Source URL: https://www.cisa.gov/news-events/alerts/2025/02/12/cisa-adds-two-known-exploited-vulnerabilities-catalog
Source: Alerts
Title: CISA Adds Two Known Exploited Vulnerabilities to Catalog
Feedly Summary: CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
– CVE-2025-24200 Apple iOS and iPadOS Incorrect Authorization Vulnerability
– CVE-2024-41710 Mitel SIP Phones Argument Injection Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
AI Summary and Description: Yes
Summary: The text discusses two newly added vulnerabilities in the CISA Known Exploited Vulnerabilities Catalog, signaling active exploitation that poses risks primarily to federal networks. It emphasizes the need for remediation in alignment with Binding Operational Directive 22-01, which mandates such actions for Federal Civilian Executive Branch agencies, while encouraging broader organizational compliance.
Detailed Description:
– **New Vulnerabilities Added**:
  – **CVE-2025-24200**: An Incorrect Authorization Vulnerability in Apple iOS and iPadOS.
  – **CVE-2024-41710**: An Argument Injection Vulnerability in Mitel SIP Phones.
– **Risk Assessment**:
  – Vulnerabilities of these types are frequent attack vectors for malicious cyber actors.
  – They pose significant risks to the federal enterprise and call for prompt, effective remediation.
– **Binding Operational Directive (BOD) 22-01**:
  – The directive established the Known Exploited Vulnerabilities Catalog as a living list of CVEs that carry significant risk to the federal enterprise.
  – BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the stated due date to protect FCEB networks against active threats.
– **Recommendations for Organizations**:
  – Although BOD 22-01 applies only to FCEB agencies, CISA strongly urges all organizations to prioritize timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.
  – Promptly addressing Catalog vulnerabilities reduces an organization's exposure to cyberattacks.
– **Future Updates**:
  – CISA will continue to add vulnerabilities that meet the specified criteria, so the Catalog remains a current input to organizations' remediation priorities.
This content is crucial for security and compliance professionals, as it highlights the importance of maintaining an updated understanding of vulnerabilities and compliance mandates, particularly within federal and broader organizational contexts. Regular threat assessments and prompt remediation are vital for enhanced resilience against cyber threats.