CISA Flags Actively Exploited Cisco, SonicWall, and ASUS Flaws in Major KEV Update + Video


Introduction

The U.S. Cybersecurity and Infrastructure Security Agency continues to sound the alarm as real-world cyberattacks accelerate faster than patch cycles. In its latest update to the Known Exploited Vulnerabilities catalog, CISA confirmed that multiple critical flaws across Cisco, SonicWall, and ASUS products are being actively abused in the wild. These are not theoretical weaknesses or lab-based proofs of concept. They are operational attack vectors already leveraged by threat actors to gain root-level access, deploy persistence mechanisms, and compromise enterprise and government infrastructure. The update reinforces a hard truth for defenders: delayed remediation now translates directly into elevated breach risk.

The Original Report

CISA added several high-impact vulnerabilities to its Known Exploited Vulnerabilities catalog after confirming active exploitation. Among the most severe is a remote command execution flaw affecting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager, tracked as CVE-2025-20393. Cisco disclosed that attackers targeted a limited set of appliances exposed to the internet with specific ports open. Exploitation allowed threat actors to execute arbitrary commands with root privileges and implant persistence mechanisms to retain long-term access.

Cisco acknowledged discovering the campaign on December 10, noting that compromised appliances ran AsyncOS software. The investigation revealed that attackers were not only gaining initial access but also ensuring ongoing control, a clear indicator of advanced intrusion activity rather than opportunistic scanning.

Another vulnerability added to the catalog is CVE-2025-40602, a local privilege escalation flaw in the SonicWall SMA1000 appliance management console. SonicWall warned that this issue was exploited as a zero-day in real-world attacks. Although SonicWall firewall products were not affected, SMA1000 appliances were exposed to serious risk.

The vendor confirmed that attackers chained CVE-2025-40602 with another critical vulnerability, CVE-2025-23006, which carries a CVSS score of 9.8. This attack chain enabled unauthenticated remote code execution with root privileges. CVE-2025-23006 was patched earlier in January 2025, but organizations that failed to apply updates remained vulnerable.

CISA also added a critical ASUS Live Update vulnerability, CVE-2025-59374, after confirming active exploitation. This flaw originated from a supply chain compromise linked to the infamous ShadowHammer campaign first uncovered in 2019. In that campaign, attackers trojanized ASUS Live Update packages to target specific devices using MAC address filtering. Although ASUS addressed the issue years ago, Live Update officially reached end of support in December 2025, increasing residual risk for unpatched systems.

Under Binding Operational Directive 22-01, federal civilian executive branch agencies are required to remediate these vulnerabilities within strict deadlines. CISA ordered agencies to patch Cisco and SonicWall flaws by December 24, 2025, and the ASUS vulnerability by January 7, 2025. Private sector organizations were strongly advised to review the KEV catalog and address affected assets without delay.

What Undercode Says:

This KEV update reflects a deeper and more uncomfortable trend in modern cyber operations. Attackers are no longer racing to discover unknown vulnerabilities. Instead, they are systematically exploiting known, high-impact flaws faster than organizations can respond. The Cisco campaign is especially revealing because it highlights how exposed management interfaces and misconfigured ports remain a persistent weak point, even in mature enterprise environments.

Root-level command execution combined with planted persistence mechanisms suggests attackers were preparing for long-term access, not smash-and-grab attacks. That elevates this activity from routine exploitation into the territory of strategic compromise, potentially for espionage, data exfiltration, or infrastructure manipulation.

The SonicWall case reinforces another critical lesson. Zero-day exploitation is increasingly chained, not isolated. Privilege escalation flaws become exponentially more dangerous when paired with remote execution vulnerabilities. Organizations that patched only part of the chain still faced total compromise. This pattern mirrors tactics used by advanced threat actors who prioritize reliability and impact over novelty.

The ASUS Live Update entry is perhaps the most sobering. Supply chain compromises do not expire when vendors issue fixes. Legacy systems, end-of-life software, and forgotten update mechanisms continue to function as latent attack surfaces. ShadowHammer was never just a historical incident. It became a blueprint for modern supply chain abuse, and its echoes remain visible years later.

CISA’s aggressive deadlines signal urgency, but they also expose a gap between policy and operational reality. Many organizations still struggle with asset visibility, patch prioritization, and downtime constraints. The KEV catalog is no longer a compliance checklist. It has effectively become a live threat intelligence feed, and ignoring it is a strategic failure.

From a defensive perspective, this update underscores the importance of exposure management over vulnerability volume. Internet-facing appliances, management consoles, and update mechanisms deserve priority treatment regardless of their perceived criticality. Attackers have already made that calculation, and they are consistently choosing the fastest path to root access.
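The BOD 22-01 deadlines described in the original report and the exposure-first prioritization argued for above both come down to one routine task: matching an asset inventory against the KEV catalog and ordering the work by reachability and due date. The script below is an added example written for this article, not code from CISA or from any vendor named here. It uses the field names of CISA's public known_exploited_vulnerabilities.json feed (cveID, vendorProject, product, dueDate) but the feed dict, the dueDate strings, the hostnames and the scanner findings are constructed sample values; only the CVE identifiers come from the article.

```python
"""Triage a small asset inventory against a CISA KEV-style feed.

Added example, not code from the article or from CISA. KEV_FEED is a
constructed subset using the public feed's field names; due dates, hosts
and findings are sample values (consult the live catalog for real dates).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Constructed KEV-style feed. CVE IDs are those named in the article;
# every dueDate here is a sample value, not the published deadline.
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-2025-20393", "vendorProject": "Cisco",
         "product": "Secure Email Gateway / Secure Email and Web Manager",
         "dueDate": "2025-12-24"},
        {"cveID": "CVE-2025-40602", "vendorProject": "SonicWall",
         "product": "SMA1000", "dueDate": "2025-12-24"},
        {"cveID": "CVE-2025-23006", "vendorProject": "SonicWall",
         "product": "SMA1000", "dueDate": "2025-02-14"},
        {"cveID": "CVE-2025-59374", "vendorProject": "ASUS",
         "product": "Live Update", "dueDate": "2026-01-07"},
    ]
}


@dataclass
class Asset:
    hostname: str
    vendor: str
    findings: set[str]              # CVE IDs a scanner reported for this host
    internet_facing: bool           # reachable from the internet (exposure)
    patched: set[str] = field(default_factory=set)  # CVEs already remediated


# Constructed inventory: hostnames, exposure flags and findings are sample values.
SAMPLE_ASSETS = [
    Asset("esa-01", "Cisco", {"CVE-2025-20393"}, internet_facing=True),
    Asset("sma-01", "SonicWall", {"CVE-2025-40602", "CVE-2025-23006"},
          internet_facing=True, patched={"CVE-2025-23006"}),
    Asset("lab-pc-07", "ASUS", {"CVE-2025-59374"}, internet_facing=False),
    # Placeholder CVE ID (constructed) that is not in the KEV sample at all.
    Asset("fw-02", "SonicWall", {"CVE-0000-00000"}, internet_facing=True),
]


@dataclass
class Finding:
    hostname: str
    cve: str
    vendor: str
    due: date
    days_left: int          # negative once the due date has passed
    internet_facing: bool

    @property
    def status(self) -> str:
        if self.days_left < 0:
            return "OVERDUE"
        if self.days_left <= 7:
            return "DUE_SOON"
        return "OPEN"


def index_kev(feed: dict) -> dict[str, dict]:
    """Map cveID -> catalog entry for O(1) lookups."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def triage(assets: list[Asset], feed: dict, as_of: date) -> list[Finding]:
    """Return open KEV findings, internet-facing hosts first, then tightest deadline."""
    kev = index_kev(feed)
    out: list[Finding] = []
    for a in assets:
        for cve in sorted(a.findings - a.patched):
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: leave to the normal patch cadence
            due = date.fromisoformat(entry["dueDate"])
            out.append(Finding(a.hostname, cve, entry["vendorProject"], due,
                               (due - as_of).days, a.internet_facing))
    # Exposure outranks everything else; within the same exposure, earliest due first.
    out.sort(key=lambda f: (not f.internet_facing, f.days_left))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per status, e.g. {'OVERDUE': 2, 'OPEN': 1}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


if __name__ == "__main__":
    today = date(2025, 12, 28)  # constructed "as of" date for the demo
    for f in triage(SAMPLE_ASSETS, KEV_FEED, today):
        exposure = "INTERNET" if f.internet_facing else "internal"
        print(f"{f.status:9} {f.hostname:10} {f.cve} ({f.vendor}) "
              f"due {f.due} [{exposure}]")
    print(summarize(triage(SAMPLE_ASSETS, KEV_FEED, today)))
```

The sort key encodes the article's point directly: an internet-facing appliance with a KEV entry lands at the top of the queue regardless of how many other findings the scanner produced, and a finding outside the catalog is not silently ranked alongside exploited-in-the-wild flaws. In production the feed would be fetched from CISA's published JSON and the inventory from the CMDB or scanner export; the matching and ordering logic stays the same.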

Fact Checker Results

✅ CISA officially added Cisco, SonicWall, and ASUS vulnerabilities to the KEV catalog.
✅ Active exploitation of CVE-2025-20393, CVE-2025-40602, and CVE-2025-59374 has been confirmed.
❌ No public attribution has been made regarding the threat actors behind these campaigns.

Prediction

📊 Expect increased scanning and automated exploitation attempts against unpatched Cisco and SonicWall appliances as KEV awareness spreads.
📊 Supply chain attack techniques will continue resurfacing through legacy update mechanisms and end-of-life software.
📊 Regulatory pressure around KEV compliance will intensify, especially for critical infrastructure and federal contractors.


References:

Reported By: securityaffairs.com