CISA adds five new vulnerabilities to KEV Catalog
CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog, adding five vulnerabilities for which there is evidence of active exploitation. The update is relevant to IT decision-makers and security teams that use the catalog to prioritize patching.
New Vulnerabilities Added
The newly added entries affect ASUS routers, Craft CMS, and ConnectWise ScreenConnect:
- CVE-2021-32030: ASUS Routers Improper Authentication.
- CVE-2023-39780: ASUS RT-AX55 Routers Operating System (OS) Command Injection.
- CVE-2024-56145: Craft CMS Code Injection.
- CVE-2025-3935: ConnectWise ScreenConnect Improper Authentication.
- CVE-2025-35939: Craft CMS External Control of Assumed-Immutable Web Parameter.
Mandate for Federal Agencies
Binding Operational Directive (BOD) 22-01 requires federal agencies to remediate the vulnerabilities listed in the catalog, reflecting the risk that actively exploited flaws pose to their networks. Federal Civilian Executive Branch agencies are specifically required to remediate these vulnerabilities promptly.
While BOD 22-01 applies only to federal agencies, CISA advises all organizations to actively manage vulnerabilities in their networks by prioritizing the remediation of KEV Catalog vulnerabilities. CISA plans to expand the catalog by including new vulnerabilities as they are identified.
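One way to act on that advice is to check scanner findings against the KEV feed and order remediation by the catalog's due date. The following is an added example, not CISA's own tooling; the feed sample is constructed in the shape of the public KEV JSON (the real field names `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`), with the five CVE IDs from this update and placeholder dates, and the findings list and host names are invented.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names match the
# real feed; CVE IDs are the five from this update; all dates are placeholders.
SAMPLE_KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-32030", "vendorProject": "ASUS", "product": "Routers",
     "dateAdded": "2025-05-15", "dueDate": "2025-06-05"},
    {"cveID": "CVE-2023-39780", "vendorProject": "ASUS", "product": "RT-AX55 Routers",
     "dateAdded": "2025-05-30", "dueDate": "2025-06-20"},
    {"cveID": "CVE-2024-56145", "vendorProject": "Craft CMS", "product": "Craft CMS",
     "dateAdded": "2025-05-30", "dueDate": "2025-06-20"},
    {"cveID": "CVE-2025-3935", "vendorProject": "ConnectWise", "product": "ScreenConnect",
     "dateAdded": "2025-05-28", "dueDate": "2025-06-18"},
    {"cveID": "CVE-2025-35939", "vendorProject": "Craft CMS", "product": "Craft CMS",
     "dateAdded": "2025-06-02", "dueDate": "2025-06-23"},
]})

# Constructed scanner findings (host names invented). CVE-0000-0000 is a
# placeholder id that is deliberately absent from the catalog.
SAMPLE_FINDINGS = [
    {"host": "edge-rtr-01", "cve": "CVE-2023-39780"},
    {"host": "edge-rtr-02", "cve": "CVE-2021-32030"},
    {"host": "web-cms-02", "cve": "CVE-2025-35939"},
    {"host": "web-cms-02", "cve": "CVE-0000-0000"},
    {"host": "rmm-01", "cve": "CVE-2025-3935"},
]


def load_kev(feed_text: str) -> dict:
    """Index a KEV feed by cveID so each finding is a single dictionary lookup."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def prioritize(findings: list, kev: dict, today: date) -> list:
    """Keep only findings that are in the KEV catalog, earliest due date first.

    days_left is negative when the catalog due date has already passed.
    """
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            continue  # not known-exploited: leave to the normal patch cadence
        due = date.fromisoformat(entry["dueDate"])
        rows.append({"host": f["host"], "cve": f["cve"],
                     "product": f"{entry['vendorProject']} {entry['product']}",
                     "due": due.isoformat(), "days_left": (due - today).days})
    return sorted(rows, key=lambda r: r["due"])


if __name__ == "__main__":
    for r in prioritize(SAMPLE_FINDINGS, load_kev(SAMPLE_KEV_FEED), date.today()):
        print(f"{r['due']}  {r['days_left']:>4}d  {r['host']:<12} {r['cve']}  {r['product']}")
```

Against the live feed, replace SAMPLE_KEV_FEED with the downloaded JSON and SAMPLE_FINDINGS with your scanner export; entries with negative days_left are past the catalog due date.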
Feedback Mechanism
CISA has released a feedback survey through which organizations can share their input on the KEV Catalog. This input may inform future updates and enhancements.
This update reflects CISA's ongoing effort to keep the catalog of actively exploited vulnerabilities current for federal networks, and to support other organizations in their risk management practices.