
CISA adds two vulnerabilities to its catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, following evidence of active exploitation. This update is relevant to IT decision-makers responsible for cybersecurity practices.

Vulnerabilities Identified

Two new vulnerabilities have been added by CISA. The first is CVE-2020-24363, a missing authentication for critical function weakness in the TP-Link TL-WA855RE.

The second is CVE-2025-55177, an incorrect authorization vulnerability in WhatsApp, a product of Meta Platforms.

Implications for Federal Agencies

These vulnerabilities represent common attack vectors exploited by cybercriminals and may pose risks to federal entities. Under Binding Operational Directive (BOD) 22-01, the KEV Catalog serves as an ongoing inventory of Common Vulnerabilities and Exposures (CVEs) that require prompt remediation to mitigate active threats.

While BOD 22-01 applies specifically to Federal Civilian Executive Branch (FCEB) agencies, CISA recommends that all organizations actively manage their cybersecurity by remediating KEV Catalog vulnerabilities promptly. The catalog will continue to be updated as new vulnerabilities that meet the established criteria are identified.
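One way to turn the KEV Catalog into a remediation worklist, as an added example that is not part of the original summary and not a CISA tool: the Python below loads a constructed JSON document shaped like CISA's KEV feed (the field names cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate and requiredAction are assumed from the public feed; every date, the requiredAction text and the third entry are constructed placeholders), joins it against a constructed asset inventory of scanner findings, and reports which assets carry KEV-listed CVEs and whether the BOD 22-01 due date has passed. The two real CVE IDs are the ones named in the article.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed. Field names are assumed from the
# public feed; the first two entries carry the CVE IDs named in the article, the third is a
# placeholder, and every date and requiredAction string here is constructed.
KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2020-24363",
            "vendorProject": "TP-Link",
            "product": "TL-WA855RE",
            "vulnerabilityName": "Missing Authentication for Critical Function",
            "dateAdded": "2025-01-01",  # constructed
            "dueDate": "2025-01-22",    # constructed
            "requiredAction": "Apply vendor mitigations or discontinue use.",  # constructed
        },
        {
            "cveID": "CVE-2025-55177",
            "vendorProject": "Meta Platforms",
            "product": "WhatsApp",
            "vulnerabilityName": "Incorrect Authorization",
            "dateAdded": "2025-01-01",  # constructed
            "dueDate": "2025-01-22",    # constructed
            "requiredAction": "Apply vendor mitigations or discontinue use.",  # constructed
        },
        {
            "cveID": "CVE-0000-00000",  # placeholder, not a real CVE
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder entry with an earlier due date",
            "dateAdded": "2024-12-01",  # constructed
            "dueDate": "2024-12-22",    # constructed
            "requiredAction": "Apply vendor mitigations or discontinue use.",  # constructed
        },
    ],
})

# Constructed scanner output: asset name plus the CVEs a scanner reported on it.
# CVE-2024-00000 is a placeholder that is deliberately absent from the catalog.
INVENTORY = [
    {"asset": "branch-extender-01", "cves": ["CVE-2020-24363"]},
    {"asset": "exec-phone-07", "cves": ["CVE-2025-55177", "CVE-2024-00000"]},
    {"asset": "legacy-app-03", "cves": ["CVE-0000-00000"]},
    {"asset": "db-server-02", "cves": ["CVE-2024-00000"]},
]


def index_kev(feed_json: str) -> dict:
    """Map cveID -> catalog entry so each inventory finding is a single dict lookup."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def kev_exposures(feed_json: str, inventory: list, today: date) -> list:
    """Return one row per (asset, CVE) pair whose CVE is in the catalog.

    Rows are sorted by due date, then asset name, so the most urgent items come first.
    Findings not present in the catalog are ignored: KEV is a prioritization filter,
    not a complete vulnerability list.
    """
    kev = index_kev(feed_json)
    rows = []
    for host in inventory:
        for cve in host["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            rows.append({
                "asset": host["asset"],
                "cveID": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "dueDate": entry["dueDate"],
                "daysLeft": (due - today).days,
                "overdue": due < today,
                "requiredAction": entry["requiredAction"],
            })
    rows.sort(key=lambda r: (r["dueDate"], r["asset"]))
    return rows


def summarize(feed_json: str, inventory: list, today: date) -> dict:
    """Counts a security lead would report: exposures, how many are overdue, affected assets."""
    rows = kev_exposures(feed_json, inventory, today)
    return {
        "exposures": len(rows),
        "overdue": sum(1 for r in rows if r["overdue"]),
        "assets": sorted({r["asset"] for r in rows}),
    }


if __name__ == "__main__":
    today = date(2025, 1, 15)  # constructed reference date
    for row in kev_exposures(KEV_FEED, INVENTORY, today):
        status = "OVERDUE" if row["overdue"] else f'{row["daysLeft"]}d left'
        print(f'{row["asset"]:20} {row["cveID"]:16} {row["product"]:26} due {row["dueDate"]} ({status})')
    print(summarize(KEV_FEED, INVENTORY, today))
```

In practice the feed would be fetched from CISA and the inventory would come from a scanner or CMDB export; the join logic stays the same. Keeping the reference date as a parameter makes the overdue calculation testable and lets the same report be re-run against a past date during an audit.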

Conclusion

This development underscores the importance of ongoing vigilance in vulnerability management. CISA's addition of these vulnerabilities to the KEV Catalog emphasizes the need for proactive cybersecurity measures. This summary is a timely, fact-based overview of CISA's recent update.