CISA News

CISA has updated this Alert to include an additional vulnerability, CVE-2025-58034, and its relation to CVE-2025-64446, and associated resources.

CISA is aware of the exploitation of two vulnerabilities, CVE-2025-64446 and CVE-2025-58034, in Fortinet FortiWeb, a web application firewall. CISA is also aware that threat actors could exploit CVE-2025-64446 as an initial access vector and then chain CVE-2025-58034 to escalate privileges on a target system. These vulnerabilities chained together could lead to unauthenticated remote code execution against vulnerable FortiWeb products.

CVE-2025-64446 affects the following FortiWeb versions:1 

• 8.0.0 through 8.0.1
• 7.6.0 through 7.6.4
• 7.4.0 through 7.4.9
• 7.2.0 through 7.2.11
• 7.0.0 through 7.0.11

CVE-2025-58034 affects the following FortiWeb versions:2 

• 8.0.0 through 8.0.1
• 7.6.0 through 7.6.5
• 7.4.0 through 7.4.10
• 7.2.0 through 7.2.11
• 7.0.0 through 7.0.11

CVE-2025-64446 is a relative path traversal vulnerability (CWE-23: Relative Path Traversal) that may allow an unauthenticated malicious actor to execute administrative commands on a system via specially crafted HTTP or HTTPS requests.

CVE-2025-58034 is an OS Command Injection vulnerability (CWE-78: Improper Neutralization of Special Elements used in an OS Command [‘OS Command Injection’]) that may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.

Fortinet recommends affected organizations:

Apply the necessary upgrades listed in the table below and use Fortinet’s guidance to address CVE-2025-64446.

Version Affected  Solution FortiWeb 8.0 8.0.0 through 8.0.1 Upgrade to 8.0.2 or above FortiWeb 7.6 7.6.0 through 7.6.4 Upgrade to 7.6.5 or above FortiWeb 7.4 7.4.0 through 7.4.9 Upgrade to 7.4.10 or above FortiWeb 7.2 7.2.0 through 7.2.11 Upgrade to 7.2.12 or above FortiWeb 7.0 7.0.0 through 7.0.11 Upgrade to 7.0.12 or above

Apply the necessary upgrades listed in the table below and use Fortinet’s guidance to address CVE-2025-58034.

Version Affected  Solution FortiWeb 8.0 8.0.0 through 8.0.1 Upgrade to 8.0.2 or above FortiWeb 7.6 7.6.0 through 7.6.5 Upgrade to 7.6.6 or above FortiWeb 7.4 7.4.0 through 7.4.10 Upgrade to 7.4.11 or above FortiWeb 7.2 7.2.0 through 7.2.11 Upgrade to 7.2.12 or above FortiWeb 7.0 7.0.0 through 7.0.11 Upgrade to 7.0.12 or above

If you cannot immediately upgrade the affected systems, disable HTTP or HTTPS for internet-facing interfaces. Note: Limiting access to HTTP/HTTPS management interfaces to internal networks is a best practice that reduces, but does not eliminate, risk; upgrading the affected systems remains essential and is the only way to fully remediate this vulnerability.

After upgrading, review configuration and review logs for unexpected modifications or the addition of unauthorized administrator accounts.

CISA added CVE-2025-64446 and CVE-2025-58034 to its Known Exploited Vulnerabilities (KEV) Catalog on Nov. 14, 2025 and Nov. 18, 2025, respectively.

Disclaimer

Note: This Alert may be updated to reflect new guidance issued by CISA or other parties. 

Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870.   

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

Notes: 

1. FortiGuard Labs, Path confusion vulnerability in GUI (November 14, 2025), https://fortiguard.fortinet.com/psirt/FG-IR-25-910.
2. FortiGuard Labs, Multiple OS command injection in API and CLI (November 18, 2025), https://fortiguard.fortinet.com/psirt/FG-IR-25-513.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2025-64446 Fortinet FortiWeb Path Traversal Vulnerability 

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.   

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. 

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

Today, Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation, Department of Defense Cyber Crime Center, Department of Health and Human Services, and international partners, released an updated joint Cybersecurity Advisory, #StopRansomware: Akira Ransomware, to provide network defenders with the latest indicators of compromise, tactics, techniques, and procedures, and detection methods associated with Akira ransomware activity.

