Current Activity

Today, CISA—in partnership with the Federal Bureau of Investigation (FBI) and Multi-State Information Sharing and Analysis Center (MS-ISAC)—released a joint Cybersecurity Advisory, #StopRansomware: Ghost (Cring) Ransomware. This advisory provides network defenders with indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and detection methods associated with Ghost ransomware activity identified through FBI investigations.

Ghost actors conduct these widespread attacks targeting and compromising organizations with outdated versions of software and firmware on their internet facing services. These malicious ransomware actors are known to use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) where available patches have not been applied to gain access to internet facing servers. The known CVEs are CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207.

CISA encourages network defenders to review this advisory and apply the recommended mitigations. See #StopRansomware and the #StopRansomware Guide for additional guidance on ransomware protection, detection, and response. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including added recommended baseline protections.

CISA has added two vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2025-0108 Palo Alto PAN-OS Authentication Bypass Vulnerability
• CVE-2024-53704 SonicWall SonicOS SSLVPN Improper Authentication Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA released two Industrial Control Systems (ICS) advisories on February 18, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-191-01 Delta Electronics CNCSoft-G2 (Update A)
• ICSA-25-035-02 Rockwell Automation GuardLogix 5380 and 5580 (Update A)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

CISA released twenty Industrial Control Systems (ICS) advisories on February 13, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-044-01 Siemens SIMATIC S7-1200 CPU Family
• ICSA-25-044-02 Siemens SIMATIC
• ICSA-25-044-03 Siemens SIPROTEC 5
• ICSA-25-044-04 Siemens SIPROTEC 5
• ICSA-25-044-05 Siemens SIPROTEC 5 Devices
• ICSA-25-044-06 Siemens RUGGEDCOM APE1808 Devices
• ICSA-25-044-07 Siemens Teamcenter
• ICSA-25-044-08 Siemens OpenV2G
• ICSA-25-044-09 Siemens SCALANCE W700
• ICSA-25-044-10 Siemens Questa and ModelSim
• ICSA-25-044-11 Siemens APOGEE PXC and TALON TC Series
• ICSA-25-044-12 Siemens SIMATIC IPC DiagBase and SIMATIC IPC DiagMonitor
• ICSA-25-044-13 Siemens SIMATIC PCS neo and TIA Administrator
• ICSA-25-044-14 Siemens Opcenter Intelligence
• ICSA-25-044-15 ORing IAP-420
• ICSA-25-044-16 mySCADA myPRO Manager
• ICSA-25-044-17 Outback Power Mojave Inverter
• ICSA-25-044-18 Dingtian DT-R0 Series
   
• ICSA-24-030-02 Mitsubishi Electric FA Engineering Software Products (Update C)
   
• ICSMA-25-044-01 Qardio Heart Health IOS and Android Application and QardioARM A100

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

•     CVE-2024-57727 SimpleHelp Path Traversal Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA and the Federal Bureau of Investigation (FBI) have released a Secure by Design Alert, Eliminating Buffer Overflow Vulnerabilities, as part of their cooperative Secure by Design Alert series—an ongoing series aimed at advancing industry-wide best practices to eliminate entire classes of vulnerabilities during the design and development phases of the product lifecycle. “Eliminating Buffer Overflow Vulnerabilities” describes proven techniques to prevent or mitigate buffer overflow vulnerabilities through secure by design principles and best practices.

Buffer overflow vulnerabilities are a prevalent type of defect in memory-safe software design that can lead to system compromise. These vulnerabilities can lead to data corruption, sensitive data exposure, program crashes, and unauthorized code execution. Threat actors frequently exploit these vulnerabilities to gain initial access to an organization’s network and then move laterally to the wider network.

CISA and FBI urge manufacturers review the Alert and, where feasible, eliminate this class of defect by developing new software using memory-safe languages, using secure by design methods, and implementing the best practices supplied in this Alert. CISA and FBI also urge software customers demand secure products from manufacturers that include these preventions. Visit CISA’s Secure by Design Pledge page to learn about our voluntary pledge, which focuses on enterprise software products and services—including on-premises software, cloud services, and software as a service (SaaS).

