
CISA adds vulnerabilities in Sitecore CMS and the Reviewdog GitHub Action to its Known Exploited Vulnerabilities (KEV) catalog
1. Sitecore CMS Vulnerabilities
CISA has added two critical vulnerabilities in the widely used Sitecore Content Management System (CMS) to the KEV catalog. Both are unsafe-deserialization flaws in the Sitecore.Security.AntiCSRF module: the component that is supposed to protect the application against Cross-Site Request Forgery (CSRF) accepts a serialized .NET object in the anti-CSRF token it receives from the client (the __CSRFTOKEN POST parameter) and deserializes it before validating it, so the protection mechanism itself becomes a code-execution entry point.
- CVE-2019-9874:
- Nature of the Vulnerability: A critical deserialization flaw that lets an unauthenticated, remote attacker execute arbitrary code on the Sitecore server.
- Attack Vector: The attacker sends an HTTP POST whose anti-CSRF token value is a maliciously crafted serialized .NET object. The AntiCSRF module deserializes the value before checking it, so the attacker's payload runs regardless of whether the token would have been accepted; no CSRF "bypass" is needed, the deserialization itself is the problem.
- Impact: Unauthenticated full compromise of the Sitecore instance, and from there of any data and back-end systems the web server can reach.
- Mitigation: Upgrade to a fixed Sitecore release or apply the vendor's fix for the AntiCSRF module. Input validation is not a substitute: the only safe handling of an attacker-supplied token is to never deserialize it at all. Until patched, limit internet exposure of affected instances and review web server logs for POST requests carrying unexpectedly large or binary-looking __CSRFTOKEN values.
- CVE-2019-9875:
- Nature of the Vulnerability: The same unsafe deserialization in the AntiCSRF module, reachable on a different code path that requires the attacker to be authenticated.
- Attack Vector: An attacker holding a valid (even low-privileged) Sitecore session submits a crafted serialized .NET object in the anti-CSRF token, and the module deserializes it and executes the embedded payload.
- Impact: Authentication raises the bar but does not remove the risk: a compromised or phished content-editor account, or a disgruntled insider, is enough to obtain code execution on the server, escalate to full control and reach sensitive data.
- Mitigation: The same upgrade or vendor fix applies. Administrators should also reduce the pool of accounts that can reach the affected endpoints, enforce MFA on CMS logins, and audit which users hold editing or administrative roles.
Under Binding Operational Directive (BOD) 22-01, CISA requires federal civilian agencies to remediate these vulnerabilities by April 16, 2025. Private organizations should treat the KEV listing the same way: it means these flaws are being exploited in the wild, and a public-facing Sitecore instance is a direct path into business-critical workflows.
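To make the design lesson behind both Sitecore CVEs concrete, here is an added example in Python (an illustration written for this page, not Sitecore's .NET code). Python's pickle stands in for a .NET serializer: the "legacy" verifier deserializes the anti-CSRF token before it compares anything, so a crafted token executes attacker-chosen code whether or not it would have validated; the hardened verifier treats the token as an opaque HMAC-bound string and only ever performs string comparison. The server key, session identifier and the environment-variable "side channel" used to prove that code ran are all assumptions of the demo.

```python
"""Deserialized-object anti-CSRF tokens vs. opaque HMAC tokens.

Added example, not Sitecore's code. pickle stands in for a .NET serializer.
"""
import base64
import hashlib
import hmac
import os
import pickle
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)    # assumed per-deployment secret
FLAG_VAR = "CSRF_DEMO_EXECUTED"         # assumed marker the demo sets to observe execution


# ---- legacy pattern: the token IS a serialized object ----------------------

def legacy_issue_token(session_id: str) -> str:
    """Token = base64(serialized object holding the session id)."""
    payload = {"session_id": session_id, "issued": time.time()}
    return base64.b64encode(pickle.dumps(payload)).decode()


def legacy_verify_token(token: str, session_id: str) -> bool:
    # The unsafe step: untrusted bytes are deserialized first. Any callable
    # referenced by the payload runs here, before the comparison below.
    obj = pickle.loads(base64.b64decode(token))
    return isinstance(obj, dict) and obj.get("session_id") == session_id


# ---- attacker side: a payload whose deserialization executes code ----------

class Gadget:
    """Unpickling this object calls exec() on attacker-chosen source."""
    def __reduce__(self):
        # Harmless stand-in for a real payload (which would spawn a process):
        # set an environment variable so the demo can prove code ran.
        return (exec, (f"import os; os.environ['{FLAG_VAR}'] = '1'",))


def craft_malicious_token() -> str:
    return base64.b64encode(pickle.dumps(Gadget())).decode()


# ---- hardened pattern: opaque token bound to the session by an HMAC --------

def issue_token(session_id: str) -> str:
    issued = str(int(time.time()))
    mac = hmac.new(SERVER_KEY, f"{session_id}|{issued}".encode(), hashlib.sha256).hexdigest()
    return f"{issued}.{mac}"


def verify_token(token: str, session_id: str, max_age: int = 3600) -> bool:
    """Pure string handling: the token is never parsed as an object."""
    parts = token.split(".")
    if len(parts) != 2 or not parts[0].isdigit():
        return False
    issued, mac = parts
    if int(time.time()) - int(issued) > max_age:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}|{issued}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)   # constant-time comparison only


def demo() -> dict:
    """Run both verifiers against a valid and a malicious token; report what executed."""
    sid = "session-42"
    results = {}
    os.environ.pop(FLAG_VAR, None)
    results["legacy_valid"] = legacy_verify_token(legacy_issue_token(sid), sid)
    results["legacy_malicious"] = legacy_verify_token(craft_malicious_token(), sid)
    results["legacy_executed"] = FLAG_VAR in os.environ      # True: code ran before the check
    os.environ.pop(FLAG_VAR, None)
    results["hardened_valid"] = verify_token(issue_token(sid), sid)
    results["hardened_malicious"] = verify_token(craft_malicious_token(), sid)
    results["hardened_executed"] = FLAG_VAR in os.environ    # False: nothing was deserialized
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the legacy verifier does reject the malicious token (it is not a valid token object), yet the damage is already done by the time the comparison runs. That is the property shared by both Sitecore CVEs: correctness of the CSRF check is irrelevant once untrusted data has been fed to a general-purpose deserializer.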
2. Reviewdog GitHub Action Vulnerability
The second entry is associated with Reviewdog, a popular tool for automated code review in development pipelines. Reviewdog integrates with GitHub Actions to post inline review comments and run quality checks during CI/CD workflows. A compromised release of one of its Actions exposed every pipeline that pulled it to serious risk.
- CVE-2025-30154:
- Nature of the Vulnerability: A software-supply-chain compromise of the reviewdog/action-setup GitHub Action. The mutable v1 tag was pointed at a version containing injected malicious code, so any workflow that referenced reviewdog/action-setup@v1 during the exposure window executed that code inside its own CI/CD job.
- Attack Vector: The injected code harvested the secrets available to the runner, such as API tokens, cloud provider keys and private keys, and wrote them into the job's output, where anyone able to read the workflow logs (for public repositories, everyone) could collect them. These credentials are routinely stored in CI/CD pipelines to automate deployments and integrate with external services, which makes the runner a high-value target.
- Impact: The compromise not only threatens the integrity of development pipelines but also opens avenues for larger-scale attacks on an organization’s infrastructure, including lateral movement and data exfiltration.
- Mitigation:
- Reference third-party Actions by full commit SHA rather than by a mutable tag or branch: a tag such as @v1 resolves to whatever commit its owner (or an attacker who controls the repository) points it at, whereas a 40-character SHA cannot be moved.
- Treat every secret that was present in a job that ran the compromised version as exposed: rotate it, and search the affected workflow logs for the encoded dump so the scope of exposure is known.
- Store credentials in a managed secrets store such as AWS Secrets Manager or Azure Key Vault, prefer short-lived, scoped tokens (for example OIDC-federated cloud credentials) over long-lived keys, and enforce regular rotation.
- Update to a clean version of the Reviewdog Actions, and continuously monitor third-party dependencies, including which Actions an organization's workflows are allowed to use.
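A first check a practitioner will want after this incident is an inventory of every `uses:` reference in the organization's workflows that is not pinned to a full commit SHA. The script below is an added example written for this page, not reviewdog's or GitHub's code: it walks the lines of a workflow file, extracts each remote Action reference, and reports those that point at a tag, branch or abbreviated SHA. The embedded workflow is a constructed sample (the action names other than reviewdog/action-setup and the placeholder SHA are made up for the demo), and the heuristic that treats a 7 to 39 character hex string as an abbreviated SHA is an assumption of this script.

```python
"""Report GitHub Actions 'uses:' references that are not pinned to a full commit SHA.

Added example, not reviewdog's or GitHub's code.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Heuristic (assumption): a shorter all-hex ref is an abbreviated SHA, which is
# not an immutable pin. A branch that happens to be named with hex digits would
# also be flagged, which errs on the safe side.
SHORT_SHA = re.compile(r"^[0-9a-f]{7,39}$")
# Matches "- uses: owner/repo@ref" or 'uses: "owner/repo@ref"', ignoring a trailing comment.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")


def split_action_ref(spec: str) -> Optional[Tuple[str, str]]:
    """Return (action, ref) for a remote action; None for local ('./x') or docker:// actions."""
    if spec.startswith("./") or spec.startswith("docker://"):
        return None
    if "@" not in spec:
        return (spec, "")            # no ref at all; report it rather than guess
    action, ref = spec.rsplit("@", 1)
    return (action, ref)


def classify_ref(ref: str) -> Optional[str]:
    """Return None when ref is an immutable pin, otherwise a short reason string."""
    if FULL_SHA.match(ref):
        return None
    if not ref:
        return "missing ref"
    if SHORT_SHA.match(ref):
        return "abbreviated SHA; pin the full 40-character commit SHA"
    return "mutable tag or branch; whoever can move it controls what the job runs"


def find_unpinned(workflow_text: str) -> List[Dict[str, object]]:
    """Scan one workflow file's text and list every non-SHA-pinned remote Action."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        parsed = split_action_ref(m.group(1))
        if parsed is None:
            continue
        action, ref = parsed
        reason = classify_ref(ref)
        if reason:
            findings.append({"line": lineno, "action": action, "ref": ref, "reason": reason})
    return findings


# Constructed sample workflow. The SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder full SHA
      - uses: reviewdog/action-setup@v1
      - name: local composite action
        uses: ./.github/actions/lint
      - uses: "example-org/deploy-helper@main"
      - uses: docker://alpine:3.19
      - uses: example-org/notify@abcdef1
"""


if __name__ == "__main__":
    # Usage: python pin_check.py .github/workflows/*.yml   (no args: scan the sample)
    paths = sys.argv[1:]
    sources = [(p, open(p, encoding="utf-8").read()) for p in paths] or [("<sample>", SAMPLE_WORKFLOW)]
    total = 0
    for name, text in sources:
        for f in find_unpinned(text):
            total += 1
            print(f"{name}:{f['line']}: {f['action']}@{f['ref']}: {f['reason']}")
    sys.exit(1 if total else 0)
```

Run against the sample, the script flags reviewdog/action-setup@v1 (line 8), example-org/deploy-helper@main (line 11) and example-org/notify@abcdef1 (line 13) and leaves the SHA-pinned checkout, the local action and the docker:// image alone. Note that a `# v1.2.3` comment after a SHA is the conventional way to keep the pin readable, and tools such as Dependabot can then update the SHA when a new release appears.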
This incident underscores the growing threat posed by supply chain attacks in DevOps environments, where continuous integration runs external code with access to the organization's secrets. Developers and security teams should treat third-party Actions as untrusted code: pin them, restrict which ones may be used, give jobs only the permissions they need, and periodically audit pipeline configurations.
Broader Implications
The inclusion of these vulnerabilities in CISA’s KEV catalog serves as a stark reminder of the evolving threat landscape. Attackers are increasingly targeting both commercial off-the-shelf software (COTS) like Sitecore and developer-centric tools like GitHub Actions. These incidents highlight the critical need for:
Proactive Vulnerability Management:
- Continuous monitoring of sources like CISA’s KEV catalog to stay updated on known threats.
- Prioritization of patching in alignment with exploit likelihood and organizational impact.
Supply Chain Security:
- Implementing SBOMs (Software Bill of Materials) to enhance visibility into software dependencies.
- Verifying and securing third-party integrations.
Compliance with Standards:
- Federal agencies are already required to comply with CISA’s timelines for remediation.
- Private-sector entities are encouraged to adopt similar frameworks to bolster security postures.