|
1 | 1 | { |
2 | 2 | "title": "CISA Catalog of Known Exploited Vulnerabilities", |
3 | | - "catalogVersion": "2025.05.30", |
4 | | - "dateReleased": "2025-05-30T21:01:55.3914Z", |
5 | | - "count": 1352, |
| 3 | + "catalogVersion": "2025.06.02", |
| 4 | + "dateReleased": "2025-06-02T17:47:59.1391Z", |
| 5 | + "count": 1357, |
6 | 6 | "vulnerabilities": [ |
| 7 | + { |
| 8 | + "cveID": "CVE-2021-32030", |
| 9 | + "vendorProject": "ASUS", |
| 10 | + "product": "Routers", |
| 11 | + "vulnerabilityName": "ASUS Routers Improper Authentication Vulnerability", |
| 12 | + "dateAdded": "2025-06-02", |
| 13 | + "shortDescription": "ASUS Lyra Mini and ASUS GT-AC2900 devices contain an improper authentication vulnerability that allows an attacker to gain unauthorized access to the administrative interface. The impacted products could be end-of-life (EoL) and\/or end-of-service (EoS). Users should discontinue product utilization.", |
| 14 | + "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", |
| 15 | + "dueDate": "2025-06-23", |
| 16 | + "knownRansomwareCampaignUse": "Unknown", |
| 17 | + "notes": "https:\/\/www.asus.com\/us\/supportonly\/lyra%20mini\/helpdesk_bios\/ ; https:\/\/www.asus.com\/us\/supportonly\/rog%20rapture%20gt-ac2900\/helpdesk_bios\/; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-32030", |
| 18 | + "cwes": [ |
| 19 | + "CWE-287" |
| 20 | + ] |
| 21 | + }, |
| 22 | + { |
| 23 | + "cveID": "CVE-2025-3935", |
| 24 | + "vendorProject": "ConnectWise", |
| 25 | + "product": "ScreenConnect", |
| 26 | + "vulnerabilityName": "ConnectWise ScreenConnect Improper Authentication Vulnerability", |
| 27 | + "dateAdded": "2025-06-02", |
| 28 | + "shortDescription": "ConnectWise ScreenConnect contains an improper authentication vulnerability. This vulnerability could allow a ViewState code injection attack, which could allow remote code execution if machine keys are compromised.", |
| 29 | + "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", |
| 30 | + "dueDate": "2025-06-23", |
| 31 | + "knownRansomwareCampaignUse": "Unknown", |
| 32 | + "notes": "https:\/\/www.connectwise.com\/company\/trust\/security-bulletins\/screenconnect-security-patch-2025.4 ; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-3935", |
| 33 | + "cwes": [ |
| 34 | + "CWE-287" |
| 35 | + ] |
| 36 | + }, |
| 37 | + { |
| 38 | + "cveID": "CVE-2025-35939", |
| 39 | + "vendorProject": "Craft CMS", |
| 40 | + "product": "Craft CMS", |
| 41 | + "vulnerabilityName": "Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability", |
| 42 | + "dateAdded": "2025-06-02", |
| 43 | + "shortDescription": "Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 as represented by CVE-2025-32432.", |
| 44 | + "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", |
| 45 | + "dueDate": "2025-06-23", |
| 46 | + "knownRansomwareCampaignUse": "Unknown", |
| 47 | + "notes": "https:\/\/github.com\/craftcms\/cms\/pull\/17220 ; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-35939", |
| 48 | + "cwes": [ |
| 49 | + "CWE-472" |
| 50 | + ] |
| 51 | + }, |
| 52 | + { |
| 53 | + "cveID": "CVE-2024-56145", |
| 54 | + "vendorProject": "Craft CMS", |
| 55 | + "product": "Craft CMS", |
| 56 | + "vulnerabilityName": "Craft CMS Code Injection Vulnerability", |
| 57 | + "dateAdded": "2025-06-02", |
| 58 | + "shortDescription": "Craft CMS contains a code injection vulnerability. Users with affected versions are vulnerable to remote code execution if their php.ini configuration has `register_argc_argv` enabled.", |
| 59 | + "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", |
| 60 | + "dueDate": "2025-06-23", |
| 61 | + "knownRansomwareCampaignUse": "Unknown", |
| 62 | + "notes": "https:\/\/github.com\/craftcms\/cms\/security\/advisories\/GHSA-2p6p-9rc9-62j9 ; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-56145", |
| 63 | + "cwes": [ |
| 64 | + "CWE-94" |
| 65 | + ] |
| 66 | + }, |
| 67 | + { |
| 68 | + "cveID": "CVE-2023-39780", |
| 69 | + "vendorProject": "ASUS", |
| 70 | + "product": "RT-AX55 Routers", |
| 71 | + "vulnerabilityName": "ASUS RT-AX55 Routers OS Command Injection Vulnerability", |
| 72 | + "dateAdded": "2025-06-02", |
| 73 | + "shortDescription": "ASUS RT-AX55 devices contain a OS command injection vulnerability that could allow a remote, authenticated attacker to execute arbitrary commands.", |
| 74 | + "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", |
| 75 | + "dueDate": "2025-06-23", |
| 76 | + "knownRansomwareCampaignUse": "Unknown", |
| 77 | + "notes": "https:\/\/www.asus.com\/networking-iot-servers\/wifi-6\/all-series\/rt-ax55\/helpdesk_bios\/?model2Name=RT-AX55 ; https:\/\/www.asus.com\/content\/asus-product-security-advisory\/ ; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-39780", |
| 78 | + "cwes": [ |
| 79 | + "CWE-78" |
| 80 | + ] |
| 81 | + }, |
7 | 82 | { |
8 | 83 | "cveID": "CVE-2025-4632", |
9 | 84 | "vendorProject": "Samsung", |
|
0 commit comments