
CISA Adds Actively Exploited Google Chromium and Sierra Wireless Flaws to Known Exploited Vulnerabilities Catalog

  • Dec 13, 2025

Key Findings


  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

  • CVE-2025-14174: Google Chromium Out-of-Bounds Memory Access Vulnerability

  • CVE-2018-4063: Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability


Background


  • CVE-2025-14174 is an out-of-bounds memory access flaw in the ANGLE graphics library of Google Chrome on Mac, which can be exploited by a remote attacker to perform out-of-bounds memory access via a crafted HTML page.

  • CVE-2018-4063 is a remote code execution vulnerability in the Sierra Wireless AirLink ES450 FW 4.9.3 that affects the upload.cgi component, allowing an authenticated attacker to upload and execute malicious code on the device's web server.


CISA Directive


  • According to Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the KEV catalog.

  • CISA has ordered federal agencies to fix the vulnerabilities by January 2nd, 2026.


Recommendations


  • Private organizations are also advised to review the KEV catalog and address the vulnerabilities in their infrastructure.

  • Experts advise that users of Sierra Wireless AirLink ALEOS routers should update their devices to a supported version or discontinue the use of the product by the due date, as it has reached end-of-support status.
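
One way to act on the recommendations above, as an added example (not code from this article or from CISA): match KEV entries against an asset inventory and report the time left before the due date. The catalog excerpt and the inventory are constructed, the field names follow CISA's KEV JSON feed, and the hostnames are hypothetical.

```python
import json
import re
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. Only the fields
# used below are present; CVE IDs, products and due date come from the article.
KEV_EXCERPT = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2025-14174", "vendorProject": "Google",
   "product": "Chromium", "dueDate": "2026-01-02"},
  {"cveID": "CVE-2018-4063", "vendorProject": "Sierra Wireless",
   "product": "AirLink ALEOS", "dueDate": "2026-01-02"}
]}
""")

# Constructed inventory with hypothetical hosts and free-text product labels.
INVENTORY = [
    {"host": "mac-design-07", "products": ["Google Chrome (Chromium)"]},
    {"host": "branch-rtr-02", "products": ["Sierra Wireless AirLink ES450 ALEOS 4.9.3"]},
    {"host": "db-01", "products": ["PostgreSQL"]},
]

def tokens(text):
    """Lower-case word set, so 'AirLink ES450 ALEOS' still matches 'AirLink ALEOS'."""
    return set(re.findall(r"[a-z0-9.]+", text.lower()))

def kev_findings(catalog, inventory, today):
    """Return one finding per (host, KEV entry) match, most urgent first.

    Product-name matching is a coarse heuristic: it flags candidates for
    review and does not confirm that the installed version is affected.
    """
    findings = []
    for vuln in catalog["vulnerabilities"]:
        needed = tokens(vuln["product"])
        due = date.fromisoformat(vuln["dueDate"])
        for asset in inventory:
            if any(needed <= tokens(label) for label in asset["products"]):
                findings.append({"host": asset["host"], "cve": vuln["cveID"],
                                 "due": due, "days_left": (due - today).days,
                                 "overdue": today > due})
    return sorted(findings, key=lambda f: (f["days_left"], f["host"]))

if __name__ == "__main__":
    for f in kev_findings(KEV_EXCERPT, INVENTORY, date.today()):
        state = "OVERDUE" if f["overdue"] else f"{f['days_left']} days left"
        print(f"{f['host']:<15} {f['cve']:<16} due {f['due']} ({state})")
```

Against the full feed, load the downloaded catalog file in place of `KEV_EXCERPT` and replace the label matching with whatever product identifiers your inventory system records.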


Sources


  • https://securityaffairs.com/185639/security/u-s-cisa-adds-google-chromium-and-sierra-wireless-airlink-aleos-flaws-to-its-known-exploited-vulnerabilities-catalog.html

  • https://thehackernews.com/2025/12/cisa-adds-actively-exploited-sierra.html

© 2025 by Explain IT Again. Powered and secured by Wix