Vulnerability Management, Patch/Configuration Management, Exposure management

XWiki and VMware flaws added to CISA list of exploited vulnerabilities

Cybersecurity and Infrastructure Security Agency CISA logotype displayed on smartphone

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Oct. 30 added two bugs to its Known Exploited Vulnerabilities (KEV) catalog.

CISA first added the 9.8 critical XWiki flaw to the KEV — CVE-2025-24893. The flaw made the KEV after VulnCheck reported earlier this week that the bug could let attackers perform a remote code execution to facilitate a cryptomining operation.

The cybersecurity agency also put a high-severity 7.8 flaw in VMware Aria Operations and VMware Tools on the KEV after Broadcom posted an advisory that CVE-2025-41244 had experienced exploitation in the wild.

“The new vulnerabilities in XWiki and VMware show how quickly threat actors take advantage of weaknesses in both external applications and local privilege paths,” said Shane Barney, chief information security officer at Keeper Security.

Barney added that the common thread here is that attackers exploit what organizations overlook. Consistent patching, least privilege, segmentation and well-practiced incident response remain the most reliable defenses against a threat landscape that never slows down.

Also on Oct. 30, CISA and the National Security Agency released best practices guidance along with international partners from Australia and Canada advising security teams to harden on-premises Microsoft Exchange Server instances from potential exploitation that run in hybrid environments.

“When CISA and NSA issue specific guidance beyond applying patches, this should serve as a call to action for industry — independent of market space, geography, or target market segment,” said Tim Mackey, head of software supply chain risk at Black Duck.

Mackey said CISOs should take any guidance signal, such as that to harden Microsoft Exchange Server installations as minimally an opportunity to refine threat models and focus on tabletop exercises. Teams should also look at this advice as an opportunity to build consensus between DevOps, IT, and business leaders on how best to invest security budgets given shifts in threat landscape.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds