The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) Catalog with four new entries that are currently under active exploitation. These critical vulnerabilities affect a range of platforms, including CrushFTP, Google Chrome, and SysAid, and expose systems to admin compromise, remote code execution (RCE), and sandbox escapes.
CVE-2025-54309: CrushFTP Unprotected Alternate Channel Vulnerability
CrushFTP servers prior to versions 10.8.5 and 11.3.4_23 are affected by a flaw that allows remote attackers to bypass authentication when the DMZ proxy feature is not in use.
CrushFTP mishandles AS2 validation and consequently allows remote attackers to obtain admin access over HTTPS; the vulnerability was already exploited in the wild in July 2025.
This bug could grant full administrative control over the server—a highly attractive target for attackers seeking to establish persistence or exfiltrate sensitive files.
CVE-2025-6558: Google Chrome GPU Sandbox Escape
This vulnerability impacts the ANGLE and GPU components in Google Chrome prior to version 138.0.7204.157. The flaw stems from improper input validation, allowing a specially crafted HTML page to escape the browser’s sandbox.
Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
Such an escape can serve as a critical link in a multi-stage attack chain, where a browser-based exploit pivots into executing code with broader privileges on the underlying system.
CVE-2025-2775 and CVE-2025-2776: SysAid On-Prem XXE Vulnerabilities
Two high-severity vulnerabilities have been discovered in SysAid’s on-premise IT service management platform. Both are classified as XML External Entity (XXE) injection flaws, which allow attackers to interfere with how XML input is parsed.
According to researchers Sina Kheirkhah and Jake Knott from watchTowr Labs, the vulnerabilities occur in the /mdm/checkin endpoint:
“A pre-authenticated XXE… trivial to exploit by means of a specially crafted HTTP POST request,” the report explains.
The implications are serious. Successful exploitation enables attackers to retrieve sensitive local files, including the InitAccount.cmd file, which contains SysAid’s admin username and plaintext password. With those credentials, the attacker can gain full administrative access, and potentially launch server-side request forgery (SSRF) or remote code execution attacks.
These issues were resolved with the release of SysAid On-Prem version 24.4.60 b16 in March 2025. However, a proof-of-concept exploit chaining these vulnerabilities has been made publicly available—heightening the urgency for immediate patching.
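The XXE class described above is mitigated at the parser: a service that accepts client-supplied XML should refuse DTDs, entity declarations and external entity references outright, since a check-in body has no legitimate use for them. The following is an added defensive example and not SysAid's code; the `<checkin>` element names, the sample bodies and the placeholder file path are constructed, and it relies only on Python's standard-library `expat` and `ElementTree`. It also shows why the tempting shortcut of searching the raw bytes for `<!DOCTYPE` is not enough: a UTF-16 encoded body slips past that search but not past the parser-level gate.

```python
"""
Hardened intake for client-supplied XML on an endpoint such as a device
check-in. Added defensive example, not SysAid's code: the <checkin> schema,
the element names and the sample bodies below are constructed.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat

MAX_BODY_BYTES = 64 * 1024            # refuse oversized bodies before parsing
ALLOWED_FIELDS = {"deviceId", "osVersion"}


class UnsafeXMLError(ValueError):
    """Raised for any body we refuse to process (DTD, oversized, malformed)."""


def _forbid(*_args):
    # Installed as the expat handler for DOCTYPE, entity declarations and
    # external entity references: any of them aborts the parse.
    raise UnsafeXMLError("DTD, entity declarations and external entities are not permitted")


def naive_has_dtd(raw: bytes) -> bool:
    # The byte-string shortcut, kept only to make its gap visible:
    # a UTF-16 body does not contain these ASCII byte sequences.
    return b"<!DOCTYPE" in raw or b"<!ENTITY" in raw


def assert_no_dtd(raw: bytes) -> None:
    # Gate the raw bytes with expat itself, so the check follows the same
    # encoding detection (BOM, encoding declaration) as the real parse.
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _forbid
    parser.EntityDeclHandler = _forbid
    parser.ExternalEntityRefHandler = _forbid
    try:
        parser.Parse(raw, True)
    except expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc


def parse_checkin(raw: bytes) -> dict:
    """Return {field: value} for a well-formed, DTD-free check-in body."""
    if len(raw) > MAX_BODY_BYTES:
        raise UnsafeXMLError(f"body of {len(raw)} bytes exceeds limit")
    assert_no_dtd(raw)
    # Second pass builds the tree. ElementTree does not fetch external entities,
    # but it does expand internal ones, so the gate above is what stops
    # entity-expansion (billion laughs) as well as XXE.
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc
    if root.tag != "checkin":
        raise UnsafeXMLError(f"unexpected root element {root.tag!r}")
    fields = {}
    for child in root:
        if child.tag not in ALLOWED_FIELDS:
            raise UnsafeXMLError(f"unexpected element {child.tag!r}")
        fields[child.tag] = (child.text or "").strip()
    return fields


# Constructed sample bodies; the file path is a placeholder, not a real target.
BENIGN = (b'<?xml version="1.0"?>'
          b"<checkin><deviceId>dev-0001</deviceId><osVersion>14.2</osVersion></checkin>")
WITH_DTD = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE checkin [<!ENTITY ext SYSTEM "file:///PLACEHOLDER_PATH">]>'
            b"<checkin><deviceId>&ext;</deviceId></checkin>")
# The same body re-encoded as UTF-16 (.encode prepends a BOM), which a
# byte-string search for "<!DOCTYPE" cannot see.
WITH_DTD_UTF16 = (WITH_DTD.decode("ascii")
                  .replace('version="1.0"', 'version="1.0" encoding="UTF-16"')
                  .encode("utf-16"))


def demo() -> dict:
    """Run the three samples and report which were accepted."""
    outcome = {}
    for name, body in (("benign", BENIGN), ("dtd", WITH_DTD), ("dtd_utf16", WITH_DTD_UTF16)):
        try:
            parse_checkin(body)
            outcome[name] = "accepted"
        except UnsafeXMLError as exc:
            outcome[name] = f"rejected: {exc}"
    return outcome


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} {result}")
```

Running the module accepts the benign body and rejects both DTD-bearing bodies, while `naive_has_dtd` returns `False` for the UTF-16 variant. The two passes over the body are deliberate: the C-accelerated `ElementTree` parser does not expose its expat handlers, so the gate is run separately on the raw bytes, and the cost is negligible for bodies capped at 64 KiB. Rejections should be logged with the request path and source address, since on an endpoint like `/mdm/checkin` a DTD in a pre-authentication body is itself a strong detection signal.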
Urgent Recommendations
Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate these vulnerabilities by August 12, 2025, as exploitation in the wild has already been confirmed.