CISA News

Updated October 22, 2025 

CISA is continually collaborating with partners across government and the private sector. Through this collaboration, CISA has determined that CVE-2025-6264 has not been exploited and there is insufficient evidence to keep this CVE on the KEV and that the best course of action is to remove it. CISA is committed to continued collaboration with partners. 

End of Update 

CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2016-7836 SKYSEA Client View Improper Authentication Vulnerability
• CVE-2025-6264 Rapid7 Velociraptor Incorrect Default Permissions Vulnerability
• CVE-2025-24990 Microsoft Windows Untrusted Pointer Dereference Vulnerability
• CVE-2025-47827 IGEL OS Use of a Key Past its Expiration Date Vulnerability
• CVE-2025-59230 Microsoft Windows Improper Access Control Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA released one Industrial Control Systems (ICS) advisory on October 14, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-287-01 Rockwell Automation 1715 EtherNet/IP Comms Module

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2021-43798 Grafana Path Traversal Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA released four Industrial Control Systems (ICS) Advisories on October 9, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. 

• ICSA-25-282-01 Hitachi Energy Asset Suite
• ICSA-25-282-02 Rockwell Automation Lifecycle Services with Cisco
• ICSA-25-282-03 Rockwell Automation Stratix
• ICSA-25-128-03 Mitsubishi Electric Multiple FA Products (Update A) 

CISA encourages users and administrators to review newly released ICS Advisories for technical details and mitigations. 

CISA released two Industrial Control Systems (ICS) advisories on October 7, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-280-01 Delta Electronics DIAScreen
• ICSA-25-226-31 Rockwell Automation 1756-EN4TR, 1756-EN4TRXT (Update B)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2025-27915 Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2010-3765 Mozilla Multiple Products Remote Code Execution Vulnerability
• CVE-2010-3962 Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
• CVE-2011-3402 Microsoft Windows Remote Code Execution Vulnerability
• CVE-2013-3918 Microsoft Windows Out-of-Bounds Write Vulnerability
• CVE-2021-22555 Linux Kernel Heap Out-of-Bounds Write Vulnerability
• CVE-2021-43226 Microsoft Windows Privilege Escalation Vulnerability
• CVE-2025-61882 Oracle E-Business Suite Unspecified Vulnerability 

These types of vulnerabilities are frequent attack vector for malicious cyber actors and pose significant risks to the federal enterprise. 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2014-6278 GNU Bash OS Command Injection Vulnerability
• CVE-2015-7755 Juniper ScreenOS Improper Authentication Vulnerability
• CVE-2017-1000353 Jenkins Remote Code Execution Vulnerability
• CVE-2025-4008 Smartbedded Meteobridge Command Injection Vulnerability
• CVE-2025-21043 Samsung Mobile Devices Out-of-Bounds Write Vulnerability

These types of vulnerabilities are frequent attack vector for malicious cyber actors and pose significant risks to the federal enterprise. 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA released two Industrial Control Systems (ICS) advisories on October 2, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-275-01 Raise3D Pro2 Series 3D Printers
• ICSA-25-275-02 Hitachi Energy MSM Product

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

CISA released ten Industrial Control Systems (ICS) advisories on September 30, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-273-01 MegaSys Enterprises Telenium Online Web Application
• ICSA-25-273-02 Festo SBRD-Q/SBOC-Q/SBOI-Q
• ICSA-25-273-03 Festo CPX-CEC-C1 and CPX-CMXX
• ICSA-25-273-04 Festo Controller CECC-S,-LK,-D Family Firmware
• ICSA-25-273-05 OpenPLC_V3
• ICSA-25-273-06 National Instruments Circuit Design Suite
• ICSA-25-273-07 LG Innotek Camera Multiple Models
• ICSA-25-063-02 Keysight Ixia Vision Product Family (Update A)
• ICSA-22-298-02 HEIDENHAIN Controller TNC (Update A)
• ICSA-25-226-26 Rockwell Automation FLEX 5000 I/O (Update A)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

The Cybersecurity and Infrastructure Security Agency (CISA) announced that it has transitioned to a new model to better equip state, local, tribal, and territorial (SLTT) governments to strengthen shared responsibility nationwide. CISA is supporting our SLTT partners with access to grant funding, no-cost tools, and cybersecurity expertise to be resilient and lead at the local level. 

CISA’s cooperative agreement with the Center for Internet Security (CIS) will reach its planned end on September 30, 2025. This transition reflects CISA’s mission to strengthen accountability, maximize impact, and empower SLTT partners to defend today and secure tomorrow.

