
The Cybersecurity and Infrastructure Security Agency (CISA) has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, citing verified evidence of active exploitation in the wild. These flaws span multiple industries and technologies—from consumer-grade routers to enterprise-grade IT management tools.
CVE-2021-32030 & CVE-2023-39780 – ASUS Routers Hijacked in State-Linked Campaigns
Two of the newly listed vulnerabilities target ASUS routers, both of which have been exploited in a stealthy campaign attributed to a potential nation-state actor.
- CVE-2021-32030: An improper authentication flaw that was used to bypass login protections.
- CVE-2023-39780: A command injection vulnerability in ASUS RT-AX55 routers.
Security researchers at GreyNoise uncovered a large-scale exploitation campaign involving a botnet dubbed “AyySSHush”, which has compromised over 9,000 ASUS routers. The campaign uses brute-force attacks and exploits to inject an SSH public key and enable the SSH daemon on TCP port 53282, effectively giving attackers persistent backdoor access. GreyNoise’s findings echo similar activity reported by Sekoia, who noted the campaign aligns with activity they track as “Vicious Trap.” In addition to ASUS, devices from Cisco, D-Link, Linksys, QNAP, and Araknis Networks have been targeted.
CVE-2024-56145 – Craft CMS Remote Code Execution via register_argc_argv
A code injection flaw tracked as CVE-2024-56145 can lead to remote code execution when PHP’s register_argc_argv is enabled. The vulnerability affects misconfigured setups: users of affected versions are exposed if their php.ini configuration has register_argc_argv enabled.
The developers have issued patches in versions 3.9.14, 4.13.2, and 5.5.2. For those unable to upgrade, disabling the vulnerable PHP directive is the advised workaround.
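A triage check for the two conditions above (installed version against the patched releases, and the php.ini workaround), added here as an example and not taken from Craft CMS or CISA. The function names and sample php.ini text are constructed for illustration. It assumes PHP's built-in default of On when the directive is absent, reads only the single ini text it is given (no conf.d or per-directory overrides), and treats any version below the fix in its major line as unpatched.

```python
import re

# Patched releases for CVE-2024-56145 as listed in the article, keyed by major version.
FIXED = {3: (3, 9, 14), 4: (4, 13, 2), 5: (5, 5, 2)}
TRUTHY = {"1", "on", "yes", "true"}

# Constructed sample php.ini fragments (not from a real host).
SAMPLE_INI_ON = "; constructed sample\n[PHP]\nregister_argc_argv = On\n"
SAMPLE_INI_OFF = "[PHP]\nregister_argc_argv = Off ; workaround applied\n"


def register_argc_argv_enabled(ini_text):
    """Return the effective register_argc_argv setting from php.ini text."""
    enabled = True  # assumption: PHP's compiled-in default is On when unset
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        m = re.fullmatch(r"register_argc_argv\s*=\s*(.*)", line)
        if m:  # a later assignment overrides an earlier one
            enabled = m.group(1).strip().strip("\"'").lower() in TRUTHY
    return enabled


def parse_version(version):
    """'4.13.1' -> (4, 13, 1); anything after the third number is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(n) for n in m.groups())


def triage(craft_version, ini_text):
    """Classify one install: patched, exposed, mitigated or unknown."""
    v = parse_version(craft_version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return "unknown"    # major line not covered by the article
    if v >= fixed:
        return "patched"
    if register_argc_argv_enabled(ini_text):
        return "exposed"    # unpatched and the directive is on
    return "mitigated"      # unpatched, but the workaround is in place


if __name__ == "__main__":
    for ver, ini in [("4.13.1", SAMPLE_INI_ON), ("4.13.1", SAMPLE_INI_OFF),
                     ("5.5.2", SAMPLE_INI_ON), ("3.9.13", "")]:
        print(ver, triage(ver, ini))
```

A "mitigated" result still calls for the upgrade; the workaround only removes the precondition the article describes.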
CVE-2025-35939 – Craft CMS Web Parameter Tampering for Arbitrary File Writes
A second Craft CMS flaw, CVE-2025-35939, arises from improper handling of web parameters, allowing unauthenticated users to store PHP code in session files. This opens the door to potential code execution when chained with other vulnerabilities. An unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server.
This issue is fixed in Craft CMS 5.7.5 and 4.15.3. Administrators are urged to update immediately to prevent attackers from planting malicious code in server-accessible session files.
CVE-2025-3935 – ConnectWise ScreenConnect ViewState Code Injection
Finally, CVE-2025-3935 affects ConnectWise ScreenConnect, a widely used remote IT management solution. The flaw is tied to unsafe deserialization of ASP.NET ViewState, enabling remote code execution if attackers can obtain and misuse the server’s machine keys.
While ConnectWise hasn’t explicitly confirmed exploitation, the vulnerability is considered high-risk and is suspected to have played a role in a recent breach attributed to state-sponsored attackers.
In response, Federal Civilian Executive Branch (FCEB) agencies have been ordered to patch vulnerable systems by June 23.