CISA KEV Catalog Update Part V – March 2025

The Cybersecurity and Infrastructure Security Agency (CISA) has added vulnerabilities in Juniper Networks’ Junos OS and Apple products to its Known Exploited Vulnerabilities (KEV) Catalog, signaling their active exploitation in real-world cyberattacks. This catalog highlights vulnerabilities known to be actively targeted by malicious actors, urging organizations to prioritize patching to mitigate the associated risks.

Juniper Networks’ Junos OS Vulnerabilities

Key Vulnerability: CVE-2025-21590

• Type: Improper Isolation or Compartmentalization.
• Affected Component: Junos OS Kernel.
• Description:
• This vulnerability stems from a flaw in the isolation mechanisms within the kernel of Junos OS, the operating system that powers many of Juniper Networks’ enterprise network devices.
• Attackers with high privileges can exploit this vulnerability to compromise the device’s integrity and execute arbitrary code.
• Exploitation Evidence:
• The vulnerability has been actively exploited by advanced persistent threat (APT) groups, notably UNC3886, a group with demonstrated expertise in Junos OS internals.
• Attackers have used compromised credentials to access the Junos OS Command Line Interface (CLI), escalate to the FreeBSD shell (used by Junos OS), and inject malicious code into trusted processes.
• Exploitation has included tampering with logs and forensic evidence, allowing attackers to maintain stealth and persistence on compromised devices.
• Impact:
• Device Takeover: Attackers can gain complete control of Junos OS network devices, giving them the ability to modify configurations, disrupt network operations, and monitor traffic.
• Infrastructure Risk: Since Junos OS is widely used in critical infrastructure, this vulnerability poses a severe risk to industries such as telecommunications, finance, and government.
• Operational Disruption: Exploited devices may introduce vulnerabilities into broader network environments, creating pathways for further attacks.

Mitigation Strategies for Junos OS Vulnerabilities:

Patch Deployment:

• Apply the latest updates and security patches provided by Juniper Networks to address CVE-2025-21590. Refer to the Juniper Security Advisory (JSA93446) for patching details and recommendations.

Access Control Enhancements:

• Restrict access to the Junos OS CLI and administrative interfaces to trusted and authorized personnel.
• Enforce multi-factor authentication (MFA) for all privileged accounts.

Network Monitoring:

• Deploy advanced monitoring tools to detect unusual activity or unauthorized access attempts on Junos OS devices.
• Audit system logs regularly to identify potential tampering or other signs of compromise.

Segmentation:

• Isolate critical network devices running Junos OS in their own segments, reducing the risk of lateral movement by attackers.

Apple Vulnerabilities

Key Vulnerability: CVE-2025-24201

• Type: Out-of-Bounds Write.
• Affected Component: WebKit (the browser engine used by Safari and other Apple applications).
• Description:
  • This vulnerability allows attackers to craft malicious web content that bypasses Web Content sandbox protections. Exploitation can lead to remote code execution (RCE), enabling attackers to execute arbitrary code on a victim’s device.
  • Attackers typically deliver the exploit via malicious websites or links embedded in phishing emails or messages.
• Affected Apple Products:
• iPhones: iPhone XS and newer models.
• iPads: iPad 7th generation and later, iPad Air 3rd generation and later, iPad mini 5th generation and later, and all iPad Pro models.
• Mac Computers: Devices running macOS Sequoia.
• Apple Vision Pro: Devices powered by visionOS.
• Exploitation Evidence:
  • This vulnerability has been actively exploited in targeted attacks against high-profile individuals and organizations, likely as part of advanced persistent threat (APT) campaigns.
  • Attackers have leveraged this flaw to gain access to sensitive data, execute malicious payloads, and infiltrate enterprise networks through compromised devices.
• Impact:
  • Device Takeover: Exploitation allows attackers to gain full control of affected devices, bypassing user permissions.
  • Data Theft: Sensitive user data, such as credentials, private communications, and proprietary files, can be exfiltrated.
  • System Compromise: Exploited devices can be used as launching points for further attacks on connected networks.

Mitigation Strategies for Apple Vulnerabilities:

Update Apple Devices:

• Install the latest software updates released by Apple to address CVE-2025-24201:
  • iOS 18.3.2 and iPadOS 18.3.2.
  • macOS Sequoia 15.3.2.
  • visionOS 2.3.2.
  • Safari 18.3.1.
• Navigate to Settings > General > Software Update (for iPhones and iPads) or System Preferences > Software Update (for Macs) to install these patches.

Enhance Safe Browsing Practices:

• Avoid visiting suspicious or untrusted websites.
• Be cautious of clicking on links from unknown sources, especially those sent via email or text messages.

Monitor Devices:

• Use endpoint security solutions to detect unusual activity or unauthorized changes to device configurations.
• Regularly review browsing activity and network logs for signs of exploitation attempts targeting WebKit vulnerabilities.

CISA’s KEV Catalog: Implications

The inclusion of these vulnerabilities in the Known Exploited Vulnerabilities (KEV) Catalog carries significant implications:

• Active Exploitation: The catalog confirms these vulnerabilities are actively being used by malicious actors in real-world attacks, emphasizing the urgency of remediation.
• Mandatory Action for Federal Agencies: Under Binding Operational Directive (BOD) 22-01, federal agencies are required to remediate these vulnerabilities by the specified deadlines. Failure to comply could leave organizations exposed to cyberattacks.
• Broader Industry Impacts: CISA strongly recommends that all organizations, not just federal entities, prioritize patching these vulnerabilities to protect against exploitation.

Recommendations for Organizations

Proactively Patch and Secure Systems:

• Deploy all recommended patches for both Junos OS and Apple devices without delay.
• Regularly review vendor advisories for updates on additional vulnerabilities or workarounds.

Strengthen Access Controls:

• Implement strict access controls for administrative interfaces on network devices and Apple systems.
• Require multi-factor authentication (MFA) for all privileged accounts.

Enhance Network and Endpoint Monitoring:

• Use Security Information and Event Management (SIEM) tools to track potential Indicators of Compromise (IoCs).
• Monitor devices and network traffic for anomalies or unauthorized connections to devices running vulnerable software.

Educate Users and Administrators:

• Conduct awareness training on identifying phishing attempts and avoiding suspicious web links.
• Train IT teams on secure device management practices to reduce risks from misconfigurations.

Adopt Cyber Hygiene Practices:

• Regularly rotate critical credentials, especially for network devices.
• Perform periodic vulnerability assessments to identify and address security gaps.

Final Thoughts

The addition of Juniper Networks’ Junos OS vulnerabilities and Apple’s WebKit flaws to CISA’s KEV catalog highlights the critical need for organizations to remain vigilant against actively exploited vulnerabilities. These security gaps, if left unaddressed, could lead to widespread data breaches, operational disruptions, and heightened risks to critical infrastructure.

Proactively applying patches, enhancing access controls, and implementing comprehensive monitoring strategies are essential steps in mitigating these risks. Organizations that act swiftly to address these vulnerabilities will significantly improve their resilience to cyber threats.