The Cybersecurity and Infrastructure Security Agency (CISA) has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation in the wild. The flaws affect the Linux kernel, Android Runtime, and Sitecore CMS.
The first vulnerability, CVE-2025-38352, is a time-of-check to time-of-use (TOCTOU) race condition in the Linux kernel's POSIX CPU timer code. The race interferes with task cleanup and leaves the kernel in an inconsistent state, which can crash the system, cause denial of service, or serve as a stepping stone to privilege escalation.
Originally disclosed in July 2025 and patched in stable kernel 6.12.35 and later releases, the bug was not initially marked as exploited. Its inclusion in KEV now confirms that attackers are using it in real-world intrusions, most likely to escalate privileges on already compromised Linux systems.
The second flaw, CVE-2025-48543, impacts the Android Runtime (ART), which executes Java and Kotlin applications on Android devices.
Google stated in its bulletin: “There are indications that the following [CVE-2025-38352 & CVE-2025-48543] may be under limited, targeted exploitation.”
Exploitation of CVE-2025-48543 could allow a malicious application to bypass sandbox restrictions and gain elevated system privileges, posing significant risks to Android users.
The third vulnerability, CVE-2025-53690, affects legacy Sitecore CMS deployments. It stems not from a bug in ASP.NET itself, but from misconfiguration—specifically, the reuse of a sample ASP.NET machine key included in pre-2017 Sitecore guides.
By reusing this key in production, some customers inadvertently allowed anyone who possessed it to craft `__VIEWSTATE` payloads carrying a valid message authentication code (MAC). Because the MAC check passed, the server treated the payload as its own and deserialized it, resulting in remote code execution (RCE).
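The misconfiguration described above is visible in web.config, so it can be audited before an attacker gets to it. The following is an added example written for this article, not code from Sitecore, Microsoft or Mandiant: it checks a `<machineKey>` element for the failure modes named here (a key copied from a public guide, ViewState MAC disabled, legacy MAC or cipher, undersized keys) and emits a deployment-unique replacement. The config fragment, the key values and the `KNOWN_SAMPLE_KEYS` set are constructed placeholders; the real Sitecore sample key is not reproduced, so populate that set from the vendor advisory.

```python
"""Audit an ASP.NET web.config for the CVE-2025-53690 failure mode: a
<machineKey> copied from public documentation, so the ViewState MAC secret is
known to anyone who read the same guide.

Added example for this article; not Sitecore's, Microsoft's or Mandiant's code.
All keys and the config fragment below are constructed placeholders.
"""
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed stand-ins for keys that appear verbatim in public guides
# (hypothetical values; fill from the vendor advisory in real use).
KNOWN_SAMPLE_KEYS = {"0123456789ABCDEF" * 8}  # 128 hex chars

# Constructed web.config fragment mimicking a copy-pasted legacy guide.
SAMPLE_WEB_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{'0123456789ABCDEF' * 8}"
                decryptionKey="{'FEDCBA9876543210' * 3}"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>"""

HEX = re.compile(r"^[0-9A-F]+$")


def audit_machine_key(config_xml: str) -> list[str]:
    """Return findings for the first <machineKey> element (empty = nothing flagged).
    Missing attributes are read with their .NET Framework 4.x defaults
    (validation=HMACSHA256, keys AutoGenerate,IsolateApps, MAC enabled)."""
    findings = []
    mk = next(ET.fromstring(config_xml).iter("machineKey"), None)
    if mk is None:
        return findings  # framework default: per-application auto-generated keys
    # Keys may carry a ",IsolateApps" suffix; only the hex part matters here.
    vkey = mk.get("validationKey", "AutoGenerate,IsolateApps").split(",")[0].upper()
    dkey = mk.get("decryptionKey", "AutoGenerate,IsolateApps").split(",")[0].upper()
    if vkey in KNOWN_SAMPLE_KEYS:
        findings.append("validationKey is a published sample key: anyone holding it can forge __VIEWSTATE")
    elif vkey != "AUTOGENERATE" and (not HEX.match(vkey) or len(vkey) < 128):
        findings.append("validationKey shorter than the 64 bytes (128 hex chars) recommended for HMACSHA256")
    if dkey != "AUTOGENERATE" and (not HEX.match(dkey) or len(dkey) < 64):
        findings.append("decryptionKey shorter than the 32 bytes (64 hex chars) of a 256-bit AES key")
    if mk.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState is not authenticated at all")
    validation = mk.get("validation", "HMACSHA256").upper()
    if validation in ("MD5", "SHA1"):
        findings.append(f"validation={validation}: legacy MAC, use HMACSHA256")
    decryption = mk.get("decryption", "AUTO").upper()
    if decryption in ("DES", "3DES"):
        findings.append(f"decryption={decryption}: legacy cipher, use AES")
    return findings


def harden_config(config_xml: str) -> str:
    """Return config_xml with <machineKey> replaced by freshly generated,
    deployment-unique keys (same sizes IIS Manager's 'Generate Keys' uses).
    Rotating keys invalidates outstanding ViewState and forms-auth tickets, so
    every node of a web farm must receive the same new element together."""
    root = ET.fromstring(config_xml)
    web = next(root.iter("system.web"), None)
    if web is None:
        web = ET.SubElement(root, "system.web")
    mk = next(web.iter("machineKey"), None)
    if mk is None:
        mk = ET.SubElement(web, "machineKey")
    mk.attrib.clear()  # drops enableViewStateMac="false" and any stale settings
    mk.set("validationKey", secrets.token_hex(64).upper())  # 64 random bytes
    mk.set("decryptionKey", secrets.token_hex(32).upper())  # 32 random bytes
    mk.set("validation", "HMACSHA256")
    mk.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
    print(harden_config(SAMPLE_WEB_CONFIG))
```

Run it against a live file with `audit_machine_key(open(path).read())`. Key rotation is the fix for the forgery path, but it does not evict an attacker who already has a foothold; after rotating, review the host for the post-exploitation artifacts described below and restart the application pools so the old key is no longer in memory.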
Researchers at Mandiant observed exploitation of this flaw in the wild, with attackers dropping a reconnaissance backdoor called WeepSteel. The malware gathers host and network information while disguising exfiltration as normal ViewState responses.
Follow-on activity included deployment of Earthworm (a tunneling proxy) and Dwagent (a remote access tool), and use of 7-Zip to stage data for exfiltration. Attackers also created rogue administrator accounts (asp$, sawadmin), dumped cached credentials, and attempted token impersonation with GoTokenTheft. Persistence was achieved by disabling password expiration on those accounts and registering Dwagent as a SYSTEM service.
Under CISA's Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate these vulnerabilities by September 25, 2025. While the deadline is mandatory only for federal networks, CISA strongly urges all organizations to apply the available mitigations.