The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four more security flaws to its Known Exploited Vulnerabilities (KEV) Catalog, citing clear evidence of active exploitation in the wild.
The latest additions span a range of technologies, some dating back more than a decade. The vulnerabilities are:
- CVE-2014-3931 (CVSS score: 9.8) – A buffer overflow vulnerability in Multi-Router Looking Glass (MRLG) that could allow remote attackers to cause an arbitrary memory write and memory corruption
- CVE-2016-10033 (CVSS score: 9.8) – A command injection vulnerability in PHPMailer that could allow an attacker to execute arbitrary code within the context of the application or result in a denial-of-service (DoS) condition
- CVE-2019-5418 (CVSS score: 7.5) – A path traversal vulnerability in Ruby on Rails’ Action View that could cause contents of arbitrary files on the target system’s file system to be exposed
- CVE-2019-9621 (CVSS score: 7.5) – A Server-Side Request Forgery (SSRF) vulnerability in the Zimbra Collaboration Suite that could result in unauthorized access to internal resources and remote code execution
Each presents a unique attack vector.
For the first three vulnerabilities, no public technical reports have yet surfaced describing how attackers are leveraging them in the wild. But CVE-2019-9621 tells a different story.
In September 2023, researchers at Trend Micro attributed its abuse to a China-linked threat actor known as Earth Lusca. The group reportedly used the flaw to drop web shells and deploy Cobalt Strike, a common foothold for further compromise.
With active exploitation confirmed, Federal Civilian Executive Branch (FCEB) agencies are expected to apply the necessary updates by July 28, 2025, in line with CISA’s Binding Operational Directive 22-01.
That directive, first issued to reduce the risk of known exploited vulnerabilities, requires agencies to patch listed CVEs by CISA-defined deadlines. The KEV Catalog has now established itself as a living list of threats that carry clear and present danger to federal systems.
But the warning is not limited to government networks.
“CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice,” the agency stated.
The message is simple: if it’s in the catalog, it’s being exploited.
And the presence of older CVEs on the list speaks to a deeper issue. Attackers don’t need zero-days when tried-and-tested flaws remain unpatched. Command injection via PHPMailer. File disclosure through Ruby on Rails. Remote code execution in MRLG.
These threats are accessible and effective.
CISA has confirmed that it will continue adding vulnerabilities to the catalog as new evidence of exploitation comes to light.
Defenders are advised to treat the KEV list as more than a warning. It’s a call to action. Patch early. Patch often. And don’t let age fool you: some of the most dangerous flaws are the ones we’ve known about for years.
It Ain’t Stupid If It Works
James Maude, Field CTO at BeyondTrust, says just like fashion trends, the lifecycle of a vulnerability can be cyclical. “If you get it wrong, it can really come back to bite you. With huge volumes of vulnerabilities reported every year, the challenge many organizations face is that if they don’t patch it within the first 90 days, they might never patch it. In some cases, risks of not patching will be accepted as they may be mitigated by access controls. However, once an attacker is within the network or able to access the system then those historic mitigations fail.”
As an industry, Maude continues, this should be a bit of a wake-up call that prevention isn’t dead. Software patching, implementing least privilege, and controlling execution are hugely effective defenses that shouldn’t be dismissed in favor of the latest detection trends. “One of the challenges many organizations face is holistic visibility of their attack surface, that could be through unpatched software vulnerabilities or increasingly their identity attack surface both of which have likely grown significantly over the years.”
He says while many might be surprised at the age of these vulnerabilities, when it comes to threat actors “it ain’t stupid if it works” and in many cases, compromising the right identity will provide access to a VPN and a network full of vulnerable systems. “When it comes to any exploit, be that one from a decade ago to a brand new zero day, the more you can control the privilege and access of identities the less risk you are exposed to. Now is the time to patch and proactively reduce the attack surface.”
Maximizing Access and Persistence
For Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit, the inclusion of these older, but actively exploited, vulnerabilities in the CISA KEV catalog cements the fact that bad actors are adept at finding and abusing unpatched software regardless of its age. “This shows that threat actors often select vulnerabilities based on their ability to maximize access, persistence, and impact within a target environment rather than their age.”
Dani says firms should not assume that only new vulnerabilities are being targeted. “What’s more is that all affected products are commonly accessible from the internet or serve as critical infrastructure—such as email servers, web application frameworks, and network diagnostic tools, making them prime targets for automated scanning and exploitation.”
To address these vulnerabilities, Dani advises organizations to:
- Conduct a thorough inventory to locate all systems running vulnerable software, including legacy and shadow IT assets.
- Identify dependencies as well, since PHPMailer may be embedded in web applications and Rails in other SaaS platforms.
- Limit access to diagnostic tools (like MRLG) and collaboration platforms (like Zimbra) to only trusted networks or users.
- Use network segmentation via firewalls and access control lists to minimize unnecessary exposure of services to the internet.
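As an added example for the inventory and dependency steps above (not the article's or Qualys' code), the following Python script walks a directory tree for Bundler (Gemfile.lock) and Composer (composer.lock) lock files, reports the resolved versions of the two packages named in the KEV entries, and provides a version comparison that the operator feeds with the fixed versions taken from the vendor advisories. The watched package names, the lock-file formats, and the sample lock files with their version numbers are assumptions and constructed inputs for this example.

```python
"""Inventory Ruby and PHP lock files for packages named in a KEV advisory.

Added example, not the article's or the vendors' code. Assumes Bundler
(Gemfile.lock) and Composer (composer.lock) lock files and the package names
'rails' and 'phpmailer/phpmailer'. Fixed-version thresholds are deliberately
not hard-coded: take them from the vendor advisory and pass them to below().
"""
import json
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Packages the KEV entries name (constructed watch list for this example).
WATCHED = {"phpmailer/phpmailer", "rails"}

# Gemfile.lock resolves each gem as "    name (version)" (4-space indent)
# under "specs:"; transitive dependencies sit at 6 spaces and are skipped.
GEM_LINE = re.compile(r"^ {4}(?P<name>[\w.-]+) \((?P<version>[^)]+)\)\s*$")


def parse_gemfile_lock(text: str) -> Dict[str, str]:
    """Return {gem: version} for every gem resolved in a Gemfile.lock."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        m = GEM_LINE.match(line)
        if m:
            found[m.group("name")] = m.group("version")
    return found


def parse_composer_lock(text: str) -> Dict[str, str]:
    """Return {package: version} from composer.lock ('packages' and 'packages-dev')."""
    data = json.loads(text)
    found: Dict[str, str] = {}
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            # Composer versions often carry a leading "v"; drop it for comparison.
            found[pkg["name"]] = str(pkg["version"]).lstrip("v")
    return found


def inventory(root: str) -> List[Tuple[str, str, str]]:
    """Walk `root` and return (lockfile, package, version) for watched packages."""
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname == "Gemfile.lock":
                parser = parse_gemfile_lock
            elif fname == "composer.lock":
                parser = parse_composer_lock
            else:
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8") as fh:
                found = parser(fh.read())
            for name, version in sorted(found.items()):
                if name in WATCHED:
                    hits.append((path, name, version))
    return hits


def version_tuple(version: str) -> Tuple[int, ...]:
    """Numeric components of a version, so '5.2.2.1' sorts above '5.2.2'.
    Pre-release tags (beta, rc) are reduced to their digits, which is enough
    for a triage list but is not a full semver comparison."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def below(version: str, minimum: str) -> bool:
    """True when `version` is older than the `minimum` fixed version from the advisory."""
    return version_tuple(version) < version_tuple(minimum)


# Constructed sample lock files standing in for two application checkouts;
# the version numbers are arbitrary sample data.
SAMPLE_GEMFILE_LOCK = """GEM
  remote: https://rubygems.org/
  specs:
    actionview (5.2.0)
    rails (5.2.0)
      actionview (= 5.2.0)

DEPENDENCIES
  rails (~> 5.2.0)
"""
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [{"name": "phpmailer/phpmailer", "version": "v5.2.10"}],
    "packages-dev": [],
})


def demo_inventory() -> List[Tuple[str, str]]:
    """Write the samples into a temp tree, scan it, return sorted (package, version)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "rails-app"))
        os.makedirs(os.path.join(root, "php-app"))
        with open(os.path.join(root, "rails-app", "Gemfile.lock"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GEMFILE_LOCK)
        with open(os.path.join(root, "php-app", "composer.lock"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_COMPOSER_LOCK)
        return sorted((name, version) for _path, name, version in inventory(root))


if __name__ == "__main__":
    for name, version in demo_inventory():
        print(f"{name} {version}")
```

Point `inventory()` at a directory of application checkouts or a mounted backup to get the list; the `below()` comparison is kept separate so the fixed version used as the threshold is always the one stated in the vendor advisory rather than a number baked into the script.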
Age Can Amplify the Threat
Frankie Sclafani, Director of Cybersecurity Enablement at Deepwatch, says these additions highlight a critical, often underestimated aspect of modern cybersecurity: the persistent danger of long-standing, unpatched flaws. “Organizations cannot afford to dismiss a vulnerability listed on the KEV solely based on its discovery date. The KEV catalog provides a crucial indication that even deeply embedded, older flaws are being actively weaponized. Despite being between five and ten years old, these four vulnerabilities represent opportunities for a variety of threat actors, ranging from financially motivated cybercriminals to sophisticated state-sponsored groups.”
Sclafani argues that the age of a vulnerability can actually amplify the threat, due to the increased likelihood of unpatched instances across various systems. “Older vulnerabilities, even those dating back years, can still pose a significant threat to organizations for several reasons. Most notably, once a vulnerability is disclosed and a CVE ID is assigned, detailed information, particularly exploitation proof-of-concept (PoC) code, often becomes readily available shortly thereafter.”
The Importance of Government Advisories
He says this means that even less-skilled attackers can easily find vulnerable systems and use these exploits. “Cybercriminals also often create and share toolkits, automated scanning tools that specifically look for these well-known, unpatched vulnerabilities, making it easy to identify vulnerable organizations. There have been many examples over the years including the Equifax data breach in 2017, which was attributed to a failure to patch a known vulnerability (CVE-2017-5638) in the Apache Struts framework, which had a fix available months prior.”
The exploitation of the last vulnerability, CVE-2019-9621, by a sophisticated APT like Earth Lusca shows that these older flaws are actively researched and targeted by threat actors in complex, multi-stage cyber espionage campaigns, Sclafani explains. “The lack of public details for the exploitation of the other three CVEs, despite their KEV listing, also highlights the importance of government advisories from organizations like CISA as a vital source of actionable threat intelligence due to their unique relationships with the intelligence communities and other partners.”
Forgotten, But Not Gone
Jason Soroko, Senior Fellow at Sectigo, says these flaws illustrate how forgotten code can outlive its news cycle. Security teams should not let the publication date lull them into complacency.
- CVE-2014-3931 still lurks in aging Multi Router Looking Glass instances where the fastping buffer overflow lets a remote user corrupt memory.
- CVE-2016-10033 haunts legacy web apps that never replaced or updated PHPMailer, allowing hostile input to hijack the mail routine and run arbitrary commands.
- CVE-2019-5418 keeps exposing Ruby on Rails servers when crafted Accept headers trick render calls into disclosing local files, with proof-of-concept chains that reach code execution in some setups.
- Only CVE-2019-9621 has a known campaign: Trend Micro tied the Earth Lusca group to widespread Zimbra breaches in 2023 that planted web shells and Cobalt Strike beacons via the SSRF bug.
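As an added detection example for the Rails issue described above (not code from the article or from the Rails project), the following Python check runs over constructed JSON-lines access-log entries and flags Accept headers that contain traversal sequences, including percent-encoded ones, or that are not a well-formed list of media ranges. The log format, the field names and the sample entries are assumptions constructed for this example; adapt the field names to whatever your proxy or application server actually records.

```python
"""Flag access-log entries whose Accept header carries traversal sequences.

Added detection example, not code from the article or from Rails. Assumes a
JSON-lines access log in which the proxy records the request's Accept header
under the key "accept" (a constructed format).
"""
import json
import re
from typing import Dict, List
from urllib.parse import unquote

# "../" or "..\" anywhere in the decoded header value.
TRAVERSAL = re.compile(r"\.\.[/\\]")

# A legitimate Accept header is a comma-separated list of media ranges such as
# "text/html", "*/*;q=0.8" or "application/xhtml+xml;q=0.9".
MEDIA_RANGE = re.compile(r"^\s*[\w*!#$&^+.-]+/[\w*!#$&^+.-]+(?:\s*;[^,]*)?\s*$")


def decode(value: str) -> str:
    """Percent-decode twice so a double-encoded "..%252F" is still caught."""
    return unquote(unquote(value))


def accept_header_findings(value: str) -> List[str]:
    """Return the reasons an Accept header value looks hostile (empty if clean)."""
    decoded = decode(value)
    reasons: List[str] = []
    if TRAVERSAL.search(decoded):
        reasons.append("traversal sequence in Accept header")
    parts = [p for p in decoded.split(",") if p.strip()]
    # An absent or empty Accept header is normal for many clients; only a
    # non-empty value that fails to parse as media ranges is suspicious.
    if parts and not all(MEDIA_RANGE.match(p) for p in parts):
        reasons.append("Accept header is not a list of media ranges")
    return reasons


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Run the header check over JSON-lines log entries and collect alerts."""
    alerts: List[Dict[str, str]] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        entry = json.loads(raw)
        reasons = accept_header_findings(entry.get("accept", ""))
        if reasons:
            alerts.append({
                "ts": entry.get("ts", ""),
                "client": entry.get("client", ""),
                "path": entry.get("path", ""),
                "reasons": "; ".join(reasons),
            })
    return alerts


# Constructed sample log: two ordinary browser/API requests from one client,
# then two requests from another client with traversal strings in Accept
# (the second one percent-encoded). Addresses are documentation ranges.
SAMPLE_LOG = """
{"ts": "2025-07-08T10:00:00Z", "client": "198.51.100.7", "path": "/posts/1", "accept": "text/html,application/xhtml+xml;q=0.9,*/*;q=0.8"}
{"ts": "2025-07-08T10:00:01Z", "client": "198.51.100.7", "path": "/api/posts", "accept": "application/json"}
{"ts": "2025-07-08T10:00:02Z", "client": "203.0.113.9", "path": "/posts/1", "accept": "../../../../etc/hostname"}
{"ts": "2025-07-08T10:00:03Z", "client": "203.0.113.9", "path": "/posts/1", "accept": "..%2F..%2F..%2Fetc%2Fhostname"}
""".strip().splitlines()


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['client']} {alert['path']}: {alert['reasons']}")
```

The media-range check is what keeps the rule useful beyond this one CVE: any header value that is not shaped like an Accept list is worth a look, whether or not it contains an obvious traversal string. Patching remains the fix; a detection like this only tells you who is probing servers that are still exposed.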
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.