Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The list of flaws is as follows - CVE-2014-3931 (CVSS score: 9.8) - A buffer overflow vulnerability in Multi-Router Looking Glass (MRLG) that could allow remote attackers to cause an
Analysis Summary
The source article covers four vulnerabilities added to the CISA KEV catalog and two separately reported, actively exploited Citrix NetScaler vulnerabilities. All six findings are summarized below.
# Vulnerability: Multiple Critical Vulnerabilities Added to CISA KEV Catalog & Citrix NetScaler Flaws
## CVE Details
| CVE ID | CVSS Score | Severity |
| :--- | :--- | :--- |
| **CVE-2014-3931** | 9.8 | Critical |
| **CVE-2016-10033** | 9.8 | Critical |
| **CVE-2019-5418** | 7.5 | High |
| **CVE-2019-9621** | 7.5 | High |
| **CVE-2025-5777** (Citrix Bleed 2) | N/A (Assessed as Critical) | Critical |
| **CVE-2025-6543** | N/A (Mentioned as exploited) | N/A |
- CWE: Not explicitly listed for every CVE; weakness classes are inferred from the descriptions (buffer overflow, command injection, path traversal, SSRF).
## Affected Systems
- **CVE-2014-3931:** Multi-Router Looking Glass (MRLG)
- **CVE-2016-10033:** PHPMailer
- **CVE-2019-5418:** Ruby on Rails' Action View
- **CVE-2019-9621:** Zimbra Collaboration Suite
- **CVE-2025-5777 & CVE-2025-6543:** Citrix NetScaler ADC
- **Versions:** Not specified in detail for the KEV additions, aside from the product category.
- **Configurations:** Not specified.
## Vulnerability Description
* **CVE-2014-3931 (MRLG):** A buffer overflow vulnerability allowing remote attackers to cause arbitrary memory write and memory corruption.
* **CVE-2016-10033 (PHPMailer):** A command injection vulnerability leading to arbitrary code execution or Denial of Service (DoS).
* **CVE-2019-5418 (Ruby on Rails Action View):** A path traversal vulnerability that could expose the contents of arbitrary files on the target system.
* **CVE-2019-9621 (Zimbra):** Server-Side Request Forgery (SSRF) that could result in unauthorized access to internal resources and remote code execution.
* **CVE-2025-5777 (Citrix Bleed 2):** A critical memory disclosure flaw allowing attackers to read memory, potentially exposing sensitive information, credentials, and valid Citrix session tokens. Exploitation observed targeting the `/p/u/doAuthentication.do` endpoint.
* **CVE-2025-6543:** Mentioned alongside CVE-2025-5777 as being actively exploited (details not provided).
## Exploitation
- **Status:**
  - **CVE-2014-3931, CVE-2016-10033, CVE-2019-5418:** Active exploitation reported (added to the KEV catalog), but no specific real-world exploitation details provided.
  - **CVE-2019-9621:** Actively exploited in the wild by the China-linked threat actor Earth Lusca (since September 2023) to deploy web shells and Cobalt Strike.
  - **CVE-2025-5777 & CVE-2025-6543:** Active exploitation confirmed in the wild.
- **Complexity:** Not explicitly stated; the high CVSS scores of the first three suggest low-complexity exploitation.
- **Attack Vector:** Likely Network for most, since the affected products are network-facing services (MRLG, PHPMailer, Zimbra, Citrix NetScaler).
## Impact
| Vulnerability | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| **CVE-2014-3931** | High (via memory corruption) | High (via arbitrary write) | High (via memory corruption) |
| **CVE-2016-10033** | High (via code execution) | High (via code execution) | High (via DoS) |
| **CVE-2019-5418** | High (File content exposure) | Low/Medium | Low/Medium |
| **CVE-2019-9621** | High (via RCE/internal access) | High (via RCE) | High (via RCE) |
| **CVE-2025-5777** | High (Sensitive info/tokens leaked) | Low | Low |
## Remediation
### Patches
- **KEV Additions:** Federal Civilian Executive Branch (FCEB) agencies are advised to apply the necessary updates by **July 28, 2025**. Specific vendor patch versions are not listed in the source text.
- **CVE-2025-5777 / CVE-2025-6543:** The article implies that updates are available and urges immediate action, since both CVEs were added to the KEV catalog.
### Workarounds
- No specific workarounds are detailed in the article for the listed CVEs.
## Detection
- **Indicators of Compromise:**
  - For CVE-2019-9621: Indicators related to web shell deployment and Cobalt Strike beacons associated with Earth Lusca activity.
  - For CVE-2025-5777: Network traffic targeting the `/p/u/doAuthentication.do` endpoint with crafted login requests (the flaw causes the response to reflect the submitted input whether authentication succeeds or fails).
- **Detection Methods and Tools:** General security monitoring tools should be used to detect anomalous activity matching exploitation patterns for these flaws, especially for critical systems prioritized by CISA.
## References
- CISA Announcement: hxxps://www.cisa.gov/news-events/alerts/2025/07/07/cisa-adds-four-known-exploited-vulnerabilities-catalog
- WatchTowr Labs analysis (CVE-2025-5777): hxxps://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/
- Horizon3.ai analysis (CVE-2025-5777): hxxps://horizon3.ai/attack-research/attack-blogs/cve-2025-5777-citrixbleed-2-write-up-maybe/