
CISA adds two vulnerabilities to its KEV Catalog

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, both of which are under active exploitation. This development matters to IT decision-makers responsible for managing cybersecurity risk.

Vulnerability Details

The first vulnerability is identified as CVE-2025-32433, which affects the Erlang/OTP Secure Shell (SSH) server. It is categorized as a Missing Authentication for Critical Function vulnerability.

The second vulnerability, CVE-2024-42009, is a Cross-Site Scripting (XSS) vulnerability in RoundCube Webmail. Both vulnerabilities are potential targets for cyber actors seeking to exploit weaknesses in exposed systems.

Context and Recommendations

Vulnerabilities like these are common avenues for cyberattacks and represent notable risks to federal operations. The Binding Operational Directive (BOD) 22-01 emphasizes the importance of the KEV Catalog and mandates that Federal Civilian Executive Branch (FCEB) agencies address vulnerabilities by specified dates to safeguard their networks.

While BOD 22-01 applies only to FCEB agencies, CISA advises all organizations to reduce their exposure to cyber threats by promptly remediating KEV Catalog entries. CISA will continue to add vulnerabilities to the catalog as they meet the established criteria.

Conclusion

This update from CISA highlights the ongoing efforts to manage and reduce cybersecurity risks associated with known exploitable vulnerabilities. IT leaders should consider this information crucial for their risk management and vulnerability remediation strategies. This summary reflects a timely overview of the original blog post.