CISA Flags Apple, Craft CMS, Laravel Bugs in KEV, Orders Fixes by April 3, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added five security flaws affecting Apple, Craft CMS, and Laravel Livewire to its Known Exploited Vulnerabilities (KEV) catalog, urging government agencies to fix them by April 3, 2026.
The vulnerabilities that have come under exploitation are listed below:
- CVE-2025-31277 (CVSS score: 8.8) – A vulnerability in Apple WebKit that could lead to memory corruption when processing maliciously crafted web content. (Updated July 2025)
- CVE-2025-43510 (CVSS score: 7.8) – A memory corruption vulnerability in the Apple kernel component that could allow a malicious application to cause unexpected changes in shared memory between processes. (Updated December 2025)
- CVE-2025-43520 (CVSS score: 8.8) – A memory corruption vulnerability in the Apple kernel component that could allow a malicious application to cause an unexpected system termination or write kernel memory. (Updated December 2025)
- CVE-2025-32432 (CVSS score: 10.0) – A code injection vulnerability in Craft CMS that could allow a remote attacker to execute arbitrary code. (Updated April 2025)
- CVE-2025-54068 (CVSS score: 9.8) – A code injection vulnerability in Laravel Livewire that could allow unauthorized attackers to gain remote command execution under certain circumstances. (Updated July 2025)
The addition of the three Apple vulnerabilities to the KEV catalog comes after reports from Google Threat Intelligence Group (GTIG), Verify, and Lookout about an iOS exploit kit called DarkSword that uses these flaws, along with three bugs, to deploy various malware families such as GHOSTBLADE, GHOSTGHOSTSA, and datatheBERKNIFE.
CVE-2025-32432 is assessed to have been exploited as a zero-day by unknown threat actors since February 2025, according to Orange Cyberdefense SensePost. Since then, an intrusion set known as Mimo (aka Hezb) has also been spotted exploiting the vulnerability to deploy a cryptocurrency miner and proxyware.
Rounding out the list is CVE-2025-54068, exploitation of which was recently flagged by the Ctrl-Alt-Intel Threat Research group as part of an attack inspired by the Iranian government-sponsored hacking group MuddyWater (aka Boggy Serpens).
In a report published earlier this week, Palo Alto Networks Unit 42 called out the adversary's consistent targeting of strategic and critical infrastructure, including the energy, maritime, and financial sectors, throughout the Middle East, as well as other strategic targets around the world.
“While social engineering remains their hallmark, the group is also expanding its technological capabilities,” said Unit 42. “Its diverse toolset includes AI-advanced malware applications that incorporate counter-strategies and long-term persistence analysis. This combination of social engineering and rapidly developed tools creates a powerful threat profile.”
“To support its massive social engineering campaigns, Boggy Serpens uses a custom-built, web-based orchestration platform,” Unit 42 said. “This tool allows operators to automate mass mailings while maintaining minimal control over sender identities and target lists.”
Affiliated with the Iranian Ministry of Intelligence and Security (MOIS), the group mainly focuses on cyber espionage, although it has also been linked to disruptive activities directed at the Technion Israel Institute of Technology by adopting the DarkBit ransomware persona.
One of the hallmarks of MuddyWater’s tradecraft has been the use of compromised accounts belonging to legitimate government and corporate organizations in phishing attacks, exploiting trusted relationships to circumvent reputation-based blocking systems and deliver malware.
In a sustained campaign targeting a national maritime company and an undisclosed force in the UAE between August 16, 2025, and February 11, 2026, the threat actor is said to have carried out four separate waves of attacks, resulting in the deployment of various malware families, including GhostBackDoor and Nuso (also known as HTTP_VIP). Other important tools in the threat actor’s arsenal include UDGangster and LampoRAT (aka CHAR).
“Boggy Serpens’ recent work shows a growing threat profile, as the group combines its established methods with refined methods to persist operations,” said Unit 42. “By diversifying its development pipeline to include modern coding languages like Rust and AI-assisted workflows, the group is creating parallel tracks that ensure the need to maintain a high operational tempo.”



