The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog, adding five high-impact flaws that are currently being weaponized by threat actors in the wild. The list includes critical vulnerabilities impacting Apple devices and the Craft CMS platform, some of which have been linked to the sophisticated DarkSword iOS exploit chain.
Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are now required to remediate these flaws by April 3, 2026, to protect their networks from active intrusion.
The most critical additions to the catalog target popular web development frameworks, providing attackers with a direct path to server takeover:
- CVE-2025-32432 (Craft CMS): Boasting a maximum CVSS score of 10.0, this code injection flaw allows for low-complexity remote code execution (RCE). It impacts versions 3.x, 4.x, and 5.x, and its patch serves as a critical secondary fix for a previously known vulnerability.
- CVE-2025-54068 (Laravel Livewire): With a CVSS score of 9.2, this flaw allows unauthenticated attackers to achieve remote command execution. The issue stems from how certain component property updates are hydrated. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction.
CISA also added multiple vulnerabilities impacting Apple's iOS, macOS, and Safari (including CVE-2025-31277, CVE-2025-43520 and CVE-2025-43510). These memory corruption and locking flaws are being triggered by “maliciously crafted web content,” a hallmark of sophisticated “watering hole” attacks.
These vulnerabilities are not just isolated bugs; they are documented components of the DarkSword exploit kit. As reported by Google Threat Intelligence Group (GTIG), DarkSword has been weaponized by multiple threat actors to deploy a suite of “Ghost” malware families:
- GHOSTBLADE: A JavaScript-based dataminer that “steals a swath of information, including crypto wallet data, system and connectivity info, browser history, photos, location and mobility, communication data from iMessage, Telegram, WhatsApp, email, calls, and contacts.”
- GHOSTKNIFE: A persistent backdoor used for exfiltrating signed-in accounts and location history.
- GHOSTSABER: A JavaScript backdoor capable of enumerating devices, listing files, and executing arbitrary code.
Immediate Remediation Steps:
- Framework Updates: Immediately upgrade Craft CMS to version 3.9.15, 4.14.15, or 5.6.17, and update Laravel Livewire to version 3.6.4 or later.
- Apple Fleet Patching: Ensure all managed iPhones, iPads, and Macs are updated to the latest OS versions (e.g., iOS 18.7.2 and corresponding Safari/macOS updates) to break the DarkSword infection chain.
- Endpoint Hunting: Scan for indicators of compromise (IoCs) related to the GHOSTBLADE and GHOSTSABER payloads, particularly on devices belonging to high-value targets like journalists or government officials.
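
The framework version check from the first remediation step, as an added example that is not part of the original report: it reads a Composer lock file and flags `craftcms/cms` and `livewire/livewire` installs below the fixed versions listed above. The Composer package names, the sample lock data, and treating each fixed version as the minimum safe release on its branch are assumptions of this example.

```python
import json
import re

# Fixed versions from the remediation step above, keyed by Composer package
# name and major version. Assumption: each is the minimum safe release on
# its own branch.
FIXED = {
    "craftcms/cms": {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)},
    "livewire/livewire": {3: (3, 6, 4)},
}

# Constructed sample of the relevant parts of a composer.lock file.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "4.14.14"},
        {"name": "livewire/livewire", "version": "v3.6.4"},
        {"name": "monolog/monolog", "version": "3.5.0"},
    ],
    "packages-dev": [],
})


def parse_version(text):
    """Turn 'v3.6.3' or '4.14.15' into (3, 6, 3); pre-release tags are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())


def audit_lock(lock_text):
    """Return (package, installed, fixed) for each package below its fixed version."""
    lock = json.loads(lock_text)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        branches = FIXED.get(pkg.get("name"))
        if not branches:
            continue
        installed = parse_version(pkg["version"])
        required = branches.get(installed[0])
        # Branches with no fixed version listed above are not evaluated.
        if required and installed < required:
            fixed = ".".join(map(str, required))
            findings.append((pkg["name"], pkg["version"], fixed))
    return findings


if __name__ == "__main__":
    for name, installed, fixed in audit_lock(SAMPLE_LOCK):
        print(f"{name} {installed} is below fixed version {fixed}")
```

Replacing `SAMPLE_LOCK` with the contents of a project's real `composer.lock` runs the same check across a fleet of PHP applications.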