U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

CISA has added critical vulnerabilities in CrushFTP, Google Chromium, and SysAid to its Known Exploited Vulnerabilities catalog, emphasizing the need for urgent patching. Exploits against these flaws have already been observed in the wild, posing significant risks to affected systems.

Key points

  • CISA identified and added newly exploited vulnerabilities in CrushFTP, Chrome, and SysAid to its KEV list.
  • The CrushFTP flaw (CVE-2025-54309) allows attackers to gain admin privileges via HTTPS and has been exploited since July 18.
  • A Chrome vulnerability (CVE-2025-6558) related to improper input validation has been actively exploited in the wild.
  • Critical SysAid flaws (CVE-2025-2775, CVE-2025-2776) can lead to account takeover and remote code execution.
  • Federal agencies are mandated to patch these vulnerabilities by August 12, 2025, per BOD 22-01.

Read More: https://securityaffairs.com/180293/hacking/u-s-cisa-adds-crushftp-google-chromium-and-sysaid-flaws-to-its-known-exploited-vulnerabilities-catalog.html