CISA updates KEV catalog with two vulnerabilities
D-Link routers and Array Networks ArrayOS AG are affected by a buffer overflow and a command injection vulnerability, respectively, and both entries have been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation.
The advisory identifies CVE-2022-37055 as a buffer overflow vulnerability affecting D-Link routers and CVE-2025-66644 as an Array Networks ArrayOS AG Operating System (OS) command injection vulnerability; these two Common Vulnerabilities and Exposures (CVE) identifiers are the items newly listed in the KEV Catalog.
The advisory states that such vulnerabilities are frequent attack vectors for malicious cyber actors and pose risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01 established the KEV Catalog as a living list of CVEs that carry risk to the federal enterprise and requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks.
Although BOD 22-01 applies only to FCEB agencies, the advisory urges all organizations to prioritize timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice and states that CISA will continue to add vulnerabilities that meet the specified criteria.