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2025-24200 Apple iOS and iPadOS Incorrect Authorization Vulnerability
• CVE-2024-41710 Mitel SIP Phones Argument Injection Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA has added four vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-40891 Zyxel DSL CPE OS Command Injection Vulnerability
• CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
• CVE-2025-21418 Microsoft Windows Ancillary Function Driver for WinSock Heap-Based Buffer Overflow Vulnerability
• CVE-2025-21391 Microsoft Windows Storage Link Following Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA released two Industrial Control Systems (ICS) advisories on February 11, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-319-17 2N Access Commander (Update A)
• ICSA-25-037-04 Trimble Cityworks (Update A)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

CISA is collaborating with private industry partners to respond to reports of exploitation of a vulnerability (CVE-2025-0994) discovered by Trimble impacting its Cityworks Server AMS (Asset Management System). Trimble has released security updates and an advisory addressing a recently discovered deserialization vulnerability enabling an external actor to potentially conduct remote code execution (RCE) against a customer’s Microsoft Internet Information Services (IIS) web server. 

CISA has added CVE-2025-0994 to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. 

CISA strongly encourages users and administrators to search for indicators of compromise (IOCs) and apply the necessary updates and workarounds. 

Review the following article for more information: 

• Trimble Advisory and IOCs for Vulnerability Affecting Cityworks Deployments 

The Symantec Threat Hunter team, part of Broadcom, contributed to this guidance. 

CISA has added one vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2025-0994 Trimble Cityworks Deserialization Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA has added five vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2025-0411 7-Zip Mark of the Web Bypass Vulnerability
• CVE-2022-23748 Dante Discovery Process Control Vulnerability
• CVE-2024-21413 Microsoft Outlook Improper Input Validation Vulnerability
• CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
• CVE-2020-15069 Sophos XG Firewall Buffer Overflow Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA released six Industrial Control Systems (ICS) advisories on February 6, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-037-01 Schneider Electric EcoStruxure Power Monitoring Expert (PME)
• ICSA-25-037-02 Schneider Electric EcoStruxure
• ICSA-25-037-03 ABB Drive Composer
• ICSA-25-037-04 Trimble Cityworks
• ICSMA-25-037-01 MicroDicom DICOM Viewer
• ICSMA-25-037-02 Orthanc Server

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-53104 Linux Kernel Out-of-Bounds Write Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-45195 Apache OFBiz Forced Browsing Vulnerability
• CVE-2024-29059 Microsoft .NET Framework Information Disclosure Vulnerability
• CVE-2018-9276 Paessler PRTG Network Monitor OS Command Injection Vulnerability
• CVE-2018-19410 Paessler PRTG Network Monitor Local File Inclusion Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA—in partnership with international and U.S. organizations—released guidance to help organizations protect their network edge devices and appliances, such as firewalls, routers, virtual private networks (VPN) gateways, Internet of Things (IoT) devices, internet-facing servers, and internet-facing operational technology (OT) systems. The published guidance is as follows:

• “Security Considerations for Edge Devices,” led by the Canadian Centre for Cyber Security (CCCS), a part of the Communications Security Establishment Canada.
• “Digital Forensics Monitoring Specifications for Products of Network Devices and Applications,” led by the United Kingdom’s National Cyber Security Centre (NCSC-UK).
• “Mitigation Strategies for Edge Devices: Executive Guidance” and “Mitigation Strategies for Edge Devices: Practitioner Guidance,” two separate guides led by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC).

Foreign adversaries routinely exploit software vulnerabilities in network edge devices to infiltrate critical infrastructure networks and systems. The damage can be expensive, time-consuming, and reputationally catastrophic for public and private sector organizations. These guidance documents detail various considerations and strategies for a more secure and resilient network both before and after a compromise.

