CISA flags five newly exploited flaws affecting Apple, Craft CMS, and Laravel Livewire

March 20, 2026 (2 min read, 2 sources)

CISA has added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after finding evidence of active exploitation, putting defenders on notice that the bugs are already being used in real attacks. The newly listed issues are CVE-2025-31277, a buffer overflow affecting multiple Apple products; CVE-2025-32432, a code injection flaw in Craft CMS; CVE-2025-43510, an improper locking issue affecting multiple Apple products; CVE-2025-43520, a classic buffer overflow in multiple Apple products; and CVE-2025-54068, a code injection flaw in Laravel Livewire.

CISA’s KEV Catalog is a priority remediation list used across government and widely followed by private-sector security teams. Inclusion means the agency has determined the vulnerabilities are not just severe on paper but are being exploited in the wild. Under Binding Operational Directive 22-01, federal civilian agencies must remediate KEV-listed flaws by CISA’s deadlines.

The mix of affected products broadens the risk. Three Apple entries suggest active exploitation against consumer and enterprise endpoints, though CISA’s alert does not include technical details on the affected components or attack chains. The two web application flaws may be especially urgent for internet-facing systems: code injection bugs in Craft CMS and Laravel Livewire can lead to server compromise, data theft, web shell deployment, or follow-on access into connected environments if left unpatched.

For defenders, the immediate priority is straightforward: identify exposed Apple devices and any deployments running Craft CMS or Laravel Livewire, apply vendor fixes, and review logs for signs of exploitation. Organizations that cannot patch immediately should restrict exposure where possible and monitor for suspicious administrative activity, unexpected file changes, and outbound connections from affected systems. Remote staff accessing sensitive systems should also use secure channels such as a VPN while incident response and patching are underway.

One caveat: the CISA alert confirms active exploitation and KEV inclusion, but fuller technical specifics, affected versions, and patch guidance should be verified through vendor advisories and the KEV entry itself. Even so, KEV status alone is enough to move these flaws to the top of patch queues.
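As an added illustration of the triage step described above (example code, not from the article or from CISA), the script below cross-references a KEV-format feed with a software inventory and orders the hits by exposure and due date. Field names follow the public CISA KEV JSON feed; the records, hosts and due dates are constructed placeholders, so real values must be taken from the live catalog and vendor advisories.

```python
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed. The CVE IDs are the
# ones named in the article; due dates and the last record are placeholders.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-32432", "vendorProject": "Craft CMS", "product": "Craft CMS", "dueDate": "2026-04-10"},
    {"cveID": "CVE-2025-54068", "vendorProject": "Laravel", "product": "Livewire", "dueDate": "2026-04-10"},
    {"cveID": "CVE-2025-31277", "vendorProject": "Apple", "product": "Multiple Products", "dueDate": "2026-04-10"},
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor", "product": "ExampleProduct", "dueDate": "2021-01-01"},
]})

# Constructed asset inventory, as a CMDB export might look.
SAMPLE_INVENTORY = [
    {"host": "www-01", "vendor": "Craft CMS", "product": "Craft CMS", "exposed": True},
    {"host": "app-02", "vendor": "Laravel", "product": "Livewire", "exposed": True},
    {"host": "mbp-117", "vendor": "Apple", "product": "macOS", "exposed": False},
    {"host": "db-01", "vendor": "PostgreSQL", "product": "PostgreSQL", "exposed": False},
]

def _norm(s):
    return " ".join(s.lower().split())

def matches(entry, asset):
    """Heuristic match: vendor must agree; product must agree unless the KEV entry
    says "Multiple Products", in which case the vendor alone flags the asset for
    manual verification against the vendor advisory (the article's own caveat)."""
    if _norm(entry["vendorProject"]) != _norm(asset["vendor"]):
        return False
    if _norm(entry["product"]) == "multiple products":
        return True
    ep, ap = _norm(entry["product"]), _norm(asset["product"])
    return ep in ap or ap in ep

def triage(kev_json, inventory, today_iso):
    """Return (host, CVE) hits, internet-exposed first, then overdue, then by due date."""
    today = date.fromisoformat(today_iso)
    hits = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if matches(entry, asset):
                hits.append({"host": asset["host"], "cveID": entry["cveID"], "dueDate": due.isoformat(),
                             "overdue": due < today, "exposed": asset["exposed"]})
    hits.sort(key=lambda h: (not h["exposed"], not h["overdue"], h["dueDate"], h["host"]))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, "2026-03-20"):
        print(hit)
```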
