
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added five security flaws affecting Apple, Craft CMS, and Laravel Livewire to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch them by April 3, 2026.
The vulnerabilities being exploited are as follows:
CVE-2025-31277 (CVSS Score: 8.8) – A vulnerability in Apple WebKit could lead to memory corruption when processing maliciously crafted web content. (Fixed in July 2025)
CVE-2025-43510 (CVSS Score: 7.8) – A memory corruption vulnerability in Apple’s kernel component could allow a malicious application to cause unexpected changes to memory shared between processes. (Fixed in December 2025)
CVE-2025-43520 (CVSS Score: 8.8) – A memory corruption vulnerability in Apple’s kernel component could allow a malicious application to cause an unexpected system termination or write to kernel memory. (Fixed in December 2025)
CVE-2025-32432 (CVSS Score: 10.0) – A code injection vulnerability in Craft CMS could allow a remote attacker to execute arbitrary code. (Fixed in April 2025)
CVE-2025-54068 (CVSS Score: 9.8) – A code injection vulnerability in Laravel Livewire could allow an unauthenticated attacker to execute remote commands in certain scenarios. (Revised July 2025)
The addition of the three Apple vulnerabilities to the KEV catalog follows reports from the Google Threat Intelligence Group (GTIG), iVerify, and Lookout about an iOS exploit kit codenamed DarkSword that chains these flaws with three other bugs to deploy various malware families, including GHOSTBLADE, GHOSTKNIFE, and GHOSTSABRE, to steal data.
According to Orange Cyberdefense SensePost, CVE-2025-32432 has been exploited as a zero-day by unknown attackers since February 2025. Since then, an intrusion set tracked as Mimo (also known as Hezb) has also been observed exploiting this vulnerability to deploy cryptocurrency miners and residential proxyware.
Rounding out the list is CVE-2025-54068. Exploitation of this flaw was recently reported by the Ctrl-Alt-Intel Threat Research Team as part of an attack by the Iranian state-sponsored hacking group MuddyWater (also known as Boggy Serpens).
Palo Alto Networks’ Unit 42, in a report released earlier this week, described the adversary as consistently targeting diplomatic entities and critical infrastructure, including the energy, maritime, and financial sectors, across the Middle East and other strategic targets around the world.
“While social engineering remains its hallmark, the group has also improved its technical capabilities,” Unit 42 said. “Its diverse toolset includes AI-enhanced malware implants that incorporate anti-analysis techniques for long-term persistence. This combination of social engineering and rapidly developed tools creates a powerful threat profile.”
“To support large-scale social engineering campaigns, Boggy Serpens uses a custom-built web-based orchestration platform,” Unit 42 said. “This tool allows operators to automate high-volume email distribution with granular control over sender identities and target lists.”
The group, which belongs to Iran’s Ministry of Intelligence and Security (MOIS), primarily focuses on cyber espionage, but is also said to have been involved in a destructive operation targeting the Technion-Israel Institute of Technology by adopting the DarkBit ransomware persona.
One of the defining features of MuddyWater’s tradecraft is the use of compromised accounts belonging to government agencies and corporations in spear-phishing attacks, as well as the exploitation of trust relationships to circumvent reputation-based blocking systems and distribute malware.
In an ongoing campaign targeting an unnamed national maritime and energy company in the United Arab Emirates between August 16, 2025 and February 11, 2026, the threat actor allegedly carried out four different attack waves, leading to the deployment of various malware families, including GhostBackDoor and Nuso (also known as HTTP_VIP). Other notable tools in the threat actor’s arsenal include UDPGangster and LampoRAT (also known as CHAR).
“Boggy Serpens’ recent activities exemplify a maturing threat profile as the group integrates established methodologies and sophisticated mechanisms for continued operations,” Unit 42 said. “By diversifying its development pipeline to include modern coding languages like Rust and AI-assisted workflows, the group is creating parallel tracks and ensuring the redundancy needed to maintain a high operational tempo.”
