U.S. CISA adds WatchGuard Firebox, Microsoft Windows, and Gladinet Triofox flaws to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently expanded its Known Exploited Vulnerabilities (KEV) catalog, incorporating critical flaws associated with WatchGuard Firebox, Microsoft Windows, and Gladinet Triofox. These additions underscore the ongoing need for vigilance in cybersecurity practices across various platforms.

Details of Newly Cataloged Vulnerabilities

Among the newly listed vulnerabilities is CVE-2025-9242, a significant issue affecting WatchGuard Fireware with a CVSS score of 9.3. This vulnerability allows unauthenticated attackers to execute arbitrary code through an out-of-bounds write flaw. It impacts several versions of Fireware OS, specifically from 11.10.2 to 11.12.4_Update1, as well as versions 12.0 to 12.11.3 and 2025.1.

The advisory notes: “An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer.” The advisory adds that the flaw may still be exploitable after those VPN configurations have been deleted, as long as a branch office VPN to a static gateway peer remains configured.

This vulnerability is particularly concerning because it sits in the IKEv2 VPN service, which is commonly exposed to the internet, so exploitation requires no prior authentication. Those characteristics make it a prime target for ransomware actors, and patching should be treated as urgent.

Another critical addition to the catalog is the Gladinet Triofox flaw, tracked as CVE-2025-12480. This improper access control vulnerability was identified by Google’s Mandiant researchers, who reported that threat actors had been exploiting it to bypass authentication and upload remote access tools via the platform’s antivirus feature. Mandiant has linked this ongoing exploitation to threat cluster UNC6485.

In their investigation, Mandiant detected suspicious activity on a customer’s Triofox server, including PLINK-based RDP tunneling and file downloads. This vulnerability is the third Triofox issue exploited this year, following CVE-2025-30406 and CVE-2025-11371. The recent update restricts access to the configuration pages once setup is complete; before that change, attackers used unauthenticated access to those pages to create a new administrator account, dubbed “Cluster Admin,” which they then used to continue the intrusion.

Additionally, CISA has included the Microsoft Windows race condition vulnerability CVE-2025-62215 in its catalog. Microsoft has issued warnings regarding this flaw, which has a CVSS score of 7 and is currently under active attack. The advisory states: “Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Kernel allows an authorized attacker to elevate privileges locally.” Successful exploitation could enable an attacker to gain SYSTEM privileges.

In accordance with Binding Operational Directive (BOD) 22-01, which aims to mitigate the significant risks posed by known exploited vulnerabilities, federal agencies are mandated to address these vulnerabilities by December 3, 2025. Experts also advise private organizations to review the KEV catalog and take necessary actions to fortify their infrastructure against potential threats.
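A practical way to act on a KEV update like this one is to match the catalog entries against an asset inventory and compute how long remains before the BOD 22-01 due date. The script below is an added example, not code from the article or from CISA: the KEV record fields (cveID, vendorProject, product, dueDate) follow the public KEV JSON feed, but the three entries, the asset inventory and its version strings are constructed from the article's text. For the WatchGuard entry it applies the Fireware OS version ranges the article lists (including the `_Update1` suffix form); for the Triofox and Windows entries the article gives no version ranges, so those assets are only flagged for manual confirmation against the vendor advisory.

```python
"""Triage helper: match a constructed asset inventory against KEV entries.

Added example, not the article's or CISA's code. The KEV field names
follow the public KEV JSON feed; the entries and inventory are constructed.
"""
from dataclasses import dataclass
from datetime import date

# Constructed KEV records for the three CVEs named in the article.
KEV_ENTRIES = [
    {"cveID": "CVE-2025-9242", "vendorProject": "WatchGuard",
     "product": "Firebox", "dueDate": "2025-12-03"},
    {"cveID": "CVE-2025-12480", "vendorProject": "Gladinet",
     "product": "Triofox", "dueDate": "2025-12-03"},
    {"cveID": "CVE-2025-62215", "vendorProject": "Microsoft",
     "product": "Windows", "dueDate": "2025-12-03"},
]

# Affected Fireware OS ranges as stated in the article (inclusive bounds).
FIREWARE_AFFECTED = [
    ("11.10.2", "11.12.4_Update1"),
    ("12.0", "12.11.3"),
    ("2025.1", "2025.1"),
]


def parse_version(v: str) -> tuple:
    """Turn '11.12.4_Update1' into a comparable tuple (11, 12, 4, 1).

    A release without an _UpdateN suffix sorts just before the same release
    with one, which is what makes '11.12.4_Update1' a usable upper bound.
    """
    base, _, suffix = v.partition("_Update")
    parts = [int(p) for p in base.split(".")]
    parts += [0] * (3 - len(parts))          # pad so '12.0' compares as 12.0.0
    return tuple(parts) + (int(suffix) if suffix else 0,)


def fireware_is_affected(version: str) -> bool:
    """True if the Fireware OS version falls inside any listed affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in FIREWARE_AFFECTED)


@dataclass
class Asset:
    hostname: str
    vendor: str
    product: str
    version: str


# Constructed inventory; hostnames and versions are illustrative only.
INVENTORY = [
    Asset("fw-edge-01", "WatchGuard", "Firebox", "12.10.1"),           # inside 12.0-12.11.3
    Asset("fw-edge-02", "WatchGuard", "Firebox", "11.12.4_Update1"),   # boundary of first range
    Asset("fw-lab-01", "WatchGuard", "Firebox", "12.12.0"),            # constructed, outside the ranges
    Asset("files-01", "Gladinet", "Triofox", "unknown"),               # no version range in the article
    Asset("ws-042", "Microsoft", "Windows", "unknown"),                # no version range in the article
    Asset("db-07", "PostgreSQL", "Server", "16"),                      # not in KEV, must not be flagged
]


def triage(inventory, kev_entries, today: date):
    """Return (hostname, cveID, days_until_due, note) for each KEV match.

    The Firebox entry is decided by the article's version ranges; the other
    two products are flagged for manual confirmation because the article
    gives no affected-version data for them.
    """
    findings = []
    for asset in inventory:
        for entry in kev_entries:
            if (asset.vendor, asset.product) != (entry["vendorProject"], entry["product"]):
                continue
            if entry["cveID"] == "CVE-2025-9242":
                if not fireware_is_affected(asset.version):
                    continue
                note = "Fireware version inside an affected range"
            else:
                note = "product listed in KEV; confirm version against vendor advisory"
            due = date.fromisoformat(entry["dueDate"])
            findings.append((asset.hostname, entry["cveID"], (due - today).days, note))
    return findings


if __name__ == "__main__":
    for host, cve, days, note in triage(INVENTORY, KEV_ENTRIES, date(2025, 11, 20)):
        print(f"{host:12} {cve:15} due in {days:3d} days: {note}")
```

Run against the constructed inventory on 2025-11-20, it flags the two Fireboxes inside the listed ranges, the Triofox and Windows hosts for manual confirmation, and nothing for the PostgreSQL host; every finding shows 13 days to the December 3, 2025 due date. Swapping the constructed entries for records pulled from the real KEV feed is the only change needed to use it on a live inventory.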

Winsage