This advisory reflects new findings as of Nov. 13, 2025, highlighting Akira ransomware’s evolution and continued threat to critical infrastructure sectors. Akira ransomware threat actors, associated with groups such as Storm-1567, Howling Scorpius, Punk Spider, and Gold Sahara, have expanded their capabilities, targeting small and medium-sized businesses as well as larger organizations across sectors including Manufacturing, Educational Institutions, Information Technology, Healthcare, Financial, and Food and Agriculture.

Key Updates:

• Initial Access: Threat actors exploit vulnerabilities in edge devices and backup servers, such as authentication bypass, cross-site scripting, buffer overflow, and compromise credentials through brute-force techniques.
• Discovery: Threat actors use command line techniques to accomplish network and domain discovery.
• Defense Evasion: Threat actors use remote management and monitoring tools such as Anydesk and LogMeIn to mimic administrator activity, and modify firewall settings, terminate antivirus processes and uninstall EDR systems.
• Privilege Escalation: Threat actors deploy POORTRY malware to modify BYOVD configurations on vulnerable drivers, create administrator accounts, steal administrator login credentials, and bypass VMDK protections, as well as exploit Veeam vulnerabilities.
• Lateral Movement: Threat actors use remote access tools and protocols like RDP, SSH, and steal Kerberos authentication tickets to move within networks.
• Command and Control: Threat actors use Ngrok to establish encrypted sessions, SystemBC malware as a remote access trojan, and STONETOP malware to deploy Akira payloads.
• Exfiltration and Impact: Threat actors use protocols such as FTP, SFTP, and cloud services to exfiltrate data.
• Encryption: Threat actors use a new Akira_v2 ransomware variant that enables faster encryption speeds and further inhibits system recovery.

CISA and its partners strongly encourage organizations to apply patches for known vulnerabilities, especially those affecting VPN products and backup servers, and enforce multifactor authentication for all remote access services. Organizations should monitor unauthorized domain account creation and unusual network activity while deploying endpoint detection and response solutions to enhance security. 

For more information, see CISA’s updated #StopRansomware Guide.

CISA released 18 Industrial Control Systems (ICS) Advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. 

•  ICSA-25-317-01 Mitsubishi Electric MELSEC iQ-F Series
• ICSA-25-317-02 AVEVA Application Server IDE
• ICSA-25-317-03 AVEVA Edge
• ICSA-25-317-04 Brightpick Mission Control / Internal Logic Control
• ICSA-25-317-05 Rockwell Automation Verve Asset Manager
• ICSA-25-317-06 Rockwell Automation Studio 5000 Simulation Interface
• ICSA-25-317-07 Rockwell Automation FactoryTalk DataMosaix Private Cloud
• ICSA-25-317-08 General Industrial Controls Lynx+ Gateway
• ICSA-25-317-09 Rockwell Automation FactoryTalk Policy Manager
• ICSA-25-317-10 Rockwell Automation AADvance-Trusted SIS Workstation
• ICSA-25-317-11 Siemens SICAM P850 family and SICAM P855 family
• ICSA-25-317-12 Siemens Spectrum Power 4
• ICSA-25-317-13 Siemens LOGO! 8 BM Devices
• ICSA-25-317-14 Siemens Solid Edge
• ICSA-25-317-15 Siemens COMOS
• ICSA-25-317-16 Siemens Altair Grid Engine
• ICSA-25-317-17 Siemens Software Center and Solid Edge
• ICSA-25-273-04 Festo Controller CECC-S,-LK,-D Family Firmware (Update A) 

CISA encourages users and administrators to review newly released ICS Advisories for technical details and mitigations.

CISA has released Emergency Cisco Directive 25-03 Implementation Guidance to assist federal agencies in addressing critical vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Firepower devices. Emergency Directive 25-03: Identify and Mitigate Potential Compromise of Cisco Devices, issued on Sept. 25, identified known vulnerabilities CVE-2025-20333 and CVE-2025-20362, and mandated immediate action to mitigate risks. Threat actors continue to target these devices, posing significant risk to all organizations. 

The implementation guidance provides information on the minimum software versions that address these vulnerabilities and direct federal agencies to conduct corrective patching measures on devices that are not compliant with these requirements. CISA is aware of multiple organizations that believed they had applied the necessary updates but had not in fact updated to the minimum software version. CISA recommends all organizations verify the correct updates are applied. For agencies with ASA or Firepower devices not yet updated to the necessary software versions or devices that were updated after September 26, 2025, CISA recommends additional actions to mitigate against ongoing and new threat activity. CISA urges all agencies with ASAs and Firepower devices to follow this guidance. 

