
Overview
CISA added five vulnerabilities to its Known Exploited Vulnerabilities catalog on March 20, 2026, with a remediation due date of April 3, 2026 for all entries. The batch spans three Apple ecosystem flaws, one critical Craft CMS remote code execution vulnerability, and one Laravel Livewire code injection flaw — with notable Iranian threat actor attribution on the Laravel entry. All five confirm active exploitation in the wild and trigger mandatory remediation obligations under BOD 22-01 for FCEB agencies.
The Five CVEs — Technical Breakdown
CVE-2025-31277 — Apple Multiple Products Buffer Overflow (CVSS 8.8 / High)
CVE-2025-31277 is a buffer overflow vulnerability affecting Apple Safari, iOS, watchOS, visionOS, iPadOS, macOS, and tvOS, where processing maliciously crafted web content may lead to memory corruption. The issue was fixed in Safari 18.6, watchOS 11.6, visionOS 2.6, iOS 18.6 and iPadOS 18.6, and macOS Sequoia 15.6.
The web content delivery vector is what makes this operationally dangerous at scale. No installation, no elevated privileges — a malicious web page is sufficient to trigger the memory corruption primitive. In a threat model context, this is the kind of flaw that commercial surveillance vendors and nation-state actors weaponize first: low interaction requirement, broad device surface, and kernel-adjacent memory corruption as the downstream outcome.
CVE-2025-43510 — Apple Multiple Products Improper Locking (CWE-667)
CVE-2025-43510 affects Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS, and contains an improper locking vulnerability that could allow a malicious application to cause unexpected changes in memory shared between processes.
Inter-process memory tampering via locking failures is a well-understood privilege escalation vector. A malicious app — whether sideloaded, delivered via phishing, or masquerading as a legitimate app store listing — can exploit race conditions in shared memory regions to elevate privileges or corrupt adjacent process data. The breadth of affected platforms (every major Apple OS) means this is not an edge-case scenario but a systemic exposure across the entire Apple device fleet.
CVE-2025-43520 — Apple Multiple Products Classic Buffer Overflow (Kernel Write)
CVE-2025-43520 affects Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS, and contains a classic buffer overflow vulnerability that could allow a malicious application to cause unexpected system termination or write kernel memory.
Kernel memory write capability is the highest-value primitive in iOS/macOS exploitation. Once an attacker can write arbitrary data to kernel memory, all user-space security controls — sandboxing, SIP, entitlement enforcement — become ineffective. This is the class of vulnerability that underpins persistent implant installation, the kind seen in Pegasus-grade spyware deployments. The combination of CVE-2025-43510 (inter-process memory tampering) and CVE-2025-43520 (kernel write) suggests a potential two-stage privilege escalation chain within the Apple ecosystem.
CVE-2025-32432 — Craft CMS Code Injection / Remote Code Execution (CVSS 10.0 / Critical)
CVE-2025-32432 is a code injection vulnerability in Craft CMS that allows a remote attacker to execute arbitrary code, with a CVSS score of 10.0. The vulnerability affects versions from 3.0.0-RC1 up to but not including 3.9.15, from 4.0.0-RC1 up to but not including 4.14.15, and from 5.0.0-RC1 up to but not including 5.6.17; it has been patched in versions 3.9.15, 4.14.15, and 5.6.17.
CVE-2025-32432 resides in a built-in image transformation feature. An unauthenticated user can send a POST request to the endpoint responsible for image transformation and the data within the POST is interpreted by the server. For the exploit to function across all Craft CMS versions, the threat actor needs to find a valid asset ID.
The real-world exploitation picture is sobering. As of April 18, 2025, an estimated 13,000 vulnerable Craft CMS instances were identified, out of which nearly 300 were allegedly compromised. The attack chain documented by Orange Cyberdefense’s SensePost team shows threat actors chaining CVE-2025-32432 with CVE-2024-58136 (a Yii framework input validation flaw) — uploading a PHP file manager to the target system, renaming it to blend in as a legitimate file, and using it as a persistent backdoor from which to exfiltrate data.
If suspicious POST requests to the actions/assets/generate-transform endpoint are found in firewall or web server logs with the string __class in the body, the site has at least been scanned for this vulnerability — though this is not confirmation of compromise, only of probing activity.
CVE-2025-54068 — Laravel Livewire Code Injection / Remote Command Execution (CVSS 9.2 / Critical)
CVE-2025-54068 is a code injection vulnerability in Laravel Livewire that could allow unauthenticated attackers to achieve remote command execution in specific scenarios, with a due date of April 3, 2026.
The vulnerability affects Livewire versions from 3.0.0-beta.1 up to 3.6.3, and stems from how certain component property updates are hydrated. During the hydration process — which synchronizes client-side state with server-side properties on each request — a specially crafted update payload can bypass validation and sanitization steps, causing the framework to interpret untrusted input as executable code.
The Iranian threat actor attribution is the intelligence standout here. CISA’s KEV notes reference a ThreatHunter.ai blog post documenting Iranian threat actor tools, techniques, and IOCs as the source linking CVE-2025-54068 to active exploitation. This moves the Laravel Livewire flaw out of opportunistic criminal exploitation territory and into the nation-state threat model — specifically relevant for organizations in sectors targeted by Iranian APT groups including defense, energy, financial services, and government.
The Exploitation Intelligence Thread
What makes this March 20 batch analytically significant is the multi-layer attack surface it represents across a very common enterprise web and mobile stack:
The three Apple CVEs (CVE-2025-31277, CVE-2025-43510, CVE-2025-43520) form a potential progression — browser-based memory corruption for initial access, inter-process memory tampering for privilege escalation, and kernel memory write for persistent implant installation. This is not coincidental clustering; Apple-platform exploitation chains consistently follow this progression.
The Craft CMS and Laravel Livewire flaws (CVE-2025-32432, CVE-2025-54068) target the web application tier, with unauthenticated RCE as the shared characteristic. Organizations running both in the same environment — not uncommon for digital agencies, e-commerce platforms, and corporate marketing infrastructure — face a compounded exposure where web server compromise can be achieved without any credential access whatsoever.
The Iranian attribution on CVE-2025-54068 combined with the sophisticated targeted-attack language on the Apple CVEs points toward a threat landscape where advanced actors are specifically hunting these unauthenticated and low-interaction primitives for initial access into high-value environments.
Governance and Compliance Context
All five entries carry an April 3, 2026 remediation deadline under BOD 22-01 for FCEB agencies. For private sector organizations, the KEV confirmation creates implicit obligations under NIST CSF ID.RA-1 (asset vulnerability identification) and RS.MI-3 (newly identified vulnerabilities are mitigated). Cyber insurance carriers increasingly audit KEV patch status as a condition of coverage and a factor in post-breach liability determinations.
Organizations with Craft CMS or Laravel Livewire in their web stack who have not patched should treat this as a Priority 1 incident response scenario — not a scheduled patch cycle item — given that unauthenticated RCE with CVSS 10.0 and Iranian nation-state exploitation confirmation leaves no room for deferred action.
Recommended Defensive Actions
For Apple device fleets: verify MDM telemetry confirms all managed endpoints running Safari 18.6, iOS/iPadOS 18.6, macOS Sequoia 15.6, watchOS 11.6, visionOS 2.6, and tvOS 18.6. BYOD devices not meeting minimum OS versions should be blocked from corporate resource access immediately.
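The MDM version check above is easy to get wrong with string comparison ("18.10" sorts below "18.6" as text). The following is an added example, not code from the original advisory or from any MDM vendor: it triages a constructed inventory export against the minimum fixed versions listed above and sorts unpatched BYOD devices into a block list, as recommended. The inventory format and field names are assumptions.

```python
from typing import Dict, List, Tuple

# Minimum fixed versions named in the advisory, keyed by platform.
MIN_VERSIONS = {
    "Safari": "18.6", "iOS": "18.6", "iPadOS": "18.6", "macOS": "15.6",
    "watchOS": "11.6", "visionOS": "2.6", "tvOS": "18.6",
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '18.6.1' into (18, 6, 1). Numeric comparison matters:
    compared as strings, '18.10' < '18.6', which would miss a patched device."""
    parts = []
    for p in v.strip().split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def is_compliant(platform: str, version: str) -> bool:
    """True when the reported OS version is at or above the fixed version."""
    minimum = MIN_VERSIONS.get(platform)
    if minimum is None:
        return False  # unknown platform: fail closed so it gets reviewed
    a, b = parse_version(version), parse_version(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))

def triage(inventory: List[Dict]) -> Dict[str, List[str]]:
    """Bucket devices into 'patched', 'patch' (managed, needs update) and
    'block' (BYOD below minimum, to be cut off from corporate resources)."""
    out = {"patched": [], "patch": [], "block": []}
    for d in inventory:
        if is_compliant(d["platform"], d["os_version"]):
            out["patched"].append(d["id"])
        elif d.get("byod"):
            out["block"].append(d["id"])
        else:
            out["patch"].append(d["id"])
    return out

# Constructed MDM export (assumed format); device ids and versions are made up.
INVENTORY = [
    {"id": "mac-01", "platform": "macOS", "os_version": "15.6", "byod": False},
    {"id": "iph-02", "platform": "iOS", "os_version": "18.10", "byod": False},
    {"id": "iph-03", "platform": "iOS", "os_version": "18.5.1", "byod": True},
    {"id": "ipd-04", "platform": "iPadOS", "os_version": "17.7", "byod": False},
    {"id": "wtc-05", "platform": "watchOS", "os_version": "11.6.1", "byod": False},
]

if __name__ == "__main__":
    print(triage(INVENTORY))
```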
For Craft CMS: upgrade to 3.9.15, 4.14.15, or 5.6.17 as appropriate. Conduct log review for POST requests to the actions/assets/generate-transform endpoint with __class in the body. If evidence of probing exists, assume potential compromise: refresh security keys, rotate database credentials, and force password resets for all users. Review all web server writable directories for unexpected PHP files — particularly any files that have been renamed to mimic legitimate framework filenames.
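The log review described here and in the CVE-2025-32432 section (POST to actions/assets/generate-transform with __class in the body) can be scripted. The following is an added example, not code from the advisory or from Craft CMS: it scans a constructed JSON-lines request log from a reverse proxy or WAF that records request bodies (plain web server access logs usually do not), and it URL-decodes path and body first so a percent-encoded marker is not missed. The log format is an assumption.

```python
import json
from urllib.parse import unquote_plus

ENDPOINT = "actions/assets/generate-transform"
MARKER = "__class"

def is_craft_probe(entry: dict) -> bool:
    """True when a request matches the CVE-2025-32432 probing pattern:
    a POST to the generate-transform action whose body contains __class.
    A match shows scanning, not confirmed compromise."""
    if entry.get("method", "").upper() != "POST":
        return False
    # Decode once so a percent-encoded path or body cannot slip past a literal match.
    path = unquote_plus(entry.get("path", ""))
    body = unquote_plus(entry.get("body", ""))
    return ENDPOINT in path and MARKER in body

def flag_craft_probes(log_text: str) -> list:
    """Return the flagged entries (line number, source IP, path) from a
    JSON-lines log; malformed lines are skipped rather than aborting review."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_craft_probe(entry):
            hits.append({"line": lineno, "ip": entry.get("ip"), "path": entry.get("path")})
    return hits

# Constructed sample log (assumed format); IPs are documentation ranges and the
# parameter values are placeholders, not a real payload.
SAMPLE_LOG = """\
{"ip":"203.0.113.10","method":"POST","path":"/index.php?p=actions/assets/generate-transform","body":"assetId=1&handle[__class]=PLACEHOLDER"}
{"ip":"198.51.100.7","method":"POST","path":"/actions/assets/generate-transform","body":"assetId=2&handle%5B%5F%5Fclass%5D=PLACEHOLDER"}
{"ip":"192.0.2.5","method":"POST","path":"/actions/assets/generate-transform","body":"assetId=3&handle[width]=300"}
{"ip":"192.0.2.6","method":"GET","path":"/index.php?p=actions/assets/generate-transform","body":""}
not valid json
"""

if __name__ == "__main__":
    for hit in flag_craft_probes(SAMPLE_LOG):
        print(hit)
```

Lines 1 and 2 are flagged (the second only because of URL decoding); the ordinary transform request and the GET are not.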
For Laravel Livewire: upgrade to version 3.6.4 or later. Audit component property hydration logic in custom implementations. Restrict outbound egress from web application servers as a compensating control. Given the Iranian threat actor link, organizations in high-risk sectors should conduct a full threat hunt for Livewire-adjacent IOCs referenced in the ThreatHunter.ai advisory.
Across all five: implement WAF rules targeting the specific exploitation signatures, enable anomaly detection on outbound requests from web servers, and add KEV-specific alerting to your vulnerability management workflow to ensure future additions are actioned within 72 hours rather than on a standard patch cycle.
Conclusion
The March 20, 2026 KEV batch is a practitioner-grade signal that advanced threat actors — including Iranian state-linked groups — are actively weaponizing vulnerabilities across the Apple device ecosystem and the PHP web application stack. Two unauthenticated, critical-severity RCE flaws in widely deployed open-source platforms, combined with three Apple OS flaws spanning browser memory corruption to kernel write primitives, represent a complete attack surface from endpoint to web server. The remediation clock is running. Patch, hunt, and audit — in that order.