On October 6, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added seven vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. This comes on the heels of five additions a few days earlier, on October 2.
The vulnerabilities included CVE-2014-6278 and CVE-2013-3918, both of which were disclosed more than a decade ago. Both flaws have a well-documented history of active exploitation, which has driven widespread awareness of patch availability. However, some systems remain exposed, likely due to incomplete patches, complex legacy dependencies, or gaps in remediation workflows.
CVE-2014-6278
CVE-2014-6278 is one of several vulnerabilities collectively known as "Shellshock", a group of security flaws in the GNU Bash shell, a widely used command-line shell and scripting language for Unix-based operating systems.
Shellshock originated with CVE-2014-6271, which revealed that Bash improperly handled function definitions in environment variables, allowing remote execution of malicious commands.
CVE-2014-6278 was identified shortly after as a residual issue stemming from incomplete fixes for:
The Shellshock vulnerabilities were exploited in the wild shortly after their disclosure, with threat actors using them to build botnets and conduct denial-of-service attacks. CVE-2014-6278 carries a maximum CVSS v2 score of 10.0, indicating critical severity.
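A local patch-status check for the two Shellshock bugs described above, written as an added example (it is not code from the advisory or from the Bash project). It assumes a Bash binary is on PATH or named via BASH_BIN, and uses the widely published probe strings: a patched Bash ignores the trailing command in the first probe and no longer imports a plain environment variable as a function in the second.

```shell
#!/bin/sh
# Local patch-status check for CVE-2014-6271 and CVE-2014-6278.
# Assumption: a Bash binary is on PATH (override with BASH_BIN=/path/to/bash).
# Each probe hands a child bash an environment variable shaped like an
# exported function definition and inspects what the child actually ran.

BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271: commands appended after the function body must be ignored.
# Prints "patched" (status 0) or "vulnerable" (status 1).
check_cve_2014_6271() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo "bash-not-found"; return 2; }
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable; return 1 ;;
        *)            echo patched;    return 0 ;;
    esac
}

# CVE-2014-6278: the fix changed the function-export format, so a plain
# variable whose value starts with "() {" must no longer become a function.
# Prints "patched" (status 0) or "vulnerable" (status 1).
check_cve_2014_6278() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo "bash-not-found"; return 2; }
    out=$(env foo='() { echo vulnerable; }' "$BASH_BIN" -c 'foo' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable; return 1 ;;
        *)            echo patched;    return 0 ;;
    esac
}

# Summarise both probes; non-zero status if any probe did not report "patched".
shellshock_report() {
    rc=0
    r1=$(check_cve_2014_6271) || rc=1
    r2=$(check_cve_2014_6278) || rc=1
    printf 'CVE-2014-6271: %s\nCVE-2014-6278: %s\n' "$r1" "$r2"
    return $rc
}

shellshock_report || echo "one or more probes did not report patched" >&2
```

Run it on each host that still has Bash-backed CGI or other network-reachable Bash entry points; a "vulnerable" or "bash-not-found" line is the cue to look at that system's package state rather than trust the inventory.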
CVE-2013-3918
The other well-documented vulnerability, tracked as CVE-2013-3918, is a remote code execution issue in the legacy ActiveX component used by Internet Explorer. It holds a CVSS v2 score of 9.3 (Critical).
CVE-2013-3918 was observed in a campaign conducted by a China-based advanced persistent threat actor (APT) and later repurposed by other APTs.
CVE-2021-43798
Separately, on September 28, researchers at GreyNoise observed a surge in exploitation attempts targeting Grafana deployments affected by CVE-2021-43798.
This four-year-old Grafana vulnerability allows authentication bypass and account takeover due to improper validation of email claims in Azure Active Directory (AD). The flaw is rated with a CVSS v3.1 base score of 7.5 (High).
Proof of concept (PoC) code was made publicly available shortly after disclosure, and exploitation was first observed in late 2021.
Analyst insight
Threat actors continue to target legacy vulnerabilities that were disclosed and patched years ago but remain unremediated in many environments.
Mitigation efforts for legacy vulnerabilities begin with verifying patch status across all systems, including those that may have been excluded from prior remediation cycles due to complex dependencies or incomplete coverage. Organizations are encouraged to disable legacy components such as Bash-based CGI scripts and Internet Explorer ActiveX controls where feasible.
For environments where legacy systems remain operational, compensating controls such as network segmentation, browser isolation, and application whitelisting can reduce exposure.
Integrating KEV entries into vulnerability management workflows and prioritizing remediation based on active exploitation status supports risk reduction. Continuous monitoring for indicators of compromise and validation of patch effectiveness is recommended to ensure long-term resilience.