Three Major Vulnerabilities Added to CISA’s KEV Catalog

In a critical update for network defenders and security professionals, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added three significant vulnerabilities—CVE-2020-24363, CVE-2025-55177, and CVE-2025-57819—to its Known Exploited Vulnerabilities (KEV) catalog. This move underscores the high risk and active exploitation observed in the wild, requiring organizations to take urgent patching and mitigation actions to defend against real-world attacks.

CVE-2020-24363: TP-Link TL-WA855RE Critical Authentication Flaw

CVE-2020-24363 impacts TP-Link’s TL-WA855RE Wi-Fi extender (V5 and specific firmware versions). The flaw allows an unauthenticated attacker on the local network to trigger a factory reset of the device by sending a specially crafted request. Once reset, the device reverts to default credentials, giving the attacker complete administrative control and the ability to hijack network traffic or launch further attacks. This vulnerability is highly critical because it bypasses all authentication and is trivial to exploit with basic network access.

CVE-2025-55177: WhatsApp’s Zero-Click iOS & Mac Attack

CVE-2025-55177 affects Meta’s WhatsApp, specifically targeting iOS and macOS versions prior to 2.25.21.73 (for iOS) and 2.25.21.78 (for Mac and Business). The vulnerability arises from incomplete authorization checks on linked device synchronization messages. Attackers exploited this in zero-click attacks: no user action, such as tapping a message, was required for compromise.

Reports show the bug was exploited in combination with an Apple zero-day (CVE-2025-43300) to deliver sophisticated spyware, targeting fewer than 200 individuals—including civil society and human rights defenders. Meta and Apple both issued emergency patches, but successful attacks were observed within the last 90 days. Targeted users received direct notifications from WhatsApp, and all users are urged to update their apps and devices immediately.

CVE-2025-57819: Sangoma FreePBX Authentication Bypass

CVE-2025-57819 targets the Sangoma FreePBX platform, a widely used open-source telephone system. Security researchers documented exploits that allow unauthorized attackers to bypass authentication controls, potentially taking over voice infrastructure or eavesdropping on calls. This vulnerability has also been observed in the field and is now subject to mandatory patching timelines for U.S. federal agencies and strongly recommended for all organizations operating FreePBX environments.

What does CISA KEV inclusion mean?

The addition of these vulnerabilities to the KEV catalog means they are being actively exploited by threat actors, making them top priorities for remediation across both public and private sectors. CISA’s KEV catalog acts as an authoritative source for vulnerabilities requiring immediate attention, and entities bound by the Binding Operational Directive 22-01 must implement mitigations within specific, often short, deadlines to remain compliant.
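To turn a KEV listing into a remediation queue, a defender typically cross-references the catalog feed against an asset inventory and flags entries whose BOD 22-01 due date has passed. The following is an added example (not from the original post or from CISA): the JSON field names follow CISA's published KEV feed, but the entries, due dates and inventory are constructed placeholders, not the real catalog records for these CVEs.

```python
"""Triage a CISA KEV feed export against a local asset inventory.

Added example, not from the original post. The JSON shape (cveID,
vendorProject, product, dueDate) follows CISA's KEV feed; the entries,
dates and inventory below are CONSTRUCTED placeholders.
"""
import json
from datetime import date

# Constructed KEV excerpt: real feed field names, placeholder values.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2020-24363", "vendorProject": "TP-Link",
     "product": "TL-WA855RE", "dueDate": "2025-09-22"},
    {"cveID": "CVE-2025-55177", "vendorProject": "Meta",
     "product": "WhatsApp", "dueDate": "2025-09-22"},
    {"cveID": "CVE-2025-57819", "vendorProject": "Sangoma",
     "product": "FreePBX", "dueDate": "2025-09-22"},
]})

# Constructed inventory: asset name -> list of (vendor, product) pairs.
INVENTORY = {
    "pbx-01": [("Sangoma", "FreePBX")],
    "mdm-fleet": [("Meta", "WhatsApp"), ("Apple", "iOS")],
    "fileserver": [("Microsoft", "Windows")],
}


def load_kev(raw):
    """Index KEV entries by (vendorProject, product), case-insensitive."""
    index = {}
    for entry in json.loads(raw)["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        index.setdefault(key, []).append(entry)
    return index


def triage(raw, inventory, today_iso):
    """Return [(asset, cveID, dueDate, overdue)] for every inventory match,
    sorted so the soonest due date (and then asset name) comes first."""
    index = load_kev(raw)
    today = date.fromisoformat(today_iso)
    hits = []
    for asset, products in inventory.items():
        for vendor, product in products:
            for entry in index.get((vendor.lower(), product.lower()), []):
                due = date.fromisoformat(entry["dueDate"])
                hits.append((asset, entry["cveID"], entry["dueDate"], today > due))
    return sorted(hits, key=lambda h: (h[2], h[0]))


if __name__ == "__main__":
    for row in triage(KEV_JSON, INVENTORY, "2025-09-30"):
        print(row)
```

With the constructed data, the TP-Link entry produces no hit because nothing in the inventory matches it, while the FreePBX and WhatsApp assets are both reported as overdue.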

Conclusion

CVE-2020-24363, CVE-2025-55177, and CVE-2025-57819 represent urgent security concerns with proof of exploitation and high impact on affected environments. Organizations should immediately check for exposure, apply vendor patches, and review CISA’s KEV catalog regularly for ongoing updates and deadlines. Zero-click attacks and authentication bypasses underscore the importance of proactive monitoring and rapid response.

Stay vigilant, update software, and prioritize these vulnerabilities to minimize your attack surface and defend against modern threats.
