The U.S. Cybersecurity and Infrastructure Security Agency (CISA)
added five flaws to its Known Exploited Vulnerabilities (KEV) catalog Monday, including a
Cisco IOS/IOS XE zero-day, a
critical Sudo command-line flaw and a
maximum severity vulnerability in Fortra GoAnywhere MFT.
The most severe flaw, tracked as
CVE-2025-10035, with a CVSS score of 10, is a deserialization vulnerability in the License Servlet of
Fortra’s GoAnywhere Managed File Transfer (MFT) tool. An attacker could forge a license response signature when interacting with the servlet, leading to deserialization of an attacker-controlled object, which could then lead to arbitrary command injection.
The method an unauthenticated attacker could use to construct a valid license response was described by watchTowr in a report published Sept. 24, about a week after the flaw was first disclosed. The report explained how crafting a request to the /goanywhere/license/Unlicensed.xhtml endpoint to trigger an error will lead to the generation and exposure of an encrypted token that can be decrypted and used to craft a valid license response.
In
a subsequent Sept. 25 report, watchTowr revealed evidence of in-the-wild exploitation of CVE-2025-10035, saying the flaw may have been exploited since Sept. 10, eight days prior to its disclosure. Remediation of the flaw requires upgrading to the latest release 7.8.4 or the Sustain Release 7.6.3,
according to Fortra.
Sudo flaw, CVE-2025-32463
The second most severe vulnerability is a critical flaw in the Sudo command-line utility for Linux and Unix-like operating systems. The flaw, tracked as
CVE-2025-32463, has a CVSS score of 9.3 and could enable a local attacker to execute arbitrary commands as root.
This flaw stems from the chroot feature, which was removed in the fixed version 1.9.17p1. The chroot feature changes the apparent root directory for a process and confines the command to that specific directory.
Stratascale researchers discovered that a local attacker could plant a /etc/nsswitch.conf configuration file and a corresponding malicious library into a directory, which would then be followed (instead of the legitimate config file) whenever the directory is “chrooted.” The vulnerability could potentially be exploited by any user with the ability to write files, even if the user does not have permission to run sudo commands themselves.
Cisco IOS/IOS XE vulnerability, CVE-2025-20352
Also added to the KEV Monday was the Cisco IOS/IOS XE flaw tracked as
CVE-2025-20352, which was exploited as a zero-day prior to its disclosure last week. The flaw, which has a CVSS score of 7.7, could allow a low-privileged authenticated attacker to cause a denial of service (DoS) on IOS/IOS XE devices and an authenticated attacker with high privileges to escalate privileges and execute code as root on devices running IOS XE.
The flaw can be exploited remotely by sending crafted simple network management protocol (SNMP) packets to affected devices over IPv4 or IPv6 networks. The flaw was fixed in newer releases of IOS and IOS XE, with
Cisco advising customers to use the
Cisco Software Checker to identify the appropriate fixed release for their devices.
Two lower-severity flaws — a Libraesva Email Security Gateway (ESG) command injection bug tracked as
CVE-2025-59689 and an Adminer server-side request forgery (SSRF) tracked as
CVE-2021-21311 — were also added to the KEV Monday.
Libraesva disclosed one case of exploitation
in its advisory for CVE-2025-59689 last week and provided fixes for the vulnerability in versions 5.031, 5.1.20, 5.2.31, 5.3.16, 5.4.8 and 5.5.7.
CVE-2021-21311, which was discovered in Feb. 11, 2021, was previously
reported by Google’s Mandiant to be exploited by the threat actor UNC2903 to steal AWS secret keys in 2022, and
was patched in Adminer version 4.7.9.
Federal Civilian Executive Branch (FCEB) agencies are required to mitigate all of these vulnerabilities by Oct. 20, 2025.
