CISA Highlights Four Actively Exploited Vulnerabilities: What You Need to Know to Protect Your Organization
Cybersecurity headlines can often feel like background noise—until a threat gets close to home. The latest alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) changes the game for anyone managing or relying on digital infrastructure. On Monday, CISA added four critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing real-world attacks and active exploitation. If you’re responsible for your organization’s security, or simply want to understand how these flaws could impact you, this is one update you can’t afford to ignore.
In this deep dive, we’ll explain what these vulnerabilities are, why they matter, and what you can do right now to protect your systems. We’ll also explore recent technical developments around Citrix NetScaler (including the so-called “Citrix Bleed 2” flaw), dissect the risks, and answer your most pressing questions. Whether you’re a seasoned cybersecurity pro or just getting started, you’ll walk away with clear, actionable insights.
Why CISA’s KEV Updates Matter More Than Ever
Let’s face it: Security advisories come out every day. So why pay attention to this one?
Here’s the difference: The KEV catalog isn’t just a list of potential vulnerabilities—it’s a list of vulnerabilities that are actively being exploited in the wild. When something gets added to KEV, it means there’s credible evidence hackers are using it right now to break into real networks. CISA’s guidance is more than a warning; it’s a map showing where the fires are burning, not just where they could.
For organizations—especially those within the Federal Civilian Executive Branch (FCEB)—a KEV addition often triggers required action with specific remediation deadlines. But this isn’t just government red tape: private enterprises and individuals would do well to pay just as close attention.
The Four Critical Vulnerabilities Added to CISA KEV (June 2024)
1. CVE-2014-3931 — Multi-Router Looking Glass (MRLG) Buffer Overflow
- CVSS Score: 9.8 (Critical)
- What is it?
MRLG is a web-based tool for network diagnostics. A critical buffer overflow flaw could let attackers remotely write arbitrary data to memory, leading to memory corruption or even full system compromise.
- What’s the risk?
Think of a buffer overflow like pouring too much water into a glass—the excess spills over and can cause damage. In this case, it can let an attacker overwrite parts of the program’s memory, potentially allowing them to run their own malicious code.
2. CVE-2016-10033 — PHPMailer Command Injection
- CVSS Score: 9.8 (Critical)
- What is it?
PHPMailer is a widely-used email-sending library in PHP apps. This flaw lets attackers inject commands that get executed on the server, opening the door to arbitrary code execution or denial-of-service (DoS) attacks.
- What’s the risk?
If an attacker can control email parameters, they might sneak malicious commands past the server, turning your mail system into their playground.
3. CVE-2019-5418 — Ruby on Rails Action View Path Traversal
- CVSS Score: 7.5 (High)
- What is it?
Ruby on Rails is a popular web app framework. This vulnerability allows attackers to use specially crafted requests to access files outside of the intended directories, exposing sensitive files.
- What’s the risk?
It’s like someone finding a hidden door in your building that leads to your filing cabinet. Files meant to stay private could become public.
4. CVE-2019-9621 — Zimbra Collaboration Suite SSRF
- CVSS Score: 7.5 (High)
- What is it?
Zimbra is an open-source email platform. This server-side request forgery (SSRF) vulnerability enables attackers to trick the server into making requests to internal resources or external sites, potentially leading to unauthorized access or remote code execution.
- What’s the risk?
SSRF flaws are a favorite among attackers. They can use your server as a launching pad to attack internal systems or escalate access even further.
Notably: While there are no public details yet on how the first three vulnerabilities are being exploited, CVE-2019-9621 has been linked to real-world attacks, including activity by the China-linked group Earth Lusca (Trend Micro analysis).
Why These Vulnerabilities Are Being Exploited Now
You might wonder: Some of these vulnerabilities are years old—why are they suddenly hot targets?
- Legacy Software and Patch Gaps: Many organizations operate on older versions of software. Attackers know this and actively scan for systems that haven’t been updated.
- Automated Exploit Tools: Tools that package up these exploits make it easy, even for less-skilled attackers, to launch attacks at scale.
- High Impact, Low Effort: The vulnerabilities offer attackers remote code execution or information disclosure—high reward for relatively little risk.
The bottom line? If a vulnerability is in KEV, it’s not “theoretical.” Attackers are using it today.
Spotlight on Citrix NetScaler’s “Citrix Bleed 2” (CVE-2025-5777): The Latest Active Threat
Just as the dust settles on these four KEV additions, another storm is brewing. Researchers at watchTowr Labs and Horizon3.ai have reported active exploitation of a new Citrix NetScaler ADC vulnerability, dubbed “Citrix Bleed 2” (CVE-2025-5777).
What’s the Flaw?
- Type: Sensitive memory disclosure
- How it works: Attackers can craft special HTTP requests that cause Citrix NetScaler endpoints to leak chunks of memory, including session tokens, credentials, and potentially other sensitive data.
- Technical details: The vulnerability stems from the use of the snprintf function with a %.*s format string in handling login values. If a request is sent without a value for the login parameter, the endpoint can leak about 127 bytes of uninitialized stack memory in the HTTP response.
- Why it matters: Repeated requests can eventually pull session tokens or other critical info, which can then be weaponized for deeper attacks—think privilege escalation, lateral movement, or persistence.
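The snprintf("%.*s") pattern described above, reduced to a constructed C model with the hardened form beside it. This is an added example, not NetScaler's code: the handler, the "login" parameter parsing, the VALUE_MAX buffer size and the stale "session=" marker are all assumptions made for illustration, and leftover stack contents are modelled by a caller-supplied scratch buffer so the behaviour is deterministic.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the snprintf("%.*s") pattern described above, not
 * NetScaler's code. A handler copies the "login=<value>" parameter into a
 * fixed stack buffer and echoes it back. Leftover stack contents are modelled
 * by a caller-supplied scratch buffer pre-filled with stale data. */
#define VALUE_MAX 128   /* 127 usable bytes plus the terminator */

/* Copies the value after "login=" into dst (at most VALUE_MAX-1 bytes).
 * Returns bytes copied, or -1 when "login" arrives without "=value". */
static int copy_login_value(const char *body, char *dst) {
    const char *p = strstr(body, "login=");
    if (p == NULL) return -1;
    p += strlen("login=");
    size_t n = strcspn(p, "&");              /* value ends at the next parameter */
    if (n > VALUE_MAX - 1) n = VALUE_MAX - 1;
    memcpy(dst, p, n);
    dst[n] = '\0';
    return (int)n;
}

/* Vulnerable shape: buffer never initialised, precision equal to the buffer
 * size, so "login" without a value echoes whatever the stack already held
 * (up to 127 bytes or the first NUL byte). */
int echo_login_vulnerable(const char *body, char *stack_scratch, char *out, size_t out_len) {
    char *value = stack_scratch;             /* stands in for an uninitialised char value[VALUE_MAX] */
    copy_login_value(body, value);           /* the -1 "no value" result is ignored: the bug */
    return snprintf(out, out_len, "login=%.*s", VALUE_MAX - 1, value);
}

/* Hardened shape: initialise the buffer, treat a missing value as empty and
 * bound the precision by the bytes actually parsed, never by the buffer size. */
int echo_login_fixed(const char *body, char *stack_scratch, char *out, size_t out_len) {
    char *value = stack_scratch;
    value[0] = '\0';
    int n = copy_login_value(body, value);
    if (n < 0) n = 0;
    return snprintf(out, out_len, "login=%.*s", n, value);
}

/* Runs both handlers on a valueless "login" over constructed stale data.
 * Returns 1 if only the vulnerable handler reflects the stale marker. */
int demo_check(void) {
    char scratch[VALUE_MAX], out[256];
    strcpy(scratch, "STALE:session=abc123");   /* constructed stale stack content */
    echo_login_vulnerable("login", scratch, out, sizeof out);
    int leaked = strstr(out, "session=abc123") != NULL;
    strcpy(scratch, "STALE:session=abc123");
    echo_login_fixed("login", scratch, out, sizeof out);
    return leaked && strcmp(out, "login=") == 0;
}
```

The same two properties, a cleared buffer and a precision derived from parsed length rather than buffer size, are what to look for when reviewing any reflected-input code built on %.*s.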
Real-World Exploitation: Not Just Theory
According to watchTowr CEO Benjamin Harris, they’re already seeing attackers using both CVE-2025-5777 and the related CVE-2025-6543 in the wild. This isn’t your standard “proof of concept” risk—it’s unfolding now.
Here’s why that matters:
If an attacker can steal a Citrix session token, they can access internal dashboards or services without ever needing your password. In the world of hybrid and remote work, where Citrix often sits at the heart of access management, this risk is significant.
How Attackers Are Using These Vulnerabilities
Understanding the attacker’s perspective helps clarify what’s at stake. Here’s how cybercriminals typically exploit these types of flaws:
1. Reconnaissance
- Scanning the internet for systems running vulnerable versions.
- Using automated tools to identify exposure.
2. Initial Access
- Leveraging public exploits or proof-of-concept code.
- Sending crafted requests to vulnerable endpoints.
3. Payload Delivery
- For RCE: Planting web shells, deploying backdoors, or launching ransomware.
- For data leaks: Harvesting session tokens, credentials, or sensitive config files.
4. Post-Exploitation
- Moving laterally within the network.
- Exfiltrating sensitive data.
- Establishing persistence for future access.
Remember, attackers look for the “weakest link.” Even if your primary systems are patched, one forgotten legacy app can open the door to your entire network.
What Should You Do? Action Steps for Security Teams
Let’s move from theory to practice. Here’s what you should do if your organization uses any of the affected platforms—or even if you’re not sure.
1. Identify Your Exposure
- Inventory your assets: Know which systems run MRLG, PHPMailer, Ruby on Rails, or Zimbra.
- Check Citrix NetScaler deployments: Are you running a version vulnerable to CVE-2025-5777 or CVE-2025-6543?
- Don’t forget third-party apps: Many business tools embed these components under the hood.
2. Apply Patches and Updates
- For FCEB agencies, CISA mandates remediation by July 28, 2025—but don’t wait.
- Vendors have released patches for these vulnerabilities. Review and apply them:
- PHPMailer security updates
- Ruby on Rails security updates
- Zimbra security updates
- Citrix security bulletins
- If immediate patching isn’t possible, consider temporary mitigations like disabling vulnerable features or restricting access.
3. Harden Your Systems
- Restrict network access: Limit exposure of admin interfaces to internal networks or VPN.
- Implement application firewalls: Use web application firewalls (WAFs) to catch suspicious requests.
- Enforce least privilege: Ensure accounts have only the permissions they need.
4. Monitor for Signs of Exploitation
- Review logs: Look for failed login attempts, unexpected requests, or signs of web shell deployment.
- Use threat intelligence feeds: Stay updated with CISA’s KEV catalog and vendor advisories.
5. Prepare Your Response Plan
- If compromised, act fast: Isolate affected systems, reset credentials, and conduct a full forensic review.
- Notify stakeholders: Transparency builds trust and helps coordinate recovery efforts.
Why Timely Action Is Non-Negotiable
It’s easy to push security updates down the to-do list, especially when everything seems to be working just fine. But here’s the reality: once a vulnerability is in KEV, attackers are already moving. Organizations that delay patching or mitigation sharply increase their risk—not just of breach, but of lasting reputational and financial damage.
A real-world example:
When the Citrix Bleed 1 flaw was disclosed in 2023, unpatched systems were compromised within days. Attackers automated their scans, hunted for vulnerable endpoints, and, in some cases, used stolen session tokens to access sensitive internal dashboards—without tripping traditional alarms.
Don’t be the next headline. Proactive action is your best defense.
The Bigger Picture: Security Hygiene and the Patch Management Challenge
If you’re feeling overwhelmed by the constant stream of vulnerabilities, you’re not alone. Keeping up with patch management is one of the hardest jobs in IT, especially for large, distributed organizations.
So, what’s the “secret sauce” for staying ahead?
- Automation: Use tools to scan, prioritize, and deploy patches. Manual processes just can’t keep up.
- Risk-Based Prioritization: Not every vulnerability is equally urgent. Focus on what’s actively exploited (like those in KEV), public-facing, or business-critical.
- Continuous Education: Cybersecurity is a team effort. Regularly train staff to recognize phishing, social engineering, and other common attack vectors.
Here’s the upside: Organizations with strong patch management and security hygiene are far less likely to suffer major breaches—even when zero-days appear.
Trusted Resources & Further Reading
- CISA Known Exploited Vulnerabilities Catalog
- US-CERT Alerts
- National Vulnerability Database (NVD)
- OWASP Top Ten Vulnerabilities
- Trend Micro Threat Intelligence
- Citrix Security Bulletins
Bookmark and regularly check these sources—they’re your lifeline for timely, authoritative updates.
Frequently Asked Questions (FAQ)
What is the CISA Known Exploited Vulnerabilities (KEV) catalog?
The KEV catalog is a list maintained by CISA that highlights security flaws confirmed to be under active exploitation in real-world attacks. It’s used by U.S. government agencies and private organizations to prioritize urgent patching and risk mitigation.
How do I know if my systems are affected?
Start by inventorying your software—check if you use MRLG, PHPMailer, Ruby on Rails, Zimbra, or Citrix NetScaler. Then, compare your versions against the vulnerability advisories. If in doubt, ask your IT or security team to review your environment.
What happens if I can’t patch immediately?
If you can’t patch right away, implement temporary mitigations. This could include disabling vulnerable functions, restricting access, or monitoring for suspicious activities until a permanent fix is possible.
Are these vulnerabilities being used in ransomware attacks?
While there’s no public evidence yet linking these specific vulnerabilities to ransomware, similar flaws have been used in the initial stages of ransomware campaigns—especially those offering remote code execution or data access.
How often does CISA update the KEV catalog?
CISA updates the KEV catalog regularly, sometimes multiple times a month, as new exploit activity is discovered. Subscribe to CISA’s alerts or RSS feed to stay informed.
Where can I find patches or mitigations for these vulnerabilities?
Patches and advisories are available from official vendor sources:
- PHPMailer
- Ruby on Rails
- Zimbra
- Citrix
Why are old vulnerabilities like CVE-2014-3931 still being exploited?
Many organizations still use legacy systems or haven’t applied available patches. Attackers know this and routinely scan for outdated software, making even years-old flaws valuable targets.
Key Takeaways: Stay Proactive, Not Reactive
Cyber threats are constantly evolving—but your defenses can, too. The addition of these four critical vulnerabilities to CISA’s KEV catalog is a wake-up call for everyone, not just government agencies. It’s a reminder that security is a moving target, and the attackers are always innovating.
Here’s what you should do next:
- Inventory your systems.
- Patch and mitigate immediately.
- Stay informed via trusted sources.
- Foster a culture of security awareness.
If you found this guide helpful, consider subscribing to our newsletter for ongoing security insights, or share it with your team to help spread awareness. When it comes to cybersecurity, knowledge—and swift action—are your best defense.
Stay safe. Stay vigilant. And remember: the best time to patch is always before the breach.