Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added five security flaws impacting Apple, Craft CMS, and Laravel Livewire to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch them by April 3, 2026. The vulnerabilities that have come under exploitation are listed below - CVE-2025-31277 (CVSS score: 8.8) - A vulnerability in Apple
Analysis Summary
Below is the summary of the high-risk vulnerabilities recently added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
# Vulnerability: Multiple Flaws in Apple, Craft CMS, and Laravel Livewire
## CVE Details
* **CVE-2025-32432**: CVSS 10.0 (Critical) | CWE: Code Injection
* **CVE-2025-54068**: CVSS 9.8 (Critical) | CWE: Code Injection
* **CVE-2025-31277**: CVSS 8.8 (High) | CWE: Memory Corruption
* **CVE-2025-43520**: CVSS 8.8 (High) | CWE: Memory Corruption
* **CVE-2025-43510**: CVSS 7.8 (High) | CWE: Memory Corruption
## Affected Systems
* **Products**:
    * **Apple**: WebKit, iOS Kernel.
    * **Craft CMS**: Content Management System core.
    * **Laravel Livewire**: Full-stack framework for Laravel.
* **Versions**: Specific versions prior to patches released in 2025.
* **Configurations**:
    * **Apple**: Processing malicious web content or running malicious local applications.
    * **Laravel Livewire**: Specific unauthenticated scenarios leading to RCE.
## Vulnerability Description
This group of vulnerabilities includes critical flaws across three distinct ecosystems:
1. **Apple (WebKit/Kernel):** Memory corruption bugs in WebKit allow for RCE via web content, while kernel-level flaws allow malicious apps to write to kernel memory or cause system termination.
2. **Craft CMS:** A code injection flaw that permits remote attackers to execute arbitrary code on the hosting server.
3. **Laravel Livewire:** A code injection vulnerability that allows unauthenticated remote command execution (RCE) in specific configurations.
## Exploitation
* **Status**: **Exploited in the wild.**
    * **Apple:** Exploited by the "DarkSword" iOS exploit kit (linked to GHOSTBLADE/GHOSTKNIFE malware).
    * **Craft CMS:** Exploited as a zero-day since Feb 2025 by the "Mimo" (Hezb) group for crypto-mining.
    * **Laravel Livewire:** Exploited by "MuddyWater" (Iranian state-sponsored group) for espionage and infrastructure attacks.
* **Complexity**: Low to Medium
* **Attack Vector**: Network (Craft CMS, Laravel, WebKit) and Local (Apple Kernel).
## Impact
* **Confidentiality**: High (Data theft and espionage).
* **Integrity**: High (Arbitrary code execution and system modification).
* **Availability**: High (System termination and unauthorized resource use for mining).
## Remediation
### Patches
* **Apple WebKit (CVE-2025-31277):** Fixed in July 2025.
* **Apple Kernel (CVE-2025-43510, CVE-2025-43520):** Fixed in December 2025.
* **Craft CMS (CVE-2025-32432):** Fixed in April 2025.
* **Laravel Livewire (CVE-2025-54068):** Fixed in July 2025.
### Workarounds
* Apply vendor-specific security updates immediately. CISA has mandated that federal agencies patch these by **April 3, 2026**.
* Restrict public access to administrative CMS interfaces where possible.
## Detection
* **Indicators of Compromise**: Monitor for unauthorized cryptocurrency mining activity (Mimo), persistent iOS malware families (GHOSTBLADE/GHOSTSABER), and unusual outbound traffic from Laravel installations.
* **Detection Methods**: Use vulnerability scanners to identify unpatched instances of Craft CMS and Laravel. Deploy EDR and MDM solutions to detect iOS exploit kits on mobile devices.
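
One way to track the April 3, 2026 deadline against an inventory, as an added example (not code from CISA or the original report): it joins a constructed sample shaped like the KEV JSON feed with a hypothetical asset list and returns every host/CVE pair not yet verified as patched, with the days remaining. The host names, the inventory format and the product strings are assumptions; the CVE IDs and due date are the ones listed above.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed. cveID, vendorProject,
# product and dueDate are real feed fields; the product strings follow this
# page's wording and may differ from the live feed (assumption).
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-31277", "vendorProject": "Apple", "product": "WebKit", "dueDate": "2026-04-03"},
    {"cveID": "CVE-2025-43510", "vendorProject": "Apple", "product": "iOS Kernel", "dueDate": "2026-04-03"},
    {"cveID": "CVE-2025-43520", "vendorProject": "Apple", "product": "iOS Kernel", "dueDate": "2026-04-03"},
    {"cveID": "CVE-2025-32432", "vendorProject": "Craft CMS", "product": "Craft CMS", "dueDate": "2026-04-03"},
    {"cveID": "CVE-2025-54068", "vendorProject": "Laravel", "product": "Laravel Livewire", "dueDate": "2026-04-03"},
]})

# Hypothetical inventory: products each asset runs, and the KEV CVEs already
# verified as patched on it (e.g. from scanner or MDM results).
SAMPLE_ASSETS = [
    {"host": "cms-prod-01", "products": {"Craft CMS"}, "patched": {"CVE-2025-32432"}},
    {"host": "portal-02", "products": {"Laravel Livewire"}, "patched": set()},
    {"host": "ios-fleet", "products": {"WebKit", "iOS Kernel"}, "patched": {"CVE-2025-31277"}},
]


def open_kev_items(kev_json, assets, today):
    """Return (host, cve, days_left) for each KEV entry that applies to an
    asset and is not verified patched, most urgent first."""
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        for asset in assets:
            if entry["product"] not in asset["products"]:
                continue  # asset does not run the affected product
            if entry["cveID"] in asset["patched"]:
                continue  # remediation already verified
            findings.append((asset["host"], entry["cveID"], (due - today).days))
    return sorted(findings, key=lambda f: (f[2], f[0], f[1]))


def overdue(findings):
    """Findings whose due date has passed (negative days_left)."""
    return [f for f in findings if f[2] < 0]


if __name__ == "__main__":
    for host, cve, days in open_kev_items(SAMPLE_KEV, SAMPLE_ASSETS, date.today()):
        state = "OVERDUE" if days < 0 else f"{days} days left"
        print(f"{host:12} {cve:16} {state}")
```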
## References
* CISA KEV Catalog: hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog
* Apple Security Updates: hxxps://support.apple.com/en-us/HT201222
* Unit 42 Threat Assessment: hxxps://unit42.paloaltonetworks.com/boggy-serpens-threat-assessment/
* NVD Detail: hxxps://nvd.nist.gov/vuln/detail/CVE-2025-32432