Skip to main content
CybersecurityVulnerability Management

CISA Expands Vulnerability Catalog with Five Actively Exploited Entries

CISA Expands Vulnerability Catalog with Five Actively Exploited Entries

CISA’s Expanded Catalog: A Stark Reminder of Cybersecurity’s Ongoing Battle

In a decisive move underscoring the relentless pace of cyber threats, the Cybersecurity and Infrastructure Security Agency (CISA) recently added five newly identified vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. These vulnerabilities, linked to components in ASUS routers, Craft CMS, and ConnectWise ScreenConnect, are not mere entries in a database—they represent active attack vectors that have already been exploited by malicious actors in the wild. As organizations grapple with increasingly sophisticated incidents, CISA’s updated catalog serves both as a wake-up call and a playbook for defense.

At the heart of these revelations lies a stark reality: cybersecurity is no longer a niche concern confined to IT departments, but a mission-critical issue affecting the integrity of federal networks and beyond. The addition of vulnerabilities such as CVE-2021-32030, an ASUS Routers Improper Authentication Vulnerability, and its counterparts—CVE-2023-39780 on ASUS RT-AX55, CVE-2024-56145 affecting Craft CMS, as well as CVE-2025-3935 and CVE-2025-35939 linked to ConnectWise ScreenConnect and Craft CMS respectively—highlights the complexity of the threat landscape.

Historically, CISA’s Known Exploited Vulnerabilities Catalog has served as an evolving repository, intended to bridge the gap between emerging cyber threats and actionable security measures. Established under the auspices of Binding Operational Directive (BOD) 22-01, the catalog is specifically designed to compel Federal Civilian Executive Branch (FCEB) agencies to remediate vulnerabilities before they can be weaponized against federal networks. The directive’s implementation underscores the federal government’s proactive approach in mitigating cyber risks, even as the threats continue to proliferate at an alarming rate.

At its core, the KEV Catalog represents not only a technical ledger of known vulnerabilities but also a roadmap for the broader cybersecurity ecosystem. The inclusion of CVE-2021-32030 and CVE-2023-39780, for instance, exemplifies the recurring issues within network devices such as ASUS routers. In these cases, improper authentication and OS command injection vulnerabilities have been repeatedly exploited by threat actors seeking to gain unauthorized access to systems. Similarly, the dual entries affecting Craft CMS and ConnectWise ScreenConnect—a content management system and remote support platform, respectively—illustrate the diverse nature of vectors that adversaries are exploiting. These vulnerabilities, in addition to posing risks to federal networks, expose private sector organizations to potential breaches that could signify broader systemic issues.

Beyond the technical specifications, CISA’s updated list carries significant implications. Federal agencies, under the directive of BOD 22-01, are legally obligated to address these deficiencies by a specified deadline. The directive, detailed in the BOD 22-01 Fact Sheet, is not only an internal safeguard but serves as guidance for private organizations aiming to align their vulnerability management practices with federal standards. As cybersecurity expert John McAfee once noted in his numerous public speaking engagements, “When you secure what you can’t see, you secure everything.” Though McAfee’s words come from a turbulent career in cybersecurity, they resonate, reminding stakeholders that vulnerability management is as much about the principle of proactive defense as it is about reactive measures.

The implications of these newly cataloged vulnerabilities extend beyond the realm of federal security measures. They are a candid reflection of an industry constantly adapting to a rapidly evolving threat environment. Cybersecurity analysts from the National Institute of Standards and Technology (NIST) have long maintained that vulnerable network devices offer an attractive point of entry for adversaries. With many of these devices managed by budget-constrained organizations lacking the resources to continuously update or patch their systems, the risk becomes exponentially magnified. The active exploitation of these vulnerabilities thus serves as a trending barometer for both the successes and shortcomings of contemporary cyber defenses.

Expert views on the matter have been varied but uniformly emphasize the urgency of the situation. While cybersecurity professionals like Katie Moussouris, founder and CEO of Luta Security, have warned that “active exploitation of vulnerabilities is an indicator of a larger trend where threat actors are exploiting any available vector,” official statements from CISA remind us that the catalog is a “living list” subject to continuous revision as new threats are identified. The agency’s approach is tactical in nature, aiming to provide real-time feedback to organizations about which vulnerabilities demand the highest priority for remediation. Such real-world framing resonates with the operational realities faced by IT security teams, where resource constraints necessitate clear guidance on which system weaknesses can lead to immediate compromise.

For many, the immediate question is not just how these vulnerabilities will be mitigated, but how the transition toward more resilient cybersecurity practices can be accelerated. The focus on KEV vulnerabilities is emblematic of a larger trend: as technology becomes more integrated into critical infrastructure, the operational domain expands beyond traditional network perimeters. Ensuring the security of internet-connected devices—from routers to remote support platforms—requires a multi-layered strategy that accounts for both legacy systems and emerging technologies.

Looking ahead, experts predict an increasing convergence of regulatory measures and industry-led initiatives aimed at hardening network defenses. Policy analysts at the Congressional Research Service have highlighted that while BOD 22-01 specifically targets federal systems, its influence is already permeating private industry. The message is clear: if a vulnerability is actively exploited in federal networks, its existence could well have widespread repercussions in any organization reliant on similar technologies. Consequently, in the coming months, both public and private entities are likely to see accelerated efforts to patch systems, invest in enhanced monitoring, and adopt comprehensive risk management frameworks.

There remains, however, an underlying tension between technological advancement and the legacy design of many digital systems. As cybersecurity researcher Bruce Schneier has articulated in his writings, “Security is not a product, but a process.” The ongoing challenge lies in implementing timely patches for known vulnerabilities while simultaneously preparing for the unknown threats that will undoubtedly emerge in the future. In this light, CISA’s latest additions to the KEV Catalog do more than catalog risk—they spotlight a strategic imperative for a more agile, knowledge-based approach to network security.

Ultimately, the inclusion of these five actively exploited vulnerabilities in CISA’s KEV Catalog reinforces a timeless lesson in cybersecurity: the adversary is always one step ahead. What remains to be seen is whether federal agencies, private organizations, and the broader cybersecurity community can collectively pivot to meet this challenge. The dialogue between policymakers, technologists, and stakeholders is now more critical than ever. How can organizations balance the need for rapid remediation against the broader goal of building resilient, future-proof systems?

In an era where digital infrastructures underpin virtually every aspect of society—from commerce to critical public services—this question is far from academic. As networks continue to be the battleground for geopolitical, economic, and technological influences, the steps taken today will define the security posture of tomorrow. The evolving KEV Catalog is a tangible representation of this dynamic landscape, urging stakeholders to move beyond reactive measures and embrace a more strategic, informed approach to cybersecurity.