U.S. CISA adds Google Chromium, DrayTek routers, and SAP NetWeaver flaws to its Known Exploited Vulnerabilities catalog
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Google Chromium, DrayTek routers, and SAP NetWeaver flaws to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Google Chromium, DrayTek routers, and SAP NetWeaver flaws to its Known Exploited Vulnerabilities (KEV) catalog.
Below are the descriptions for these flaws:
- CVE-2024-12987 (CVSS score of 7.3) DrayTek Vigor Routers OS Command Injection Vulnerability – A critical OS command injection flaw in DrayTek Vigor2960 and Vigor300B (v1.5.1.4) via the Web UI allows remote attacks through the
session parameter.
- CVE-2025-4664 (CVSS score of 4.3) Google Chromium Loader Insufficient Policy Enforcement Vulnerability – This week Google released emergency security updates to address a Chrome browser vulnerability, tracked as CVE-2025-4664, that could lead to full account takeover. The security researcher Vsevolod Kokorin (@slonser_) discovered the vulnerability, which stems from an insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113. A remote attacker could trigger the flaw to leak cross-origin data via a crafted HTML page. Google warned of the availability of a public exploit for this high-severity flaw.
- CVE-2025-42999 (CVSS score of 9.1) SAP NetWeaver Deserialization Vulnerability – SAP NetWeaver Visual Composer has a flaw allowing privileged users to upload malicious content, risking system confidentiality, integrity, and availability.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerabilities by June 5, 2025.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, CISA)
Pierluigi Paganini
May 17, 2025
