CISA Adds Apple, Craft CMS, and Laravel Livewire Flaws to KEV Catalog as Active Exploitation Expands

By Ash K

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added five security flaws affecting Apple products, Craft CMS, and Laravel Livewire to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.

The newly added vulnerabilities are listed below -

  • CVE-2025-31277 (CVSS score: 8.8) - Apple Multiple Products Buffer Overflow Vulnerability
  • CVE-2025-32432 (CVSS score: 10.0) - Craft CMS Code Injection Vulnerability
  • CVE-2025-43510 (CVSS score: 7.8) - Apple Multiple Products Improper Locking Vulnerability
  • CVE-2025-43520 (CVSS score: 8.8) - Apple Multiple Products Classic Buffer Overflow Vulnerability
  • CVE-2025-54068 (CVSS score: 9.8) - Laravel Livewire Code Injection Vulnerability

Federal Civilian Executive Branch (FCEB) agencies have been directed to apply the necessary mitigations by April 3, 2026, as required under Binding Operational Directive (BOD) 22-01.

While KEV deadlines apply to federal agencies, the catalog serves as a strong warning to private-sector organizations as well, given that inclusion means the flaws are no longer merely theoretical and have already been weaponized by threat actors.

Apple Flaws Added to KEV

Three of the five entries affect Apple’s ecosystem, highlighting the continued attractiveness of browser, mobile, and kernel-level bugs to sophisticated attackers.

The first of them, CVE-2025-31277, is a buffer overflow vulnerability that Apple said could lead to memory corruption when processing specially crafted web content. The issue has been patched in Safari 18.6, iOS 18.6, iPadOS 18.6, macOS Sequoia 15.6, watchOS 11.6, visionOS 2.6, and tvOS 18.6.

The flaw is notable because it has been linked to real-world exploitation. Google Threat Intelligence Group previously said the vulnerability was one of the components leveraged as part of the DarkSword iOS exploit chain.

The other two Apple vulnerabilities, CVE-2025-43510 and CVE-2025-43520, impact multiple Apple products and reside closer to the operating system core.

Apple described CVE-2025-43510 as an improper locking issue that could allow a malicious app to cause unexpected changes in memory shared between processes. CVE-2025-43520, on the other hand, is a classic buffer overflow vulnerability that could result in unexpected system termination or kernel memory writes.

Both flaws have been addressed in updates that include iOS 18.7.2, iPadOS 18.7.2, macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, visionOS 26.1, tvOS 26.1, and watchOS 26.1.

[Image: Apple devices representing mobile and endpoint attack surface] The Apple KEV additions reinforce the risk posed by memory corruption and kernel-adjacent vulnerabilities across consumer and enterprise-managed devices.

Craft CMS Bug Carries Maximum Severity

Also added is CVE-2025-32432, a critical Craft CMS code injection vulnerability with a CVSS score of 10.0.

The issue, tied to the Yii framework, was fixed by Craft CMS in versions 3.9.15, 4.14.15, and 5.6.17. Days after releasing patches, the company disclosed that it had identified evidence suggesting active exploitation in the wild.

That detail makes the vulnerability particularly significant for defenders running internet-exposed content management infrastructure. In many real-world intrusions, the initial exploit is only the beginning, with attackers moving quickly to establish persistence, exfiltrate data, or deploy follow-on payloads.

Craft CMS has advised administrators to review firewall and web server logs for suspicious POST requests to the actions/assets/generate-transform endpoint, especially requests containing the string __class.
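The log review Craft CMS recommends can be scripted. The following is an added example (not Craft CMS's own tooling) that parses web server access log lines in the common Apache/nginx combined format, flags POST requests to the actions/assets/generate-transform endpoint, and raises the severity when the `__class` marker appears anywhere in the logged request (including URL-encoded). The log lines are constructed for the example; the log format regex is an assumption and needs adjusting for custom log layouts, and `__class` sent in a POST body will only be visible if a WAF or proxy logs request bodies.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import unquote

# Regex for the common/combined access log format (Apache/nginx default).
# Assumption: the site's web server writes this layout; adjust for custom formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Endpoint and marker string from Craft CMS's published guidance.
ENDPOINT = "actions/assets/generate-transform"
MARKER = "__class"


@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    status: str
    severity: str  # "high" when the marker is present, otherwise "medium"


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt(lines: Iterable[str]) -> List[Finding]:
    """Flag POSTs to the generate-transform endpoint; escalate if __class is present."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if ENDPOINT not in rec["path"]:
            continue
        # Decode percent-encoding so %5F%5Fclass is matched as well as the plain string.
        # The whole line is checked so a logged body or query string is caught either way.
        severity = "high" if MARKER in unquote(line) else "medium"
        findings.append(Finding(rec["ip"], rec["ts"], rec["path"], rec["status"], severity))
    return findings


# Constructed sample log lines (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Mar/2026:14:02:09 +0000] "GET /index.php?p=actions/assets/generate-transform HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Mar/2026:14:02:11 +0000] "POST /index.php?p=actions/assets/generate-transform HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Mar/2026:14:02:13 +0000] "POST /index.php?p=actions/assets/generate-transform&__class=placeholder HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Mar/2026:14:02:15 +0000] "POST /index.php?p=actions/assets/generate-transform&x=%5F%5Fclass HTTP/1.1" 500 0 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Mar/2026:14:03:00 +0000] "POST /index.php?p=actions/users/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    "this line is not in access log format",
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.ts} {f.ip} {f.status} {f.path}")
```

Every hit on the endpoint is worth a look, not only the high-severity ones: a 500 response to a POST there can indicate a failed attempt, and a 200 with `__class` present should be treated as a likely compromise and handed to incident response rather than merely patched.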

If compromise is suspected, the company recommends taking the affected site offline, removing malicious payloads and backdoors, applying the patched versions, rotating the CRAFT_SECURITY_KEY, refreshing other secrets, changing database credentials, and considering a forced password reset for users.

Laravel Livewire RCE Risk Comes Into Focus

The fifth entry, CVE-2025-54068, affects Laravel Livewire and has been described as a code injection vulnerability with a CVSS score of 9.8.

According to GitHub’s advisory, the flaw impacts Livewire v3 up to and including 3.6.3 and can, in certain scenarios, allow unauthenticated attackers to achieve remote command execution during component property update hydration.

The issue does not require user interaction, and there is currently no workaround. The only effective mitigation is to upgrade to Livewire 3.6.4 or later.

The vulnerability is a reminder that risk increasingly sits not just in operating systems and browsers, but also in developer tooling and reactive web frameworks that power modern application stacks.

Why the KEV Listing Changes the Priority

CISA’s KEV catalog is not a list of severe bugs alone. It is a list of vulnerabilities that have been exploited in real-world attacks.

That distinction matters because many organizations still prioritize patching based primarily on CVSS scores, asset criticality, or maintenance cycles. A KEV entry adds another dimension that is often more urgent than raw severity: confirmed attacker activity.

In this case, the latest additions span mobile devices, browsers, operating system internals, CMS deployments, and reactive PHP application frameworks. That breadth reflects a threat landscape in which adversaries are willing to move across layers as long as the target is reachable, valuable, and slow to patch.

Key numbers

  • 5 vulnerabilities added to KEV
  • 3 Apple flaws included in the same update
  • 1 Craft CMS vulnerability rated CVSS 10.0
  • 1 Laravel Livewire flaw rated CVSS 9.8
  • April 3, 2026 remediation deadline for federal agencies

What Organizations Should Do Next

Organizations using affected Apple products should verify that endpoints are running the latest supported releases and prioritize patching for high-risk users and sensitive environments.

Craft CMS administrators should not only patch immediately, but also hunt for suspicious requests, signs of persistence, and potential credential exposure if the vulnerable versions were internet accessible.

Development and AppSec teams using Laravel should identify whether Livewire v3 is present in production, determine whether any exposed applications are running versions up to 3.6.3, and upgrade them without delay.
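Whether an application ships a vulnerable Livewire build can be read from its composer.lock. The script below is an added example, not the Livewire project's code, that looks up livewire/livewire in both the production and dev package sections and classifies the pinned version against the affected range the article gives (v3 up to and including 3.6.3, fixed in 3.6.4). The lock file contents are constructed; composer.lock's "packages" / "packages-dev" layout and the "v"-prefixed version strings are standard Composer output.

```python
import json
import re
from typing import Optional, Tuple

PACKAGE = "livewire/livewire"
AFFECTED_MAJOR = 3     # advisory scope: Livewire v3
FIXED = (3, 6, 4)      # upgrade target from the article: 3.6.4 or later


def parse_version(raw: str) -> Optional[Tuple[int, int, int]]:
    """Turn 'v3.6.3' or '3.6.3' into (3, 6, 3); None for branch aliases like 'dev-main'."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", raw)
    return tuple(int(x) for x in m.groups()) if m else None


def livewire_status(lock_json: str) -> dict:
    """Classify the Livewire version pinned in a composer.lock document."""
    lock = json.loads(lock_json)
    # Production dependencies are under "packages", dev-only ones under "packages-dev".
    # A dev-only hit should not reach production, but it is reported so the team can confirm.
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") != PACKAGE:
                continue
            raw = pkg.get("version", "")
            ver = parse_version(raw)
            if ver is None:
                status = "unknown"          # non-semver pin; check manually
            elif ver[0] != AFFECTED_MAJOR:
                status = "out_of_scope"     # not in the v3 range the advisory covers
            elif ver < FIXED:
                status = "vulnerable"
            else:
                status = "patched"
            return {"found": True, "section": section, "version": raw, "status": status}
    return {"found": False, "section": None, "version": None, "status": "absent"}


def make_lock(version: Optional[str], section: str = "packages") -> str:
    """Build a constructed minimal composer.lock string for the example and its checks."""
    lock = {"packages": [], "packages-dev": []}
    if version is not None:
        lock[section].append({"name": PACKAGE, "version": version})
    return json.dumps(lock)


if __name__ == "__main__":
    for v in ("v3.6.3", "v3.6.4", "v2.12.6", "dev-main", None):
        print(v, "->", livewire_status(make_lock(v))["status"])
```

In practice, run this against the lock file actually deployed (or `composer show livewire/livewire` on the host), since a repository's lock file and the artifact in production can drift; a "vulnerable" result is a reason to upgrade, and the article notes no workaround exists short of that.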

The broader lesson is simple. Once a flaw lands in KEV, the question is no longer whether it deserves attention. The question is how quickly defenders can move from awareness to patching, validation, and threat hunting.

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.