CISA Adds Critical Vulnerabilities to the KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently updated its Known Exploited Vulnerabilities (KEV) catalog, highlighting two serious security flaws affecting both Erlang/Open Telecom Platform (OTP) SSH and Roundcube Webmail. This addition comes on the heels of confirmed active exploitation of these vulnerabilities.
Overview of the Vulnerabilities
The two vulnerabilities are:
- CVE-2025-32433 (CVSS score: 10.0): A missing-authentication flaw in the Erlang/OTP SSH server that allows unauthenticated users to execute arbitrary commands, i.e. unauthenticated remote code execution. It was patched in April 2025 in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20.
- CVE-2024-42009 (CVSS score: 9.3): A cross-site scripting (XSS) vulnerability in Roundcube Webmail that could let attackers read and send emails from a victim's account by way of a specially crafted message. The issue stems from a desanitization error in the mail display script located in program/actions/mail/show.php. A fix was released in August 2024 with versions 1.6.8 and 1.5.8.
Exploitation Insights
At this point, specific details about how these vulnerabilities are being exploited in the wild remain scarce. Recent reports indicate that the threat actor known as APT28, linked to Russian state-sponsored activity, has exploited multiple XSS vulnerabilities in webmail applications including Roundcube. It is still uncertain whether CVE-2024-42009 is connected to that activity.
Censys, a cybersecurity data platform, has identified approximately 340 exposed Erlang servers globally, though not all of them are necessarily vulnerable. The public disclosure of CVE-2025-32433 has already led to the emergence of several proof-of-concept (PoC) exploits, raising concerns among cybersecurity experts.
Given this active exploitation landscape, Federal Civilian Executive Branch (FCEB) agencies have been mandated to implement the necessary fixes by June 30, 2025, in order to safeguard their systems.
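Because both fixes are branch-specific (an OTP 26 host is only safe at 26.2.5.11 or later, not because "27.3.3 is out"), a practical first step for an owner of such systems is to compare each observed version against the fixed version for its own release branch. The following triage helper is an added example written for this article; it is not code from CISA, the Erlang/OTP project or Roundcube. It assumes version strings in the forms shown in the article (for example "OTP-26.2.5.10" or "1.6.7"), and the inventory it runs over is a constructed sample, not real scan output.

```python
"""Flag installed Erlang/OTP and Roundcube versions that predate the fixes for
CVE-2025-32433 and CVE-2024-42009 named in the article.
Constructed triage example; not vendor or CISA code."""
import re

# Fixed versions per release branch, taken from the article text.
# Branches not listed here (e.g. OTP 28, Roundcube 1.4) are reported as
# unknown-branch rather than guessed, since the article does not cover them.
FIXED = {
    "erlang-otp": {"27": (27, 3, 3), "26": (26, 2, 5, 11), "25": (25, 3, 2, 20)},
    "roundcube": {"1.6": (1, 6, 8), "1.5": (1, 5, 8)},
}


def parse_version(raw):
    """Turn 'OTP-26.2.5.10' or '1.6.7' into an integer tuple such as (26, 2, 5, 10)."""
    m = re.search(r"(\d+(?:\.\d+)+)", raw)
    if not m:
        raise ValueError(f"no dotted version number in {raw!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def branch_of(product, version):
    """OTP branches are the major number; Roundcube branches are major.minor."""
    if product == "erlang-otp":
        return str(version[0])
    return f"{version[0]}.{version[1]}"


def status(product, raw):
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one observed version.

    Tuple comparison is lexicographic, so a short version such as 26.2.5 sorts
    below 26.2.5.11 and is correctly reported as vulnerable."""
    version = parse_version(raw)
    fixed = FIXED[product].get(branch_of(product, version))
    if fixed is None:
        return "unknown-branch"
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory):
    """Annotate a list of (product, version) pairs with their patch status."""
    return [(product, raw, status(product, raw)) for product, raw in inventory]


# Constructed sample inventory, as an asset scan might export it.
INVENTORY = [
    ("erlang-otp", "OTP-26.2.5.10"),
    ("erlang-otp", "OTP-27.3.3"),
    ("erlang-otp", "OTP-28.0"),
    ("roundcube", "1.6.7"),
    ("roundcube", "1.5.8"),
    ("roundcube", "1.4.15"),
]

if __name__ == "__main__":
    for product, raw, result in triage(INVENTORY):
        print(f"{product:11} {raw:15} {result}")
```

Anything reported as unknown-branch should be checked against the vendor's own advisory rather than assumed safe; the helper deliberately refuses to extrapolate beyond the fixed versions the article names.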
Additional Security Concerns with WordPress Plugins
In a related development, Patchstack has identified a critical account takeover vulnerability in the PayU CommercePro plugin for WordPress, designated as CVE-2025-31022, which has garnered a CVSS score of 9.8. This vulnerability can allow attackers to take control of any user account on a site, including those with administrative privileges, without requiring authentication.
The issue arises from a function named update_cart_data(), reachable through the endpoint /payu/v1/get-shipping-cost. The function checks for a valid email address before processing an e-commerce order, but the check is flawed: the email is hard-coded as "commerce.pro@payu[.]in", and a separate API exists to generate authentication tokens, so an attacker can pass the check with little effort.
Website owners using this plugin are urged to deactivate and remove it until developers issue a fix.
Patchstack emphasized the importance of securing unauthenticated REST API endpoints and criticized the practice of hard-coding sensitive information in the codebase.
The Scope of Roundcube Vulnerabilities
In terms of exposure, Censys reports 2,473,116 publicly accessible Roundcube Webmail instances, many of them located in Europe and North America. That figure represents a broad attack surface, though, as with the Erlang servers, the count reflects exposure rather than confirmed vulnerability.