Summary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added several new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including severe command injection and privilege escalation flaws in Zyxel and Microsoft Windows products. Notably, CVE-2024-40891 and CVE-2024-40890 in Zyxel devices remain unpatched and can be exploited by attackers. The Windows vulnerabilities (CVE-2025-21391 and CVE-2025-21418) are being actively exploited in the wild following recent security updates.
Affected: Zyxel; Microsoft Windows
Key points:
- CVE-2024-40891: An unpatched command injection vulnerability in Zyxel CPE devices allowing arbitrary command execution.
- CVE-2024-40890: A post-authentication command injection vulnerability in Zyxel's legacy firmware that can be exploited by authenticated attackers.
- CVE-2025-21391 and CVE-2025-21418: Actively exploited privilege escalation vulnerabilities in Microsoft Windows, allowing attackers to delete files and gain SYSTEM privileges.