CISA Adds Apple and TP-Link Vulnerabilities to KEV Catalog

On June 16, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) expanded its Known Exploited Vulnerabilities (KEV) Catalog by adding two high-risk vulnerabilities — one affecting Apple devices and the other targeting TP-Link routers. These additions signify active exploitation in the wild, making immediate remediation a top priority, particularly for federal agencies bound by Binding Operational Directive (BOD) 22-01.

1. CVE-2025-43200 – Apple Ecosystem Zero-Click Exploit

⚠️ Vulnerability Summary:

  • CVE ID: CVE-2025-43200
  • Impact: Memory corruption leading to remote code execution (RCE)
  • Affected Platforms:
    • iOS, iPadOS
    • macOS
    • watchOS
    • visionOS

🛠️ How It Works:

This is a zero-click vulnerability—meaning the victim doesn’t have to interact with the payload. Attackers exploit flaws in how Apple devices process malicious photos or videos shared via iCloud Links. These media files can be weaponized to execute arbitrary code, enabling full device takeover.

🎯 Real-World Exploitation:

  • Threat actors, including state-sponsored groups, have exploited this vulnerability to deploy spyware like Paragon’s Graphite via apps such as iMessage.
  • The attack chain is stealthy and persistent, often bypassing user detection and traditional security tools.

🛡️ Mitigation Guidance:

  • Apple released fixes across its ecosystem (e.g., iOS 18.3.1 in February 2025).
  • Action required: Update all Apple devices to the latest firmware.
  • CISA compliance deadline: July 7, 2025 (for federal agencies).

2. CVE-2023-33538 – TP-Link Routers Command Injection

⚠️ Vulnerability Summary:

  • CVE ID: CVE-2023-33538
  • Impact: Remote command injection leading to unauthorized access or full compromise
  • Affected Models:
    • TP-Link TL-WR940N (Versions V2, V4)
    • TL-WR841N (Versions V8, V10)
    • TL-WR740N (Versions V1, V2)

🛠️ How It Works:

The vulnerability lies in the web management interface at the path /userRpm/WlanNetworkRpm. Unsanitized input allows attackers to inject system commands via crafted HTTP requests. Once successful, this enables remote code execution, which can be chained to deploy malware, create backdoors, or enslave devices into botnets.

🎯 Real-World Exploitation:

  • Observed in the wild for botnet recruitment (e.g., Mirai variants) and network pivoting attacks.
  • Often used in automated internet-wide scans that seek vulnerable TP-Link devices with exposed admin panels.
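The two passages above (unsanitized input reaching /userRpm/WlanNetworkRpm, and scans hunting for exposed admin panels) translate into two simple log checks. The following is an added example written for this post, not code from CISA, TP-Link or the advisory: it parses common-log-format access lines, flags shell operators in values submitted to that path, and flags any hit on the admin page from outside an assumed LAN range (192.168.0.0/24); the sample log lines are constructed.

```python
import re
import ipaddress
from urllib.parse import parse_qsl, unquote

ADMIN_PATH = "/userRpm/WlanNetworkRpm"  # the one detail taken from the advisory
LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed site LAN; adjust to your network
# Shell operators foreign to a Wi-Fi settings value; a lone '&' stays allowed ("Cafe & Bar").
SHELL_META = re.compile(r"[;|`\n]|&&|\$\(")
# Common-log-format line: source, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def analyse_request(src, target):
    """Return finding labels for one request to the router's web UI (empty if benign)."""
    path, _, query = target.partition("?")
    if path != ADMIN_PATH:
        return []
    findings = []
    # parse_qsl splits on '&' and decodes once; unquote again to catch double-encoded input.
    for _, value in parse_qsl(query, keep_blank_values=True):
        if SHELL_META.search(unquote(value)):
            findings.append("command-injection-pattern")
            break
    # The admin page should only ever be reached from inside the LAN.
    try:
        if ipaddress.ip_address(src) not in LAN:
            findings.append("admin-ui-reached-from-outside-lan")
    except ValueError:
        pass  # source field is not an IP address; keep only the injection check
    return findings

def scan_log(lines):
    """Parse access-log lines and return (src, ts, target, findings) for flagged requests."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyse_request(m["src"], m["target"])
        if findings:
            flagged.append((m["src"], m["ts"], m["target"], findings))
    return flagged

# Constructed sample lines using RFC 5737 documentation addresses, not captured traffic.
SAMPLE_LOG = [
    '192.168.0.20 - - [16/Jun/2025:10:01:02 +0000] "GET /userRpm/WlanNetworkRpm?ssid=HomeNet&channel=6 HTTP/1.1" 200 512',
    '198.51.100.7 - - [16/Jun/2025:10:05:44 +0000] "GET /userRpm/WlanNetworkRpm?ssid=HomeNet%3Bid HTTP/1.1" 200 512',
    '203.0.113.5 - - [16/Jun/2025:10:09:13 +0000] "POST /userRpm/WlanNetworkRpm?ssid=%2524%2528id%2529 HTTP/1.1" 200 512',
    '192.168.0.21 - - [16/Jun/2025:10:12:00 +0000] "GET /userRpm/WlanNetworkRpm?ssid=Cafe%20%26%20Bar HTTP/1.1" 200 512',
]
```

Running `scan_log(SAMPLE_LOG)` flags only the two requests from outside the LAN, each carrying a shell operator after decoding; the LAN-side requests, including the SSID containing a single ampersand, pass.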

🛡️ Mitigation Guidance:

  • Patch Availability: Varies by model; TP-Link may not support older hardware.
  • Action required:
    • Apply the latest firmware update if available.
    • If unsupported: discontinue use and replace the hardware.
  • CISA compliance deadline: July 7, 2025

✅ Action Plan for Security Teams

  • Apple
    • Key actions: Update all iPhones, iPads, Macs, Apple Watches, and Vision Pro devices to the latest security patches.
    • Deadline: July 7, 2025
  • TP-Link
    • Key actions: Update firmware or replace outdated router models. Disable remote web access if possible.
    • Deadline: July 7, 2025

🔐 Final Thoughts

These additions to CISA’s KEV list are not speculative—they reflect confirmed, real-world attacks. Apple’s zero-click exploit represents a severe risk to privacy and national security, while the TP-Link router flaw leaves homes and small businesses exposed to botnets and espionage.

Ignoring these threats can result in:

  • Unauthorized surveillance
  • Persistent network access by adversaries
  • Involvement in criminal botnets
  • Violation of regulatory mandates (especially for federal entities)

Security teams must prioritize these vulnerabilities immediately to ensure full compliance and prevent compromise.
