{
"title": "CISA Warns: Patch Linux Kernel, Android, and Sitecore Now as Active Attacks Confirmed",
"content": "CISA has added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on September 4, 2025, spotlighting a Linux kernel race condition, an Android Runtime flaw, and a dangerous Sitecore deserialization bug. The move triggers urgent remediation deadlines for federal agencies under Binding Operational Directive (BOD) 22-01, but the implications ripple across the private sector, particularly for organizations managing hybrid Windows, Linux, and mobile environments.

The KEV Catalog: A Policy-Driven Mandate

CISA’s KEV Catalog translates threat intelligence into operational priority. Rather than drowning defenders in every CVE, it highlights those with confirmed active exploitation. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate each listed vulnerability by the due date CISA publishes with the catalog entry; the directive’s baseline timelines were two weeks for CVEs assigned in 2021 or later and six months for older ones, but it is the dueDate field carried by each entry in the catalog feed, not a rule of thumb, that an agency is measured against. Yet the directive’s impact extends beyond government networks. Attackers don’t discriminate by industry, and IT teams in healthcare, finance, and critical infrastructure often treat KEV entries as urgent patch triggers.
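The script below is an added example, not code from the article or from CISA. It parses a document in the shape of the public KEV JSON feed (the live feed is at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), lists what was added since a given date, and pairs unpatched assets from a small inventory with the entries that apply to them, reporting days left against the catalog’s own due date. The feed content, due dates, descriptive strings and inventory are all constructed for the example, and the vendor/product matching rule is an assumption you would replace with your CMDB’s own product mapping.

```python
"""Triage CISA KEV catalog entries against an asset inventory.

Added example: not the article's or CISA's code. The feed shape follows the
public KEV JSON (a "vulnerabilities" list whose entries carry cveID,
vendorProject, product, dateAdded, dueDate, ...). Everything below marked
"constructed" is sample data for the example, not copied from the live feed.
"""
import json
from datetime import date

# Constructed sample feed: the two CVEs named in the article. The dueDate and
# requiredAction values are illustrative, not the catalog's real ones.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-38352",
            "vendorProject": "Linux",
            "product": "Kernel",
            "dateAdded": "2025-09-04",
            "dueDate": "2025-09-25",
            "requiredAction": "Apply mitigations per vendor instructions.",
        },
        {
            "cveID": "CVE-2025-48543",
            "vendorProject": "Android",
            "product": "Runtime",
            "dateAdded": "2025-09-04",
            "dueDate": "2025-09-25",
            "requiredAction": "Apply mitigations per vendor instructions.",
        },
    ],
})

# Constructed inventory; "patched" would come from your patch-management data.
SAMPLE_INVENTORY = [
    {"host": "lb-edge-01", "vendorProject": "Linux", "product": "Kernel", "patched": False},
    {"host": "android-fleet-a", "vendorProject": "Android", "product": "Runtime", "patched": True},
    {"host": "dc-01", "vendorProject": "Microsoft", "product": "Windows", "patched": False},
]


def _to_date(d):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def load_kev(feed_text: str) -> dict:
    """Index a KEV feed document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def entries_added_since(kev: dict, since) -> list:
    """Entries whose dateAdded is on or after `since` (what a daily job should act on)."""
    since = _to_date(since)
    return [e for e in kev.values() if date.fromisoformat(e["dateAdded"]) >= since]


def days_until_due(entry: dict, today) -> int:
    """Days left before the catalog's own due date; negative means overdue."""
    return (date.fromisoformat(entry["dueDate"]) - _to_date(today)).days


def triage(kev: dict, inventory: list, today) -> list:
    """Pair each unpatched asset with KEV entries for the same vendor/product.

    The match key (vendorProject, product, case-insensitive) is an assumption;
    a real deployment maps KEV entries onto CPEs or CMDB product IDs instead.
    """
    findings = []
    for asset in inventory:
        if asset["patched"]:
            continue
        key = (asset["vendorProject"].lower(), asset["product"].lower())
        for entry in kev.values():
            if (entry["vendorProject"].lower(), entry["product"].lower()) != key:
                continue
            left = days_until_due(entry, today)
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "days_left": left,
                "status": "OVERDUE" if left < 0 else "DUE",
            })
    findings.sort(key=lambda f: f["days_left"])  # most urgent first
    return findings


if __name__ == "__main__":
    kev = load_kev(SAMPLE_FEED)
    for e in entries_added_since(kev, "2025-09-04"):
        print(e["cveID"], e["vendorProject"], e["product"], "due", e["dueDate"])
    for f in triage(kev, SAMPLE_INVENTORY, "2025-09-10"):
        print(f"{f['status']:8} {f['host']:16} {f['cveID']} ({f['days_left']} days left)")
```

Run it daily against the downloaded feed with today’s date; anything that comes back OVERDUE for an FCEB agency is a directive violation, and for everyone else it is the ticket that should already be open.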

For Windows administrators, these three CVEs demand cross-team coordination. Even if a vulnerability doesn’t directly affect Windows, it can compromise backend Linux servers, Android-based mobile devices, or .NET web platforms like Sitecore. A compromised web server is a natural beachhead for lateral movement into a Windows domain. Thus, KEV entries become incident response triggers across entire technology stacks.

CVE-2025-38352: Linux Kernel TOCTOU Race Condition

CVE-2025-38352 is a time-of-check time-of-use (TOCTOU) race condition in the Linux kernel’s POSIX CPU timers subsystem. The bug surfaces when a task that is exiting has an expiring CPU timer handled at the same time as that timer is being deleted, leaving the kernel with inconsistent timer state and opening the door to privilege escalation or a kernel panic. The upstream fix adds an extra check on the task’s exit state so that an exiting task no longer enters the timer-handling path that races with deletion. According to NVD records the vulnerability has been resolved in upstream kernel trees, but many distributions are still backporting the patch, so an upstream version number alone does not tell you whether a given host is fixed; the distribution’s advisory does.

Why is this in the KEV? CISA confirmed active exploitation but, as usual, did not say where it was observed; cloud and container platforms are a plausible source, since a shared host kernel is exactly what this class of bug threatens. Attackers favour kernel race conditions for local privilege escalation: once they have a foothold as an unprivileged user or inside a container, a kernel bug takes them to root, from where they can disable defenses. Linux kernels underpin countless servers, Android devices, and IoT systems, so the exposure surface is massive. For Windows admins running Linux-based load balancers, network appliances, or WSL 2 instances (whose kernel is shipped and updated by Microsoft rather than by the distribution running inside it), the risk extends inside the perimeter.

Affected systems include any Linux distribution running an unpatched kernel within the vulnerable range, Android devices using such a kernel, and container hosts, where every container shares the host kernel and a container escape becomes a host compromise. Vendors like Red Hat, Ubuntu, and Google have released or are preparing backported fixes. Administrators should apply kernel updates via their distribution’s package manager and then reboot: the new kernel is not running until they do, unless the distribution’s live-patching service covers this fix. Where patching must be delayed, the aim is to keep untrusted code off the host, because a local privilege escalation needs local code execution first: restrict shell and container access, and tighten seccomp profiles and SELinux/AppArmor policies so workloads can reach only the system calls and resources they actually need. These measures reduce who can trigger the bug; they do not remove it.
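Because backported fixes make the upstream version number useless on its own, the practical check is whether the running kernel is at or above the release the vendor advisory names as fixed, compared within the same distribution kernel line. The following Python helper is an added example, not code from the article or any vendor: it parses `uname -r` strings in the forms common distributions print (Ubuntu, RHEL, Debian), refuses to compare across different upstream lines, and also checks an Android security patch level against the 2025-09-05 level the Android section below cites. The hosts and the "fixed" versions in the sample inventory are placeholders constructed for the example; the real fixed version must be taken from your distribution’s advisory, written in the same form `uname -r` prints.

```python
"""Compare running kernel releases and Android patch levels with fixed versions.

Added example, not the article's or a vendor's code. The fixed versions below
are placeholders standing in for the ones in your distribution's advisory.
"""
import re
from typing import NamedTuple


class KernelRelease(NamedTuple):
    upstream: tuple   # e.g. (5, 15, 0) from "5.15.0-153-generic"
    package: tuple    # distro build/ABI revision, e.g. (153,); () if absent
    flavour: str      # whatever follows, e.g. "generic" or "el9_6.x86_64"


# upstream digits, optional "-NNN[.NNN...]" package revision, then the flavour
_RELEASE = re.compile(r"^(?P<up>\d+(?:\.\d+)+)(?:[-+](?P<pkg>\d+(?:\.\d+)*))?(?P<rest>.*)$")


def parse_release(release: str) -> KernelRelease:
    """Split a `uname -r` string into comparable parts."""
    m = _RELEASE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    upstream = tuple(int(x) for x in m.group("up").split("."))
    package = tuple(int(x) for x in m.group("pkg").split(".")) if m.group("pkg") else ()
    return KernelRelease(upstream, package, m.group("rest").lstrip("-.+"))


def kernel_is_fixed(running: str, fixed: str) -> bool:
    """True if `running` is at or above `fixed` within the same kernel line.

    Distributions backport fixes into their own revision numbers, so only the
    package revision of the *same* upstream major.minor line is comparable;
    "5.15.x" versus a "6.1.y" advisory says nothing about a backport, so that
    raises. Give `fixed` in the same form `uname -r` prints (for RHEL the full
    release with errata digits, for Ubuntu the ABI number plus flavour).
    """
    r, f = parse_release(running), parse_release(fixed)
    if r.upstream[:2] != f.upstream[:2]:
        raise ValueError(f"{running!r} and {fixed!r} are different kernel lines; check the advisory")
    return (r.upstream, r.package) >= (f.upstream, f.package)


def android_patch_level_ok(level: str, required: str = "2025-09-05") -> bool:
    """ro.build.version.security_patch is YYYY-MM-DD, so ISO strings compare as dates."""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", level):
        raise ValueError(f"unrecognised patch level: {level!r}")
    return level >= required


# Constructed inventory. The "fixed"/"required" values are placeholders, not
# taken from any advisory; replace them with the ones your vendor publishes.
SAMPLE_ASSETS = [
    {"host": "lb-edge-01", "kind": "linux", "release": "5.15.0-140-generic", "fixed": "5.15.0-153-generic"},
    {"host": "ci-runner-02", "kind": "linux", "release": "5.14.0-570.49.1.el9_6.x86_64", "fixed": "5.14.0-570.49.1.el9_6.x86_64"},
    {"host": "legacy-app-03", "kind": "linux", "release": "4.18.0-553.el8_10.x86_64", "fixed": "5.15.0-153-generic"},
    {"host": "android-fleet-a", "kind": "android", "patch_level": "2025-08-05", "required": "2025-09-05"},
    {"host": "android-fleet-b", "kind": "android", "patch_level": "2025-09-05", "required": "2025-09-05"},
]


def assess(assets: list) -> dict:
    """Return {host: "fixed" | "vulnerable" | "unknown: <reason>"}."""
    result = {}
    for a in assets:
        try:
            if a["kind"] == "linux":
                ok = kernel_is_fixed(a["release"], a["fixed"])
            elif a["kind"] == "android":
                ok = android_patch_level_ok(a["patch_level"], a["required"])
            else:
                raise ValueError(f"unsupported asset kind {a['kind']!r}")
            result[a["host"]] = "fixed" if ok else "vulnerable"
        except ValueError as exc:
            # an unknown is a finding too: someone has to read the advisory
            result[a["host"]] = f"unknown: {exc}"
    return result


if __name__ == "__main__":
    for host, status in assess(SAMPLE_ASSETS).items():
        print(f"{host:16} {status}")
```

A host that comes back "unknown" is not safe, only unclassified: a mismatched line usually means an asset is running a kernel nobody has an advisory for, which is its own finding.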

CVE-2025-48543: Android Runtime Elevation of Privilege

The second KEV entry, CVE-2025-48543, affects the Android Runtime (ART), the managed environment that executes Java and Kotlin apps. Google classifies it as an elevation-of-privilege vulnerability and, as is usual for bugs under active exploitation, has published few technical details. The September 2025 Android Security Bulletin ships the fix and reports indications of limited, targeted exploitation.

ART vulnerabilities are particularly dangerous because they can let a malicious app escape its sandbox. A malicious app, or a legitimate one whose exported component is abused through intent redirection, could hijack device functions, access sensitive data, or drop deeper payloads. For enterprises managing Android fleets, the attack vector could be a sideloaded app or a phishing message tricking a user into installing a trojanized application. The proliferation of Android devices in the enterprise, often enrolled in Microsoft Intune and joined to Microsoft Entra ID (formerly Azure AD), makes this a cross-platform priority.

Mitigation starts with updating devices to the 2025-09-05 or later security patch level. Organizations should use Mobile Device Management (MDM) to enforce updates and block installation from unknown sources. Also, monitor for unusual app behavior, such as unexpected permission requests or repeated crashes of system processes, which might