The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The list of flaws is as follows –
- CVE-2014-3931 (CVSS score: 9.8) – A buffer overflow vulnerability in Multi-Router Looking Glass (MRLG) that could allow remote attackers to cause an arbitrary memory write and memory corruption
- CVE-2016-10033 (CVSS score: 9.8) – A command injection vulnerability in PHPMailer that could allow an attacker to execute arbitrary code within the context of the application or result in a denial-of-service (DoS) condition
- CVE-2019-5418 (CVSS score: 7.5) – A path traversal vulnerability in Ruby on Rails’ Action View that could cause contents of arbitrary files on the target system’s file system to be exposed
- CVE-2019-9621 (CVSS score: 7.5) – A Server-Side Request Forgery (SSRF) vulnerability in the Zimbra Collaboration Suite that could result in unauthorized access to internal resources and remote code execution
There are currently no public reports on how the first three vulnerabilities are being exploited in real-world attacks. The abuse of CVE-2019-9621, on the other hand, was attributed by Trend Micro to a China-linked threat actor known as Earth Lusca in September 2023 to drop web shells and Cobalt Strike.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are recommended to apply the necessary updates by July 28, 2025, to secure their networks.
Technical Details of Citrix Bleed 2 Out
The development comes as watchTowr Labs and Horizon3.ai have released technical analyses for a critical security flaw in Citrix NetScaler ADC (CVE-2025-5777 aka Citrix Bleed 2), which is assessed to have come under active exploitation.
“We’re seeing active exploitation of both CVE-2025-5777 and CVE-2025-6543 in the wild,” watchTowr CEO Benjamin Harris told The Hacker News. “This vulnerability allows reading of memory, which we believe attackers are using to read sensitive information (for example, information sent within HTTP requests that are then processed in-memory), credentials, valid Citrix session tokens, and more.”
The findings show that it’s possible to send a login request to the “/p/u/doAuthentication.do” endpoint and cause it (and other endpoints susceptible to the flaw) to reflect the user-supplied login value in the response, regardless of success or failure.
Horizon3.ai noted that the vulnerability could be used to leak approximately 127 bytes of data via a specially crafted HTTP request with a modified “login=” without an equal sign or value, thereby making it possible to extract session tokens or other sensitive information.
The shortcoming, watchTowr explained, stems from the use of the snprintf function along with a format string containing the “%.*s” format.
“The %.*s format tells snprintf: ‘Print up to N characters, or stop at the first null byte (\0) – whichever comes first.’ That null byte eventually appears somewhere in memory, so while the leak doesn’t run indefinitely, you still get a handful of bytes with each invocation,” the company said.
“So, every time you hit that endpoint without the =, you pull more uninitialized stack data into the response. Repeat it enough times, and eventually, you might land on something valuable.”
