The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The list of flaws is as follows –
- CVE-2014-3931 (CVSS score: 9.8) – A buffer overflow vulnerability in Multi-Router Looking Glass (MRLG) that could allow remote attackers to cause an arbitrary memory write and memory corruption
- CVE-2016-10033 (CVSS score: 9.8) – A command injection vulnerability in PHPMailer that could allow an attacker to execute arbitrary code within the context of the application or result in a denial-of-service (DoS) condition
- CVE-2019-5418 (CVSS score: 7.5) – A path traversal vulnerability in Ruby on Rails' Action View that could cause the contents of arbitrary files on the target system's file system to be exposed
- CVE-2019-9621 (CVSS score: 7.5) – A Server-Side Request Forgery (SSRF) vulnerability in the Zimbra Collaboration Suite that could result in unauthorized access to internal resources and remote code execution
There are currently no public reports on how the first three vulnerabilities are being exploited in real-world attacks. The abuse of CVE-2019-9621, on the other hand, was attributed by Trend Micro to a China-linked threat actor known as Earth Lusca in September 2023 to drop web shells and Cobalt Strike.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are recommended to apply the necessary updates by July 28, 2025, to secure their networks.
Technical Details of Citrix Bleed 2 Out
The development comes as watchTowr Labs and Horizon3.ai have released technical analyses of a critical security flaw in Citrix NetScaler ADC (CVE-2025-5777, aka Citrix Bleed 2), which is assessed to have come under active exploitation.

"We're seeing active exploitation of both CVE-2025-5777 and CVE-2025-6543 in the wild," watchTowr CEO Benjamin Harris told The Hacker News. "This vulnerability allows reading of memory, which we believe attackers are using to read sensitive information (for example, information sent within HTTP requests that is then processed in-memory), credentials, valid Citrix session tokens, and more."
The findings show that it is possible to send a login request to the "/p/u/doAuthentication.do" endpoint and cause it (and other endpoints susceptible to the flaw) to reflect the user-supplied login value in the response, regardless of success or failure.
Horizon3.ai noted that the vulnerability could be used to leak approximately 127 bytes of data via a specially crafted HTTP request with a modified "login=" parameter lacking an equals sign or value, thereby making it possible to extract session tokens or other sensitive information.
The shortcoming, watchTowr explained, stems from the use of the snprintf function together with a format string containing the "%.*s" specifier.
"The %.*s format tells snprintf: 'Print up to N characters, or stop at the first null byte (\0) – whichever comes first.' That null byte eventually appears somewhere in memory, so while the leak doesn't run indefinitely, you still get a handful of bytes with each invocation," the company said.
"So, every time you hit that endpoint without the =, you pull more uninitialized stack data into the response. Repeat it enough times, and eventually, you might land on something valuable."
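To make the pattern watchTowr describes concrete, here is an added toy example (not code from NetScaler, watchTowr or Horizon3.ai) of a handler that reflects a form value with "%.*s" beside a hardened version; the XML tag, buffer size and the stale "session token" bytes are all constructed for the demo and stand in for whatever an earlier request left on the stack.

```c
#include <stdio.h>
#include <string.h>

#define SCRATCH_LEN 64
/* Constructed stand-in for bytes an earlier request left behind on the stack. */
#define STALE "NSC_AAAC=stale-session-token-from-earlier-request"

/* Copy the value of the "login" form parameter into buf; returns its length,
 * or -1 when the parameter arrives with no '=' and therefore no value. */
static int parse_login(const char *body, char *buf, size_t buflen) {
    const char *p = strstr(body, "login=");
    if (!p) return -1;
    p += strlen("login=");
    const char *end = strchr(p, '&');
    size_t n = end ? (size_t)(end - p) : strlen(p);
    if (n >= buflen) n = buflen - 1;
    memcpy(buf, p, n);
    buf[n] = '\0';
    return (int)n;
}

/* Vulnerable pattern: the buffer is written only when a value was parsed, yet
 * it is reflected unconditionally with a fixed "%.*s" precision, so a bare
 * "login" echoes whatever already sat in the buffer up to the first NUL. */
static int reflect_vuln(const char *body, char *scratch, char *out, size_t outlen) {
    parse_login(body, scratch, SCRATCH_LEN);   /* the -1 result is ignored */
    return snprintf(out, outlen, "<InitialValue>%.*s</InitialValue>",
                    SCRATCH_LEN - 1, scratch);
}

/* Hardened form: clear the reused buffer, reject a parameter without a value,
 * and bound "%.*s" by the number of bytes actually parsed. */
static int reflect_safe(const char *body, char *scratch, char *out, size_t outlen) {
    memset(scratch, 0, SCRATCH_LEN);
    int n = parse_login(body, scratch, SCRATCH_LEN);
    if (n < 0) return snprintf(out, outlen, "<Error>login value required</Error>");
    return snprintf(out, outlen, "<InitialValue>%.*s</InitialValue>", n, scratch);
}

/* Run one request body through either handler, starting from a scratch buffer
 * pre-filled with STALE to simulate uninitialized stack memory. */
const char *demo(int hardened, const char *body) {
    static char scratch[SCRATCH_LEN], out[256];
    memset(scratch, 0, sizeof scratch);
    memcpy(scratch, STALE, sizeof STALE);
    if (hardened) reflect_safe(body, scratch, out, sizeof out);
    else          reflect_vuln(body, scratch, out, sizeof out);
    return out;
}
```

Calling `demo(0, "login")` reflects the stale bytes in the response, while `demo(1, "login")` returns an error and `demo(1, "login=admin")` reflects only the five bytes that were actually parsed.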