
Overview
The Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities (KEV) Catalog on May 1, 2025, by adding two critical vulnerabilities that have already been exploited in the wild. These updates exemplify the evolving and aggressive cyber threat landscape, impacting both open-source infrastructure and network security appliances widely used in government and private sectors. CISA's KEV Catalog, mandated under Binding Operational Directive 22-01 (BOD 22-01), now lists CVE-2024-38475, an improper output escaping vulnerability in Apache HTTP Server, and CVE-2023-44221, an OS command injection vulnerability affecting SonicWall SMA100 series appliances.
Both vulnerabilities demand immediate attention as they are actively exploited, with significant risks of widespread system compromise. While compliance with patching deadlines is mandatory for U.S. Federal Civilian Executive Branch (FCEB) agencies, CISA strongly urges all organizations to prioritize remediation to defend against these well-known attack vectors.
Background: The KEV Catalog and BOD 22-01
CISA’s Known Exploited Vulnerabilities Catalog was established as a living document to spotlight vulnerabilities with verified active exploitation in the wild, enabling organizations to target their cybersecurity efforts on the most urgent threats. The catalog originated under the Presidential Binding Operational Directive 22-01, which requires federal agencies to remediate cataloged vulnerabilities within strict timelines (usually two weeks).
Beyond federal mandates, the KEV Catalog has become an essential resource for private sector organizations, critical infrastructure providers, and cybersecurity practitioners worldwide. It functions as a tactical guide, helping organizations reduce risk by focusing their patch management on vulnerabilities already leveraged by adversaries, rather than theoretical or unexploited flaws.
Newly Added Vulnerabilities: Technical Details and Risks
1. CVE-2024-38475: Apache HTTP Server Improper Output Escaping Vulnerability
- Description: This vulnerability arises from improper escaping of output in the Apache HTTP Server, one of the most widely deployed web servers globally.
- Technical Impact: Because output is not properly escaped, an attacker can craft input that, depending on server configuration, may lead to arbitrary code execution, data leakage, or cross-site scripting (XSS).
- Exploit Status: Multiple threat intelligence reports confirm active, opportunistic scanning and exploitation shortly after public disclosure.
- Implications: Given Apache HTTP Server’s critical role in hosting websites and applications, exploitation could compromise sensitive user data, disrupt services, or allow attackers to infiltrate deeper into organizational networks.
2. CVE-2023-44221: OS Command Injection in SonicWall SMA100 Appliances
- Description: This vulnerability allows remote unauthenticated attackers to execute arbitrary OS commands through specially crafted requests in the web management interface of SonicWall SMA100 series appliances.
- Technical Impact: Exploiting this vulnerability can lead to full system compromise, eavesdropping on network traffic, manipulation of data flows, or use of the device as a launchpad for further attacks.
- Exploit Status: Active exploitation has been confirmed by CISA and threat intelligence feeds.
- Implications: As SonicWall SMA100 appliances are widely used for secure remote access, this vulnerability poses significant risk to enterprise and critical infrastructure networks if unpatched.
Implications and Broader Impact
The addition of these vulnerabilities to the KEV Catalog reflects increasing adversarial sophistication and the heightened risks organizations face in an interconnected environment. Key implications include:
- Expanding Attack Surface: Both open-source and proprietary critical components are targets, illustrating that no platform or sector is immune.
- Cross-Sector Risk: Organizations from government agencies to private enterprises rely on affected software and hardware, raising the stakes of timely remediation.
- Confirmed Real-World Impact: Historical data shows that vulnerabilities listed in the KEV Catalog are often quickly weaponized in ransomware, espionage, or disruption campaigns.
- Supply Chain and Infrastructure Risks: Compromise in widely deployed infrastructure software or appliances can cascade through supply chains, amplifying impact.
Recommended Actions for Organizations
- Immediate Patch Deployment: Organizations should prioritize patching the affected Apache HTTP Server versions and SonicWall SMA100 appliances using vendor-provided updates without delay.
- Inventory and Risk Assessment: Maintain up-to-date inventories of all internet-facing and internal-facing assets to detect vulnerable instances.
- Integrated Patch Management: Embed KEV Catalog monitoring into existing vulnerability management frameworks, triaging accordingly.
- Compensating Controls: Where patching is temporarily not feasible, implement network segmentation, restrict management interface access, enforce strong authentication, and increase logging and anomaly detection.
- Continuous Monitoring: Deploy intrusion detection and threat intelligence feeds to detect potential exploit attempts.
- User Awareness Training: Engage IT and security teams on the urgency and provide guidelines for proactive mitigation.
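The "Integrated Patch Management" and "Inventory and Risk Assessment" items above can be made concrete. The following is an added example, not code from the article, from CISA, or from either vendor: a small Python script that reads a KEV feed in the shape of CISA's public JSON file, cross-checks it against an asset inventory, and triages each finding by its BOD 22-01 due date. The feed URL is the real public one, but the script never fetches it so that it runs offline; the embedded feed excerpt, its field names, the inventory hosts, exposure tags and due dates are all constructed for illustration and should be replaced with the live feed and your own inventory.

```python
"""Cross-check an asset inventory against a CISA KEV feed and triage by due date.

Added example: the feed URL is CISA's real public feed, but the sample feed,
inventory and due dates below are constructed, not copied from the catalog.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Real public feed location. Fetch it with urllib/requests and pass the text to
# load_kev(); this script does not fetch so that it runs offline.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the public feed (field names are assumed to
# match the feed). Only the two CVEs from the article are listed; the dueDate
# values are illustrative.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-38475",
            "vendorProject": "Apache",
            "product": "HTTP Server",
            "vulnerabilityName": "Apache HTTP Server Improper Escaping of Output Vulnerability",
            "dateAdded": "2025-05-01",
            "dueDate": "2025-05-22",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2023-44221",
            "vendorProject": "SonicWall",
            "product": "SMA100 Appliances",
            "vulnerabilityName": "SonicWall SMA100 Appliances OS Command Injection Vulnerability",
            "dateAdded": "2025-05-01",
            "dueDate": "2025-05-22",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed asset inventory: hostnames, vendor/product tags and exposure are made up.
SAMPLE_INVENTORY = [
    {"host": "www-01.example.internal", "vendor": "Apache", "product": "HTTP Server", "exposure": "internet"},
    {"host": "vpn-gw.example.internal", "vendor": "SonicWall", "product": "SMA100", "exposure": "internet"},
    {"host": "intranet-02.example.internal", "vendor": "F5", "product": "NGINX", "exposure": "internal"},
]


@dataclass
class Finding:
    host: str
    exposure: str
    cve_id: str
    vulnerability_name: str
    due: date
    ransomware_use: str
    days_remaining: int = 0
    status: str = "UNTRIAGED"


def load_kev(feed_text: str) -> list[dict]:
    """Parse feed JSON and return the list of vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]


def _tokens(text: str) -> set[str]:
    return {t for t in text.lower().replace("-", " ").split() if t}


def product_matches(asset: dict, entry: dict) -> bool:
    """Vendor must match exactly (case-insensitive). Product names match when one
    side's word set is contained in the other's, which tolerates KEV suffixes such
    as 'Appliances' without matching unrelated products from the same vendor."""
    if asset["vendor"].lower() != entry["vendorProject"].lower():
        return False
    a, k = _tokens(asset["product"]), _tokens(entry["product"])
    return a <= k or k <= a


def match_assets(kev: list[dict], inventory: list[dict]) -> list[Finding]:
    """Return one Finding per (asset, KEV entry) pair whose vendor/product match."""
    findings: list[Finding] = []
    for asset in inventory:
        for entry in kev:
            if product_matches(asset, entry):
                findings.append(Finding(
                    host=asset["host"],
                    exposure=asset["exposure"],
                    cve_id=entry["cveID"],
                    vulnerability_name=entry["vulnerabilityName"],
                    due=date.fromisoformat(entry["dueDate"]),
                    ransomware_use=entry.get("knownRansomwareCampaignUse", "Unknown"),
                ))
    return findings


def triage(findings: list[Finding], today: date | str, soon_days: int = 7) -> list[Finding]:
    """Set status from the catalog due date: OVERDUE when past due, DUE_SOON within
    soon_days (or whenever ransomware use is 'Known'), else SCHEDULED. The result is
    ordered overdue first, then internet-exposed assets, then nearest due date."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    for f in findings:
        f.days_remaining = (f.due - today).days
        if f.days_remaining < 0:
            f.status = "OVERDUE"
        elif f.days_remaining <= soon_days or f.ransomware_use == "Known":
            f.status = "DUE_SOON"
        else:
            f.status = "SCHEDULED"
    return sorted(findings, key=lambda f: (f.days_remaining >= 0, f.exposure != "internet", f.days_remaining))


def report(findings: list[Finding]) -> list[str]:
    """One line per finding, suitable for a ticket or a daily digest."""
    return [f"{f.status:9} {f.cve_id} {f.host} ({f.exposure}) due {f.due.isoformat()} [{f.days_remaining:+d}d]"
            for f in findings]


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    for line in report(triage(match_assets(kev, SAMPLE_INVENTORY), today="2025-05-20")):
        print(line)
```

In practice the matching step is the weak point: KEV vendor and product strings are free text, so an organization's inventory tags need to be kept aligned with them (or replaced with scanner output keyed directly on CVE IDs). The due-date triage is the part worth automating, since it turns the catalog's deadline into a per-asset queue that a vulnerability management team can work from daily.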
Conclusion
The recent update to CISA’s KEV Catalog acts as a clarion call for organizations to double down on cybersecurity hygiene and patch management. The presence of critical vulnerabilities with active exploitation—especially in ubiquitous technologies like Apache HTTP Server and network security appliances—means the risk of compromise is immediate and real. Organizations must adopt an evidence-driven, proactive remediation approach that aligns with CISA’s guidance and broader cybersecurity best practices.
Failure to act swiftly can lead to severe consequences, including data breaches, business disruption, and cascading infrastructure failures. As CISA reminds us, patching known exploited vulnerabilities is foundational to any robust cyber defense strategy.
References and Further Reading
- CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Apache HTTP Server CVE-2024-38475 Details: NVD - CVE-2024-38475
- SonicWall SMA100 CVE-2023-44221 Advisory: SonicWall Security Advisory
- CISA Advisory on KEV Catalog Updates: Cybersecurity and Infrastructure Security Agency, May 2025