CISA adds Chrome and Sierra Bugs to KEV Catalog

CISA has added two high‑impact vulnerabilities—CVE‑2025‑14174 in Google Chromium and CVE‑2018‑4063 in Sierra Wireless AirLink ALEOS—to the Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild. Under Binding Operational Directive (BOD) 22‑01, Federal Civilian Executive Branch agencies must remediate both by January 2, 2026, while CISA “strongly encourages” all organizations to prioritize them in their patch pipelines.

These two CVEs span very different layers of the stack—a browser graphics engine and industrial/edge gateway firmware—but share a common theme: remotely exploitable flaws being actively abused, with the KEV flag turning them into mandatory patch candidates rather than “patch when convenient” issues.

CVE-2025-14174: Google Chromium ANGLE out-of-bounds

CVE‑2025‑14174 is a high‑severity out‑of‑bounds memory access vulnerability in ANGLE (Almost Native Graphics Layer Engine), the graphics abstraction layer used by Chromium‑based browsers like Google Chrome and Microsoft Edge. The flaw arises from improper buffer sizing in ANGLE’s Metal renderer, where buffer size calculations based on image parameters can be smaller than the actual image height, enabling out‑of‑bounds memory access when processing crafted web content.

Google assigned CVE‑2025‑14174 a CVSS score of 8.8 and acknowledged that exploits already exist in the wild, crediting Apple Security Engineering and Architecture (SEAR) and Google Threat Analysis Group (TAG) for discovery. CISA’s KEV entry describes it as a remotely exploitable bug that allows out‑of‑bounds memory access via a crafted HTML page, which can lead to memory corruption, browser crashes, or, in a realistic worst case, arbitrary code execution in the browser context.

Affected versions and exposure

The vulnerability affects Google Chrome on macOS prior to version 143.0.7499.110, with related fixes also applied to Windows and Linux builds in the same stable channel update 143.0.7499.109/110, and it propagates to other Chromium‑based browsers as they pull in the patched ANGLE code. Any environment that permits users to browse untrusted websites or open untrusted content in Chromium-based browsers is at risk if those browsers have not yet been updated to the patched versions.

Attackers can weaponize the bug using malicious web pages or embedded content that triggers ANGLE’s vulnerable code paths, making it suitable for targeted exploitation, drive‑by attacks, or as a component of a broader exploit chain.

Impact for defenders

For enterprise defenders, CVE‑2025‑14174 fits the pattern of “browser‑based initial access,” where user browsing activity leads to memory corruption and potential code execution on endpoints. In high‑value targets, this sort of bug is often chained with sandbox escapes or privilege escalation vulnerabilities to gain deeper persistence; the active exploitation note and KEV listing suggest it may already be part of sophisticated attack chains.

Systems at particular risk include unmanaged or rarely updated endpoints, VDI images with pinned browser builds, kiosk systems, and macOS fleets where browser patching may lag behind OS patch cycles.

Mitigation and hardening steps

From a practical standpoint, mitigation centers on eliminating vulnerable browser builds and reducing the attack surface they expose:

CVE-2018-4063: Sierra Wireless AirLink ALEOS RCE

CVE‑2018‑4063 is a remote code execution vulnerability in Sierra Wireless AirLink ES450 gateways running ALEOS firmware 4.9.3, specifically in the upload.cgi functionality of the device’s web management interface. The flaw is classified as “unrestricted upload of file with dangerous type,” meaning a remote authenticated attacker can upload a malicious file that ends up being executable by the embedded web server, leading to full code execution on the device.

Research and advisories describe scenarios where a specially crafted HTTP request to upload.cgi allows an attacker to place an executable payload on the device and then route execution to it, effectively compromising the gateway’s OS. CISA lists the issue in KEV as affecting Sierra Wireless AirLink ALEOS deployments and notes active exploitation, which is particularly concerning because these gateways often sit at critical network edges—industrial sites, utilities, transportation, and remote branch locations.

Affected products and firmware scope

The original NVD entry focuses on AirLink ES450 running ALEOS 4.9.3, but Sierra Wireless advisories note that multiple AirLink gateway families running older ALEOS releases are affected by a set of related vulnerabilities reported by Cisco Talos, with remediations delivered in later ALEOS versions. ALEOS 4.9.x and earlier releases across ES450, GX450, and other models are flagged in vendor bulletins as requiring upgrades to fixed firmware lines such as ALEOS 4.9.9 and onward, and a separate bulletin indicates broader ALEOS issues remediated in 4.17 for newer models.

Organizations that still operate legacy AirLink hardware or have not updated ALEOS in several years are the most exposed, particularly when management interfaces are reachable from the internet or untrusted networks.

Exploitation and risk profile

Although CVE‑2018‑4063 requires authenticated access, real‑world exploitation paths include credential theft, password reuse, default credentials, or CSRF‑style tricks where an authenticated admin user is coerced into triggering malicious requests. Once exploited, attackers gain the ability to run arbitrary code on the gateway, which can be used to deploy webshells, pivot into internal networks, intercept or modify traffic, or integrate the device into a botnet or persistent access channel.
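Because the weak point is a management endpoint (upload.cgi) that should only ever be reached from an administrative network, one cheap detection is to review the gateway's web access logs for hits on that endpoint from anywhere else. The script below is an added example written for this article, not Sierra Wireless tooling; the log line format, the management CIDR and the sample lines are all constructed for illustration and must be adapted to whatever your gateways or reverse proxy actually emit.

```python
"""Flag requests to the ALEOS management upload endpoint (upload.cgi) that
originate outside the approved management network.

Added example for the article; log format, management CIDR and sample lines
are constructed (assumptions), not a vendor log format."""
import ipaddress
import re
from typing import Dict, Iterable, List

# Assumption: legitimate administration of the gateways only comes from here.
MGMT_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]

# Endpoints worth alerting on; upload.cgi is the one named in CVE-2018-4063.
SENSITIVE_PATHS = ("/upload.cgi",)

# Assumed common-log-style line:
#   <src_ip> - <user> [<timestamp>] "<METHOD> <path> HTTP/x.y" <status>
LOG_RE = re.compile(
    r'^(?P<src>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample: one legitimate admin upload, two hits from outside the
# management network, one unrelated request and one unparseable line.
SAMPLE_LOG = [
    '10.10.0.5 - admin [10/Dec/2025:09:12:01 +0000] "POST /upload.cgi HTTP/1.1" 200',
    '203.0.113.44 - - [10/Dec/2025:09:15:20 +0000] "GET /login.cgi HTTP/1.1" 200',
    '203.0.113.44 - admin [10/Dec/2025:09:15:33 +0000] "POST /upload.cgi HTTP/1.1" 200',
    '198.51.100.7 - admin [10/Dec/2025:09:16:10 +0000] "GET /upload.cgi?x=1 HTTP/1.1" 200',
    'this line is not an access log entry',
]


def is_management_source(ip: str) -> bool:
    """True if the source address falls inside an approved management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # Unparseable source: treat as untrusted so it is not silently skipped.
        return False
    return any(addr in net for net in MGMT_NETWORKS)


def find_suspicious_uploads(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return every request to a sensitive path whose source is not a management host."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line we understand; a real deployment would count these
        path = m["path"].split("?", 1)[0]  # ignore query string when matching the path
        if not path.endswith(SENSITIVE_PATHS):
            continue
        if is_management_source(m["src"]):
            continue
        findings.append({
            "src": m["src"],
            "user": m["user"],
            "method": m["method"],
            "ts": m["ts"],
            "status": int(m["status"]),
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_uploads(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['method']} upload.cgi as {f['user']} -> {f['status']}")
```

Any hit at all from outside the management range is worth a ticket, whichever HTTP method was used and whatever status came back: a 200 on a POST from an internet address means the authenticated-access precondition has already been met, and a 401 or 403 still shows the endpoint is reachable from where it should not be.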

In OT and critical‑infrastructure environments, compromise of an AirLink gateway can expose SCADA networks, remote telemetry, or VPN‑bridged industrial segments, substantially raising the operational and safety impact of this KEV entry.

Mitigation and hardening steps

Mitigation for CVE‑2018‑4063 has two main components: firmware remediation and architectural hardening.
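For both KEV entries the first remediation step is the same: find every asset still running a build below the fixed version. The script below is an added example written for this article, not CISA's or either vendor's tooling. It compares an inventory of Chrome installs and AirLink gateways against the fixed versions the article cites (Chrome 143.0.7499.110 on macOS, 143.0.7499.109 accepted for Windows and Linux, ALEOS 4.9.9). The inventory format is constructed, and applying the single ALEOS 4.9.9 threshold to every AirLink model is a simplifying assumption; consult the vendor bulletin for the fixed line that applies to each model.

```python
"""Flag inventory entries still below the fixed versions cited for
CVE-2025-14174 (Chromium/ANGLE) and CVE-2018-4063 (Sierra Wireless ALEOS).

Added example for the article; the inventory records are constructed and the
per-model ALEOS threshold is simplified to 4.9.9 for every model (assumption)."""
from typing import Dict, List, Optional, Tuple


def parse_version(s: str) -> Tuple[int, ...]:
    """'143.0.7499.110' -> (143, 0, 7499, 110). Non-numeric suffixes are dropped
    so that strings like '4.9.3a' still compare on their numeric components."""
    parts: List[int] = []
    for piece in s.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


# Fixed version per (product, platform); "*" matches any platform/model.
# Chrome thresholds per the article's stable update 143.0.7499.109/110
# (assumption: .109 accepted as fixed on Windows/Linux, .110 required on macOS).
FIXED: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("chrome", "macos"): ("143.0.7499.110", "CVE-2025-14174"),
    ("chrome", "windows"): ("143.0.7499.109", "CVE-2025-14174"),
    ("chrome", "linux"): ("143.0.7499.109", "CVE-2025-14174"),
    ("aleos", "*"): ("4.9.9", "CVE-2018-4063"),
}

# Constructed inventory: host, product, platform (or gateway model), version.
SAMPLE_INVENTORY = [
    {"host": "mac-101", "product": "chrome", "platform": "macos", "version": "143.0.7499.105"},
    {"host": "win-202", "product": "chrome", "platform": "windows", "version": "143.0.7499.109"},
    {"host": "lnx-303", "product": "chrome", "platform": "linux", "version": "142.0.7444.175"},
    {"host": "gw-es450", "product": "aleos", "platform": "es450", "version": "4.9.3"},
    {"host": "gw-new", "product": "aleos", "platform": "rv50", "version": "4.17.0"},
    {"host": "printer-1", "product": "other", "platform": "*", "version": "1.0"},
]


def lookup_fix(product: str, platform: str) -> Optional[Tuple[str, str]]:
    """Exact (product, platform) match first, then the product-wide '*' entry."""
    return FIXED.get((product, platform)) or FIXED.get((product, "*"))


def assess(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per asset whose installed version is below the fix."""
    findings = []
    for asset in inventory:
        fix = lookup_fix(asset["product"].lower(), asset["platform"].lower())
        if fix is None:
            continue  # product not covered by these two KEV entries
        fixed_version, cve = fix
        if parse_version(asset["version"]) < parse_version(fixed_version):
            findings.append({
                "host": asset["host"],
                "cve": cve,
                "installed": asset["version"],
                "fixed_in": fixed_version,
            })
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"{f['host']}: {f['cve']} installed {f['installed']} < fixed {f['fixed_in']}")
```

Tuple comparison handles the case a naive string compare gets wrong: "4.17.0" sorts above "4.9.9" numerically, and "143.0.7499.105" below "143.0.7499.110". Feed the output into the patch pipeline as the BOD 22-01 remediation list, and re-run it against the ALEOS bulletins for models whose fixed line is not 4.9.9.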
