CISA Known Exploited Vulnerabilities

This dashboard lists the most recent additions to the Known Exploited Vulnerabilities (KEV) catalog maintained by the Cybersecurity & Infrastructure Security Agency (CISA). Each entry records the date CISA added it and the due date by which the required action must be completed under Binding Operational Directive 22-01.
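A practical way to use a listing like this is to match it against your own asset inventory and order the work by due date and ransomware linkage. The script below is an added example, not part of this dashboard or of any CISA tooling; the record field names (cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate, knownRansomwareCampaignUse, cwes) follow the JSON feed CISA publishes for the KEV catalog, the sample records are constructed from three entries on this page, and the inventory and the 21-day window check are assumptions made for illustration.

```python
"""Triage KEV catalog records against a local asset inventory.

Added example; the feed document is constructed to mirror the shape of the
CISA KEV JSON feed, and the inventory is hypothetical.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample in the shape of the KEV JSON feed (three entries from this page).
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2025-23209", "vendorProject": "Craft CMS", "product": "Craft CMS",
         "vulnerabilityName": "Craft CMS Code Injection Vulnerability",
         "dateAdded": "2025-02-20", "dueDate": "2025-03-13",
         "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-94"]},
        {"cveID": "CVE-2024-57727", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
         "vulnerabilityName": "SimpleHelp Path Traversal Vulnerability",
         "dateAdded": "2025-02-13", "dueDate": "2025-03-06",
         "knownRansomwareCampaignUse": "Known", "cwes": ["CWE-22"]},
        {"cveID": "CVE-2025-21418", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows Ancillary Function Driver for WinSock "
                              "Heap-Based Buffer Overflow Vulnerability",
         "dateAdded": "2025-02-11", "dueDate": "2025-03-04",
         "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-122"]},
    ],
})

# Hypothetical asset inventory: product name -> number of deployed instances.
INVENTORY = {"Windows": 1200, "SimpleHelp": 2}

# Every entry on this page is due 21 days after it was added; treat that as the expected window.
REMEDIATION_WINDOW = timedelta(days=21)


@dataclass(frozen=True)
class Finding:
    cve_id: str
    product: str
    due: date
    days_left: int      # negative once the due date has passed
    ransomware: bool    # knownRansomwareCampaignUse == "Known"
    assets: int         # deployed instances from the inventory


def parse_feed(raw: str) -> list[dict]:
    """Return the vulnerability records of a KEV feed document."""
    return list(json.loads(raw)["vulnerabilities"])


def check_window(rec: dict) -> bool:
    """True when dueDate is exactly dateAdded + 21 days."""
    added = date.fromisoformat(rec["dateAdded"])
    due = date.fromisoformat(rec["dueDate"])
    return due - added == REMEDIATION_WINDOW


def triage(raw: str, inventory: dict[str, int], today_iso: str) -> list[Finding]:
    """Match KEV records to the inventory and return them most urgent first."""
    today = date.fromisoformat(today_iso)
    findings: list[Finding] = []
    for rec in parse_feed(raw):
        assets = inventory.get(rec["product"], 0)
        if assets == 0:
            continue  # product not deployed here; nothing to remediate
        due = date.fromisoformat(rec["dueDate"])
        findings.append(Finding(
            cve_id=rec["cveID"],
            product=rec["product"],
            due=due,
            days_left=(due - today).days,
            ransomware=rec.get("knownRansomwareCampaignUse") == "Known",
            assets=assets,
        ))
    # Ransomware-linked entries first, then the soonest due date, then the largest footprint.
    findings.sort(key=lambda f: (not f.ransomware, f.due, -f.assets))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_FEED, INVENTORY, "2025-03-05"):
        status = "OVERDUE" if f.days_left < 0 else f"{f.days_left}d left"
        print(f"{f.cve_id:<16} {f.product:<12} due {f.due} ({status}) "
              f"ransomware={f.ransomware} assets={f.assets}")
```

Run against the live feed, the same logic works unchanged on the downloaded JSON; the inventory lookup is the piece you would replace with a query against your CMDB or scanner, keyed on vendor and product rather than product alone.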

CVE-2025-23209

Craft CMS Code Injection Vulnerability

Vendor: Craft CMS

Product: Craft CMS

Added: 2025-02-20

Due Date: 2025-03-13

Description:

Craft CMS contains a code injection vulnerability caused by improper validation of the database backup path, ultimately enabling remote code execution.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-94

CVE-2025-0108

Palo Alto Networks PAN-OS Authentication Bypass Vulnerability

Vendor: Palo Alto Networks

Product: PAN-OS

Added: 2025-02-18

Due Date: 2025-03-11

Description:

Palo Alto Networks PAN-OS contains an authentication bypass vulnerability in its management web interface. This vulnerability allows an unauthenticated attacker with network access to the management web interface to bypass the authentication normally required and invoke certain PHP scripts.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-306

CVE-2024-53704

SonicWall SonicOS SSLVPN Improper Authentication Vulnerability

Vendor: SonicWall

Product: SonicOS

Added: 2025-02-18

Due Date: 2025-03-11

Description:

SonicWall SonicOS contains an improper authentication vulnerability in the SSLVPN authentication mechanism that allows a remote attacker to bypass authentication.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-287

CVE-2024-57727

Known to be used in ransomware campaigns

SimpleHelp Path Traversal Vulnerability

Vendor: SimpleHelp

Product: SimpleHelp

Added: 2025-02-13

Due Date: 2025-03-06

Description:

SimpleHelp remote support software contains multiple path traversal vulnerabilities that allow unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP requests. These files may include server configuration files and hashed user passwords.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-22

CVE-2025-24200

Apple iOS and iPadOS Incorrect Authorization Vulnerability

Vendor: Apple

Product: iOS and iPadOS

Added: 2025-02-12

Due Date: 2025-03-05

Description:

Apple iOS and iPadOS contains an incorrect authorization vulnerability that allows a physical attacker to disable USB Restricted Mode on a locked device.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-863

CVE-2024-41710

Mitel SIP Phones Argument Injection Vulnerability

Vendor: Mitel

Product: SIP Phones

Added: 2025-02-12

Due Date: 2025-03-05

Description:

Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit, contain an argument injection vulnerability due to insufficient parameter sanitization during the boot process. Successful exploitation may allow an attacker to execute arbitrary commands within the context of the system.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-88

CVE-2024-40891

Zyxel DSL CPE OS Command Injection Vulnerability

Vendor: Zyxel

Product: DSL CPE Devices

Added: 2025-02-11

Due Date: 2025-03-04

Description:

Multiple Zyxel DSL CPE devices contain a post-authentication command injection vulnerability in the management commands that could allow an authenticated attacker to execute OS commands via Telnet.

Required Action:

The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization if a current mitigation is unavailable.

CWEs:

CWE-78

CVE-2024-40890

Zyxel DSL CPE OS Command Injection Vulnerability

Vendor: Zyxel

Product: DSL CPE Devices

Added: 2025-02-11

Due Date: 2025-03-04

Description:

Multiple Zyxel DSL CPE devices contain a post-authentication command injection vulnerability in the CGI program that could allow an authenticated attacker to execute OS commands via a crafted HTTP request.

Required Action:

The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization if a current mitigation is unavailable.

CWEs:

CWE-78

CVE-2025-21418

Microsoft Windows Ancillary Function Driver for WinSock Heap-Based Buffer Overflow Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2025-02-11

Due Date: 2025-03-04

Description:

Microsoft Windows Ancillary Function Driver for WinSock contains a heap-based buffer overflow vulnerability that allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-122

CVE-2025-21391

Microsoft Windows Storage Link Following Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2025-02-11

Due Date: 2025-03-04

Description:

Microsoft Windows Storage contains a link following vulnerability that could allow for privilege escalation. An attacker could use it to delete files, including files whose removal renders the service unavailable.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-59

CVE-2025-0994

Trimble Cityworks Deserialization Vulnerability

Vendor: Trimble

Product: Cityworks

Added: 2025-02-07

Due Date: 2025-02-28

Description:

Trimble Cityworks contains a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer's Microsoft Internet Information Services (IIS) web server.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-502

CVE-2020-15069

Sophos XG Firewall Buffer Overflow Vulnerability

Vendor: Sophos

Product: XG Firewall

Added: 2025-02-06

Due Date: 2025-02-27

Description:

Sophos XG Firewall contains a buffer overflow vulnerability that allows for remote code execution via the "HTTP/S bookmark" feature.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-120

CVE-2020-29574

CyberoamOS (CROS) SQL Injection Vulnerability

Vendor: Sophos

Product: CyberoamOS

Added: 2025-02-06

Due Date: 2025-02-27

Description:

CyberoamOS (CROS) contains a SQL injection vulnerability in the WebAdmin that allows an unauthenticated attacker to execute arbitrary SQL statements remotely.

Required Action:

The impacted product is end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue utilization of the product.

CWEs:

CWE-89

CVE-2024-21413

Microsoft Outlook Improper Input Validation Vulnerability

Vendor: Microsoft

Product: Office Outlook

Added: 2025-02-06

Due Date: 2025-02-27

Description:

Microsoft Outlook contains an improper input validation vulnerability that allows for remote code execution. Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and open in editing mode rather than protected mode.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-20

CVE-2022-23748

Dante Discovery Process Control Vulnerability

Vendor: Audinate

Product: Dante Discovery

Added: 2025-02-06

Due Date: 2025-02-27

Description:

Dante Discovery contains a process control vulnerability in mDNSResponder.exe that allows for a DLL sideloading attack. A local attacker can leverage this vulnerability in the Dante Application Library to execute arbitrary code.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-114