The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a fresh warning after adding two high-risk vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing confirmed evidence of in-the-wild attacks. The critical flaws impact Erlang’s OTP SSH server and the Roundcube webmail platform.
CVE-2025-32433 (CVSS score of 10.0) affects the Erlang/OTP SSH server. Because a critical server function lacks authentication, unauthenticated remote attackers can execute arbitrary commands. Given Erlang’s presence in telecom systems and backend infrastructure, the flaw poses a significant risk.
Administrators are urged to upgrade to OTP versions 27.3.3, 26.2.5.11, or 25.3.2.20.
CVE-2024-42009, rated 9.3, is a stored cross-site scripting (XSS) vulnerability in Roundcube Webmail. It lets remote attackers craft emails that, when viewed, execute scripts in a user’s browser, potentially stealing emails, credentials, and contact data. The flaw, patched in Roundcube versions 1.6.8 and 1.5.8, has reportedly been used in recent phishing campaigns targeting Eastern European government and defense sectors.
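As an added example (not from CISA, the Erlang/OTP project, or Roundcube), the following script turns the fixed-version lists above into an inventory triage check. The version floors are exactly those named in the advisory text; how it treats release branches the text does not mention (OTP majors other than 25 to 27, Roundcube branches other than 1.5 and 1.6) is an assumption and is marked as such in the code. Hostnames and versions in the sample inventory are constructed for the demo.

```python
"""Version-floor check for the two KEV entries discussed above.

Added example, not CISA's or either project's own code. The fixed versions
are the ones the advisory lists; handling of other branches is an assumption.
"""
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, ...]

# Minimum patched OTP version per major release branch, as stated in the advisory.
OTP_FIXED: Dict[int, Version] = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}
# Minimum patched Roundcube version, keyed on the (major, minor) branch.
ROUNDCUBE_FIXED: Dict[Tuple[int, int], Version] = {
    (1, 6): (1, 6, 8),
    (1, 5): (1, 5, 8),
}


def parse_version(text: str) -> Version:
    """Turn '26.2.5.11' into (26, 2, 5, 11); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def at_least(installed: Version, floor: Version) -> bool:
    """Compare tuples after right-padding with zeros, so '27.3' means 27.3.0."""
    width = max(len(installed), len(floor))

    def pad(v: Version) -> Version:
        return v + (0,) * (width - len(v))

    return pad(installed) >= pad(floor)


def otp_is_patched(version: str) -> bool:
    """True if the OTP version is at or above the fixed release for its branch."""
    v = parse_version(version)
    major = v[0]
    if major in OTP_FIXED:
        return at_least(v, OTP_FIXED[major])
    # Assumption: majors older than 25 have no listed fix and are treated as
    # vulnerable; majors newer than 27 are assumed to ship with the fix.
    return major > 27


def roundcube_is_patched(version: str) -> bool:
    """True if the Roundcube version is at or above the fixed release for its branch."""
    v = parse_version(version)
    if len(v) < 2:
        raise ValueError("Roundcube versions need at least major.minor")
    branch = (v[0], v[1])
    if branch in ROUNDCUBE_FIXED:
        return at_least(v, ROUNDCUBE_FIXED[branch])
    # Assumption: branches newer than 1.6 are treated as fixed, older ones as not.
    return branch > (1, 6)


def triage(hosts: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (hostname, product, version) entries that still need a patch."""
    checks = {"erlang-otp": otp_is_patched, "roundcube": roundcube_is_patched}
    return [(h, p, ver) for h, p, ver in hosts if not checks[p](ver)]


# Constructed sample inventory for the demo; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("sip-gw-01", "erlang-otp", "26.2.5.10"),
    ("sip-gw-02", "erlang-otp", "26.2.5.11"),
    ("build-07", "erlang-otp", "27.3"),
    ("mail-01", "roundcube", "1.6.7"),
    ("mail-02", "roundcube", "1.6.8"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"PATCH NEEDED {host}: {product} {version}")
```

The padding in `at_least` matters: an inventory that records OTP as "27.3" must not be read as 27.3.3, so the shorter string is padded with zeros and correctly flagged as below the floor. On a typical OTP install the full four-part version string is in the `OTP_VERSION` file under the release directory (for example `releases/27/OTP_VERSION`), which is the value to feed this check rather than the bare major number that `erlang:system_info(otp_release)` reports.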
CISA’s directive requires all Federal Civilian Executive Branch (FCEB) agencies to patch these vulnerabilities by June 30, 2025.
Private-sector organizations are advised to follow suit, as these vulnerabilities are known to be exploited by advanced threat actors. The event highlights growing concern about how threat actors take advantage of blind spots in open-source frameworks. Security experts advise firms to upgrade affected systems immediately, audit external exposure, and monitor and strengthen email rendering guidelines.