Executive Summary
In March 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, indicating active exploitation. These include CVE-2025-31277 and CVE-2025-43520, both affecting Apple products with buffer overflow vulnerabilities that could lead to arbitrary code execution. CVE-2025-32432 pertains to Craft CMS, allowing code injection through improper input validation. CVE-2025-43510, another Apple-related issue, involves improper locking, potentially causing unexpected memory changes. Lastly, CVE-2025-54068 affects Laravel Livewire, enabling arbitrary code injection via the component hydration process. The inclusion of these vulnerabilities underscores the persistent threat posed by unpatched software. Organizations are urged to prioritize remediation to mitigate risks associated with these actively exploited flaws. This action aligns with CISA's Binding Operational Directive 22-01, emphasizing the importance of addressing known vulnerabilities to protect federal networks and urging all organizations to adopt similar practices.
Why This Matters Now
The active exploitation of these vulnerabilities highlights the critical need for organizations to promptly address known security flaws. Failure to do so can lead to significant data breaches and system compromises, emphasizing the urgency of proactive vulnerability management.
Attack Path Analysis
The adversary exploited vulnerabilities in Apple products and Craft CMS to gain initial access, then escalated privileges by exploiting improper locking mechanisms. They moved laterally within the network, established command and control channels, exfiltrated sensitive data, and caused significant operational disruption.
Kill Chain Progression
Initial Compromise
Description
The adversary exploited buffer overflow vulnerabilities in Apple products (CVE-2025-31277) and code injection vulnerabilities in Craft CMS (CVE-2025-32432) to execute arbitrary code and gain initial access to the systems.
Related CVEs
CVE-2025-31277
CVSS 8.8A buffer overflow vulnerability in Apple products allows processing of maliciously crafted web content, potentially leading to memory corruption.
Affected Products:
Apple Safari – 18.6
Apple watchOS – 11.6
Apple visionOS – 2.6
Apple iOS – 18.6
Apple iPadOS – 18.6
Apple macOS Sequoia – 15.6
Apple tvOS – 18.6
Exploit Status:
exploited in the wildCVE-2025-32432
CVSS 10A code injection vulnerability in Craft CMS versions 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17 allows remote code execution.
Affected Products:
CraftCMS Craft CMS – 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, 5.0.0-RC1 to before 5.6.17
Exploit Status:
exploited in the wildReferences:
https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-criticalhttps://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-criticalhttps://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-criticalhttps://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3CVE-2025-43520
CVSS 7.1A memory corruption issue in Apple products allows a malicious application to cause unexpected system termination or write kernel memory.
Affected Products:
Apple watchOS – 26.1
Apple iOS – 18.7.2, 26.1
Apple iPadOS – 18.7.2, 26.1
Apple macOS Tahoe – 26.1
Apple visionOS – 26.1
Apple tvOS – 26.1
Apple macOS Sonoma – 14.8.2
Apple macOS Sequoia – 15.7.2
Exploit Status:
exploited in the wildReferences:
https://support.apple.com/en-us/125632https://support.apple.com/en-us/125633https://support.apple.com/en-us/125634https://support.apple.com/en-us/125635https://support.apple.com/en-us/125636https://support.apple.com/en-us/125637https://support.apple.com/en-us/125638https://support.apple.com/en-us/125639CVE-2025-54068
CVSS 9.8A vulnerability in Livewire v3 up to and including v3.6.3 allows unauthenticated attackers to achieve remote command execution in specific scenarios.
Affected Products:
Livewire Livewire – v3 up to and including v3.6.3
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter
Valid Accounts
Abuse Elevation Control Mechanism
Indicator Removal on Host
Automated Exfiltration
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Penetration Testing and Vulnerability Assessments
Control ID: 500.05
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity Management and Access Control
Control ID: Pillar 1: Identity
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
Critical exposure to Apple and Laravel vulnerabilities requiring immediate patching of buffer overflow and code injection flaws across enterprise infrastructure and applications.
Financial Services
High-risk exposure to known exploited vulnerabilities in Apple products and web frameworks, threatening customer data and requiring urgent remediation compliance.
Health Care / Life Sciences
Significant vulnerability exposure through Apple devices and Craft CMS platforms, risking HIPAA compliance violations and patient data through active exploitation.
Government Administration
Federal agencies mandated under BOD 22-01 to immediately remediate these five KEV catalog vulnerabilities to protect against active cyber threats.
Sources
- CISA Adds Five Known Exploited Vulnerabilities to Cataloghttps://www.cisa.gov/news-events/alerts/2026/03/20/cisa-adds-five-known-exploited-vulnerabilities-catalogVerified
- NVD - CVE-2025-31277https://nvd.nist.gov/vuln/detail/CVE-2025-31277Verified
- NVD - CVE-2025-32432https://nvd.nist.gov/vuln/detail/CVE-2025-32432Verified
- NVD - CVE-2025-43520https://nvd.nist.gov/vuln/detail/CVE-2025-43520Verified
- NVD - CVE-2025-54068https://nvd.nist.gov/vuln/detail/CVE-2025-54068Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the adversary's ability to exploit vulnerabilities, escalate privileges, move laterally, establish command and control channels, exfiltrate data, and disrupt operations by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The adversary's ability to exploit these vulnerabilities may have been limited by CNSF's embedded security controls, which could have restricted unauthorized code execution and initial access.
Control: Zero Trust Segmentation
Mitigation: The adversary's ability to escalate privileges could have been constrained by Zero Trust Segmentation, which may have enforced strict access controls and minimized privilege escalation paths.
Control: East-West Traffic Security
Mitigation: The adversary's lateral movement may have been restricted by East-West Traffic Security, which could have enforced strict segmentation and monitored internal traffic patterns.
Control: Multicloud Visibility & Control
Mitigation: The adversary's ability to establish command and control channels could have been limited by Multicloud Visibility & Control, which may have detected and blocked unauthorized communications.
Control: Egress Security & Policy Enforcement
Mitigation: The adversary's data exfiltration efforts may have been constrained by Egress Security & Policy Enforcement, which could have monitored and controlled outbound data flows.
The adversary's ability to cause operational disruption may have been reduced by CNSF's comprehensive security controls, which could have limited unauthorized access and actions.
Impact at a Glance
Affected Business Functions
- Web Services
- Content Management
- Mobile Applications
- Operating Systems
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive user data and system information.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict lateral movement and limit adversary access within the network.
- • Deploy Inline IPS (Suricata) to detect and prevent exploitation attempts targeting known vulnerabilities.
- • Utilize Multicloud Visibility & Control to monitor and manage network traffic across cloud environments, identifying anomalous activities.
- • Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent unauthorized data exfiltration.
- • Regularly update and patch systems to remediate known vulnerabilities and reduce the attack surface.