Support for SLTTs includes:

• Access to Grant Funding from the Department of Homeland Security (DHS), available through CISA in coordination with the Federal Emergency Management Agency (FEMA). This funding is provided via the State and Local Cybersecurity Grant Program (SLCGP) and the Tribal Cybersecurity Grant Program (TCGP).
• No-cost services and tools such as Cyber Hygiene scanning and vulnerability management
• Cybersecurity Performance Goals and the Cyber Security Evaluation Tool to prioritize and measure progress
• Regional Cybersecurity Advisors and Cybersecurity Coordinators delivering hands-on, local and virtual expertise
• Professional services including vulnerability assessments and incident response coordination
• Bi-monthly SLTT Security Operations Center calls providing timely cyber defense updates

This initiative reinforces CISA’s role as the nation’s leading cyber defense agency, protecting critical infrastructure, enabling secure communications, and empowering partners on the front lines of America’s cybersecurity.

For more information about CISA’s Cybersecurity Services for SLTT partners, visit:  CISA Cybersecurity Resources for State, Local, Tribal, and Territorial

CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2021-21311 Adminer Server-Side Request Forgery Vulnerability
• CVE-2025-20352 Cisco IOS and IOS XE Software SNMP Denial of Service and Remote Code Execution Vulnerability
• CVE-2025-10035 Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability
• CVE-2025-59689 Libraesva Email Security Gateway Command Injection Vulnerability
• CVE-2025-32463 Sudo Inclusion of Functionality from Untrusted Control Sphere Vulnerability

These types of vulnerabilities are frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA, in collaboration with the Federal Bureau of Investigation, the United Kingdom’s National Cyber Security Centre, and other international partners has released new joint cybersecurity guidance: Creating and Maintaining a Definitive View of Your Operational Technology (OT) Architecture.

Building on the recent Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators, this guidance explains how organizations can leverage data sources, such as asset inventories and manufacturer-provided resources like software bill of materials to establish and maintain an accurate, up-to-date view of their OT systems.

A definitive OT record enables organizations to conduct more comprehensive risk assessments, prioritize critical and exposed systems, and implement appropriate security controls. The guidance also addresses managing third-party risks, securing OT information, and designing effective architectural controls.

Key recommendations include:

• Collaborating Across Teams: Foster coordination between OT and IT teams;
• Aligning with Standards: Follow international standards such as IEC 62443 and ISO/IEC 27001.

Organizations are encouraged to use this guidance to strengthen their OT security posture and reduce risks. For additional details, review the full guidance: Creating and Maintaining a Definitive View of Your Operational Technology (OT) Architecture

Today, CISA issued Emergency Directive ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices to address vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Cisco Firepower devices. CISA has added vulnerabilities CVE-2025-20333 and CVE-2025-20362 to the Known Exploited Vulnerabilities Catalog. 

The Emergency Directive requires federal agencies to identify, analyze, and mitigate potential compromises immediately. Agencies must:

• Identify all instances of Cisco ASA and Cisco Firepower devices in operation (all versions).
• Collect and transmit memory files to CISA for forensic analysis by 11:59 p.m. EST Sept. 26. 

For detailed guidance, including additional actions tailored to each agency’s status, refer to the full Emergency Directive ED 25-03.

The following associated resources are available to assist agencies. 

• Supplemental Direction ED 25-03: Core Dump and Hunt Instructions
• Eviction Strategies Tool with a Cisco ASA Compromise template to assemble a comprehensive eviction plan with distinct countermeasures for containment and eviction which can be tailored to individual network owners’ specific needs.
• Known Exploited Vulnerabilities Catalog
• Cisco Security Advisories:
  • Cisco Event Response: Continued Attacks Against Cisco Firewalls
  • CVE-2025-20333: Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Remote Code Execution Vulnerability
  • CVE-2025-20362: Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Unauthorized Access Vulnerability
• United Kingdom National Cyber Security Centre (NCSC):
  • NCSC warns of persistent malware campaign targeting Cisco devices
  • Malware Analysis Report: RayInitiator & LINE VIPER

Although ED 25-03 and the associated supplemental guidance are directed to federal agencies, CISA urges all public and private sector organizations to review the Emergency Directive and associated resources and take steps to mitigate these vulnerabilities.

CISA released one Industrial Control Systems (ICS) advisory on September 25, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-268-01 Dingtian DT-R002

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

CISA is releasing this Alert to provide guidance in response to a widespread software supply chain compromise involving the world’s largest JavaScript registry, npmjs.com. A self-replicating worm—publicly known as “Shai-Hulud”—has compromised over 500 packages.[i]

After gaining initial access, the malicious cyber actor deployed malware that scanned the environment for sensitive credentials. The cyber actor then targeted GitHub Personal Access Tokens (PATs) and application programming interface (API) keys for cloud services, including Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.[ii]

The malware then:

• Exfiltrated the harvested credentials to an endpoint controlled by the actor.
• Uploaded the credentials to a public repository named Shai-Hulud via the GitHub/user/repos API.
• Leveraged an automated process to rapidly spread by authenticating to the npm registry as the compromised developer, injecting code into other packages, and publishing compromised versions to the registry.[iii]

CISA urges organizations to implement the following recommendations to detect and remediate this compromise:

