On September 29, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming their active exploitation.
Field Effect previously reported on two of these:
The remaining three vulnerabilities included in KEV are as follows.
CVE-2025-59689 affects Libraesva’s Email Security Gateway (ESG), technology used by organizations to filter and secure inbound and outbound email traffic. The flaw is due to improper sanitization and could be triggered by an e-mail containing a malicious compressed attachment, allowing execution of commands as a non-privileged user.
The vulnerability, which received a Common Vulnerability Scoring System (CVSS) rating of 6.1, was patched on September 19, 2025.
Libraesva reported an incident of abuse, noting that the threat actor is "believed to be a foreign hostile state entity." It did not share any further details on the nature of the activity, or who may be behind it.
CVE-2025-32463 affects the Sudo utility, which is widely deployed in Unix and Linux systems and allows users to execute commands with elevated privileges. The vulnerability could allow a low-privilege local user to escalate their privileges to root.
It was patched on June 30, 2025. Exploitation was noted on:
- Ubuntu 24.04.1;
- Sudo 1.9.15p5, Sudo 1.9.16p2 and Fedora 41 Server;
- Sudo 1.9.15p5.
The CVSS rating is 7.8.
CVE-2021-21311 affects Adminer, an open-source, PHP-based database management tool that is distributed as a single file. This vulnerability is due to improper handling of external URLs during database connection setup; it could allow unauthorized access to metadata services in cloud environments.
Threat actors could also exploit it to get access to databases, perform SQL injections, or install backdoors on the server, as demonstrated by researchers.
The CVSS rating is 7.2.
Analyst insight
CVE-2025-59689 can be mitigated by applying the patch provided by Libraesva that addresses the flaw. If upgrading is not immediately feasible, consider temporarily disabling the scanning of compressed attachments as a potential workaround. Keep in mind that this is a partial measure and may negatively affect other security functions.
Mitigation for CVE-2025-32463 requires an immediate upgrade to Sudo version 1.9.16 or later. Organizations should also audit sudoers configurations to ensure least privilege principles are enforced and environment variables are properly sanitized. The vulnerability affects versions of Sudo prior to 1.9.16, and systems relying on default or misconfigured sudoers files are particularly at risk.
Sudo is foundational to access control in Linux-based infrastructure, and exploitation could enable lateral movement across systems, installation of persistent backdoors, or disruption of critical services. In multi-tenant environments such as cloud-hosted platforms, the impact could extend to multiple clients or workloads. Exploitation of this flaw could lead to full administrative compromise of production systems, especially where Sudo is used in automation scripts or container orchestration.
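As an added example (not Field Effect's or the Sudo project's code), the following POSIX sh audit implements the sudoers review recommended above: it flags passwordless or blanket root grants for non-root principals and Defaults that weaken environment sanitization, reading sudoers text from stdin and illustrated with a constructed sample. It does not detect CVE-2025-32463 itself; only upgrading Sudo removes the flaw.

```shell
#!/bin/sh
# Added example (not Field Effect's or the Sudo project's code): a sudoers
# hygiene audit for least-privilege and environment-sanitization issues.
# Assumes POSIX sh; reads sudoers text from stdin, so it can be run over a
# copy of /etc/sudoers or sudoers.d fragments without root.

# Print one finding per risky directive. Backslash-continued lines are
# joined first so a grant split across lines is not missed.
audit_sudoers() {
    acc=''
    while IFS= read -r line; do
        case "$line" in *\\) acc="$acc${line%\\}"; continue ;; esac
        line="$acc$line"; acc=''
        case "$line" in ''|\#*) continue ;; esac     # blank or comment
        # Least privilege: passwordless or blanket root for non-root principals
        case "$line" in
            *NOPASSWD:*ALL*) echo "passwordless unrestricted command: $line" ;;
        esac
        case "$line" in
            root*) ;;                                  # root holding ALL is expected
            *ALL=\(ALL*\)*ALL) echo "blanket root grant to non-root principal: $line" ;;
        esac
        # Environment sanitization: env_reset disabled, env_keep widened, SETENV tag
        case "$line" in
            Defaults*env_keep*-=*) ;;                  # removing variables is fine
            Defaults*env_keep*|Defaults*\!env_reset*)
                echo "environment sanitization weakened: $line" ;;
            *SETENV:*) echo "user may override environment for: $line" ;;
        esac
    done
}

# Number of findings as a single integer (0 means nothing was flagged).
audit_count() { audit_sudoers | wc -l | tr -d ' '; }

# Constructed sample sudoers text; not taken from any real host.
SAMPLE_SUDOERS='# sample file
Defaults env_reset
Defaults env_keep += "LD_LIBRARY_PATH"
root ALL=(ALL:ALL) ALL
%wheel ALL=(ALL) ALL
deploy ALL=(ALL) NOPASSWD: ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync
ci ALL=(ALL) SETENV: /usr/bin/make
webops ALL=(root) \
    /usr/bin/systemctl restart nginx'

printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers   # prints 5 findings
```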
When it comes to CVE-2021-21311, updating Adminer to version 4.7.9 or later eliminates the vulnerable code path that enables server-side request forgery (SSRF) attacks. However, the overall risk reduction depends on deployment context. Adminer is frequently used in development environments, but when present in production systems without proper isolation, it can introduce significant exposure.
If Adminer is exposed to the internet or lacks access controls, patching alone may not be sufficient. Organizations should ensure Adminer is isolated, access is tightly restricted, and unused instances are removed. Additional safeguards such as network segmentation and outbound request filtering can further mitigate SSRF risks.