CISA warns against active exploitation of four critical vulnerabilities

08.07.2025 2 minutes Author: Newsman

The US cybersecurity agency CISA has added four critical vulnerabilities to its KEV catalog, warning of their active use by hackers. One of them is linked to the cyberespionage group Earth Lusca.

The list includes:

  • CVE-2014-3931 – Buffer overflow in Multi-Router Looking Glass (score 9.8)

  • CVE-2016-10033 – Command injection in PHPMailer (score 9.8)

  • CVE-2019-5418 – Path traversal in Ruby on Rails (score 7.5)

  • CVE-2019-9621 – SSRF in Zimbra Collaboration Suite (score 7.5), which was already used by Chinese hackers Earth Lusca to install Cobalt Strike and a web shell.

Researchers from Horizon3.ai and watchTowr Labs have also documented active attacks on Citrix NetScaler ADC (CVE-2025-5777, “Citrix Bleed 2”). The vulnerability allows sensitive data, including HTTP requests, session tokens, and passwords, to be read by leaking portions of memory during a series of specially crafted HTTP requests without the “=” sign.

CISA urges federal agencies to fix the vulnerabilities by July 28, 2025. Meanwhile, watchTowr and Horizon3 have shown how attackers can dump memory contents in chunks by abusing the %.*s format specifier in snprintf. Such leaks have already helped steal active tokens and passwords. These events once again demonstrate how old vulnerabilities remain dangerous if systems are not updated. Especially critical are cases where the weakness allows session theft or arbitrary code execution, even without authentication. Companies need to act immediately to avoid a real breach.
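As an added defensive example (not from the article or from the researchers it cites), the following detector flags a client that sends a burst of POST requests whose body contains no "=" sign, the traffic pattern described above. The JSON-lines log format, its field names, the sample records and the thresholds are assumptions, constructed for this example.

```python
"""Flag clients sending a burst of POSTs whose form body has no '=' sign."""
import json
from collections import defaultdict

# Constructed sample records (JSON lines). The format is an assumption: a WAF
# or reverse proxy in front of the appliance that logs request bodies.
SAMPLE_LOG = """\
{"ts": 100, "src": "203.0.113.7", "method": "POST", "path": "/login", "body": "login=alice&passwd=hunter2"}
{"ts": 101, "src": "198.51.100.9", "method": "POST", "path": "/login", "body": "login"}
{"ts": 102, "src": "198.51.100.9", "method": "POST", "path": "/login", "body": "login"}
{"ts": 103, "src": "198.51.100.9", "method": "POST", "path": "/login", "body": "login"}
{"ts": 104, "src": "203.0.113.7", "method": "GET", "path": "/", "body": ""}
{"ts": 900, "src": "192.0.2.44", "method": "POST", "path": "/login", "body": "login"}
{"ts": 901, "src": "192.0.2.44", "method": "POST", "path": "/login", "body": "login=bob&passwd=x"}
"""


def is_suspicious(rec):
    """A POST with a non-empty body that contains no '=' is not a well-formed
    form submission; a series of these from one client is the signal."""
    body = rec.get("body", "")
    return rec.get("method") == "POST" and body != "" and "=" not in body


def flag_sources(log_text, threshold=3, window=60):
    """Return {src: total suspicious POSTs} for every client that sent at
    least `threshold` suspicious POSTs within any `window`-second span
    (timestamps are epoch seconds). A single malformed request is noise;
    the burst is what matters."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if is_suspicious(rec):
            by_src[rec["src"]].append(rec["ts"])

    flagged = {}
    for src, stamps in by_src.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(stamps)
                break
    return flagged
```

Running `flag_sources(SAMPLE_LOG)` on the constructed records reports only 198.51.100.9, which sent three malformed POSTs within a few seconds; the single malformed request from 192.0.2.44 stays below the threshold.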
