U.S. CISA adds Cisco, SonicWall, and ASUS flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Cisco, SonicWall, and ASUS flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Apple and Gladinet CentreStack and Triofox flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the flaws added to the catalog:

• CVE-2025-20393 (CVSS score of 10.0) Cisco Multiple Products Improper Input Validation Vulnerability
• CVE-2025-40602 (CVSS score of 6.6) SonicWall SMA1000 Missing Authorization Vulnerability
• CVE-2025-59374 (CVSS score of 9.3) ASUS Live Update Embedded Malicious Code Vulnerability

Cisco reported a December 10 campaign targeting certain Secure Email Gateway appliances with exposed ports, enabling attackers to run root-level commands and plant persistence mechanisms. Threat actors exploited a Remote Command Execution Vulnerability, tracked as CVE-2025-20393, in Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.

“On December 10, Cisco became aware of a new cyberattack campaign targeting a limited subset of appliances with certain ports open to the internet that are running Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.” reads the advisory. “This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance. The ongoing investigation has revealed evidence of a persistence mechanism planted by the threat actors to maintain a degree of control over compromised appliances.”

The second vulnerability added to the catalog, tracked as CVE-2025-40602, is a local privilege escalation issue, which is due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC). This week, SonicWall urged customers to address this vulnerability that was exploited as a zero-day in attacks in the wild.

“A local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC).” reads the advisory published by the company. “Please note that SonicWall Firewall products are not affected by this vulnerability.”

The vendor warned customers that the vulnerability was chained with CVE-2025-23006 in zero-day attacks to escalate privileges. Sonicwall has not disclosed details about the attacks that exploited the flaw as a zero-day, nor the attackers’ motivations.

“This vulnerability was reported to be leveraged in combination with CVE-2025-23006 (CVSS score 9.8) to achieve unauthenticated remote code execution with root privileges. CVE-2025-23006 was remediated in build version 12.4.3-02854 (platform-hotfix) and higher versions (released on Jan 22, 2025).” continues the advisory. “SonicWall PSIRT strongly advises users of the SMA1000 product to upgrade to the latest hotfix release version to address the vulnerability.”

CISA also added a critical ASUS Live Update flaw (CVE-2025-59374) to its KEV catalog after confirming active exploitation. The issue stems from a supply chain compromise in which certain Live Update versions were distributed with embedded malicious code, enabling unintended actions on specifically targeted devices. The vulnerability traces back to the ShadowHammer campaign uncovered in 2019, when threat actors trojanized ASUS updates to target a small set of users identified by MAC addresses. ASUS fixed the issue in 2019, but Live Update reached end of support in December 2025.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the CISCO and SonicWall vulnerabilities by December 24, 2025, and Asus flaw by January 7, 2025

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)