See Emergency Directive 25-03 Implementation Guidance and Temporary Risk Mitigation Guidance for Agencies in the Process of ED 25-03 Compliance for detailed recommendations and CISA’s RayDetect scanner to examine ASA core dumps for evidence of RayInitiator compromise.

CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2025-9242 WatchGuard Firebox Out-of-Bounds Write Vulnerability
• CVE-2025-12480 Gladinet Triofox Improper Access Control Vulnerability
• CVE-2025-62215 Microsoft Windows Race Condition Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.  

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. 

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2025-21042 Samsung Mobile Devices Out-of-Bounds Write Vulnerability  

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA released four Industrial Control Systems (ICS) Advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. 

• ICSA-25-310-01 Advantech DeviceOn iEdge
• ICSA-25-310-02 Ubia Ubox
• ICSA-25-310-03 ABB FLXeon Controllers
• ICSA-25-282-01 Hitachi Energy Asset Suite (Update A)

CISA encourages users and administrators to review newly released ICS Advisories for technical details and mitigations.

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2025-11371 Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability
• CVE-2025-48703 CWP Control Web Panel OS Command Injection Vulnerability 

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.   

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. 

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

CISA released five Industrial Control Systems (ICS) Advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. 

• ICSA-25-308-01 Fuji Electric Monitouch V-SFT-6
• ICSA-25-308-02 Survision License Plate Recognition Camera
• ICSA-25-308-03 Delta Electronics CNCSoft-G2
• ICSA-25-308-04 Radiometrics VizAir
• ICSA-25-308-05 IDIS ICM Viewer 

CISA encourages users and administrators to review newly released ICS Advisories for technical details and mitigations. 

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2025-24893 XWiki Platform Eval Injection Vulnerability
• CVE-2025-41244 Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.   

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. 

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

Today, CISA, in partnership with the National Security Agency and international cybersecurity partners, released Microsoft Exchange Server Security Best Practices, a guide to help network defenders harden on-premises Exchange servers against exploitation by malicious actors.

Threat activity targeting Exchange continues to persist, and organizations with unprotected or misconfigured Exchange servers remain at high risk of compromise. 

Best practices in this guide focus on hardening user authentication and access, ensuring strong network encryption, and minimizing application attack surfaces. CISA recommends organizations also decommission any remaining end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365, as retaining the “last Exchange server” can expose organizations to ongoing exploitation activity. 

CISA recommends organizations implement Microsoft Exchange Server Best Practices and take steps to decommission end-of-life on-premises Exchange servers in hybrid environments to significantly reduce their risk from cyber threats. 

CISA released two Industrial Control Systems (ICS). These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. 

• ICSA-25-303-01 International Standards Organization ISO 15118-2
• ICSA-25-303-02 Hitachi Energy TropOS 

CISA encourages users and administrators to review newly released ICS Advisories for technical details and mitigations.

CISA released three Industrial Control Systems (ICS) Advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. 

• ICSA-25-301-01 Schneider Electric EcoStruxure
• ICSMA-25-301-01 Vertikal Systems Hospital Manager Backend Services
• ICSA-24-352-04 Schneider Electric Modicon (Update B) 

CISA encourages users and administrators to review newly released ICS Advisories for technical details and mitigations. 

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2025-6204 Dassault Systèmes DELMIA Apriso Code Injection Vulnerability
• CVE-2025-6205 Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. 

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

Updated October 29, 2025: CISA has updated this Alert to include revised information on vulnerable product identification, potential threat activity detections, and additional resources.

Microsoft released an update to address a critical remote code execution vulnerability impacting Windows Server Update Service (WSUS) in Windows Server (2012, 2016, 2019, 2022, and 2025), CVE-2025-59287, that a prior update did not fully mitigate. 

