CISA adds two vulnerabilities to known exploited vulnerabilities catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has incorporated two new vulnerabilities into its Known Exploited Vulnerabilities (KEV) Catalog, citing proof of active exploitation. The affected products include Adobe Commerce and Magento, and Microsoft Windows Server Update Service (WSUS). These vulnerabilities involve improper input validation and deserialization of untrusted data, respectively, with consequences that impact enterprise network security.

The first vulnerability, identified as CVE-2025-54236, affects Adobe Commerce and Magento and stems from improper input validation. The second, CVE-2025-59287, affects Microsoft Windows Server Update Service and stems from deserialization of untrusted data. Both were added to the KEV Catalog on the basis of evidence of exploitation; the advisory draws no distinction between them beyond their differing weakness types and affected components.

Successful exploitation of either vulnerability could allow an attacker to manipulate the affected system without authorization, compromising the integrity of the enterprise network it belongs to. The advisory notes that vulnerabilities of this kind are frequent vectors for malicious cyber activity and pose significant risk to the federal enterprise.

Binding Operational Directive (BOD) 22-01, aimed at reducing the risk posed by known exploited vulnerabilities, requires Federal Civilian Executive Branch agencies to remediate vulnerabilities listed in the KEV Catalog by specified due dates in order to protect their networks from active threats. The directive established the KEV Catalog as a living list of Common Vulnerabilities and Exposures (CVE) identifiers that carry significant risk to the federal enterprise.

Although compliance with BOD 22-01 is required only for federal agencies, CISA recommends that all organizations prioritize the timely remediation of vulnerabilities listed in the KEV Catalog. CISA will continue to update the catalog with vulnerabilities meeting the established criteria for active exploitation.