U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft WSUS, and Adobe Commerce and Magento Open Source flaws to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Microsoft WSUS, and Adobe Commerce and Magento Open Source flaws to its Known Exploited Vulnerabilities (KEV) catalog.
Below the list of flaws added to the catalog:
- CVE-2025-54236 Adobe Commerce and Magento Improper Input Validation Vulnerability
- CVE-2025-59287 Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability
The vulnerability CVE-2025-54236 is an improper input validation issue. This week the e-commerce security company Sansec warned that threat actors are exploiting the critical flaw CVE-2025-54236 (CVSS 9.1), to hijack customer accounts via the REST API. The experts observed over 250 attacks hit stores in 24 hours.
Last month, Adobe issued an emergency patch to fix the flaw, dubbed SessionReaper, after researcher Blaklis responsibly disclosed it. An attacker can exploit this vulnerability to take over customer accounts. Sansec blocked over 250 SessionReaper attack attempts on e-commerce sites, with payloads delivering PHP webshells or phpinfo probes from multiple IPs.
Experts warn that the situation is critical, as only 38% of stores are patched and exploit details are already publicly available.
The second vulnerability added to the catalog, tracked as CVE-2025-59287 (CVSS score of 9.8), is a deserialization of untrusted data in Windows Server Update Service that allows an unauthorized attacker to execute code over a network.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerabilities by November 14, 2025.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISA)