(Updated October 29, 2025):

CISA strongly urges organizations to implement Microsoft’s updated Windows Server Update Service (WSUS) Remote Code Execution Vulnerability guidance, 1 or risk an unauthenticated actor achieving remote code execution with SYSTEM-level privileges. Immediate actions for organizations with affected products are:

1. Identify servers vulnerable to exploitation (i.e., affected servers with WSUS Server Role enabled and ports open to TCP 8530/TCP 8531) for priority mitigation:
   1. Run the following command in PowerShell to check if WSUS is in an installed state: Get-WindowsFeature -Name UpdateServices; and/or
   2. Leverage the Server Manager Dashboard, and check if WSUS enablement is turned on as a Server Role.
2. Apply the out-of-band security update released on October 23, 2025, to all servers identified in Step 1. Reboot WSUS server(s) after installation to complete mitigation. If organizations are unable to apply the update immediately, system administrators should disable the WSUS Server Role and/or block inbound traffic to ports TCP 8530/TCP 8531, the default listeners for WSUS, at the host firewall. Of note, do not undo either of these workarounds until your organization has installed the update.
3. Apply updates to remaining Windows servers. Reboot servers after installation to complete mitigation.

In addition to checking for endpoint security platform events, CISA recommends that potentially affected organizations investigate signs of threat activity on their networks:

• Monitor and vet suspicious activity and child processes spawned with SYSTEM-level permissions, particularly those originating from wsusservice.exe and/or w3wp.exe. Keep in mind:
  • These child processes may represent legitimate activity; and
  • Exploitation of CVE-2025-59287 on the target system could involve additional services beyond WSUS parent processes.
• Monitor and vet nested PowerShell processes using base64-encoded PowerShell commands.

(End of Update)

CISA added CVE-2025-59287 to its Known Exploited Vulnerabilities (KEV) Catalog on October 24, 2025.

(Updated October 29, 2025):

See the following resources for additional guidance on this vulnerability:

• Huntress: Exploitation of Windows Server Update Services Remote Code Execution Vulnerability (CVE-2025-59287)
• Palo Alto Networks Unit 42: Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited in the Wild (Updated October 28, 2025)

(End of Update)

Disclaimer

Note: CISA may update this Alert to reflect new guidance issued by CISA or other parties. 

Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870.

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

Notes

1. Microsoft.com, Windows Server Update Service (WSUS) Remote Code Execution Vulnerability, accessed October 24, 2025, CVE-2025-59287 - Security Update Guide - Microsoft - Windows Server Update Service (WSUS) Remote Code Execution Vulnerability.

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2025-54236 Adobe Commerce and Magento Improper Input Validation Vulnerability
• CVE-2025-59287 Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability 

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and poses significant risks to the federal enterprise.   

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. 

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

CISA released eight Industrial Control Systems (ICS) Advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. 

• ICSA-25-296-01 AutomationDirect Productivity Suite
• ICSA-25-296-02 ASKI Energy ALS-Mini-S8 and ALS-Mini-S4
• ICSA-25-296-03 Veeder-Root TLS4B Automatic Tank Gauge System
• ICSA-25-296-04 Delta Electronics ASDA-Soft
• ICSMA-25-296-01 NIHON KOHDEN Central Monitor CNS-6201
• ICSA-25-037-02 Schneider Electric EcoStruxure (Update C)
• ICSA-24-116-02 Hitachi Energy MACH SCM (Update A)
• ICSA-25-259-01 Schneider Electric Altivar products, ATVdPAC module, ILC992 InterLink Converter (Update A) 

CISA encourages users and administrators to review newly released ICS Advisories for technical details and mitigations.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2025-61932 Motex LANSCOPE Endpoint Manager Improper Verification of Source of a Communication Channel Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA released 10 Industrial Control Systems (ICS) advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-294-01 Rockwell Automation 1783-NATR
• ICSA-25-294-02 Rockwell Automation Compact GuardLogix 5370
• ICSA-25-294-03 Siemens SIMATIC S7-1200 CPU V1/V2 Devices
• ICSA-25-294-04 Siemens RUGGEDCOM ROS Devices
• ICSA-25-294-05 CloudEdge Online Cameras and App
• ICSA-25-294-06 Raisecomm RAX701-GC Series
• ICSMA-25-294-01 Oxford Nanopore Technologies MinKNOW
• ICSA-25-035-07 Schneider Electric Pro-Face GP-Pro EX and Remote HMI (Update A)
• ICSA-24-354-07 Schneider Electric Modicon Controllers (Update A)
• ICSA-25-140-08 Schneider Electric Modicon Controllers (Update B) 

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.