U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apple, Rockwell, and Hikvision flaws to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Apple, Rockwell, and Hikvision flaws to its Known Exploited Vulnerabilities (KEV) catalog.
Below are the flaws added to the catalog:
- CVE-2023-43000 (CVSS score of 8.8) Apple Multiple products Use-After-Free Vulnerability
- CVE-2017-7921 (CVSS score of 9.8) Hikvision Multiple Products Improper Authentication Vulnerability
- CVE-2021-22681 (CVSS score of 9.8) Rockwell Multiple Products Insufficient Protected Credentials Vulnerability
- CVE-2021-30952 (CVSS score of 8.8) Apple Multiple Products Integer Overflow or Wraparound Vulnerability
- CVE-2023-41974 (CVSS score of 7.8) Apple iOS and iPadOS Use-After-Free Vulnerability
CVE-2023-43000 is a use-after-free issue in the WebKit component. Apple addressed the vulnerability with improved memory management in macOS Ventura 13.5, iOS 16.6, iPadOS 16.6, and Safari 16.6. The flaw could allow maliciously crafted web content to trigger memory corruption.
The second flaw added to the catalog, tracked as CVE-2017-7921, is an improper authentication vulnerability that affects multiple Hikvision IP camera series running older firmware versions. The flaw occurs when the system fails to correctly verify user credentials, potentially allowing attackers to bypass authentication, escalate privileges, and gain unauthorized access to sensitive data or device controls.
The third flaw added to the catalog, tracked as CVE-2021-22681, impacts Rockwell Automation Studio 5000 Logix Designer and RSLogix 5000, allowing an unauthenticated attacker to bypass the key-based verification used to authenticate with industrial controllers. By exploiting this flaw, attackers could impersonate trusted systems and communicate with affected controllers, potentially compromising industrial automation environments.
CISA also added Apple vulnerabilities CVE-2021-30952 and CVE-2023-41974 to the catalog after Google’s Threat Intelligence Group reported the discovery of a powerful new iOS exploit kit called Coruna (also known as CryptoWaters) that targets Apple iPhones running iOS versions 13.0 through 17.2.1. The kit includes five full exploit chains and a total of 23 exploits, including the above Apple issues.
While highly capable against iPhones running iOS 13.0 through 17.2.1versions, Coruna is ineffective against the latest iOS release, according to Google.
GTIG tracked the use of the exploit in highly targeted attacks by a surveillance vendor’s customer, in Ukrainian watering hole campaigns by UNC6353, and later in broad-scale attacks by Chinese financial threat actor UNC6691, showing an active market for “second-hand” zero-day exploits. Multiple threat actors now reuse and adapt these advanced techniques for new vulnerabilities.
GTIG shared the findings to raise awareness and protect users, adding identified domains to Safe Browsing.
Initial discovery occurred in February 2025 when GTIG captured a previously unseen JavaScript framework delivering an iOS exploit chain from a surveillance vendor’s customer.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerabilities by March 26, 2026.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISA)
