP request data

  • Potentially exploitable information

According to watchTowr’s CEO Benjamin Harris, both CVE-2025-5777 and CVE-2025-6543 are being exploited in real-world scenarios.

The flaw lies in how the snprintf function is used along with the format string %.*s. Here’s how the attack works:

  1. Attackers send a crafted HTTP request to the endpoint /p/u/doAuthentication.do.

  2. By omitting an = in the login parameter (e.g., login instead of login=user), attackers trigger the system to leak about 127 bytes of stack memory.

  3. Repeating this request multiple times allows hackers to collect more memory fragments, increasing the chances of harvesting valuable data.

This behavior results from the %.*s format string, which prints at most the number of characters given by its precision argument but stops early at a null byte. With each request, a fresh slice of uninitialized stack memory is copied into the response, slowly leaking sensitive information.
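To make the log-monitoring recommendation concrete, here is an added detection example (not code from the original article, Citrix, or the researchers cited). It works from the article's description only: it flags requests to an endpoint ending in /doAuthentication.do whose login parameter has no "=" and counts repeats per source, since the leak relies on sending the same malformed request many times. The sample requests are constructed, the Request structure and the exact wire form of the malformed parameter are assumptions, and a real deployment would feed it from NetScaler or proxy logs that capture request bodies.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Tuple


class Request(NamedTuple):
    """Minimal view of one HTTP request as a log pipeline might reconstruct it (assumed shape)."""
    src_ip: str
    method: str
    path: str      # may carry a query string
    body: str      # form-encoded body, empty for GET


# Constructed sample traffic (not real captures): one normal login, two malformed
# requests from the same source, and one unrelated page fetch.
SAMPLE_REQUESTS = [
    Request("203.0.113.10", "POST", "/p/u/doAuthentication.do", "login=alice&passwd=secret"),
    Request("198.51.100.7", "POST", "/p/u/doAuthentication.do", "login"),
    Request("198.51.100.7", "POST", "/p/u/doAuthentication.do", "login&passwd=x"),
    Request("203.0.113.10", "GET", "/logon/LogonPoint/index.html", ""),
]

AUTH_ENDPOINT_RE = re.compile(r"/doAuthentication\.do$")


def malformed_login_param(params: str) -> bool:
    """True if a form/query string carries a bare 'login' field with no '='.

    'login=' (empty value) still has an '=' and is treated as well-formed,
    matching the article's description of the malformed case.
    """
    return any(field.strip() == "login" for field in params.split("&"))


def is_suspicious(req: Request) -> bool:
    """Flag requests to the authentication endpoint with a bare 'login' parameter."""
    path, _, query = req.path.partition("?")
    if not AUTH_ENDPOINT_RE.search(path):
        return False
    return malformed_login_param(req.body) or malformed_login_param(query)


def flag_requests(requests: List[Request]) -> Tuple[List[Request], Counter]:
    """Return the flagged requests and a per-source count of them.

    Repeated hits from one source are the stronger signal, since the leak is
    harvested by replaying the malformed request.
    """
    flagged = [r for r in requests if is_suspicious(r)]
    per_source = Counter(r.src_ip for r in flagged)
    return flagged, per_source


def noisy_sources(requests: List[Request], threshold: int = 2) -> List[str]:
    """Sources that sent at least `threshold` flagged requests (threshold is a tunable assumption)."""
    _, per_source = flag_requests(requests)
    return sorted(ip for ip, n in per_source.items() if n >= threshold)


if __name__ == "__main__":
    flagged, per_source = flag_requests(SAMPLE_REQUESTS)
    for r in flagged:
        print(f"suspicious: {r.src_ip} {r.method} {r.path} body={r.body!r}")
    for ip in noisy_sources(SAMPLE_REQUESTS):
        print(f"repeated malformed logins from {ip}: {per_source[ip]}")
```

The check is deliberately narrow (bare "login" with no "=") so it does not fire on ordinary failed logins; tune the repeat threshold to your traffic, and treat a hit as a prompt to rotate sessions and credentials as well as to patch.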

To stay secure, organizations — especially those operating federal systems — should:

  • Patch all systems affected by the newly listed KEVs immediately

  • Monitor Citrix NetScaler logs for unusual activity tied to /doAuthentication.do

  • Apply updates for CVE-2025-5777 and CVE-2025-6543

  • Implement application-layer protections like WAFs to filter malformed requests

  • Conduct a full system audit to ensure there are no existing backdoors or web shells installed through past exploit attempts

These alerts from CISA and independent researchers highlight the increasing speed of vulnerability exploitation in today’s threat landscape. With legacy vulnerabilities from as early as 2014 now being weaponized, it’s clear that old, unpatched systems are low-hanging fruit for attackers.

Cybersecurity teams must not only respond to emerging zero-day threats but also remain vigilant about older, known flaws. Incorporating tools like vulnerability scanners, automated patch management, and intrusion detection systems is no longer optional — it’s essential.
