U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the descriptions for these flaws:

  • CVE-2025-54309 CrushFTP Unprotected Alternate Channel Vulnerability
  • CVE-2025-6558 Google Chromium ANGLE and GPU Improper Input Validation Vulnerability
  • CVE-2025-2776 SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability
  • CVE-2025-2775 SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability

This week CrushFTP warned of a zero-day, tracked as CVE-2025-54309 (CVSS score of 9.0), that has been exploited in the wild since July 18. The flaw in the CrushFTP managed file transfer software allows attackers to gain administrative privileges on vulnerable servers over HTTPS. The attackers reverse-engineered older CrushFTP code to exploit a bug that had already been patched in versions released before July 1.

Last week, Google released fixes for six Chrome flaws, including one actively exploited in the wild tracked as CVE-2025-6558 (CVSS score of 8.8). CVE-2025-6558 stems from improper validation of untrusted input in Chrome’s ANGLE and GPU components.

Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group reported the vulnerability on June 23, 2025. Google’s TAG team investigates attacks by nation-state actors and commercial spyware vendors. One of these threat actors likely exploited the issue in the wild.

Three critical flaws (CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777) in SysAid's on-prem software could let attackers take over admin accounts or read server files via unsafe XML input (XML External Entity, XXE, injection). When chained with a previous bug (CVE-2024-36394), they may even enable remote code execution. SysAid fixed the issues in version 24.4.60 build 16 (March 2025).
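The SysAid entries are classed as "Improper Restriction of XML External Entity Reference", the bug class in which a parser honours DOCTYPE and entity declarations supplied by the client. The following is an added example, not SysAid's code or anything from the article, showing the defensive control: screen client-supplied XML for any DTD construct with Python's stdlib expat parser before handing it to a real parser. The ticket documents and the placeholder file URI are constructed for illustration; nothing is fetched or read.

```python
# Added example (not SysAid's code or the article's): pre-screen untrusted XML so that
# any DOCTYPE or entity declaration is rejected before the document is parsed.
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


def check_no_dtd(data: bytes) -> None:
    """Walk the document with expat and abort on the first DTD construct.

    Nothing is resolved or fetched here: the handlers only observe that a
    declaration is present and raise, so the check is safe on hostile input.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} is not allowed in client-supplied XML")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeXML(f"entity declaration {name!r} is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)  # raises UnsafeXML, or ExpatError if malformed


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse client-supplied XML only after the DTD screen has passed."""
    check_no_dtd(data)
    return ET.fromstring(data)


def is_safe_xml(data: bytes) -> bool:
    """Boolean form of the screen, for request validation and tests."""
    try:
        check_no_dtd(data)
    except (UnsafeXML, xml.parsers.expat.ExpatError):
        return False
    return True


# Constructed inputs for illustration; the file URI is a placeholder and is never read.
BENIGN = b"<ticket><title>Printer offline</title><priority>2</priority></ticket>"
EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE ticket [<!ENTITY ext SYSTEM "file:///placeholder/secret.txt">]>'
    b"<ticket><title>&ext;</title></ticket>"
)
EXTERNAL_DTD = b'<!DOCTYPE ticket SYSTEM "http://example.invalid/ticket.dtd"><ticket/>'

if __name__ == "__main__":
    print("benign ->", parse_untrusted(BENIGN).findtext("title"))
    for label, doc in (("external entity", EXTERNAL_ENTITY), ("external DTD", EXTERNAL_DTD)):
        try:
            parse_untrusted(doc)
        except UnsafeXML as err:
            print(f"{label} -> rejected: {err}")
```

The policy is deliberately strict: any DOCTYPE is refused, including harmless internal entities, because a ticketing or import endpoint has no legitimate need for a client to define a DTD, and the cost of distinguishing safe from unsafe declarations is higher than the cost of rejecting them all.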

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by August 12, 2025.
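For organisations that follow the recommendation to review the catalog, the following added example (not CISA's tooling or anything from the article) shows how a team can cross-check a KEV feed against its own asset inventory and flag entries by their BOD 22-01 deadline. The record field names mirror the public KEV JSON feed; the four records, their dateAdded values and the inventory are constructed for illustration, with the due date taken from the article.

```python
# Added example (not CISA's code): triage KEV feed entries against an asset inventory
# and annotate each hit with the days remaining until its dueDate.
from datetime import date

# Constructed subset of the KEV feed using the four entries from the article.
# dateAdded values are assumed; dueDate is the deadline the article reports.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-2025-54309", "vendorProject": "CrushFTP", "product": "CrushFTP",
         "vulnerabilityName": "CrushFTP Unprotected Alternate Channel Vulnerability",
         "dateAdded": "2025-07-22", "dueDate": "2025-08-12"},
        {"cveID": "CVE-2025-6558", "vendorProject": "Google", "product": "Chromium ANGLE",
         "vulnerabilityName": "Google Chromium ANGLE and GPU Improper Input Validation Vulnerability",
         "dateAdded": "2025-07-22", "dueDate": "2025-08-12"},
        {"cveID": "CVE-2025-2776", "vendorProject": "SysAid", "product": "SysAid On-Prem",
         "vulnerabilityName": "SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability",
         "dateAdded": "2025-07-22", "dueDate": "2025-08-12"},
        {"cveID": "CVE-2025-2775", "vendorProject": "SysAid", "product": "SysAid On-Prem",
         "vulnerabilityName": "SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability",
         "dateAdded": "2025-07-22", "dueDate": "2025-08-12"},
    ]
}

# Constructed inventory: vendor or product names the organisation actually runs.
INVENTORY = {"CrushFTP", "SysAid On-Prem"}


def triage(kev: dict, inventory: set, today: date) -> list:
    """Return KEV entries whose vendorProject or product matches the inventory
    (case-insensitive), earliest deadline first, each annotated with the number
    of days until its dueDate (negative once the deadline has passed)."""
    wanted = {name.lower() for name in inventory}
    hits = []
    for v in kev["vulnerabilities"]:
        if v["vendorProject"].lower() in wanted or v["product"].lower() in wanted:
            due = date.fromisoformat(v["dueDate"])
            days_left = (due - today).days
            hits.append({
                "cveID": v["cveID"],
                "product": v["product"],
                "dueDate": v["dueDate"],
                "days_left": days_left,
                "status": "overdue" if days_left < 0 else "open",
            })
    hits.sort(key=lambda h: (h["dueDate"], h["cveID"]))
    return hits


if __name__ == "__main__":
    for hit in triage(KEV_SAMPLE, INVENTORY, date(2025, 8, 1)):
        print(f"{hit['cveID']:<15} {hit['product']:<15} due {hit['dueDate']} "
              f"({hit['days_left']:+d} days, {hit['status']})")
```

In practice the same function runs over the live feed downloaded from CISA and an inventory exported from the CMDB or vulnerability scanner; the Chromium entry drops out here only because the constructed inventory lists no Google product, which is exactly the gap an incomplete inventory would hide.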


Pierluigi Paganini

(SecurityAffairs – hacking, CISA)