As cybersecurity threats evolve, the recent addition of two significant vulnerabilities to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog highlights urgent concerns for organizations reliant on certain technologies.
The vulnerabilities identified as CVE-2025-32433 and CVE-2024-42009 present different degrees of risk, but both are actively exploited in the wild. CVE-2025-32433 is the Erlang SSH vulnerability, a critical remote code execution (RCE) issue with a maximum CVSS score of 10. This flaw allows unauthenticated attackers to gain remote system access, potentially leading to complete system compromise. Evidence of active exploitation increases the urgency for organizations to act, and CISA's recent addition of CVE-2025-32433 to the catalog is an explicit call for organizations to secure their systems.
Affected systems mainly comprise Erlang/OTP SSH servers, which are increasingly utilized in telecommunications and Internet of Things (IoT) applications. The risks were recently amplified following the public release of a proof-of-concept exploit. As a result, organizations are urged to apply the necessary patches, which became available on April 16, 2025, to mitigate this critical threat.
On the other hand, CVE-2024-42009 addresses a cross-site scripting (XSS) vulnerability in Roundcube Webmail. Even though it is not as severe as its Erlang counterpart, this vulnerability allows attackers to inject malicious scripts into user sessions, which can result in unauthorized access and session hijacking.
Roundcube has issued security updates to rectify this vulnerability; therefore, applying the latest updates remains vital for safeguarding against exploitation.
The KEV Catalog serves as a crucial tool for both federal and non-federal organizations, guiding vulnerability prioritization and remediation efforts.
Importantly, Binding Operational Directive 22-01 mandates that federal agencies remediate these issues swiftly. Subscribers have the option to receive timely updates, reflecting CISA’s commitment to bolstering organizational security across diverse sectors.
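The KEV catalog is published as a machine-readable JSON feed, which makes it straightforward to drive prioritization from it rather than from headlines. The script below is an added example written for this article, not code from CISA or the article's author: it parses a feed in the KEV JSON schema (the field names such as `cveID`, `dateAdded`, `dueDate` and `knownRansomwareCampaignUse` are those of the real feed), cross-references it against a local asset inventory, and sorts the resulting findings so that items past their BOD 22-01 due date come first. The embedded sample feed and inventory are constructed for the example; the dates, due dates, descriptions and the hostnames are placeholders, not CISA's actual values for these CVEs. The `fetch_kev` helper pulls the live feed from CISA's published URL when you want real data instead of the sample.

```python
"""Cross-reference a CISA KEV feed against an asset inventory (added example).

The sample feed and inventory below are constructed for illustration.
Field names follow the real KEV JSON schema; all values are placeholders.
"""
import json
from datetime import date
from typing import Dict, List

# Real location of the KEV JSON feed (assumption: unchanged at time of reading).
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample feed. Dates and descriptions are placeholders, not CISA's values.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "0000.00.00",
    "dateReleased": "2025-04-30T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2025-32433", "vendorProject": "Erlang", "product": "Erlang/OTP",
         "vulnerabilityName": "Erlang/OTP SSH remote code execution (placeholder wording)",
         "dateAdded": "2025-04-28", "shortDescription": "Placeholder description.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2025-05-19", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-2024-42009", "vendorProject": "Roundcube", "product": "Webmail",
         "vulnerabilityName": "Roundcube Webmail cross-site scripting (placeholder wording)",
         "dateAdded": "2025-05-05", "shortDescription": "Placeholder description.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2025-05-26", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-2000-0001", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
         "vulnerabilityName": "Unrelated placeholder entry", "dateAdded": "2025-01-01",
         "shortDescription": "Placeholder description.", "requiredAction": "Apply updates.",
         "dueDate": "2025-03-01", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

# Constructed inventory: hostnames and the CVEs a scanner reported for each host.
SAMPLE_INVENTORY: List[dict] = [
    {"host": "mail-01", "cves": ["CVE-2024-42009"]},
    {"host": "iot-gw-07", "cves": ["CVE-2025-32433", "CVE-2023-99999"]},  # second CVE not in KEV
    {"host": "build-03", "cves": []},
]


def load_kev(feed_text: str) -> Dict[str, dict]:
    """Parse a KEV feed and index its entries by CVE ID, sanity-checking the count field."""
    data = json.loads(feed_text)
    entries = {v["cveID"]: v for v in data["vulnerabilities"]}
    if "count" in data and data["count"] != len(entries):
        raise ValueError("KEV count field does not match the number of entries")
    return entries


def prioritize(kev: Dict[str, dict], inventory: List[dict], today_iso: str) -> List[dict]:
    """Return one finding per (host, CVE) pair that is in KEV, most overdue first."""
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:  # not in KEV: still a vulnerability, just not KEV-prioritized
                continue
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            findings.append({
                "host": asset["host"], "cve": cve,
                "product": f"{entry['vendorProject']} {entry['product']}",
                "due": entry["dueDate"], "days_left": days_left,
                "status": "OVERDUE" if days_left < 0 else "DUE",
                "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
            })
    findings.sort(key=lambda f: (f["days_left"], f["host"]))
    return findings


def fetch_kev(url: str = KEV_URL, timeout: int = 30) -> str:
    """Download the live KEV feed; use instead of SAMPLE_KEV_JSON for real data."""
    import urllib.request
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)  # swap in fetch_kev() for the real catalog
    for f in prioritize(kev, SAMPLE_INVENTORY, "2025-05-20"):
        print(f"{f['status']:7} {f['host']:10} {f['cve']:16} {f['product']:20} "
              f"due {f['due']} ({f['days_left']:+d} d) ransomware={f['ransomware']}")
```

Running it against the sample data lists the Erlang/OTP host as overdue and the Roundcube host as due in six days; the CVE that is not in KEV is skipped, which is the whole point of the catalog as a prioritization filter rather than a complete vulnerability list.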
To summarize, the presence of the Erlang SSH and Roundcube vulnerabilities on the KEV list highlights the critical need for immediate action to safeguard systems against potential threats.