
July 8, 2025

CISA adds four actively exploited vulnerabilities to KEV catalog


On July 7, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added four critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.

These flaws, some dating back nearly a decade, are being actively exploited in the wild and affect widely used platforms including PHPMailer, Ruby on Rails, Zimbra, and Multi-Router Looking Glass (MRLG). CISA has set a remediation deadline of July 28, 2025 for federal agencies, urging all organizations to patch immediately. 

The following vulnerabilities were added to the KEV catalog.

CVE-2014-3931

CVSS score: 9.8

CVE-2014-3931 is a buffer overflow in Multi-Router Looking Glass (MRLG) that could allow remote threat actors to write arbitrary memory and potentially execute code.

While MRLG isn't widely deployed, it's often used in telecom or academic environments for network diagnostics. Any exposure on internet-facing systems can serve as a foothold into network infrastructure. Consider segmentation and access restrictions for tools like MRLG even after patching.

CVE-2016-10033

CVSS score: 9.8

CVE-2016-10033 is a command injection flaw in PHPMailer that could enable injection of system-level commands via malicious email headers.

PHPMailer is widely embedded in web applications for sending email. Legacy and third-party web apps may unknowingly bundle vulnerable PHPMailer versions. This is a prime candidate for a software bill of materials (SBOM) audit and a broader application security review.

CVE-2019-5418

CVSS score: 7.5

CVE-2019-5418 is a path traversal vulnerability in Ruby on Rails (Action View) that could expose sensitive files on the server.

Even though the CVE is six years old, it persists in legacy systems that haven't been upgraded to current Rails releases. This flaw is a good candidate to add to tech debt remediation roadmaps and secure development lifecycle (SDLC) reviews.

CVE-2019-9621

CVSS score: 7.5

CVE-2019-9621 is a server-side request forgery (SSRF) in Zimbra Collaboration Suite (ZCS) that could be used to extract confidential information such as authentication tokens, configuration files, or internal service responses.

This flaw has been exploited by nation-state actors, such as China-linked Earth Lusca, for reconnaissance and payload delivery. Threat actors were able to trick the Zimbra server into making requests to internal systems that are normally inaccessible from the outside.

Zimbra, often favored by mid-sized organizations, becomes a high-value target when used to support email or collaboration systems.


Analyst notes:

Even though these vulnerabilities were disclosed years ago, their continued exploitation and inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog in 2025 signals that systems left unpatched or misconfigured remain viable attack vectors today.

The active exploitation of years-old flaws underscores the importance of continuous vulnerability management and proactive patching.

To mitigate the newly added KEV vulnerabilities, organizations should perform an immediate inventory and assessment of systems using MRLG, PHPMailer, Ruby on Rails, and Zimbra. Apply the latest vendor patches without delay and implement strict access controls and monitoring, especially around web and email services. Prioritize detection of suspicious activity tied to older software components, and reinforce segmentation where legacy systems remain operational.
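The inventory step above and the SBOM audit suggested for PHPMailer can be automated against a CycloneDX SBOM. The script below is an added example, not part of the advisory: it maps the affected components to the four KEV CVEs and flags each match as vulnerable, patched, or needing manual verification. The generic purl names for MRLG and Zimbra and the version thresholds are constructed assumptions; take the real fixed versions from the vendor advisories.

```python
import re

# Affected component -> CVE from the KEV additions above. Composer and gem purls are real
# ecosystem coordinates; the generic purls for MRLG and Zimbra are assumed names.
KEV_COMPONENTS = {
    "pkg:composer/phpmailer/phpmailer": "CVE-2016-10033",  # command injection
    "pkg:gem/actionview": "CVE-2019-5418",                 # path traversal
    "pkg:generic/mrlg": "CVE-2014-3931",                   # buffer overflow
    "pkg:generic/zimbra": "CVE-2019-9621",                 # SSRF
}
# Constructed demo thresholds, NOT the real fixed versions: take those from the vendor advisories.
DEMO_FIXED_VERSIONS = {"pkg:composer/phpmailer/phpmailer": "5.9.0", "pkg:gem/actionview": "5.9.0"}

def purl_base(purl):
    """Strip version, qualifiers, subpath: 'pkg:gem/actionview@6.1.0?a=b#c' -> 'pkg:gem/actionview'."""
    return re.split(r"[@?#]", purl, maxsplit=1)[0]

def version_key(version):
    """Numeric ordering key: '5.2.16' -> (5, 2, 16); sufficient for these projects' release numbers."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def audit_sbom(sbom, fixed_versions):
    """One finding per SBOM component matching a KEV entry: vulnerable, patched, or verify."""
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        base = purl_base(purl)
        cve = KEV_COMPONENTS.get(base)
        if cve is None:
            continue
        # Prefer the explicit version field; otherwise fall back to the '@version' part of the purl.
        version = comp.get("version") or "".join(re.findall(r"@([^?#]+)", purl)[:1])
        fixed = fixed_versions.get(base)
        if not version or fixed is None:
            status = "verify"  # no version or no threshold recorded: inspect the host directly
        elif version_key(version) < version_key(fixed):
            status = "vulnerable"
        else:
            status = "patched"
        findings.append({"component": base, "version": version, "cve": cve, "status": status})
    return findings

# Constructed CycloneDX-style fragment for the demo, not taken from a real system.
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "phpmailer", "version": "5.2.16", "purl": "pkg:composer/phpmailer/phpmailer@5.2.16"},
    {"type": "library", "name": "actionview", "purl": "pkg:gem/actionview@6.1.0"},  # version only in the purl
    {"type": "library", "name": "monolog", "version": "2.0.0", "purl": "pkg:composer/monolog/monolog@2.0.0"},
    {"type": "application", "name": "mrlg", "purl": "pkg:generic/mrlg"},  # no version recorded at all
]}
```

Run the output through your ticketing workflow; every "verify" finding is a host that needs a hands-on check before the July 28 deadline.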