CISA Adds Apple, Laravel Livewire, and Craft CMS Vulnerabilities to Known Exploited List
- Mar 23
Key Findings
CISA added five critical vulnerabilities to its Known Exploited Vulnerabilities catalog, including three Apple flaws, one Craft CMS code injection, and one Laravel Livewire vulnerability
Three Apple vulnerabilities are linked to active exploitation by the DarkSword iOS exploit kit
Craft CMS flaws have been actively exploited in the wild to breach servers and steal data
Laravel Livewire vulnerability is associated with Iran-nexus APT group MuddyWater
Federal agencies must remediate all five vulnerabilities by April 3, 2026
Background
CISA's Known Exploited Vulnerabilities catalog tracks security flaws that are actively being exploited by threat actors in the wild. The agency maintains this list to help federal agencies and private organizations prioritize patching efforts. Under Binding Operational Directive 22-01, federal agencies are legally required to remediate vulnerabilities on the catalog by the specified due date or face compliance issues.
Apple Multiple Products Vulnerabilities
CISA added three Apple vulnerabilities to the catalog following reports from Google Threat Intelligence Group, iVerify, and Lookout about an iOS exploit kit called DarkSword. The three flaws are:
CVE-2025-31277 (CVSS 8.8): A buffer overflow in Safari, iOS, watchOS, visionOS, iPadOS, macOS, and tvOS that could allow memory corruption when processing maliciously crafted web content
CVE-2025-43510 (CVSS 7.8): An improper locking vulnerability across multiple Apple products that could allow a malicious application to cause unexpected memory changes between processes
CVE-2025-43520 (CVSS 8.8): A classic buffer overflow affecting watchOS, iOS, iPadOS, macOS, visionOS, and tvOS that could allow unexpected system termination or kernel memory writes
Craft CMS Code Injection Flaw
CVE-2025-32432 carries the maximum CVSS score of 10.0 and is a critical remote code execution vulnerability in Craft CMS. In April 2025, Orange Cyberdefense discovered threat actors exploiting this flaw in real-world attacks. The attackers chained it with CVE-2024-58136, an input validation issue in the Yii framework that Craft CMS uses. The attack chain worked by crafting a request with a malicious return URL that was saved to a PHP session file, ultimately allowing attackers to upload a PHP file manager to compromised servers and steal data.
Craft CMS released patches in versions 3.9.15, 4.14.15, and 5.6.17. The underlying Yii framework issue was addressed with version 2.0.52.
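A version check against the fixed releases listed above, as an added example (not code from CISA, Craft CMS, or the original article). It assumes a Composer-managed install whose composer.lock lists the packages craftcms/cms and yiisoft/yii2; the sample lock data is constructed, and any release below the fix within the same major branch is flagged, since the article gives no lower bound for the affected range.

```python
import json
import re

# Fixed releases as stated in the article, keyed by (package, major branch).
FIXED = {
    ("craftcms/cms", 3): (3, 9, 15),
    ("craftcms/cms", 4): (4, 14, 15),
    ("craftcms/cms", 5): (5, 6, 17),
    ("yiisoft/yii2", 2): (2, 0, 52),
}
WATCHED = {name for name, _ in FIXED}

def parse_version(text):
    """Parse '4.14.9' or 'v2.0.52' into an int tuple; None for dev/pre-release strings."""
    if not re.fullmatch(r"v?\d+(\.\d+)*", text or ""):
        return None  # e.g. 'dev-main' or '5.6.17-beta.1': needs manual review
    return tuple(int(part) for part in text.lstrip("v").split("."))

def audit_lock(lock_text):
    """Return {package: (installed_version, status)} for the watched packages."""
    lock = json.loads(lock_text)
    results = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name")
        if name not in WATCHED:
            continue
        installed = pkg.get("version", "")
        ver = parse_version(installed)
        if ver is None:
            status = "unknown"
        elif (name, ver[0]) not in FIXED:
            status = "no-fix-listed"   # major branch the article does not mention
        elif ver >= FIXED[(name, ver[0])]:
            status = "patched"
        else:
            status = "below-fix"
        results[name] = (installed, status)
    return results

# Constructed sample standing in for a real composer.lock.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "4.14.9"},
    {"name": "yiisoft/yii2", "version": "2.0.52"},
    {"name": "example/other", "version": "1.0.0"},
]})

if __name__ == "__main__":
    for name, (installed, status) in audit_lock(SAMPLE_LOCK).items():
        print(f"{name} {installed}: {status}")
```

A status of "unknown" or "no-fix-listed" means the script cannot decide and the install should be checked by hand against the vendor advisory.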
Laravel Livewire Vulnerability
CVE-2025-54068 (CVSS 9.8) is a code injection vulnerability in Laravel Livewire that allows unauthenticated attackers to achieve remote command execution in specific scenarios. This flaw has been linked to campaigns by MuddyWater, an Iran-nexus APT group officially attributed to Iran's Ministry of Intelligence and Security by US Cyber Command in January 2022.
MuddyWater has been active since early 2017 and has evolved significantly over the years. The group primarily targets telecommunications, government IT services, and oil sector organizations across the Middle East, Europe, and North America.
Remediation Requirements
Federal agencies must apply patches or implement mitigations by April 3, 2026. Organizations using cloud services must follow applicable BOD 22-01 guidance. Private organizations are strongly encouraged to review the catalog and address these vulnerabilities in their infrastructure to prevent exploitation.
Sources
https://securityaffairs.com/189776/security/u-s-cisa-adds-apple-laravel-livewire-and-craft-cms-flaws-to-its-known-exploited-vulnerabilities-catalog.html
https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv
