Source URL: https://www.cisa.gov/news-events/alerts/2025/01/29/cisa-adds-one-known-exploited-vulnerability-catalog
Source: Alerts
Title: CISA Adds One Known Exploited Vulnerability to Catalog
Feedly Summary:
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation, as confirmed by Fortinet.
CVE-2025-24085 Apple Multiple Products Use-After-Free Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
AI Summary and Description: Yes
Summary: CISA has updated its Known Exploited Vulnerabilities Catalog to include a new CVE, indicating ongoing active exploitation of a vulnerability in Apple products. This underscores the importance of timely vulnerability management in reducing risks to federal networks and serves as a call to action for all organizations to prioritize remediating known vulnerabilities.
Detailed Description:
The text discusses a recent update from the Cybersecurity and Infrastructure Security Agency (CISA) regarding the addition of a vulnerability to its Known Exploited Vulnerabilities Catalog. The newly added CVE-2025-24085 pertains to a “Use-After-Free” vulnerability affecting multiple Apple products, which has been confirmed as actively exploited by Fortinet.
Key points include:
– **Known Exploited Vulnerabilities Catalog**: This catalog serves as a living list of CVEs that pose significant risks, particularly to federal agencies.
– **Binding Operational Directive (BOD) 22-01**:
  – Established the catalog.
  – Requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by a specific deadline to protect their networks.
– **Recommendation for Organizations**: CISA encourages all organizations—not just FCEB agencies—to prioritize the remediation of these vulnerabilities as part of their broader cybersecurity strategies. This highlights the critical need for robust vulnerability management practices to defend against active cyber threats.
– **Vulnerability Management Practices**: Organizations should integrate the timely addressing of known vulnerabilities into their security protocols to safeguard against potential exploits.
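One way to turn the Catalog into the "timely addressing" the list above describes is to join scanner findings against the KEV feed and rank them by BOD 22-01 due date. The script below is an added example, not CISA's code or tooling; the catalog entry, its due date, the host names and the second CVE ID are constructed placeholders for this illustration, and the only real-world fields assumed are the KEV JSON feed's `cveID`, `dueDate` and `requiredAction` keys.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The dueDate is a
# placeholder for this example; take the real value from the catalog itself.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2025-24085", "vendorProject": "Apple",
     "product": "Multiple Products",
     "vulnerabilityName": "Apple Multiple Products Use-After-Free Vulnerability",
     "dateAdded": "2025-01-29", "dueDate": "2025-02-19",
     "requiredAction": "Apply mitigations per vendor instructions."}
  ]
}"""

# Constructed scanner output: host -> CVE IDs detected on it.
# CVE-0000-0000 is a placeholder for a finding that is NOT in the catalog.
SAMPLE_FINDINGS = {
    "laptop-finance-07": ["CVE-2025-24085", "CVE-0000-0000"],
    "build-server-02": ["CVE-0000-0000"],
}

def load_kev(kev_json: str) -> dict:
    """Index the catalog by CVE ID so each finding is a single dict lookup."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}

def triage(kev_json: str, findings: dict, today: str, warn_days: int = 7) -> list:
    """Return one record per (host, CVE) pair present in the catalog, most urgent first.

    status is 'overdue' (past the BOD 22-01 due date), 'due_soon' (due within
    warn_days) or 'scheduled'. today is an ISO date string, e.g. '2025-02-14'.
    Findings absent from the catalog are skipped here, not declared safe.
    """
    kev = load_kev(kev_json)
    now = date.fromisoformat(today)
    records = []
    for host, cves in findings.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            days_left = (date.fromisoformat(entry["dueDate"]) - now).days
            status = ("overdue" if days_left < 0
                      else "due_soon" if days_left <= warn_days else "scheduled")
            records.append({"host": host, "cve": cve, "due": entry["dueDate"],
                            "days_left": days_left, "status": status,
                            "action": entry["requiredAction"]})
    records.sort(key=lambda r: r["days_left"])  # overdue items float to the top
    return records

if __name__ == "__main__":
    for r in triage(SAMPLE_KEV_JSON, SAMPLE_FINDINGS, "2025-02-14"):
        print(f"{r['status']:9} {r['host']:18} {r['cve']} due {r['due']} ({r['days_left']:+d}d)")
```

Replace `SAMPLE_KEV_JSON` with the downloaded feed and `SAMPLE_FINDINGS` with real scanner output to get a due-date-ordered worklist.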
This update serves as an important reminder for security and compliance professionals to stay vigilant about vulnerabilities and ensure they have mechanisms in place to address and remediate them efficiently. By doing so, organizations can strengthen their security posture against prevalent cyberattacks.