CISA adds four known exploited vulnerabilities to the KEV catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four additional security vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, following evidence of active exploitation in the wild. The inclusion of these vulnerabilities underscores the urgent need for all organizations—particularly federal agencies—to assess exposure and apply necessary mitigations or patches.

Per CISA’s advisory issued on July 22, federal civilian executive branch agencies are required to remediate these vulnerabilities no later than July 28, 2025, in accordance with Binding Operational Directive (BOD) 22-01. However, security professionals across both public and private sectors are urged to take immediate action, as these vulnerabilities are being actively leveraged by threat actors for initial compromise and privilege escalation.

Summary of Newly Added Vulnerabilities

| CVE Identifier | Affected Products | Description |
|---|---|---|
| CVE-2025-54309 | CrushFTP File Server | An unprotected alternate channel vulnerability in CrushFTP enables remote attackers to bypass authentication over HTTPS and gain administrative access. This flaw has been actively exploited as of July 2025 and poses a significant risk of system takeover. |
| CVE-2025-6558 | Google Chrome (pre-v138.0.7204.157) | An input validation flaw in Chrome’s GPU sandbox allows remote attackers to escape the sandbox environment via crafted web content. The vulnerability has the potential to facilitate remote code execution on affected systems. |
| CVE-2025-2776 | SysAid On-Premises ITSM | A vulnerability related to improper handling of XML External Entity (XXE) inputs in SysAid’s IT service management software. Exploitation may result in information disclosure, remote code execution, or unauthorized system access. |
| CVE-2025-2775 | SysAid On-Premises ITSM | A variant of CVE-2025-2776, this flaw also stems from improper restriction of XXE references, providing similar avenues for exploitation. |

Implications and Action Items

The addition of these four entries to the KEV catalog signals a high degree of threat activity, as they have been confirmed to be used in real-world attacks. These vulnerabilities represent attractive targets for threat actors due to their ability to bypass access controls, escape sandboxing protections, and exfiltrate data.