CISA and partner agencies urge device manufacturers and critical infrastructure owners and operators to review and implement the recommended actions and mitigations in the publications. Device manufacturers, please visit CISA’s Secure by Design page for more information on how to align development processes with the goal of reducing the prevalence of vulnerabilities in devices. Critical infrastructure owners and operators, please see Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products for guidance on procuring secure products.

CISA released nine Industrial Control Systems (ICS) advisories on February 4, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-035-01 Western Telematic Inc NPS Series, DSM Series, CPM Series
• ICSA-25-035-02 Rockwell Automation 1756-L8zS3 and 1756-L3zS3
• ICSA-25-035-03 Elber Communications Equipment
• ICSA-25-035-04 Schneider Electric Modicon M580 PLCs, BMENOR2200H and EVLink Pro AC
• ICSA-25-035-05 Schneider Electric Web Designer for Modicon
• ICSA-25-035-06 Schneider Electric Modicon M340 and BMXNOE0100/0110, BMXNOR0200H
• ICSA-25-035-07 Schneider Electric Pro-face GP-Pro EX and Remote HMI
• ICSA-25-035-08 AutomationDirect C-more EA9 HMI
• ICSA-23-299-03 Ashlar-Vellum Cobalt, Graphite, Xenon, Argon, Lithium (Update A)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

CISA released a fact sheet, Contec CMS8000 Contains a Backdoor, detailing an analysis of three firmware package versions of the Contec CMS8000, a patient monitor used by the U.S. Healthcare and Public Health (HPH) sector. Analysts discovered that an embedded backdoor function with a hard-coded IP address, CWE – 912: Hidden Functionality (CVE-2025-0626), and functionality that enables patient data spillage, CWE – 359: Exposure of Private Personal Information to an Unauthorized Actor (CVE-2025-0683), exists in all versions analyzed.

Please note the Contec CMS8000 may be re-labeled and sold by resellers. For a list of known re-labeled devices, please refer to FDA’s safety communication, Cybersecurity Vulnerabilities with Certain Patient Monitors from Contec and Epsimed: FDA Safety Communication.

Contec Medical Systems, the company which manufactures this monitor as well as other medical device and healthcare solutions, is headquartered in Qinhuangdao, China. The Contec CMS8000 is used in medical settings across the U.S. and European Union to provide continuous monitoring of a patient’s vital signs—tracking electrocardiogram, heart rate, blood oxygen saturation, non-invasive blood pressure, temperature, and respiration rate. CISA assesses that inclusion of this backdoor in the firmware of the patient monitor can create conditions which may allow remote code execution and device modification with the ability to alter its configuration. This introduces risk to patient safety as a malfunctioning patient monitor could lead to an improper response to patient vital signs.

CISA strongly urges HPH sector organizations review the fact sheet and implement FDA's mitigations. Visit CISA’s Healthcare and Public Health Cybersecurity page to learn more about how to help improve cybersecurity within the HPH sector. For more information and guidance on protection against the most common and impactful threats, tactics, techniques, and procedures, visit CISA’s Cross-Sector Cybersecurity Performance Goals.

CISA released eight Industrial Control Systems (ICS) advisories on January 30, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-030-01 Hitachi Energy UNEM
• ICSA-25-030-02 New Rock Technologies Cloud Connected Devices
• ICSA-25-030-03 Schneider Electric System Monitor Application in Harmony and Pro-face PS5000 Legacy Industrial PCs
• ICSA-25-030-04 Rockwell Automation KEPServer
• ICSA-25-030-05 Rockwell Automation FactoryTalk AssetCentre
   
• ICSMA-25-030-01 Contec Health CMS8000 Patient Monitor 
   
• ICSA-24-135-04 Mitsubishi Electric Multiple FA Engineering Software Products (Update B)
• ICSMA-22-244-01 Contec Health CMS8000 Patient Monitor (Update A)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation, as confirmed by Fortinet.

• CVE-2025-24085 Apple Multiple Products Use-After-Free Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.