The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies must remediate the flaws by April 3, 2026; other organizations are urged to use the same deadline to reduce exposure to ongoing attacks.
Affected Vulnerabilities Across Apple and Web Platforms
The newly listed vulnerabilities affect products from Apple, Craft CMS, and Laravel Livewire. All five have evidence of in-the-wild exploitation, which is the criterion for KEV inclusion and the reason for the short remediation window:
- CVE-2025-31277, affecting Apple WebKit: processing maliciously crafted web content can lead to memory corruption.
- CVE-2025-43510, a kernel memory issue in Apple operating systems that may allow unexpected memory manipulation across processes.
- CVE-2025-43520, another Apple kernel flaw that can cause a system crash or unauthorized writes to kernel memory.
- CVE-2025-32432, a critical code injection issue in Craft CMS that enables remote code execution.
- CVE-2025-54068, in Laravel Livewire, which allows unauthenticated attackers to execute commands remotely under certain conditions.
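For teams that track KEV deadlines programmatically, the following is an added example (not code from CISA or from the article) that reads a KEV-shaped JSON document, keeps only the entries whose vendor/product pair appears in a local inventory, and annotates each with the days remaining until its BOD 22-01 due date. The feed excerpt is constructed in the real field layout of CISA's published JSON (cveID, vendorProject, product, dateAdded, dueDate, requiredAction, knownRansomwareCampaignUse); the five CVE IDs and the April 3, 2026 due date come from this article, while the dateAdded values, product strings and inventory are illustrative assumptions.

```python
"""Cross-check a software inventory against a CISA KEV JSON feed.

Added example, not CISA's or the article's code. Runs offline on the
constructed excerpt below; swap KEV_SAMPLE for the live feed fetched from
KEV_FEED_URL in production.
"""
import json
from datetime import date

KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

def _entry(cve, vendor, product, due="2026-04-03", added="2026-03-13"):
    # Helper to build one catalog entry in the KEV field layout.
    # dateAdded and product strings are assumptions for illustration.
    return {
        "cveID": cve, "vendorProject": vendor, "product": product,
        "dateAdded": added, "dueDate": due,
        "requiredAction": "Apply mitigations per vendor instructions.",
        "knownRansomwareCampaignUse": "Unknown",
    }

# Constructed excerpt: CVE IDs and the due date are from the article.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "vulnerabilities": [
        _entry("CVE-2025-31277", "Apple", "Multiple Products"),
        _entry("CVE-2025-43510", "Apple", "Multiple Products"),
        _entry("CVE-2025-43520", "Apple", "Multiple Products"),
        _entry("CVE-2025-32432", "Craft CMS", "Craft CMS"),
        _entry("CVE-2025-54068", "Laravel", "Livewire"),
    ],
})

# Constructed inventory: (vendorProject, product) pairs this organization runs.
# Livewire is deliberately absent so its entry is filtered out.
INVENTORY = {("Apple", "Multiple Products"), ("Craft CMS", "Craft CMS")}


def kev_matches(feed_json, inventory, today):
    """Return inventory-relevant KEV entries with days left until the due date.

    today may be a datetime.date or an ISO 'YYYY-MM-DD' string. Matching is
    case-insensitive on the exact vendorProject/product strings; a real
    deployment would map these to CPEs or asset tags instead.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    hits = []
    for entry in json.loads(feed_json)["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        if key not in wanted:
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        hits.append({
            "cveID": entry["cveID"],
            "vendorProject": entry["vendorProject"],
            "product": entry["product"],
            "dueDate": entry["dueDate"],
            "days_left": days_left,
            "overdue": days_left < 0,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    # Soonest deadline first; CVE ID breaks ties so output is deterministic.
    hits.sort(key=lambda h: (h["dueDate"], h["cveID"]))
    return hits


def overdue_cves(feed_json, inventory, today):
    """CVE IDs from the inventory whose KEV due date has already passed."""
    return [h["cveID"] for h in kev_matches(feed_json, inventory, today) if h["overdue"]]


if __name__ == "__main__":
    for h in kev_matches(KEV_SAMPLE, INVENTORY, "2026-03-20"):
        flag = "OVERDUE" if h["overdue"] else f"{h['days_left']}d left"
        print(f"{h['cveID']:16} {h['vendorProject']}/{h['product']:18} due {h['dueDate']} ({flag})")
```

Run against the live feed, the same two functions give a daily list of open KEV items per asset and a separate list of missed deadlines; the Livewire entry is dropped here only because the constructed inventory does not list it, not because it is less urgent.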
Active Exploitation and Malware Campaigns
Security researchers have linked several of these vulnerabilities to real-world attacks. Google Threat Intelligence Group, iVerify, and Lookout have reported an exploit chain named DarkSword, which has been used to deploy the GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER malware families, primarily for data theft.
The Craft CMS flaw, CVE-2025-32432, has reportedly been exploited as a zero-day since early 2025, with attackers using it to install cryptocurrency miners and proxyware on compromised servers.
Advanced Persistent Threat Activity
The MuddyWater threat group, also known as Boggy Serpens, has been actively exploiting these vulnerabilities. Linked to Iran’s intelligence services, the group focuses on cyber espionage and has targeted sectors like energy, finance, and government systems.
Palo Alto Networks noted that the group uses advanced techniques, including AI-assisted malware development and social engineering, to maintain persistence and evade detection.
Its campaigns often involve spear phishing sent from compromised accounts at trusted organizations, which helps the messages bypass security filters and raises the success rate.
Ongoing Cyber Espionage Campaigns
MuddyWater has also run long-term operations, including a sustained campaign against a UAE-based marine and energy company. Across multiple attack waves it deployed malware such as GhostBackDoor and Nuso alongside tools including UDPGangster and LampoRAT.
These operations reflect a shift toward more scalable attack methods that combine automation, AI-assisted development, and sophisticated phishing infrastructure.