U.S. CISA adds Apple, Laravel Livewire and Craft CMS flaws to its Known Exploited Vulnerabilities catalog
2026-3-22 14:40:1 Author: securityaffairs.com

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apple, Laravel Livewire and Craft CMS flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Apple, Laravel Livewire and Craft CMS flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the flaws added to the catalog:

  • CVE-2025-31277 (CVSS score of 8.8) Apple Multiple Products Buffer Overflow Vulnerability
  • CVE-2025-32432 (CVSS score of 10.0) Craft CMS Code Injection Vulnerability
  • CVE-2025-43510 (CVSS score of 7.8) Apple Multiple Products Improper Locking Vulnerability
  • CVE-2025-43520 (CVSS score of 8.8) Apple Multiple Products Classic Buffer Overflow Vulnerability
  • CVE-2025-54068 (CVSS score of 9.8) Laravel Livewire Code Injection Vulnerability

CISA added the three Apple flaws (CVE-2025-31277, CVE-2025-43510, CVE-2025-43520) to the KEV catalog following recent reports from Google Threat Intelligence Group, iVerify, and Lookout about an iOS exploit kit called DarkSword. The kit targets these vulnerabilities, along with three other bugs, to deliver malware.

CISA also added a code injection issue, tracked as CVE-2025-32432, to its KEV catalog. In April 2025, Orange Cyberdefense’s CSIRT reported that threat actors chained two Craft CMS vulnerabilities in attacks in the wild to breach servers and steal data. Orange experts discovered the flaws while investigating a server compromise. The two vulnerabilities, tracked as CVE-2025-32432 and CVE-2024-58136, are respectively a remote code execution (RCE) flaw in Craft CMS and an input validation flaw in the Yii framework used by Craft CMS. According to a report published by SensePost, Orange Cyberdefense’s ethical hacking team, threat actors exploited the two vulnerabilities to breach servers and upload a PHP file manager. The attack began by exploiting CVE-2025-32432: a crafted request included a “return URL” that was saved to a PHP session file.

Both vulnerabilities have been fixed: CVE-2025-32432 was addressed in Craft CMS versions 3.9.15, 4.14.15, and 5.6.17, and the Yii development team addressed CVE-2024-58136 with the release of Yii 2.0.52 on April 9, 2025.
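As an added example (not code from the article, Craft CMS, Yii or CISA), the following Python snippet checks a software inventory against the fixed releases named above, treating pre-release builds as unpatched and flagging major branches the advisories do not cover; the hostnames and version strings are constructed.

```python
"""Added example (not Security Affairs, Craft CMS, Yii or CISA code): checks
deployed versions against the fixed releases named in the article, Craft CMS
3.9.15/4.14.15/5.6.17 (CVE-2025-32432) and Yii 2.0.52 (CVE-2024-58136).
SAMPLE_INVENTORY is constructed, not real hosts."""
from __future__ import annotations

def parse_version(text: str) -> tuple[int, ...]:
    """'v4.14.15' -> (4, 14, 15, 1); '5.6.17-beta.1' -> (5, 6, 17, 0).
    The trailing flag makes a pre-release sort below its final release."""
    core, _, suffix = text.strip().lstrip("vV").partition("-")
    nums = [int(p) for p in core.split("+")[0].split(".") if p.isdigit()]
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    nums += [0] * (3 - len(nums))  # '4.14' -> 4.14.0
    return tuple(nums) + (0 if suffix else 1,)

# Minimum fixed release per major branch, as listed in the article.
CRAFT_FIXED = {v[0]: v for v in map(parse_version, ("3.9.15", "4.14.15", "5.6.17"))}
YII_FIXED = {v[0]: v for v in map(parse_version, ("2.0.52",))}
ADVISORIES = {"craftcms": ("CVE-2025-32432", CRAFT_FIXED),
              "yii2": ("CVE-2024-58136", YII_FIXED)}

def is_patched(version: str, fixed_by_branch: dict[int, tuple[int, ...]]) -> bool | None:
    """True at or above the branch's fixed release, False below it,
    None when the advisory lists no fix for that major branch."""
    parsed = parse_version(version)
    fixed = fixed_by_branch.get(parsed[0])
    return None if fixed is None else parsed >= fixed

def unpatched_hosts(inventory: dict[str, tuple[str, str]]) -> dict[str, str]:
    """Map each still-exposed host to the CVE it lacks a fix for; branches
    the advisory does not cover are flagged for manual review."""
    findings = {}
    for host, (product, version) in inventory.items():
        cve, fixed = ADVISORIES[product]
        state = is_patched(version, fixed)
        if state is False:
            findings[host] = cve
        elif state is None:
            findings[host] = f"{cve} (branch {version} not covered, review manually)"
    return findings

SAMPLE_INVENTORY = {  # constructed: host -> (product, reported version)
    "web-01": ("craftcms", "4.14.14"), "web-02": ("craftcms", "5.6.17"),
    "web-03": ("craftcms", "3.9.15-beta.1"), "web-04": ("craftcms", "5.7.0"),
    "api-01": ("yii2", "2.0.51"), "api-02": ("yii2", "2.0.52"),
    "legacy": ("craftcms", "2.9.3"),
}
```

Running `unpatched_hosts(SAMPLE_INVENTORY)` flags web-01, web-03 and api-01 as below their fixed release and sends the unsupported 2.x host to manual review.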

The last vulnerability added to the CISA’s KEV catalog is CVE-2025-54068, which was linked to attacks by Iran-nexus APT MuddyWater, known for targeting diplomatic and critical sectors like energy and finance. The first MuddyWater campaign was observed in late 2017, when the APT group targeted entities in the Middle East.

Experts named the campaign ‘MuddyWater’ due to the difficulty in attributing a wave of attacks between February and October 2017, targeting entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States. Over the years, the group has evolved by adding new attack techniques to its arsenal and has also targeted European and North American countries.

The group’s victims are mainly in the telecommunications, government (IT services), and oil sectors.

In January 2022, US Cyber Command (USCYBERCOM) officially linked the MuddyWater APT group to Iran’s Ministry of Intelligence and Security (MOIS).

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by April 3, 2026.


Pierluigi Paganini

(SecurityAffairs – hacking, CISA)




Article source: https://securityaffairs.com/189776/security/u-s-cisa-adds-apple-laravel-livewire-and-craft-cms-flaws-to-its-known-exploited-vulnerabilities-catalog.html