CISA Spotlights Apple and Microsoft NTLM Flaws in Latest Exploited Vulnerabilities Update

CISA Flags Critical Apple and Microsoft Flaws in KEV Catalog Amid Active Exploits 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added several high-risk vulnerabilities affecting Apple and Microsoft products to its Known Exploited Vulnerabilities (KEV) catalog, signaling urgent action is required to mitigate threats. 

The newly added flaws include: 

  • CVE-2025-31200 – A memory corruption issue impacting multiple Apple devices. 
  • CVE-2025-31201 – A vulnerability allowing arbitrary read/write on Apple platforms. 
  • CVE-2025-24054 – A spoofing flaw in Microsoft’s NTLM that can expose user credentials. 

Earlier this week, Apple rolled out emergency security updates addressing CVE-2025-31200 and CVE-2025-31201. These zero-day vulnerabilities have been exploited in a small number of advanced attacks targeting iOS users. 

  • CVE-2025-31200 (CoreAudio): This bug, tied to processing malicious audio streams, could lead to arbitrary code execution. Apple credits Google's Threat Analysis Group (TAG) for identifying this issue. 
  • CVE-2025-31201 (RPAC): This flaw allows attackers with read/write access to bypass Pointer Authentication, and Apple has mitigated it by removing the vulnerable code entirely. 

These patches are available for a wide range of Apple devices, including iPhone XS and newer, various iPad Pro models, iPad Air (3rd gen and up), and more. 

Though Apple hasn't disclosed in-depth technical details, the stealthy and targeted nature of the attacks suggests the involvement of sophisticated threat actors—possibly commercial spyware vendors or nation-state hackers. 

Microsoft NTLM Flaw – Actively Exploited Despite "Low Likelihood" Rating 

The third vulnerability, CVE-2025-24054, is a spoofing bug in Windows NTLM. Initially rated as “Exploitation Less Likely” by Microsoft, this flaw has since been actively abused in the wild. According to Check Point researchers, exploitation began as early as March 19, 2025—just over a week after Microsoft’s patch release. 

The flaw can be triggered by simple user interactions with a malicious file (like right-clicking or selecting it), enabling attackers to steal NTLM hashes or user passwords. A campaign targeting entities in Poland and Romania used malicious spam emails with Dropbox links to deliver exploits that included this NTLM vulnerability. 

Urgent Mitigation Required 

Under Binding Operational Directive (BOD) 22-01, U.S. federal civilian agencies are mandated to remediate all listed KEV vulnerabilities by specified deadlines to reduce exposure to known and actively exploited threats. 

Given the real-world exploitation of these vulnerabilities, especially in targeted espionage-like campaigns, organizations are strongly urged to apply the relevant patches without delay. 
