U.S. CISA adds Google Chromium, DrayTek routers, and SAP NetWeaver flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Google Chromium, DrayTek routers, and SAP NetWeaver flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Google Chromium, DrayTek routers, and SAP NetWeaver flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the descriptions for these flaws:

CVE-2024-12987 (CVSS score of 7.3) DrayTek Vigor Routers OS Command Injection Vulnerability – A critical OS command injection flaw in DrayTek Vigor2960 and Vigor300B (v1.5.1.4) via the Web UI allows remote attacks through the session parameter.
CVE-2025-4664 (CVSS score of 4.3) Google Chromium Loader Insufficient Policy Enforcement Vulnerability – This week Google released emergency security updates to address a Chrome browser vulnerability, tracked as CVE-2025-4664, that could lead to full account takeover. The security researcher Vsevolod Kokorin (@slonser_) discovered the vulnerability, which stems from an insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113. A remote attacker could trigger the flaw to leak cross-origin data via a crafted HTML page. Google warned of the availability of a public exploit for this high-severity flaw.
CVE-2025-42999 (CVSS score of 9.1) SAP NetWeaver Deserialization Vulnerability – SAP NetWeaver Visual Composer has a flaw allowing privileged users to upload malicious content, risking system confidentiality, integrity, and availability.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by June 5, 2025.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Google Chromium, DrayTek routers, and SAP NetWeaver flaws to its Known Exploited Vulnerabilities catalog.

Related Posts

A New Superman Featurette Puts Faith in Its Hero and James Gunn

TP-Link Gaming Router Vulnerability Exposes Users to Remote Code Attacks

Data on 9 Million Citizens Leaked in Cyberattack on Major US Dental Insurer

Trump’s National Security Advisor Left His Venmo Friends Public