CVE-2025-20352 — Cisco IOS and IOS XE — Cisco IOS and IOS XE Stack-based Buffer Overflow Vulnerability
Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due: 2025-10-20
CVE-2025-10035 — Fortra GoAnywhere MFT — Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability
Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due: 2025-10-20
CVE-2025-59689 — Libraesva Email Security Gateway — Libraesva Email Security Gateway Command Injection Vulnerability
Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due: 2025-10-20
CVE-2025-32463 — Sudo Sudo — Sudo Inclusion of Functionality from Untrusted Control Sphere Vulnerability
Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due: 2025-10-20
CVE-2025-20333 — Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense — Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Buffer Overflow Vulnerability
Action: The KEV due date refers to the deadline by which FCEB agencies are expected to review and begin implementing the guidance outlined in Emergency Directive (ED) 25-03 (URL listed below in Notes). Agencies must follow the mitigation steps provided by CISA (URL listed below in Notes) and vendor’s instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
Due: 2025-09-26
CVE-2025-20362 — Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense — Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Missing Authorization Vulnerability
Action: The KEV due date refers to the deadline by which FCEB agencies are expected to review and begin implementing the guidance outlined in Emergency Directive (ED) 25-03 (URL listed below in Notes). Agencies must follow the mitigation steps provided by CISA (URL listed below in Notes) and vendor’s instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
Due: 2025-09-26
CVE-2025-10585 — Google Chromium V8 — Google Chromium V8 Type Confusion Vulnerability
Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due: 2025-10-14
CVE-2025-5086 — Dassault Systèmes DELMIA Apriso — Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability
Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due: 2025-10-02
CVE-2025-53690 — Sitecore Multiple Products — Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability
Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due: 2025-09-25
CVE-2025-48543 — Android Runtime — Android Runtime Unspecified Vulnerability
Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due: 2025-09-25
CVE-2025-38352 — Linux Kernel — Linux Kernel Time-of-Check Time-of-Use (TOCTOU) Race Condition Vulnerability
Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due: 2025-09-25
CVE-2025-9377 — TP-Link Multiple Routers — TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability
Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due: 2025-09-24
CVE-2023-50224 — TP-Link TL-WR841N — TP-Link TL-WR841N Authentication Bypass by Spoofing Vulnerability
Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due: 2025-09-24
CVE-2025-55177 — Meta Platforms WhatsApp — Meta Platforms WhatsApp Incorrect Authorization Vulnerability
Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due: 2025-09-23
CVE-2020-24363 — TP-Link TL-WA855RE — TP-Link TL-WA855RE Missing Authentication for Critical Function Vulnerability
Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due: 2025-09-23
CVE-2025-57819 — Sangoma FreePBX — Sangoma FreePBX Authentication Bypass Vulnerability
Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due: 2025-09-19
CVE-2025-7775 — Citrix NetScaler — Citrix NetScaler Memory Overflow Vulnerability
Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due: 2025-08-28
CVE-2024-8069 — Citrix Session Recording — Citrix Session Recording Deserialization of Untrusted Data Vulnerability
Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due: 2025-09-15
CVE-2024-8068 — Citrix Session Recording — Citrix Session Recording Improper Privilege Management Vulnerability
Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due: 2025-09-15
CVE-2025-48384 — Git Git — Git Link Following Vulnerability
Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due: 2025-09-15
CVE-2025-43300 — Apple iOS, iPadOS, and macOS — Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability
Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due: 2025-09-11
CVE-2025-54948 — Trend Micro Apex One — Trend Micro Apex One OS Command Injection Vulnerability
Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due: 2025-09-08
CVE-2025-8875 — N-able N-Central — N-able N-Central Insecure Deserialization Vulnerability
Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due: 2025-08-20
CVE-2025-8876 — N-able N-Central — N-able N-Central Command Injection Vulnerability
Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due: 2025-08-20
