
CISA Flags Apple, Craft CMS, Laravel Bugs in KEV, Orders Patching by April 3, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added five security flaws impacting Apple, Craft CMS, and Laravel Livewire to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch them by April 3, 2026.

The vulnerabilities that have come under active exploitation are listed below –

  • CVE-2025-31277 (CVSS score: 8.8) – A vulnerability in Apple WebKit that could lead to memory corruption when processing maliciously crafted web content. (Fixed in July 2025)
  • CVE-2025-43510 (CVSS score: 7.8) – A memory corruption vulnerability in Apple's kernel component that could allow a malicious application to cause unexpected changes in memory shared between processes. (Fixed in December 2025)
  • CVE-2025-43520 (CVSS score: 8.8) – A memory corruption vulnerability in Apple's kernel component that could allow a malicious application to cause unexpected system termination or write kernel memory. (Fixed in December 2025)
  • CVE-2025-32432 (CVSS score: 10.0) – A code injection vulnerability in Craft CMS that could allow a remote attacker to execute arbitrary code. (Fixed in April 2025)
  • CVE-2025-54068 (CVSS score: 9.8) – A code injection vulnerability in Laravel Livewire that could allow unauthenticated attackers to achieve remote command execution in specific scenarios. (Fixed in July 2025)
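For defenders, the practical follow-up to a KEV addition is checking whether any owned asset runs an affected product and how much time remains before the remediation deadline. The script below is an added example and is not part of the original article or of CISA's tooling. It assumes the feed uses the field names of CISA's public known_exploited_vulnerabilities.json schema (cveID, vendorProject, product, shortDescription, dueDate); the abbreviated KEV sample and the asset inventory are constructed for illustration, with the five CVE IDs and the April 3, 2026 due date taken from the article and the product names chosen by the author of this example.

```python
import json
from datetime import date

# Constructed, abbreviated sample in the shape of CISA's KEV JSON feed.
# Field names follow the public known_exploited_vulnerabilities.json schema
# (an assumption of this example); CVE IDs and dueDate come from the article,
# descriptions are paraphrased, and the product strings are illustrative.
SAMPLE_KEV_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-2025-31277", "vendorProject": "Apple", "product": "WebKit",
     "shortDescription": "Memory corruption when processing crafted web content",
     "dueDate": "2026-04-03"},
    {"cveID": "CVE-2025-43510", "vendorProject": "Apple", "product": "Kernel",
     "shortDescription": "Memory corruption in memory shared between processes",
     "dueDate": "2026-04-03"},
    {"cveID": "CVE-2025-43520", "vendorProject": "Apple", "product": "Kernel",
     "shortDescription": "Memory corruption allowing kernel memory write",
     "dueDate": "2026-04-03"},
    {"cveID": "CVE-2025-32432", "vendorProject": "Craft CMS", "product": "Craft CMS",
     "shortDescription": "Code injection leading to remote code execution",
     "dueDate": "2026-04-03"},
    {"cveID": "CVE-2025-54068", "vendorProject": "Laravel", "product": "Livewire",
     "shortDescription": "Code injection leading to remote command execution",
     "dueDate": "2026-04-03"}
  ]
}
"""

# Constructed asset inventory (hostnames and vendor/product pairs are made up).
SAMPLE_INVENTORY = [
    {"host": "web-01", "vendor": "Craft CMS", "product": "Craft CMS"},
    {"host": "app-02", "vendor": "Laravel", "product": "Livewire"},
    {"host": "db-03", "vendor": "PostgreSQL", "product": "PostgreSQL"},
]


def load_kev(json_text):
    """Parse a KEV-format JSON document and return its vulnerability entries."""
    return json.loads(json_text)["vulnerabilities"]


def match_inventory(kev_entries, inventory):
    """Join inventory assets to KEV entries on (vendor, product), case-insensitively.

    Matching on vendor/product alone is deliberately coarse: it over-reports
    rather than under-reports, and a version check would refine it later.
    """
    findings = []
    for asset in inventory:
        key = (asset["vendor"].lower(), asset["product"].lower())
        for entry in kev_entries:
            if (entry["vendorProject"].lower(), entry["product"].lower()) == key:
                findings.append({
                    "host": asset["host"],
                    "cveID": entry["cveID"],
                    "dueDate": entry["dueDate"],
                })
    return findings


def triage(findings, today_iso, urgent_window_days=7):
    """Bucket findings by days remaining until the KEV remediation due date.

    today_iso is an ISO date string (e.g. "2026-03-30") so callers need not
    construct date objects; negative days_left means the deadline has passed.
    """
    today = date.fromisoformat(today_iso)
    buckets = {"overdue": [], "urgent": [], "scheduled": []}
    for finding in findings:
        days_left = (date.fromisoformat(finding["dueDate"]) - today).days
        record = {**finding, "days_left": days_left}
        if days_left < 0:
            buckets["overdue"].append(record)
        elif days_left <= urgent_window_days:
            buckets["urgent"].append(record)
        else:
            buckets["scheduled"].append(record)
    return buckets


if __name__ == "__main__":
    entries = load_kev(SAMPLE_KEV_JSON)
    hits = match_inventory(entries, SAMPLE_INVENTORY)
    for bucket, items in triage(hits, "2026-03-30").items():
        for item in items:
            print(f"{bucket:9s} {item['host']:8s} {item['cveID']} "
                  f"due {item['dueDate']} ({item['days_left']} days left)")
```

Run against the live feed by replacing SAMPLE_KEV_JSON with the downloaded catalog and SAMPLE_INVENTORY with a CMDB export; the urgent window is a parameter so teams with a shorter internal SLA than the federal deadline can tighten it.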

The addition of the three Apple vulnerabilities to the KEV catalog comes in the wake of reports from Google Threat Intelligence Group (GTIG), iVerify, and Lookout about an iOS exploit kit codenamed DarkSword that leverages these shortcomings, along with three other bugs, to deploy various malware families like GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER for data theft.

CVE-2025-32432 is assessed to have been exploited as a zero-day by unknown threat actors since February 2025, per Orange Cyberdefense SensePost. Since then, an intrusion set tracked as Mimo (aka Hezb) has also been observed exploiting the vulnerability to deploy a cryptocurrency miner and residential proxyware.

Rounding off the list is CVE-2025-54068, whose exploitation was recently flagged by the Ctrl-Alt-Intel Threat Research team as part of attacks mounted by the Iranian state-sponsored hacking group MuddyWater (aka Boggy Serpens).

In a report published earlier this week, Palo Alto Networks Unit 42 called out the adversary's consistent targeting of diplomatic and critical infrastructure entities, including energy, maritime, and finance, across the Middle East and other strategic targets worldwide.


"While social engineering remains its defining trait, the group is also growing its technological capabilities," Unit 42 said. "Its diverse toolset includes AI-enhanced malware implants that incorporate anti-analysis techniques for long-term persistence. This combination of social engineering and rapidly developed tools creates a potent threat profile."

"To support its large-scale social engineering campaigns, Boggy Serpens uses a custom-built, web-based orchestration platform," Unit 42 said. "This tool enables operators to automate mass email delivery while maintaining granular control over sender identities and target lists."

Attributed to the Iranian Ministry of Intelligence and Security (MOIS), the group is primarily focused on cyber espionage, although it has also been linked to disruptive operations targeting the Technion Israel Institute of Technology by adopting the DarkBit ransomware persona.

One of the defining hallmarks of MuddyWater's tradecraft has been the use of hijacked accounts belonging to legitimate government and corporate entities in its spear-phishing attacks, and the abuse of trusted relationships to evade reputation-based blocking mechanisms and deliver malware.


In a sustained campaign targeting an unnamed national marine and energy company in the U.A.E. between August 16, 2025, and February 11, 2026, the threat actor is said to have carried out four distinct waves of attack, resulting in the deployment of various malware families, including GhostBackDoor and Nuso (aka HTTP_VIP). Some of the other notable tools in the threat actor's arsenal include UDPGangster and LampoRAT (aka CHAR).

"Boggy Serpens' recent activity exemplifies a maturing threat profile, as the group integrates its established methodologies with sophisticated mechanisms for operational persistence," Unit 42 said. "By diversifying its development pipeline to include modern coding languages like Rust and AI-assisted workflows, the group creates parallel tracks that ensure the redundancy needed to sustain a high operational tempo."
