CISA adds six vulnerabilities to Known Exploited Vulnerabilities Catalog
CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation; the additions carry remediation requirements for federal agencies.
Details of New Vulnerabilities
The latest additions to CISA's catalog span several platforms and affect products from Ivanti, MDaemon, Srimax, Synacor, and ZKTeco. The newly listed vulnerabilities are:
- CVE-2025-4427 - Ivanti Endpoint Manager Mobile Authentication Bypass
- CVE-2025-4428 - Ivanti Endpoint Manager Mobile Code Injection
- CVE-2024-11182 - MDaemon Email Server Cross-Site Scripting (XSS)
- CVE-2025-27920 - Srimax Output Messenger Directory Traversal
- CVE-2024-27443 - Synacor Zimbra Collaboration Suite XSS
- CVE-2023-38950 - ZKTeco BioTime Path Traversal
Vulnerabilities of this kind are frequent attack vectors for malicious actors and pose a risk to the federal sector.
Operational Directives
Under Binding Operational Directive (BOD) 22-01, CISA maintains the KEV Catalog as a list of CVEs that carry significant risk to the federal enterprise. FCEB agencies are required to remediate catalogued vulnerabilities to protect their networks against active threats. Additional information can be found in the BOD 22-01 Fact Sheet.
CISA recommends that all organizations, federal or not, prioritize timely remediation of catalog vulnerabilities to reduce their exposure to cyberattacks. The agency will continue to add vulnerabilities to the catalog as they meet its published criteria.
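As an added example (not part of the CISA notice), the following Python script shows how a defender can turn the catalog into a remediation work list: it parses a KEV feed, matches each entry against a local asset inventory by vendor and product, and flags matches whose due date has already passed. The feed excerpt is a constructed sample laid out like CISA's published KEV JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json); the CVE IDs and vendor names come from the list above, while the dates, hostnames, inventory, and required-action text are placeholders, not values CISA published.

```python
"""Triage a KEV catalog feed against a local asset inventory (added example)."""
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The dateAdded,
# dueDate and requiredAction values are placeholders, not CISA's published data.
SAMPLE_KEV_JSON = json.dumps({
    "catalogVersion": "0000.00.00",
    "dateReleased": "2025-01-01T00:00:00.0000Z",
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-2025-4427", "vendorProject": "Ivanti",
         "product": "Endpoint Manager Mobile (EPMM)",
         "vulnerabilityName": "Ivanti Endpoint Manager Mobile Authentication Bypass",
         "dateAdded": "2025-05-19", "dueDate": "2025-06-09",
         "requiredAction": "(constructed placeholder)"},
        {"cveID": "CVE-2025-4428", "vendorProject": "Ivanti",
         "product": "Endpoint Manager Mobile (EPMM)",
         "vulnerabilityName": "Ivanti Endpoint Manager Mobile Code Injection",
         "dateAdded": "2025-05-19", "dueDate": "2025-06-09",
         "requiredAction": "(constructed placeholder)"},
        {"cveID": "CVE-2024-11182", "vendorProject": "MDaemon",
         "product": "Email Server",
         "vulnerabilityName": "MDaemon Email Server Cross-Site Scripting (XSS)",
         "dateAdded": "2025-05-19", "dueDate": "2025-06-09",
         "requiredAction": "(constructed placeholder)"},
        {"cveID": "CVE-2023-38950", "vendorProject": "ZKTeco",
         "product": "BioTime",
         "vulnerabilityName": "ZKTeco BioTime Path Traversal",
         "dateAdded": "2025-05-19", "dueDate": "2025-06-02",
         "requiredAction": "(constructed placeholder)"},
    ],
})

# Constructed asset inventory; hostnames are placeholders.
SAMPLE_INVENTORY = [
    {"host": "mdm01.example.test", "vendor": "Ivanti", "product": "Endpoint Manager Mobile"},
    {"host": "mail01.example.test", "vendor": "MDaemon", "product": "Email Server"},
    {"host": "hr-time.example.test", "vendor": "ZKTeco", "product": "BioTime"},
    {"host": "web01.example.test", "vendor": "Apache", "product": "HTTP Server"},
]


def load_kev(feed_text):
    """Parse a KEV feed and index its entries by CVE ID.

    The feed carries its own entry count; a mismatch indicates a truncated
    or tampered copy, so refuse to act on it.
    """
    feed = json.loads(feed_text)
    entries = {v["cveID"]: v for v in feed["vulnerabilities"]}
    if feed.get("count") != len(entries):
        raise ValueError(f"KEV count {feed.get('count')} != {len(entries)} entries")
    return entries


def _norm(text):
    """Lower-case and collapse whitespace so vendor/product strings compare loosely."""
    return " ".join(text.lower().split())


def match_inventory(kev_entries, inventory):
    """Return one hit per (asset, catalog entry) whose vendor and product match.

    Matching is a normalised substring test: an inventory product of
    "Endpoint Manager Mobile" matches the catalog's "Endpoint Manager Mobile (EPMM)".
    """
    hits = []
    for asset in inventory:
        vendor, product = _norm(asset["vendor"]), _norm(asset["product"])
        for cve_id, entry in kev_entries.items():
            if vendor in _norm(entry["vendorProject"]) and product in _norm(entry["product"]):
                hits.append({"host": asset["host"], "cveID": cve_id,
                             "name": entry["vulnerabilityName"],
                             "dueDate": entry["dueDate"]})
    return hits


def overdue(hits, today):
    """Filter hits whose remediation due date is already in the past."""
    return [h for h in hits if date.fromisoformat(h["dueDate"]) < today]


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    found = match_inventory(catalog, SAMPLE_INVENTORY)
    for hit in found:
        print(f"{hit['host']:24} {hit['cveID']:15} due {hit['dueDate']}  {hit['name']}")
    late = overdue(found, date.today())
    print(f"{len(found)} exposed asset/CVE pairs, {len(late)} past due")
```

In production the feed text would be fetched from the CISA URL above and the inventory would come from a CMDB or scanner export; the matching stays the same. The count check in `load_kev` is a cheap integrity guard against a partially downloaded feed silently shrinking the work list.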