嗯,用户让我用中文总结一篇文章,控制在100字以内,而且不需要特定的开头。首先,我需要仔细阅读文章内容,找出关键信息。 文章主要讲的是美国CISA机构将微软WSUS和Adobe Commerce及Magento Open Source的漏洞加入到已知被利用的漏洞目录中。具体有两个CVE编号:CVE-2025-54236和CVE-2025-59287,分别涉及输入验证和反序列化问题。 接下来,我需要提取这些关键点:CISA添加了哪些漏洞,漏洞的影响,以及应对措施。比如,Adobe的漏洞已经被广泛利用,只有38%的企业修补了;微软的漏洞CVSS评分很高,影响也很大。 然后,总结时要简洁明了,控制在100字以内。可能的结构是先点明CISA的行为,然后分别说明两个漏洞的情况,最后提到修复截止日期。 最后检查一下是否符合要求:中文、100字以内、没有特定开头。确保信息准确无误。 </think> 美国网络安全和基础设施安全局(CISA)将微软WSUS和Adobe Commerce及Magento Open Source的两个高危漏洞加入已知被利用漏洞目录。其中Adobe漏洞(CVE-2025-54236)CVSS评分9.1,已被广泛用于劫持用户账户;微软漏洞(CVE-2025-59287)CVSS评分9.8,可远程代码执行。CISA要求联邦机构于2025年11月14日前修复这些漏洞。 2025-10-24 19:5:31 Author: securityaffairs.com(查看原文) 阅读量:4 收藏
U.S. CISA adds Microsoft WSUS, and Adobe Commerce and Magento Open Source flaws to its Known Exploited Vulnerabilities catalog
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft WSUS, and Adobe Commerce and Magento Open Source flaws to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Microsoft WSUS, and Adobe Commerce and Magento Open Source flaws to its Known Exploited Vulnerabilities (KEV) catalog.
Below the list of flaws added to the catalog:
- CVE-2025-54236 Adobe Commerce and Magento Improper Input Validation Vulnerability
- CVE-2025-59287 Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability
The vulnerability CVE-2025-54236 is an improper input validation issue. This week the e-commerce security company Sansec warned that threat actors are exploiting the critical flaw CVE-2025-54236 (CVSS 9.1), to hijack customer accounts via the REST API. The experts observed over 250 attacks hit stores in 24 hours.
Last month, Adobe issued an emergency patch to fix the flaw, dubbed SessionReaper, after researcher Blaklis responsibly disclosed it. An attacker can exploit this vulnerability to take over customer accounts. Sansec blocked over 250 SessionReaper attack attempts on e-commerce sites, with payloads delivering PHP webshells or phpinfo probes from multiple IPs.
Experts warn that the situation is critical, as only 38% of stores are patched and exploit details are already publicly available.
The second vulnerability added to the catalog, tracked as CVE-2025-59287 (CVSS score of 9.8), is a deserialization of untrusted data in Windows Server Update Service that allows an unauthorized attacker to execute code over a network.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerabilities by November 14, 2025.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISA)
如有侵权请联系:admin#unsafe.sh