• Conduct a dependency review of all software leveraging the npm package ecosystem.
  • Check for package-lock.json or yarn.lock files to identify affected packages, including those nested in dependency trees.
• Search for cached versions of affected dependencies in artifact repositories and dependency management tools.
• Pin npm package dependency versions to known safe releases produced prior to Sept. 16, 2025.
• Immediately rotate all developer credentials.
• Mandate phishing-resistant multifactor authentication (MFA) on all developer accounts, especially for critical platforms like GitHub and npm.
• Monitor for anomalous network behavior.
  • Block outbound connections to webhook.site domains.
  • Monitor firewall logs for connections to suspicious domains.
• Harden GitHub security by removing unnecessary GitHub Apps and OAuth applications, and auditing repository webhooks and secrets.
• Enable branch protection rules, GitHub Secret Scanning alerts, and Dependabot security updates.

See the following resources for additional guidance on this compromise:

• GitHub: Our plan for a more secure npm supply chain
• StepSecurity: Shai-Hulud: Self Replicating Work Compromises 500+ NPM Packages
• Palo Alto Networks Unit 42: "Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack (Updated September 18)
• Socket: Updated and Ongoing Supply Chain Attack Targets CrowdStrike npm Packages
• ReversingLabs: Shai-hulud supply chain attack spreads token-stealing malware on npm

Disclaimer

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

[i] Ashish Kurmi, “Shai-Hulud: Self Replicating Work Compromises 500+ NPM Packages,” StepSecurity, (September 15, 2025), https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised; 
Kush Pandya, Peter van der Zee, and Olivia Brown, “Updated and Ongoing Supply Chain Attack Targets CrowdStrike npm Packages,” Socket, (September 16, 2025), https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages.

[ii] Palo Alto Networks Unit 42, “‘Shai-Hulud’ Worm Compromises npm Ecosystem in Supply Chain Attack (Updated September 19),” Unit 42, Palo Alto Networks, (September 17, 2025), https://unit42.paloaltonetworks.com/npm-supply-chain-attack/.

[iii] Palo Alto Networks Unit 42, “Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack (Updated September 19).”

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2025-10585 Google Chromium V8 Type Confusion Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Today, CISA released a cybersecurity advisory detailing lessons learned from an incident response engagement following the detection of potential malicious activity identified through security alerts generated by the agency’s endpoint detection and response tool. 

This advisory, CISA Shares Lessons Learned from an Incident Response Engagement, highlights takeaways that illuminate the urgent need for timely patching, comprehensive incident response planning, and proactive threat monitoring to mitigate risks from similar vulnerabilities.

The advisory also outlines the tactics, techniques, and procedures (TTPs) employed by cyber threat actors, including exploitation of GeoServer Vulnerability CVE-2024-36401 for initial access. By understanding these TTPs, organizations can enhance their defenses against similar threats.

CISA recommends organizations take the following actions:

• Prioritize Patch Management: Expedite patching of critical vulnerabilities, particularly those listed in CISA’s Known Exploited Vulnerabilities catalog, with a focus on public-facing systems.
• Strengthen Incident Response Plans: Regularly update, test, and maintain incident response plans, ensuring they include procedures for engaging third-party responders and deploying security tools without delay.
• Enhance Threat Monitoring: Implement centralized, out-of-band logging and ensure security operations centers continuously monitor and investigate abnormal network activity to detect and respond to malicious activity effectively.

CISA urges organizations to apply these lessons learned to bolster their security posture, improve preparedness, and reduce the risk of future compromises. For additional details, review the full cybersecurity advisory.

CISA released six Industrial Control Systems (ICS) advisories on September 23, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-266-01 AutomationDirect CLICK PLUS
• ICSA-25-266-02 Mitsubishi Electric MELSEC-Q Series CPU Module
• ICSA-25-266-03 Schneider Electric SESU
• ICSA-25-266-04 Viessmann Vitogate 300
• ICSA-25-023-02 Hitachi Energy RTU500 Series Product (Update A)
• ICSA-25-093-01 Hitachi Energy RTU500 Series (Update B)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

SonicWall released a security advisory to assist their customers with protecting systems impacted by the MySonicWall cloud backup file incident. SonicWall’s investigation found that a malicious actor performed a series of brute force techniques against their MySonicWall.com web portal to gain access to a subset of customers’ preference files stored in their cloud backups. While credentials within the files were encrypted, the files also included information that actors can use to gain access to customers’ SonicWall Firewall devices. 

CISA recommends all SonicWall customers follow guidance in the advisory,[1] which includes logging into their customer account to verify whether their device is at risk. Customers with at-risk devices should implement the advisory’s containment and remediation guidance immediately. 

[1] Sonicwall.com, MySonicWall Cloud Backup File Incident, accessed September 22, 2025, https://www.sonicwall.com/support/knowledge-base/mysonicwall-cloud-backup-file-incident/250915160910330.