U.S. CISA adds SKYSEA Client View, Rapid7 Velociraptor, Microsoft Windows, and IGEL OS flaws to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently expanded its Known Exploited Vulnerabilities (KEV) catalog by incorporating several critical flaws, including those found in SKYSEA Client View, Rapid7 Velociraptor, Microsoft Windows, and IGEL OS. This proactive measure underscores the agency’s commitment to enhancing cybersecurity across various platforms and protecting sensitive information from potential threats.

Details of the Vulnerabilities

Here are the specific vulnerabilities that have been added to the catalog:

  • CVE-2016-7836: SKYSEA Client View Improper Authentication Vulnerability
  • CVE-2025-6264: Rapid7 Velociraptor Incorrect Default Permissions Vulnerability
  • CVE-2025-24990: Microsoft Windows Untrusted Pointer Dereference Vulnerability
  • CVE-2025-47827: IGEL OS Use of a Key Past its Expiration Date Vulnerability
  • CVE-2025-59230: Microsoft Windows Improper Access Control Vulnerability

The vulnerability CVE-2016-7836 within SKYSEA Client View (versions ≤ v11.221.03) poses a significant risk, enabling remote code execution due to inadequate authentication handling in TCP connections with the management console. This flaw could potentially allow unauthorized users to execute harmful commands remotely.

In Rapid7 Velociraptor, CVE-2025-6264 is particularly concerning because it permits arbitrary command execution and could lead to endpoint takeover. The artifact Admin.Client.UpdateClientConfig did not require the EXECVE permission it should have enforced, allowing users with lower privileges to modify client configurations without appropriate oversight.

Two zero-day vulnerabilities affecting Microsoft Windows have also been added to the catalog: CVE-2025-24990, found in the Agere Modem Driver, and CVE-2025-59230, located in RasMan. Both vulnerabilities facilitate privilege escalation. For the Agere Modem Driver flaw, Microsoft has opted to remove the vulnerable driver rather than issue a patch.

Lastly, the CVE-2025-47827 vulnerability impacts IGEL OS versions prior to 11, allowing for a Secure Boot bypass. This flaw, disclosed publicly in June 2025, enables attackers to deploy kernel-level rootkits, potentially compromising IGEL OS and virtual desktops. While exploitation typically requires physical access, it raises concerns about “evil-maid” style attacks that could capture credentials and manipulate sessions.

In accordance with Binding Operational Directive (BOD) 22-01, which aims to mitigate the significant risks posed by known exploited vulnerabilities, federal agencies are required to address these identified vulnerabilities by November 4, 2025. Experts also advise private organizations to review the KEV catalog and take necessary actions to safeguard their infrastructures against these vulnerabilities.
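
One way to act on that review, as an added example that is not part of the original article: the sketch below matches scanner findings against KEV entries and ranks them by the BOD 22-01 due date. The KEV excerpt uses the catalog JSON feed's `cveID`, `product` and `dueDate` fields with the CVEs and deadline from this article; the host names, the findings and the placeholder CVE id are constructed.

```python
import json
from datetime import date

# Constructed excerpt using the KEV JSON feed's cveID/product/dueDate fields.
# CVE ids, product names and the due date are the ones given in the article.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": c, "product": p, "dueDate": "2025-11-04"} for c, p in [
        ("CVE-2016-7836", "SKYSEA Client View"),
        ("CVE-2025-6264", "Rapid7 Velociraptor"),
        ("CVE-2025-24990", "Microsoft Windows"),
        ("CVE-2025-47827", "IGEL OS"),
        ("CVE-2025-59230", "Microsoft Windows"),
    ]]})

# Constructed scanner output: hypothetical hosts, messy casing, a duplicate,
# and a placeholder CVE id that is not in the catalog.
FINDINGS = [
    {"host": "ws-014", "cve": "CVE-2025-59230"},
    {"host": "ws-014", "cve": "cve-2025-24990 "},
    {"host": "thin-07", "cve": "CVE-2025-47827"},
    {"host": "ws-014", "cve": "CVE-2025-59230"},
    {"host": "srv-02", "cve": "CVE-0000-0001"},
]

def load_kev(raw):
    """Index KEV entries by normalized CVE id."""
    return {v["cveID"].strip().upper(): v for v in json.loads(raw)["vulnerabilities"]}

def triage(findings, kev, today):
    """Return de-duplicated KEV-listed findings, closest deadline first."""
    rows, seen = [], set()
    for f in findings:
        cve = f["cve"].strip().upper()
        if cve not in kev or (f["host"], cve) in seen:
            continue
        seen.add((f["host"], cve))
        due = date.fromisoformat(kev[cve]["dueDate"])
        rows.append({"host": f["host"], "cve": cve, "product": kev[cve]["product"],
                     "days_left": (due - today).days, "overdue": today > due})
    return sorted(rows, key=lambda r: (r["days_left"], r["host"], r["cve"]))

if __name__ == "__main__":
    for r in triage(FINDINGS, load_kev(KEV_JSON), date.today()):
        flag = "OVERDUE" if r["overdue"] else f'{r["days_left"]}d left'
        print(f'{r["host"]:8} {r["cve"]:15} {r["product"]:20} {flag}')
```

In practice `KEV_JSON` would be replaced by the catalog file downloaded from CISA and `FINDINGS` by the export of a vulnerability scanner or asset inventory.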
