CISA Flags Apple, Craft CMS, Laravel Bugs in KEV, Orders Patching by April 3, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five critical security flaws affecting Apple, Craft CMS, and Laravel Livewire to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies are now required to implement patches for these vulnerabilities by April 3, 2026, in an effort to curb active exploitation.

High-Risk Vulnerabilities Identified

The newly listed vulnerabilities include:

  • CVE-2025-31277 (CVSS 8.8) – Apple WebKit vulnerability causing potential memory corruption via malicious web content. Patch released in July 2025.
  • CVE-2025-43510 (CVSS 7.8) – Memory corruption in Apple’s kernel that can allow malicious apps to modify shared memory. Fixed December 2025.
  • CVE-2025-43520 (CVSS 8.8) – Apple kernel vulnerability permitting unexpected system termination or kernel memory writes. Fixed December 2025.
  • CVE-2025-32432 (CVSS 10.0) – Craft CMS code injection flaw allowing remote attackers to execute arbitrary code. Fixed April 2025.
  • CVE-2025-54068 (CVSS 9.8) – Laravel Livewire code injection vulnerability enabling remote command execution in specific scenarios. Fixed July 2025.

Exploitation and Threat Actor Activity

The Apple vulnerabilities are actively exploited through an iOS exploit kit named DarkSword, according to reports from the Google Threat Intelligence Group, iVerify, and Lookout. The kit distributes malware families such as GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER, primarily for data exfiltration.

Craft CMS’s CVE-2025-32432 has reportedly been exploited as a zero-day since February 2025. Threat actors, including the Mimo (also known as Hezb) intrusion set, have used it to deploy cryptocurrency miners and residential proxyware.

Meanwhile, the Laravel Livewire vulnerability CVE-2025-54068 has been linked to attacks by the Iranian state-sponsored hacking group MuddyWater (aka Boggy Serpens). The group has targeted diplomatic, energy, maritime, and financial sectors worldwide. Palo Alto Networks’ Unit 42 notes the group increasingly combines social engineering with advanced AI-driven malware implants to maintain persistent access to critical systems.

Evolving Threat Tactics

MuddyWater’s campaigns often leverage hijacked government and corporate accounts for spear-phishing, evading reputation-based filters while delivering malware. A recent operation targeting a national marine and energy company in the UAE involved four distinct attack waves, deploying malware including GhostBackDoor, Nuso, UDPGangster, and LampoRAT.

Unit 42 highlights that the group has expanded its development capabilities, using modern programming languages such as Rust and AI-assisted workflows to ensure operational redundancy and maintain a high attack tempo. Its web-based orchestration platform automates mass email delivery while enabling precise targeting of victims.

CISA’s urgent call to patch these vulnerabilities underscores the increasing sophistication and reach of cyber threats targeting both public and private sectors. Organizations using Apple devices, Craft CMS, or Laravel Livewire are strongly advised to apply the updates immediately to prevent potential compromise.

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO