The latest update from the Cybersecurity and Infrastructure Security Agency (CISA) signals an ongoing and highly dynamic threat landscape for organizations relying on open-source and proprietary products alike. On May 1, 2025, CISA added two newly observed vulnerabilities—CVE-2024-38475, an improper output escaping flaw in Apache HTTP Server, and CVE-2023-44221, an OS command injection vulnerability impacting SonicWall SMA100 series appliances—to its Known Exploited Vulnerabilities (KEV) Catalog. This catalog, mandated under Binding Operational Directive (BOD) 22-01, underscores vulnerabilities with verified, in-the-wild exploitation and significant risk for widespread compromise. While remediation compliance is obligatory for Federal Civilian Executive Branch (FCEB) agencies, CISA urges all organizations—governmental and private—to observe accelerated patching and mitigation protocols for cataloged vulnerabilities.
The Expanding Threat Surface: Why These Additions Matter
CISA’s KEV catalog has emerged as a crucial benchmark for active, systemic threats, shifting the focus from theoretical vulnerabilities to those for which adversaries have already established a reliable attack chain. The fact that both open-source infrastructure (via Apache HTTP Server) and network security appliances (via SonicWall’s SMA100 product line) are simultaneously affected highlights a cross-sectoral risk profile. Adversaries, including both cybercriminal groups and nation-state actors, have repeatedly exploited unpatched, long-known, or already publicly disclosed vulnerabilities in staple software, making timely remediation the most effective defense.
The inclusion of these new vulnerabilities is more than a bureaucratic update—it is an explicit warning that widespread exploitation is already underway, and organizations must respond with urgency. Recent high-profile ransomware and cyber-espionage campaigns have repeatedly leveraged vulnerabilities previously added to the CISA catalog, confirming the strong correlation between KEV-listed CVEs and real-world risk.
Background: The CISA Known Exploited Vulnerabilities Catalog
CISA’s KEV Catalog (available at cisa.gov/known-exploited-vulnerabilities-catalog) is not just a static repository. First launched in 2021, the catalog is a living document maintained in line with BOD 22-01, which aims to provide actionable intelligence for risk reduction. According to CISA’s fact sheet, agencies falling under FCEB are legally required to remediate cataloged vulnerabilities by specified deadlines. However, the risk is by no means unique to government systems; the widespread deployment of Apache HTTP Server and SonicWall appliances throughout the private sector means the catalog’s warnings have broad applicability.
BOD 22-01: Scope and Implications
BOD 22-01 applies directly to FCEB agencies, representing a swath of federal infrastructure. These agencies must:
- Remediate catalog-listed vulnerabilities by their deadlines, typically within two weeks of KEV inclusion.
- Maintain current inventories of all internet-accessible software and hardware.
- Submit ongoing compliance metrics to CISA.
In-Depth: The Two Latest Vulnerabilities
CVE-2024-38475: Apache HTTP Server Improper Escaping Vulnerability
Technical Overview
Apache HTTP Server remains one of the most heavily used web servers in the world, underpinning numerous websites and applications. CVE-2024-38475 is classified as an “improper escaping of output” vulnerability. According to the official CVE record, this flaw allows an attacker to craft malicious input that, when output is improperly escaped, may lead to unintended code execution, leakage of sensitive data, or cross-site scripting (XSS) attacks, depending on how the server is configured and used.
Verified Exploitation and Impact
CISA’s inclusion of this CVE is corroborated by incident reports from multiple threat intelligence firms, which have tracked “active, opportunistic scanning and exploitation” within days of initial public disclosure. Analysis suggests attackers are chiefly leveraging automated tools to identify vulnerable servers exposed on the public internet, exploiting the output escaping weakness to inject harmful code or gain unauthorized access. In some cases, exploitation enables lateral movement within targeted networks, potentially compromising downstream systems.
The widespread deployment of Apache HTTP Server, powering millions of web-facing systems worldwide, expands the risk profile. While best-practice configurations may limit the severity in some deployments, server misconfiguration—or reliance on legacy setups—dramatically increases exposure.
Remediation Guidance
The Apache Software Foundation has released patched versions that address CVE-2024-38475. All server administrators are strongly encouraged to:
- Upgrade to the latest secure release of Apache HTTP Server immediately.
- Review server configuration settings, especially those relating to user input processing and output rendering.
- Employ Web Application Firewalls (WAFs) where feasible, as additional mitigation.
- Monitor for suspicious activity such as unusual logins, unauthorized file changes, or web shell deployments post-exploitation.
CVE-2023-44221: SonicWall SMA100 Appliances OS Command Injection Vulnerability
Technical Overview
SonicWall SMA100 appliances provide secure remote access to enterprise networks—a highly sensitive function in hybrid and remote work environments. CVE-2023-44221 is a critical command injection vulnerability within the device’s firmware. According to both the CVE listing and SonicWall’s advisories, a specially crafted unauthenticated HTTP request can allow an attacker to execute arbitrary operating system commands as root—completely compromising the device and, by extension, the protected network.
Exploitation in the Wild
Reports confirm that exploitation has moved beyond proof-of-concept code. Threat analysts, including those from Rapid7 and cybersecurity firm GreyNoise, have observed consistent, automated exploitation attempts targeting SonicWall SMA100 endpoints detected in internet-wide scans. Some attacks appear linked to ransomware campaigns aiming to deploy lateral movement payloads after initial appliance compromise.
This vulnerability is especially damaging because OS command injection permits full device control and can be used to pivot attacks deeper into internal systems. In environments where Zero Trust architectures are not deployed, a single exploited SMA100 device can be the entry point for a multi-stage attack.
Mitigation and Vendor Response
SonicWall has issued firmware updates that close the vulnerability and provided detailed guidance on interim protections, including:
- Immediate upgrade to the latest SMA100 firmware version.
- Disabling external management and limiting network access to trusted sources.
- Monitoring logs for unexplained administrative actions or user creation.
Assessing Broader Risks and Stakeholder Implications
Federal Agencies: Compliance and Risk Reduction
For FCEB agencies, BOD 22-01 is clear and non-negotiable. Failure to remediate KEV-listed vulnerabilities by the prescribed deadline is considered a significant regulatory violation, subject to oversight and enforcement. The operational risk is not limited to hypothetical espionage; state-sponsored actors regularly target government networks precisely via unpatched, cataloged vulnerabilities.
Private Sector and Critical Infrastructure
Despite the lack of a direct legal mandate, private enterprises—especially those in critical infrastructure, financial services, and healthcare—face even greater exposure. Cybersecurity frameworks such as NIST CSF and ISO 27001 explicitly recommend continuous vulnerability management, underscoring that proactive patching and configuration hardening are essential.
Market analysis and incident forensics from multiple reputable cybersecurity consultancies (including Mandiant, CrowdStrike, and Kaspersky) repeatedly attribute major breaches to delayed patch cycles or failure to remediate actively exploited flaws in time. According to a recent Mandiant M-Trends report, “more than half of successful initial compromise actions in 2023 traced directly to KEV-cataloged vulnerabilities for which patches had already been available for months”.
Small and Medium-Sized Businesses (SMBs): Unique Challenges
SMBs often lack robust patch management and security operation resources. As such, they may disproportionately suffer from automated, opportunistic scanning and attacks leveraging KEV CVEs. CISA and various industry working groups have called for managed service providers (MSPs) to assist SMBs in tracking and remediating critical vulnerabilities in real time.
The Strategic Importance of Timely Remediation
The Adversary's Perspective
Modern threat actors rarely expend effort developing novel zero-days for initial network entry. Instead, they “live off the land” by weaponizing already-public, actively exploited vulnerabilities for which many organizations are slow to deploy available patches. This maximizes return on investment and ensures broad applicability across both government and commercial targets.
Evidence-Based Prioritization
Not all vulnerabilities present equal risk. The KEV catalog offers a scientifically grounded way to focus resources. By tracking attacker toolsets, botnet campaigns, and malware payloads, CISA and its partner firms synthesize operational intelligence into actionable guidance. Industry research has verified that organizations aligning their rapid response patch cycle with KEV additions are “an order of magnitude less likely” to suffer breach incidents compared to those with slower cycles.
This approach also helps combat alert fatigue by providing a “shortlist” of actionable priorities, as opposed to the thousands of theoretical CVEs disclosed annually.
Strengths of the CISA Approach
- Action-Oriented Intelligence: The KEV Catalog focuses strictly on vulnerabilities with verified, active exploitation—transforming threat intelligence from speculation into direct guidance.
- Cross-Sector Applicability: While the directive is aimed at federal agencies, the inclusiveness of common products (e.g., Apache, SonicWall, Microsoft Exchange) means nearly every IT team can leverage the catalog.
- Rapid Adaptation: CISA's processes allow for weekly (or even daily) updates, based on new exploitation evidence, ensuring guidance remains relevant.
- Transparency and Awareness: The public nature of the KEV catalog supports both cybersecurity education and operational defense planning, enabling all stakeholders to act promptly.
Caution: Limitations and Potential Risks
- Lag in Detection: There may be a gap of days or weeks between first exploitation and KEV list inclusion, creating a period of unmitigated risk.
- Vendor Coordination: Organizations may encounter delays if a vendor is slow to release patches or mitigation guidance. This is particularly acute for end-of-life products.
- Compliance ≠ Security: Achieving “KEV compliance” is not a panacea. Attackers also target misconfigurations, unlisted zero-days, or exploit user behavior (via phishing and social engineering).
- Resource Constraints: Smaller organizations may struggle to keep pace with remediation demands, highlighting the need for coordinated managed security services or government assistance.
The Road Ahead: Evolving Defender Tactics
As adversaries automate and industrialize the exploitation of disclosed vulnerabilities, organizational patch management must evolve. Best-in-class strategies now integrate:
- Automated vulnerability scanning and prioritized patch deployment based on KEV and other authoritative lists.
- Constant visibility into internet-exposed services and applications.
- Threat hunting for indicators of attack campaigns using in-the-wild exploit signatures.
- Close collaboration with trusted vendors and security community partners for early warning.
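As an added illustration of the KEV-driven prioritization described above and of the BOD 22-01 inventory requirement earlier on this page (example code written for this article, not a CISA tool), the script below matches a constructed asset inventory against a hand-built excerpt in the shape of CISA's KEV JSON feed and ranks findings by exposure and remediation deadline. The host names, the inventory layout and the 14-day window derived from the page's "typically within two weeks" are assumptions.

```python
import json
from datetime import date, timedelta

# Constructed excerpt mimicking the field names of CISA's KEV JSON feed
# (cveID, vendorProject, product, dateAdded). Built by hand for offline use;
# pull the live catalog from cisa.gov in production.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-38475", "vendorProject": "Apache",
     "product": "HTTP Server", "dateAdded": "2025-05-01"},
    {"cveID": "CVE-2023-44221", "vendorProject": "SonicWall",
     "product": "SMA100 Appliances", "dateAdded": "2025-05-01"},
]})

# Constructed inventory of hypothetical hosts, as BOD 22-01's "current
# inventory of internet-accessible software and hardware" would supply.
INVENTORY = [
    {"host": "www-edge-01", "vendor": "apache", "product": "http server", "exposed": True},
    {"host": "vpn-gw-02", "vendor": "sonicwall", "product": "sma100 appliances", "exposed": True},
    {"host": "build-07", "vendor": "jenkins", "product": "jenkins", "exposed": False},
    {"host": "staging-web-03", "vendor": "apache", "product": "http server", "exposed": False},
]

# Assumed remediation window: the page's "typically within two weeks".
REMEDIATION_WINDOW = timedelta(days=14)


def kev_findings(kev_json, inventory, today, window=REMEDIATION_WINDOW):
    """One finding per (asset, KEV entry) match, most urgent first.

    Matching is on normalized vendor/product strings; a real deployment
    would map inventory records to vendor/product names more robustly.
    """
    entries = json.loads(kev_json)["vulnerabilities"]
    findings = []
    for asset in inventory:
        for e in entries:
            if (asset["vendor"] == e["vendorProject"].lower()
                    and asset["product"] == e["product"].lower()):
                due = date.fromisoformat(e["dateAdded"]) + window
                findings.append({
                    "host": asset["host"], "cve": e["cveID"],
                    "due": due.isoformat(),
                    "days_left": (due - today).days,   # negative means overdue
                    "exposed": asset["exposed"],
                })
    # Internet-exposed assets first, then the nearest deadline.
    findings.sort(key=lambda f: (not f["exposed"], f["days_left"]))
    return findings
```

Feed the output to the ticketing or patch-orchestration system; a negative `days_left` on an exposed host is the case that should page someone.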
Conclusion: Collective Defense Through Timely Action
The latest additions to the CISA Known Exploited Vulnerabilities Catalog—affecting both internet-facing web infrastructure and access management appliances—remind us that a single unpatched device can represent the weakest link in the modern enterprise. While governmental directive BOD 22-01 formalizes urgently needed vulnerability management among federal agencies, its lessons are universal. The time from vulnerability disclosure to exploitation has shrunk to days or even hours; patching quickly and strategically is the linchpin of effective cybersecurity defense for organizations of every size and sector.
Organizations must not only monitor the KEV catalog but operationalize its findings in real-world infrastructure—through timely patching, system hardening, and incident response readiness. By doing so, enterprises can keep pace with the ever-evolving threat landscape and turn actionable intelligence into resilient operations. In an age where cyberattacks are inevitable, the readiness and speed with which vulnerabilities are addressed will define tomorrow’s leaders in safety and trust.
Source: CISA, “CISA Adds Two Known Exploited Vulnerabilities to Catalog”