TP-Link bug, WhatsApp zero-day added to list of exploited vulnerabilities

A TP-Link TL-WA855RE flaw and a WhatsApp zero-day were added to the Known Exploited Vulnerabilities (KEV) list by the Cybersecurity and Infrastructure Security Agency (CISA).

The TP-Link bug — CVE-2020-24363 — was a high-severity vulnerability at 8.8, while the WhatsApp flaw — CVE-2025-55177 — was rated medium with a 5.4 CVSS rating.

Mayuresh Dani, security research manager at the Qualys Threat Research Unit, said the addition of CVE-2020-24363 to the KEV showed that there’s an ongoing exploitation of unmaintained legacy devices, and that the TP-Link devices have not been upgraded even after a period of five years.

“These devices will remain permanently vulnerable in environments where replacement isn't immediate, providing threat actors with a reliable foothold for lateral movement within networks,” said Dani.

Dani said CVE-2025-55177 represents advanced exploitation techniques that are exacerbated when combined with CVE-2025-43300, the Apple ImageIO framework vulnerability, for a complete device compromise.

“This zero-click WhatsApp vulnerability represents an evolution in messaging platforms by successfully chaining OS-level vulnerabilities,” said Dani. “The combination of widespread legacy device deployment, existence of similar vulnerabilities and confirmed commercial spyware campaigns warrants the inclusion of these vulnerabilities and their prioritization and remediation efforts across both federal and private sector environments.”

Jason Soroko, senior fellow at Sectigo, said the TP-Link flaw is a textbook example of an old, high-scoring bug still actively abused because devices remain in the field long after end of support. A trivial reset-and-takeover path for an attacker on the local network makes it low effort and high reward, which is exactly the kind of thing CISA wants off critical environments.

“The KEV listing is a reminder that consumer-grade gear often lingers unpatched and becomes a soft target,” said Soroko.

Soroko added that the WhatsApp case is a moderate severity flaw on paper, but it’s part of a sophisticated chain against high-value targets. Soroko said the KEV listing signals that even flaws with modest CVSS scores can be dangerous when combined with other zero-days in commercial spyware operations.

“Both entries highlight that exploitation in the wild is what drives KEV inclusion, not theoretical impact scores, and that defenders should weigh exposure and threat activity over CVSS numbers alone,” said Soroko.

Application security, Vulnerability Management, Patch/Configuration Management, Exposure management
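The prioritization point both experts make (KEV membership and exposure outrank a raw CVSS number, and unsupported hardware needs replacement or isolation rather than a patch) can be turned into a simple triage rule. The following is an added example, not code from the article or from CISA or the vendors named; the inventory, the exposure labels, the `CVE-0000-00000` placeholder and the weighting scheme are all constructed for illustration, and only the CVE ids and CVSS scores quoted above are taken from the article.

```python
"""KEV-aware vulnerability triage (added example, not from the article).

Ranks findings so that confirmed in-the-wild exploitation (presence in the
CISA KEV catalog) dominates, exposure comes second and CVSS is the tiebreaker.
"""
from dataclasses import dataclass

# Constructed subset of KEV entries, limited to the CVE ids named in the article.
KEV_CATALOG = {"CVE-2020-24363", "CVE-2025-55177", "CVE-2025-43300"}

# Constructed exposure labels and weights; adapt to your own asset model.
EXPOSURE_WEIGHT = {"internet": 3, "lan": 2, "isolated": 1}


@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float
    exposure: str   # one of EXPOSURE_WEIGHT's keys
    supported: bool  # vendor still ships fixes for this device/software


def priority_score(f: Finding) -> float:
    """Higher is more urgent. KEV membership adds a constant larger than the
    CVSS range, so a 5.4 KEV entry outranks any non-KEV finding."""
    score = f.cvss
    if f.cve in KEV_CATALOG:
        score += 10.0  # exploitation in the wild is the dominant term
    score += EXPOSURE_WEIGHT.get(f.exposure, 1)
    if not f.supported:
        score += 2.0   # no vendor patch will ever arrive; needs a different fix
    return score


def remediation_action(f: Finding) -> str:
    """Map a finding to the kind of remediation the article describes."""
    if f.cve in KEV_CATALOG and not f.supported:
        return "replace or isolate: end-of-support device, no patch available"
    if f.cve in KEV_CATALOG:
        return "patch by KEV due date"
    return "patch in normal cycle"


def prioritize(findings):
    """Return findings sorted most urgent first."""
    return sorted(findings, key=priority_score, reverse=True)


# Constructed inventory: one legacy range extender, one phone, one high-CVSS
# finding that is not in KEV (placeholder CVE id, not a real vulnerability).
SAMPLE_FINDINGS = [
    Finding("range-extender-01", "CVE-2020-24363", 8.8, "lan", supported=False),
    Finding("exec-phone-07", "CVE-2025-55177", 5.4, "internet", supported=True),
    Finding("web-frontend-02", "CVE-0000-00000", 9.8, "internet", supported=True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{priority_score(f):5.1f}  {f.asset:18} {f.cve:16} {remediation_action(f)}")
```

Run as a script it lists the TP-Link finding first despite the WhatsApp entry being more exposed, and the placeholder 9.8 finding last, because neither its CVSS nor its exposure can overcome the absence of exploitation evidence.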



