Pierluigi Paganini June 17, 2025

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apple products, and TP-Link routers flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Apple products, and TP-Link routers flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the descriptions for these flaws:

• CVE-2025-43200 Apple Multiple Products Unspecified Vulnerability
• CVE-2023-33538 (CVSS score 8.8) TP-Link Multiple Routers Command Injection Vulnerability

Last week, Apple confirmed that the now-patched vulnerability CVE-2025-43200 in its Messages app was actively exploited in the wild to target journalists with Paragon’s Graphite spyware.

The IT giant addressed the flaw CVE-2025-43200 on February 10, 2025, with the release of iOS 18.3.1, iPadOS 18.3.1, iPadOS 17.7.5, macOS Sequoia 15.3.1, macOS Sonoma 14.7.4, macOS Ventura 13.7.4, watchOS 11.3.1, and visionOS 2.3.1. The same versions also addressed the WhatsApp vulnerability CVE-2025-24200 that was exploited in “extremely sophisticated” targeted attacks.

“A logic issue existed when processing a maliciously crafted photo or video shared via an iCloud Link.” reads the advisory published by the company. “Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.”

The company addressed this vulnerability by implementing improved checks.

This week, Citizen Lab confirmed that Paragon’s Graphite spyware was used to hack fully updated iPhones, targeting at least two journalists in Europe. The group found forensic evidence showing the phones had communicated with the same spyware server. Apple quietly alerted the victims earlier this year, marking the first confirmed case of Paragon’s tools being used in real-world attacks.

On April 29, 2025, Apple alerted select iOS users of spyware targeting. Forensic analysis confirmed that two journalists, including Ciro Pellegrino, were infected with Paragon’s Graphite spyware. Both cases were linked to the same attacker. Apple has since patched the zero-click exploit used in the attack, now tracked the flaw as CVE-2025-43200, in iOS version 18.3.1.

Early this week, Paragon accused the Italian government of refusing its offer to help investigate spyware use against a journalist. The company said this led to its decision to end contracts in Italy. Paragon claimed it proposed a way to verify if its tools were misused, but authorities declined. This marks the first time a spyware firm publicly cut ties with a client over alleged abuse. Paragon confirmed the statement’s accuracy but declined further comment.

The second vulnerability added by CISA to its KeV catalof is a command injection vulnerability in the /userRpm/WlanNetworkRpm component that impacts several TP-Link router models (TL-WR940N, TL-WR841N, TL-WR740N).

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by July 7, 2025.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)