The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) Catalog with four new vulnerabilities, adding to the growing list of cyber risks that have been actively exploited.
These newly added vulnerabilities are of the kind that malicious cyber actors frequently exploit, and they pose a serious risk to federal agencies and other organizations. They affect widely used software, including the Linux kernel and VMware products, which underlines the importance of prompt patching to limit potential damage.
The Newly Added Flaws to Known Exploited Vulnerabilities Catalog
CISA’s latest update to the Known Exploited Vulnerabilities Catalog includes the following vulnerabilities, which have been confirmed to be exploited in active attacks:
1. CVE-2024-50302: Linux Kernel Use of Uninitialized Resource Vulnerability
Published on November 19, 2024, this Linux kernel vulnerability stems from a report buffer, shared by multiple drivers, that was not properly initialized; an attacker could use it to leak kernel memory. Because the flaw sits in a core component of the operating system, it can have serious consequences for users of affected versions. The fix zero-initializes the buffer when it is allocated, so no stale kernel data can be exposed.
2. CVE-2025-22225: VMware ESXi Arbitrary Write Vulnerability
Released on March 4, 2025, this critical vulnerability affects VMware ESXi. It allows an attacker, with the right privileges in the VMX process, to trigger an arbitrary kernel write. This can lead to an escape from the virtual machine’s sandbox environment, allowing unauthorized access to the host system. The vulnerability is rated with a CVSS score of 8.2 (High), indicating that it is a severe threat requiring immediate attention.
3. CVE-2025-22224: VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
Also disclosed on March 4, 2025, this vulnerability arises from a Time-of-Check to Time-of-Use (TOCTOU) race condition. This flaw enables an attacker with local administrative privileges on a virtual machine to execute arbitrary code by exploiting the race condition. The CVSS score of 9.3 (Critical) reflects the severity of this vulnerability, as it can potentially allow attackers to compromise the integrity of the virtual machine host.
4. CVE-2025-22226: VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability
The last of the vulnerabilities added to the CISA Known Exploited Vulnerabilities Catalog on March 4, 2025, is an information disclosure flaw in VMware ESXi, Workstation, and Fusion. It is caused by an out-of-bounds read in the HGFS module, which could allow a malicious actor to leak memory from the VMX process. While less severe than the other vulnerabilities, it still carries a CVSS score of 7.1 (High), making it a concern for users running vulnerable versions.
Risks Posed by These Vulnerabilities
These vulnerabilities are more than just theoretical risks; they are actively being exploited by cyber adversaries. The Known Exploited Vulnerabilities Catalog maintained by CISA is designed to help organizations quickly identify and patch vulnerabilities that are already being targeted in attacks. As these vulnerabilities are often leveraged as attack vectors, it is critical for organizations, especially those within the federal government, to prioritize their remediation.
The CISA catalog serves as an essential resource for federal agencies, guiding them on which vulnerabilities need immediate attention to reduce the risk of data breaches and system compromise. Exploited vulnerabilities, such as those recently added to the catalog, often act as gateways for malicious actors to gain unauthorized access, elevate privileges, or disrupt services.
Details of the Affected Products
- CVE-2024-50302 affects multiple versions of the Linux kernel. Linux users should apply the available patches immediately to avoid exposure to this risk.
- CVE-2025-22225, CVE-2025-22224, and CVE-2025-22226 affect VMware ESXi, Workstation, and Fusion. These vulnerabilities span multiple versions of VMware products, impacting both cloud infrastructure and enterprise environments. VMware administrators are strongly encouraged to update their systems to the latest versions to mitigate potential exploitation.
Conclusion
Given the severity of the vulnerabilities recently added to CISA’s Known Exploited Vulnerabilities Catalog, it is crucial for organizations to quickly apply security patches and follow the guidance provided by CISA and affected vendors regarding vulnerable versions.
For instance, CVE-2025-22225 affects VMware ESXi versions prior to ESXi80U3d-24585383, and CVE-2025-22224 impacts VMware Workstation 17.x before version 17.6.3. Organizations should prioritize patching, monitor the catalog for updates, and implement security best practices such as network segmentation, continuous monitoring, and endpoint protection tools to minimize risks.
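The catalog check recommended above can be automated against CISA's JSON feed. The following Python is an added example, not code from the article or from CISA; it works on a constructed sample in the feed's layout (the CVE IDs and vendors are from the article, the dateAdded and dueDate values are placeholders) and narrows the catalog to the vendors an organization actually runs, reporting new entries and overdue remediation.

```python
import json
from datetime import date

# Constructed sample in the layout of CISA's KEV JSON feed (the live feed is at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# CVE IDs, vendors and products come from the article; dateAdded and dueDate
# values are placeholders, not the catalog's real dates.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-50302", "vendorProject": "Linux", "product": "Kernel",
     "dateAdded": "2025-03-04", "dueDate": "2025-03-25"},
    {"cveID": "CVE-2025-22225", "vendorProject": "VMware", "product": "ESXi",
     "dateAdded": "2025-03-04", "dueDate": "2025-03-25"},
    {"cveID": "CVE-2025-22224", "vendorProject": "VMware", "product": "ESXi and Workstation",
     "dateAdded": "2025-03-04", "dueDate": "2025-03-25"},
    {"cveID": "CVE-2025-22226", "vendorProject": "VMware", "product": "ESXi, Workstation and Fusion",
     "dateAdded": "2025-03-04", "dueDate": "2025-03-25"},
    # An older placeholder entry (not a real CVE) that is already past its due date.
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleApp",
     "dateAdded": "2024-01-01", "dueDate": "2024-01-15"},
]})


def parse_kev(feed_text):
    """Return the list of vulnerability records from a KEV JSON document."""
    return json.loads(feed_text)["vulnerabilities"]


def for_vendors(entries, vendors):
    """Keep only records whose vendorProject is one of `vendors` (case-insensitive)."""
    wanted = {v.lower() for v in vendors}
    return [e for e in entries if e["vendorProject"].lower() in wanted]


def added_since(entries, since):
    """cveIDs added to the catalog on or after `since`, sorted."""
    return sorted(e["cveID"] for e in entries if date.fromisoformat(e["dateAdded"]) >= since)


def remediation_status(entries, today):
    """Map each cveID to the days left until its dueDate; negative means overdue."""
    return {e["cveID"]: (date.fromisoformat(e["dueDate"]) - today).days for e in entries}


def triage(feed_text, vendors, since, today):
    """New and overdue catalog entries for the vendors an organization runs."""
    scoped = for_vendors(parse_kev(feed_text), vendors)
    status = remediation_status(scoped, today)
    return {"new": added_since(scoped, since),
            "overdue": sorted(cve for cve, days in status.items() if days < 0)}


if __name__ == "__main__":
    print(triage(SAMPLE_KEV, ["Linux", "VMware"], date(2025, 3, 1), date(2025, 3, 10)))
```

Pointing `parse_kev` at the downloaded live feed and `for_vendors` at your asset inventory turns this into a daily check that surfaces newly catalogued CVEs before their remediation due date passes.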