The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two high-risk vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, citing confirmed in-the-wild exploitation of both flaws. The entries include a zero-click iOS vulnerability exploited by mercenary spyware and a command injection flaw in TP-Link routers used for remote code execution.
The iOS flaw, tracked as CVE-2025-43200, affects multiple Apple products and stems from a logic error in the handling of photos and videos shared via iCloud Links. Apple patched the issue in iOS 18.3.1, released on February 10, 2025, but exploitation had already begun by early 2025.
The flaw, according to Apple, was a logic issue triggered by processing a maliciously crafted photo or video shared via an iCloud Link.

According to an investigation by Citizen Lab, the exploit was deployed using Paragon’s Graphite spyware, a commercial surveillance platform used in targeted attacks. The spyware was delivered through a zero-click iMessage exploit and affected devices running iOS 18.2.1.
Once the vulnerability was triggered, the spyware initiated contact with a command-and-control server (46.183.184[.]91), quietly installing surveillance tools without the victim’s interaction or knowledge.
The second actively exploited flaw, CVE-2023-33538, affects several models of TP-Link wireless routers, including the TL-WR940N V2/V4 and TL-WR841N V8/V10. The vulnerability resides in the /userRpm/WlanNetworkRpm web interface component and allows an attacker to inject system-level commands through the ssid1 GET parameter.
A crafted HTTP request can trigger command injection, enabling remote attackers to run arbitrary commands on the device. This could lead to full device compromise, lateral movement across networks, or even enlistment into botnets.
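A defender-side check for the TP-Link flaw described above, added here as an example that is not from the article or from TP-Link: it scans router web-access log lines for requests to /userRpm/WlanNetworkRpm whose ssid1 value carries shell metacharacters or exceeds the 32-octet SSID limit. The log format, sample lines and the .htm path suffix are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined style), not real traffic.
# Line 2 carries a URL-encoded ';' in ssid1, the shape of the injection.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Jun/2025:10:01:02 +0000] "GET /userRpm/WlanNetworkRpm.htm?ssid1=HomeWifi&channel=6 HTTP/1.1" 200 512
203.0.113.7 - - [16/Jun/2025:10:01:09 +0000] "GET /userRpm/WlanNetworkRpm.htm?ssid1=abc%3Bid%3B&channel=1 HTTP/1.1" 200 512
10.0.0.8 - - [16/Jun/2025:10:02:14 +0000] "GET /userRpm/StatusRpm.htm HTTP/1.1" 200 2048
"""

# Pulls the method and request target out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Shell metacharacters that never belong in a legitimate SSID.
META_RE = re.compile(r'[;|&`$<>\n\r]|\$\(')

# Assumed path prefix; the real firmware may append .htm or other suffixes.
VULN_PATH_PREFIX = "/userRpm/WlanNetworkRpm"
MAX_SSID_OCTETS = 32  # 802.11 limit on SSID length


def suspicious_ssid(value: str) -> bool:
    """True if the SSID value looks like an injection attempt rather than a network name."""
    return bool(META_RE.search(value)) or len(value.encode()) > MAX_SSID_OCTETS


def scan_log(text: str) -> list:
    """Return one finding per request with a suspicious ssid1 parameter on the vulnerable path."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith(VULN_PATH_PREFIX):
            continue
        # parse_qs URL-decodes values, so %3B is inspected as ';'.
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("ssid1", []):
            if suspicious_ssid(value):
                hits.append({"src": line.split()[0], "ssid1": value})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"ALERT src={hit['src']} ssid1={hit['ssid1']!r}")
```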
In response, CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies remediate the vulnerabilities by July 7, 2025.