CVE-2021-21311 Added To CISA’s Known Exploited List


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog by adding five new security flaws that are confirmed to be under active exploitation.  

The newly listed vulnerabilities, spanning database tooling, network operating systems, email gateways, managed file transfer platforms, and a core Unix privilege utility, are CVE-2021-21311, CVE-2025-20352, CVE-2025-10035, CVE-2025-59689, and CVE-2025-32463. 

Detailed Breakdown of the Five Vulnerabilities 

CVE-2021-21311 – Adminer SSRF Vulnerability 

First disclosed in early 2021, this Server-Side Request Forgery (SSRF) vulnerability affects Adminer versions from 4.0.0 up to, but not including, 4.7.9 (the fixing release). Adminer, a lightweight single-file PHP database management tool, connects to whatever server address it is handed, so an attacker who can reach the Adminer page can point it at hosts that are not otherwise reachable from outside and read back what they return. 

With a CVSS score of 7.2, this issue is categorized as high severity. Attackers exploiting this flaw could use Adminer as a proxy into otherwise inaccessible systems, enabling reconnaissance of internal networks and, where internal services trust requests from the Adminer host, lateral movement. Its age is worth noting: a KEV entry is driven by evidence of exploitation, not by disclosure date, so a four-year-old flaw in a tool that is often left on a web root "temporarily" still qualifies. 

CVE-2025-20352 – Cisco IOS / IOS XE Stack-Based Buffer Overflow 

This newly disclosed vulnerability in Cisco's IOS and IOS XE operating systems affects releases with the Simple Network Management Protocol (SNMP) enabled, across all SNMP versions. Identified as a stack-based buffer overflow in the SNMP subsystem, the flaw is triggered by a specially crafted SNMP packet sent over IPv4 or IPv6. Exploitation is authenticated: the attacker needs a valid SNMPv1/v2c read-only community string or valid SNMPv3 user credentials.

The impact depends on the attacker's privilege level. A low-privileged SNMP user can force the device to reload, a denial of service; an attacker who additionally holds administrative (privilege 15) credentials can execute code as the root user on IOS XE. With a CVSS score of 7.7, this vulnerability poses a substantial threat to enterprise and government network infrastructure, particularly where SNMP community strings are shared widely or left at guessable defaults. 

CVE-2025-10035 – GoAnywhere MFT Deserialization Vulnerability 

Affecting all GoAnywhere MFT versions up to and including 7.8.3, this critical flaw (CVSS 10.0) lies in the License Servlet's handling of serialized data: an actor holding a forged license response signature can have the servlet deserialize an attacker-controlled object, which can lead to command injection on the server. That makes it a prime target for attackers seeking to compromise sensitive file transfer systems. Fortra, the vendor, urges customers to upgrade without delay and to ensure the GoAnywhere Admin Console is not exposed to the public internet. 

CVE-2025-59689 – Libraesva Email Gateway Command Injection 

This vulnerability, found in multiple versions of Libraesva's Email Security Gateway (ESG), allows attackers to inject and execute shell commands by sending an email carrying a malicious compressed attachment; the gateway's sanitization of active code inside compressed archives could be bypassed, and attacker-controlled content reached a shell.  

While rated medium severity (CVSS 6.1), the flaw sits in a security appliance that inspects inbound and outbound email, is reachable by anyone who can send a message to the organization, and requires no user interaction, which makes it a valuable entry point. Successful exploitation can result in compromise of the appliance and a foothold for further internal access. 

CVE-2025-32463 – Sudo Privilege Escalation via Untrusted Control Sphere 

Sudo, a core utility in Unix and Linux systems, is vulnerable in versions 1.9.14 through 1.9.17; the fix shipped in 1.9.17p1. The weakness (CWE-829, Inclusion of Functionality from Untrusted Control Sphere) lies in the `-R`/`--chroot` option: sudo changes root into the user-supplied directory before resolving the command, and while doing so it reads /etc/nsswitch.conf from inside that chroot. A local user who controls the directory can therefore supply an nsswitch.conf that names an attacker-provided NSS module, which sudo loads as a shared library while still running as root. No special sudoers rule is needed; a default configuration is exploitable. With a critical CVSS rating of 9.3, exploitation grants an unprivileged local user root-level access, and the fixed release deprecates the chroot option outright. 

Why Inclusion in the KEV Catalog Matters 

The addition of these vulnerabilities, CVE-2021-21311, CVE-2025-20352, CVE-2025-10035, CVE-2025-59689, and CVE-2025-32463, signals that each is confirmed to be actively exploited.  

CISA's KEV list is not theoretical; it reflects real-world threats, often leveraged by threat actors in advanced persistent campaigns or ransomware operations. The catalog acts as a call to action, urging organizations to remediate vulnerabilities that attackers are known to be using right now. For U.S. Federal Civilian Executive Branch agencies it is more than advice: under Binding Operational Directive 22-01 each entry carries a remediation due date, and many private-sector programs borrow those dates as their own SLA. 

Affected Products and Versions 

  • Cisco IOS and IOS XE – A large set of releases is affected by CVE-2025-20352; the catalog entry lists 349 IOS XE versions and 21 Catalyst SD-WAN releases. Use Cisco's Software Checker to confirm a specific image rather than relying on a version range. 
  • Fortra GoAnywhere MFT – All versions up to and including 7.8.3 are impacted by CVE-2025-10035. 
  • Libraesva ESG – Multiple branches from 4.5 to 5.5 are vulnerable to CVE-2025-59689; fixes were issued per branch, so check the patch level of the branch in use, not just the major version. 
  • Sudo – Versions 1.9.14 up to and including 1.9.17 are affected by CVE-2025-32463; 1.9.17p1 is fixed. Distribution packages may carry the fix as a backport under an older version string, so check the package changelog as well as `sudo -V`. 
  • Adminer – Versions 4.0.0 through 4.7.8 are affected by CVE-2021-21311; upgrade to 4.7.9 or later. 
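The version ranges above are easy to misjudge by eye, especially sudo's "p1" patch suffix and a vendor fix that was backported into an older branch. The following script is an added example, not code from the article, CISA, or any of the vendors: it encodes the three entries that the article gives as a single range (Adminer, GoAnywhere MFT, sudo) and checks a software inventory against them. Cisco IOS/IOS XE and Libraesva ESG are left out because their affected versions are per-release lists, not one range. The GoAnywhere fixed versions 7.8.4 and Sustain Release 7.6.3 come from Fortra's advisory, not from the article, and the inventory is constructed for illustration.

```python
"""Offline check of inventoried versions against the KEV ranges in the article."""
import re
from dataclasses import dataclass

# Up to four dotted numeric fields, optionally followed by a sudo-style
# "p<n>" patch level, e.g. "4.7.9", "7.8.3", "1.9.17p1".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+){0,3})(?:p(\d+))?$")


def parse_version(text: str) -> tuple:
    """Turn "1.9.17p1" into a comparable tuple (1, 9, 17, 0, 1).

    Numeric fields are zero-padded to four so "7.8.3" and "7.8.3.0" compare
    equal; the patch level is the fifth element, so 1.9.17 < 1.9.17p1.
    Anything else (e.g. Cisco's "17.9.4a") is rejected rather than guessed at.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    fields = [int(f) for f in m.group(1).split(".")]
    fields += [0] * (4 - len(fields))
    patch = int(m.group(2)) if m.group(2) else 0
    return (*fields, patch)


@dataclass(frozen=True)
class AffectedRange:
    cve: str
    product: str
    introduced: str                      # first affected version, inclusive
    fixed: str                           # first fixed version on the main line, exclusive
    backport_fixes: tuple = ()           # fixed releases on older maintenance branches

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        # A maintenance branch that received the fix is clean from the
        # backported release onward, even though it sits inside the range.
        for b in self.backport_fixes:
            bv = parse_version(b)
            if v[:2] == bv[:2] and v >= bv:
                return False
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


# Ranges as stated in the article. The GoAnywhere fixed versions (7.8.4 and
# Sustain Release 7.6.3) are taken from Fortra's advisory, not the article.
KEV_RANGES = {
    "CVE-2021-21311": AffectedRange("CVE-2021-21311", "Adminer", "4.0.0", "4.7.9"),
    "CVE-2025-10035": AffectedRange("CVE-2025-10035", "GoAnywhere MFT", "0", "7.8.4",
                                    backport_fixes=("7.6.3",)),
    "CVE-2025-32463": AffectedRange("CVE-2025-32463", "sudo", "1.9.14", "1.9.17p1"),
}


def check_inventory(inventory: dict) -> list:
    """Return (product, version, cve) for every inventoried version in an
    affected range. Keys of `inventory` are product names as in KEV_RANGES."""
    hits = []
    for cve, rng in KEV_RANGES.items():
        version = inventory.get(rng.product)
        if version is not None and rng.affects(version):
            hits.append((rng.product, version, cve))
    return sorted(hits)


# Constructed sample inventory for the example; not taken from any real host.
SAMPLE_INVENTORY = {
    "Adminer": "4.7.8",          # one release short of the fix
    "GoAnywhere MFT": "7.6.3",   # inside the range, but a patched Sustain Release
    "sudo": "1.9.17",            # the last affected release before 1.9.17p1
}

if __name__ == "__main__":
    for product, version, cve in check_inventory(SAMPLE_INVENTORY):
        print(f"{product} {version}: affected by {cve} (CISA KEV)")
```

Run as-is it flags Adminer 4.7.8 and sudo 1.9.17 but not GoAnywhere 7.6.3, which is the point of modelling backported fixes separately: a plain "less than 7.8.4" test would mark a patched host as vulnerable. Replace SAMPLE_INVENTORY with output from your asset system; sudo versions can be read from `sudo -V`, though a distribution package may carry the fix under an older version string, so treat a hit as a prompt to check the package changelog rather than a verdict.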

Mitigation and Response Strategies 

CISA advises organizations to: 

  • Apply the vendor fixes, which are already available for all five entries, within the KEV due date, prioritizing internet-facing Adminer, GoAnywhere, and Libraesva instances. 
  • Implement compensating controls where patching is not immediately feasible: restrict SNMP and administrative consoles to trusted management networks, rotate shared SNMP community strings and prefer SNMPv3, keep the GoAnywhere Admin Console off the public internet, and segment hosts that run Adminer. 
  • Enhance monitoring for signs of exploitation attempts: SNMP traffic to network devices from outside the management network, unexpected device reloads, sudo log entries that record a CHROOT= path, outbound connections from Adminer hosts to internal services, and shell activity on the email gateway. 
  • Conduct threat hunting focused on privilege escalation on Linux hosts where sudo is in the affected range and on anomalous file transfer or administrative activity in GoAnywhere MFT. 




About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.