CISA Adds Array Networks and D-Link Vulnerabilities to KEV Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: a command injection flaw in Array Networks ArrayOS AG VPN devices (CVE-2025-66644) and a buffer overflow in D-Link Go-RT-AC750 routers (CVE-2022-37055). The Array Networks vulnerability affects versions before 9.4.5.9 and has been exploited since August 2025, primarily targeting Japanese organizations, allowing attackers to deploy PHP webshells and create rogue user accounts. The D-Link vulnerability impacts end-of-life routers, enabling remote code execution and lateral movement, with no official patches available, prompting recommendations for device retirement and additional mitigations.
Federal agencies are mandated under Binding Operational Directive (BOD) 22-01 to remediate these vulnerabilities by specified deadlines, while all organizations are strongly urged to prioritize patching and mitigation efforts. CISA emphasizes the persistent risk posed by vulnerabilities in VPN appliances and legacy routers, recommending immediate action such as patching, isolating affected hardware, and integrating KEV feeds into vulnerability management processes to reduce exposure to active cyber threats.
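One way to fold KEV entries into a vulnerability-management check, as an added example that is not from CISA or the original article: the records use the KEV JSON feed's field names with values from the text above, while the inventory, hostnames, firmware versions and the FIXED_IN / END_OF_LIFE tables are constructed assumptions.

```python
from datetime import date

# Constructed KEV-style records: field names follow CISA's KEV JSON feed,
# values come from the article above.
KEV = [
    {"cveID": "CVE-2025-66644", "vendorProject": "Array Networks",
     "product": "ArrayOS AG", "dateAdded": "2025-12-08"},
    {"cveID": "CVE-2022-37055", "vendorProject": "D-Link",
     "product": "Go-RT-AC750", "dateAdded": "2025-12-08"},
]

# Assumption: remediation facts are kept locally next to the feed.
FIXED_IN = {"CVE-2025-66644": "9.4.5.9"}  # versions before this are affected
END_OF_LIFE = {"CVE-2022-37055"}          # no patch available: retire or isolate

# Constructed asset inventory (hostnames and versions are made up).
INVENTORY = [
    {"host": "vpn-gw-01", "product": "ArrayOS AG", "version": "9.4.5.8"},
    {"host": "vpn-gw-02", "product": "ArrayOS AG", "version": "9.4.5.10"},
    {"host": "branch-rtr-07", "product": "Go-RT-AC750", "version": "1.01"},
    {"host": "core-sw-01", "product": "ExampleSwitch", "version": "3.2"},
]

def version_key(v):
    """Compare dotted versions numerically so 9.4.5.10 sorts after 9.4.5.9."""
    return tuple(int(part) for part in v.split("."))

def triage(inventory, kev, today):
    """Return (host, cve, action, days_since_added) for each exposed asset."""
    by_product = {}
    for entry in kev:
        by_product.setdefault(entry["product"].lower(), []).append(entry)
    findings = []
    for asset in inventory:
        for entry in by_product.get(asset["product"].lower(), []):
            cve = entry["cveID"]
            fixed = FIXED_IN.get(cve)
            if cve in END_OF_LIFE:
                action = "retire-or-isolate"
            elif fixed is None:
                action = "review"  # no local remediation data recorded yet
            elif version_key(asset["version"]) < version_key(fixed):
                action = "patch"
            else:
                continue  # already at or past the fixed version
            age = (today - date.fromisoformat(entry["dateAdded"])).days
            findings.append((asset["host"], cve, action, age))
    return findings
```

The numeric comparison matters here: a plain string comparison would rank 9.4.5.10 below 9.4.5.9 and flag a patched gateway as exposed.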
Timeline
Dec 8, 2025
CISA adds Array Networks and D-Link flaws to KEV Catalog
CISA added CVE-2025-66644 in Array Networks ArrayOS AG and CVE-2022-37055 in D-Link Go-RT-AC750 routers to its Known Exploited Vulnerabilities Catalog after evidence of active exploitation. The agency directed FCEB agencies to remediate them under BOD 22-01 and urged all organizations to prioritize mitigation.
Aug 1, 2025
Array Networks ArrayOS AG flaw exploited in attacks targeting Japan
CVE-2025-66644, an unauthenticated OS command injection flaw in Array Networks ArrayOS AG DesktopDirect, was observed being actively exploited beginning in August 2025, with reported targeting focused mainly on Japanese organizations.
Related Stories

CISA Flags Actively Exploited Samsung, SimpleHelp, and D-Link Vulnerabilities
CISA added four vulnerabilities to its **Known Exploited Vulnerabilities (KEV)** catalog after confirming active exploitation affecting **Samsung MagicINFO 9 Server**, **SimpleHelp**, and **D-Link DIR-823X** devices. The newly listed flaws are `CVE-2024-7399` in Samsung MagicINFO, `CVE-2024-57726` and `CVE-2024-57728` in SimpleHelp, and `CVE-2025-29635` in D-Link DIR-823X. The Samsung issue allows unauthenticated attackers to upload JSP files and execute code with system-level privileges, while the D-Link flaw is a command injection bug that Akamai said is being exploited by a **Mirai** botnet through crafted POST requests. The two SimpleHelp vulnerabilities are especially concerning because they can be chained from a low-privileged technician account into full server and downstream host compromise, a pattern linked to ransomware precursor activity. Under **Binding Operational Directive 22-01**, Federal Civilian Executive Branch agencies must remediate the KEV-listed flaws by **May 8, 2026**, and CISA urged broader patching and review as attackers increasingly target peripheral infrastructure such as remote support platforms, digital signage servers, and SOHO edge devices.
1 week ago
CISA Adds Multiple Actively Exploited Vulnerabilities to Known Exploited Vulnerabilities Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog to include several new security flaws that have been actively exploited in the wild. The newly added vulnerabilities span a wide range of products and platforms, including GNU Bash, Smartbedded Meteobridge, Juniper ScreenOS, Jenkins, Samsung mobile devices, and several legacy products from Mozilla, Microsoft, Linux, and Oracle. Among the most notable is the GNU Bash command injection flaw (CVE-2014-6278), a Shellshock-related vulnerability that allows remote attackers to execute arbitrary code on affected Linux and Unix systems. Juniper ScreenOS is affected by an improper authentication vulnerability (CVE-2015-7755), which can grant attackers administrative access via TELNET or SSH. Jenkins is impacted by a remote code execution bug (CVE-2017-1000353) that enables unauthenticated attackers to bypass deserialization safeguards through crafted Java objects. The Smartbedded Meteobridge device is vulnerable to a command injection issue (CVE-2025-4008), allowing remote, unauthenticated users to execute root-level commands through its web interface. Samsung mobile devices are at risk due to an out-of-bounds write flaw (CVE-2025-21043) in libimagecodec.quram.so, which can be exploited remotely for arbitrary code execution. CISA also added vulnerabilities such as CVE-2010-3765 (Mozilla products), CVE-2010-3962 (Microsoft Internet Explorer), CVE-2011-3402 and CVE-2013-3918 (Microsoft Windows), CVE-2021-22555 (Linux Kernel), CVE-2021-43226 (Microsoft Windows), and CVE-2025-61882 (Oracle E-Business Suite), all of which have evidence of active exploitation. Federal agencies have been directed to remediate these vulnerabilities by a specified deadline to comply with Binding Operational Directive (BOD) 22-01, which mandates timely mitigation of known exploited vulnerabilities. 
The directive is designed to reduce significant risk to the federal enterprise by ensuring that actively exploited vulnerabilities are addressed promptly. While BOD 22-01 is mandatory for Federal Civilian Executive Branch agencies, CISA strongly encourages all organizations to prioritize remediation of KEV Catalog vulnerabilities as part of their vulnerability management programs. The addition of these vulnerabilities underscores the persistent threat posed by both legacy and modern software flaws, and highlights the importance of continuous monitoring and rapid response to newly discovered exploits. CISA’s ongoing updates to the KEV Catalog serve as a critical resource for organizations seeking to defend against active cyber threats. The agency’s alert emphasizes that these vulnerabilities are frequent attack vectors for malicious actors and pose significant risks if left unaddressed. Organizations are advised to consult the KEV Catalog regularly and implement recommended mitigations to protect their networks. The inclusion of both recent and older vulnerabilities in the catalog reflects the reality that unpatched legacy systems remain a significant target for attackers. CISA’s proactive approach aims to drive widespread remediation efforts across both public and private sectors. The agency will continue to update the KEV Catalog as new evidence of exploitation emerges, reinforcing the need for vigilance and timely patching in cybersecurity operations.
1 month ago
CISA Adds Six Actively Exploited Vulnerabilities to KEV Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog by adding six new vulnerabilities that are currently being exploited in the wild. This update includes five vulnerabilities announced on October 14, 2025, and one additional vulnerability added on October 15, 2025. The vulnerabilities affect a range of widely used products, including Microsoft Windows, Rapid7 Velociraptor, SKYSEA Client View, IGEL OS, and Adobe Experience Manager. Among the most critical is CVE-2025-24990, an elevation of privilege flaw in the Agere Modem driver bundled with all Windows releases, which allows local attackers to gain SYSTEM-level access through untrusted pointer dereference. Microsoft addressed this issue by removing the vulnerable driver in the October 2025 Patch Tuesday update, though this may impact dependent hardware. Another significant vulnerability is CVE-2025-54253, a code execution flaw in Adobe Experience Manager Forms, which has been confirmed as actively exploited and poses a substantial risk to federal and enterprise environments. The Rapid7 Velociraptor vulnerability (CVE-2025-6264) involves incorrect default permissions, potentially allowing unauthorized access or privilege escalation. SKYSEA Client View is affected by an improper authentication vulnerability (CVE-2016-7836), while IGEL OS faces a risk from the use of expired cryptographic keys (CVE-2025-47827). Additionally, Microsoft Windows is impacted by an improper access control vulnerability (CVE-2025-59230). CISA’s KEV Catalog serves as a critical resource for tracking vulnerabilities that are confirmed to be exploited in real-world attacks, and federal agencies are mandated under Binding Operational Directive (BOD) 22-01 to remediate these vulnerabilities by specified deadlines. CISA strongly encourages all organizations, not just federal agencies, to prioritize patching these vulnerabilities to reduce exposure to active cyber threats. 
The addition of these vulnerabilities underscores the ongoing risk posed by unpatched systems and the importance of timely remediation. CISA’s public alerts emphasize that these vulnerabilities are not theoretical and are being leveraged by malicious actors in current attack campaigns. The agency’s updates are based on evidence of active exploitation, highlighting the need for immediate action by security teams. Organizations are advised to consult the KEV Catalog regularly and integrate its findings into their vulnerability management processes. The removal of the Agere Modem driver by Microsoft demonstrates a decisive response to mitigate risk, though it may have operational impacts for some users. The inclusion of vulnerabilities across diverse platforms indicates that attackers are targeting a broad range of technologies. CISA’s ongoing updates to the KEV Catalog reflect its commitment to providing actionable intelligence to protect both federal and private sector networks. The agency’s guidance is clear: prompt remediation of known exploited vulnerabilities is essential to defend against active threats.
1 month ago