Executive Summary
In November 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-9242 (WatchGuard Firebox), CVE-2025-12480 (Gladinet Triofox), and CVE-2025-62215 (Microsoft Windows). Threat actors have used these vulnerabilities to gain unauthorized access, execute code, and escalate privileges in affected environments. Under Binding Operational Directive 22-01, federal agencies were instructed to remediate them by the KEV due dates because of the significant risk they pose, and all organizations were strongly advised to prioritize patching and mitigation to reduce potential impact.
The rising frequency and severity of multi-vendor vulnerabilities exploited in the wild underscores a persistent trend of opportunistic attacks targeting unpatched systems. Regulatory momentum and new compliance directives are pushing both public and private entities to accelerate vulnerability management and incident response, as attackers increasingly leverage these CVEs for ransomware, data exfiltration, and access brokering operations.
Why This Matters Now
These newly documented vulnerabilities are actively exploited in real-world attacks, putting both government and private sector organizations at immediate risk. Rapid remediation is critical, as attackers continuously scan for unpatched systems to gain access, propagate malware, and exfiltrate sensitive data.
Attack Path Analysis
In a representative attack path, attackers exploit public-facing vulnerabilities in internet-exposed appliances and services (the Firebox firewall, the Triofox file-access server) to gain an initial foothold. After establishing access, they leverage improper access controls or a kernel race condition to escalate privileges on a compromised host. Using weak internal segmentation, adversaries move laterally to discover and access additional resources or workloads. To maintain persistence and control, they communicate through encrypted or evasive channels that bypass basic perimeter defenses. Sensitive data is then exfiltrated via allowed outbound channels, often inside encrypted flows to evade detection. Finally, adversaries inflict impact by disrupting services or deploying ransomware, amplifying the consequences of the breach.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited known vulnerabilities (e.g., WatchGuard Firebox, Gladinet Triofox, a Windows kernel race condition) in internet-exposed services and on compromised hosts to obtain initial unauthorized access to the target environment.
Related CVEs
CVE-2025-9242
CVSS 9.3
An out-of-bounds write vulnerability in WatchGuard Fireware OS allows remote unauthenticated attackers to execute arbitrary code.
Affected Products:
WatchGuard Fireware OS – 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3, 2025.1
Exploit Status:
exploited in the wild
CVE-2025-12480
CVSS 7.5
An improper access control vulnerability in Triofox versions prior to 16.7.10368.56560 allows unauthorized access to initial setup pages after setup completion.
Affected Products:
Gladinet Triofox – prior to 16.7.10368.56560
Exploit Status:
exploited in the wild
CVE-2025-62215
CVSS 7.8
A race condition in the Windows Kernel allows authorized attackers to locally elevate privileges.
Affected Products:
Microsoft Windows – unspecified
Exploit Status:
exploited in the wild
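The affected-version ranges above mix plain dotted versions with WatchGuard's "_UpdateN" suffix and an exclusive "prior to" bound for Triofox, so a naive string comparison will misclassify hosts. The following is an added example, not code from CISA, WatchGuard or Gladinet: it parses those version strings into comparable tuples, encodes the ranges exactly as listed on this page, and triages a constructed inventory. The inventory hostnames and the Triofox version 16.4.10317.56372 are made up for illustration; Windows entries are skipped because the page gives no build range for CVE-2025-62215.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Accepts "12.11.3", "11.12.4_Update1", "2025.1", "16.7.10368.56560".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[_\s-]?update\s*(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Map a vendor version string to a sortable tuple.

    Numeric components are padded to four places (major.minor.patch.build) and
    the "_UpdateN" suffix becomes a fifth component, so 11.12.4_Update1 sorts
    after 11.12.4 but before 11.12.5.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    update = int(m.group(2) or 0)
    return tuple(nums) + (update,)


@dataclass(frozen=True)
class AffectedRange:
    low: Optional[str]          # inclusive lower bound; None means no lower bound
    high: str                   # upper bound
    high_inclusive: bool = True  # False encodes "prior to <high>"


# Ranges transcribed from the Affected Products lines on this page.
AFFECTED = {
    "watchguard fireware os": [
        AffectedRange("11.10.2", "11.12.4_Update1"),
        AffectedRange("12.0", "12.11.3"),
        AffectedRange("2025.1", "2025.1"),
    ],
    "gladinet triofox": [
        AffectedRange(None, "16.7.10368.56560", high_inclusive=False),
    ],
}


def is_affected(product: str, version: str) -> bool:
    """True if the version falls inside any listed range for the product.

    Products with no listed range (e.g. Windows, 'unspecified') return False;
    they must be checked another way rather than silently treated as safe.
    """
    v = parse_version(version)
    for r in AFFECTED.get(product.strip().lower(), []):
        low_ok = r.low is None or parse_version(r.low) <= v
        high = parse_version(r.high)
        high_ok = v <= high if r.high_inclusive else v < high
        if low_ok and high_ok:
            return True
    return False


# Constructed sample inventory; hostnames and the Triofox 16.4 build are invented.
INVENTORY = [
    {"host": "fw-edge-01",   "product": "WatchGuard Fireware OS", "version": "12.11.3"},
    {"host": "fw-edge-02",   "product": "WatchGuard Fireware OS", "version": "12.11.4"},
    {"host": "fw-branch-03", "product": "WatchGuard Fireware OS", "version": "11.12.4_Update1"},
    {"host": "fw-branch-04", "product": "WatchGuard Fireware OS", "version": "11.12.4"},
    {"host": "fs-share-01",  "product": "Gladinet Triofox",       "version": "16.7.10368.56560"},
    {"host": "fs-share-02",  "product": "Gladinet Triofox",       "version": "16.4.10317.56372"},
    {"host": "ws-admin-07",  "product": "Microsoft Windows",      "version": "10.0.26100"},
]


def triage(inventory: list) -> list:
    """Return the hostnames whose product/version is inside a listed affected range."""
    return [a["host"] for a in inventory if is_affected(a["product"], a["version"])]


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print("PATCH:", host)
```

Note that 11.12.4 (no suffix) is flagged because it precedes 11.12.4_Update1, while 16.7.10368.56560 itself is not, since the page lists Triofox as vulnerable only prior to that build. Treat the Windows host as unresolved, not clean: the page gives no affected build list for CVE-2025-62215, so confirm the November 2025 update is installed through your patch-management tooling instead.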
MITRE ATT&CK® Techniques
Exploit Public-Facing Application (T1190)
Hardware Additions (T1200)
Exploitation for Privilege Escalation (T1068)
Exploitation of Remote Services (T1210)
Impair Defenses (T1562)
Valid Accounts (T1078)
Endpoint Denial of Service (T1499)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Vulnerability Management and Patching
Control ID: 6.3.3
NYDFS 23 NYCRR 500 – Penetration Testing and Vulnerability Assessments
Control ID: 500.05
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 9
CISA ZTMM 2.0 – Continuous Identification and Remediation
Control ID: Asset Management - Patch and Vulnerability Management
NIS2 Directive – Vulnerability Handling and Disclosure
Control ID: Article 21(2)(e)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Federal agencies face mandatory remediation requirements under BOD 22-01 for WatchGuard, Gladinet, and Microsoft vulnerabilities actively exploited by threat actors.
Financial Services
Banking institutions vulnerable to out-of-bounds write and access control exploits requiring immediate patching to protect customer data and payment systems.
Health Care / Life Sciences
Healthcare networks at risk from Windows race conditions and firewall vulnerabilities that could compromise patient data and critical medical systems.
Information Technology/IT
IT service providers managing WatchGuard firewalls and Triofox systems face elevated breach risk from campaigns exploiting these actively exploited vulnerabilities.
Sources
- CISA Adds Three Known Exploited Vulnerabilities to Catalog: https://www.cisa.gov/news-events/alerts/2025/11/12/cisa-adds-three-known-exploited-vulnerabilities-catalog
- WatchGuard Firebox Out-of-Bounds Write Vulnerability: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015
- Triofox Vulnerability CVE-2025-12480: https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480
- Microsoft Security Update Guide - CVE-2025-62215: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62215
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Enforcing Zero Trust segmentation, east-west traffic inspection, and strong egress controls in cloud networks would have reduced the exposure of vulnerable services, limited privilege escalation, contained lateral movement, disrupted command and control, and blocked data exfiltration attempts at multiple layers.
Control: Cloud Firewall (ACF)
Mitigation: Prevents unauthorized inbound connections to vulnerable services.
Control: Zero Trust Segmentation
Mitigation: Limits privilege escalation paths by enforcing least privilege network access.
Control: East-West Traffic Security
Mitigation: Detects and blocks unauthorized lateral movement activities.
Control: Egress Security & Policy Enforcement
Mitigation: Disrupts C2 channels by filtering unauthorized outbound traffic.
Control: Encrypted Traffic (HPE)
Mitigation: Detects and protects data in transit from packet sniffing and improper exfiltration.
Rapidly detects anomalous activity and automates incident response to minimize damage.
Impact at a Glance
Affected Business Functions
- Network Security
- Data Management
- User Authentication
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive configuration data and user credentials due to unauthorized access and code execution.
Recommended Actions
Key Takeaways & Next Steps
- Prioritize patching of all KEV-listed vulnerabilities and continuously monitor cloud-facing assets for exposure.
- Deploy Zero Trust segmentation and east-west traffic controls to reduce lateral movement opportunities across workloads.
- Enforce centralized, fine-grained egress policies to block unauthorized outbound and exfiltration attempts.
- Implement cloud-native intrusion prevention and threat detection to identify and halt exploitation and anomalous activity early.
- Leverage encryption visibility and identity-aware policy enforcement to ensure only authorized data exchanges occur.