US-Cert Current Activity

CISA, in partnership with the Federal Bureau of Investigation (FBI), released Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications. This advisory was crafted in response to active exploitation of vulnerabilities—CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code execution vulnerabilities—in Ivanti Cloud Service Appliances (CSA) in September 2024.

CISA, and the use of trusted third-party incident response data, found that threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant webshells on victim networks.

CISA and FBI strongly encourage network administrators and defenders to upgrade to the latest supported version of Ivanti CSA and to hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) provided in the advisory. All members of the cybersecurity community are also encouraged to visit CISA’s Known Exploited Vulnerabilities Catalog to help better manage vulnerabilities and keep pace with threat activity. For more information and guidance on protection against the most common and impactful threats, tactics, techniques, and procedures, visit CISA’s Cross-Sector Cybersecurity Performance Goals.

CISA released three Industrial Control Systems (ICS) advisories on January 21, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-021-01 Traffic Alert and Collision Avoidance System (TCAS) II
• ICSA-25-021-02 Siemens SIMATIC S7-1200 CPUs
• ICSA-25-021-03 ZF Roll Stability Support Plus (RSSPlus)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

In partnership with the Federal Bureau of Investigation (FBI), CISA released an update to joint guidance Product Security Bad Practices in furtherance of CISA’s Secure by Design initiative. This updated guidance incorporates public comments CISA received in response to a Request for Information, adding additional bad practices, context regarding memory-safe languages, clarifying timelines for patching Known Exploited Vulnerabilities (KEVs), and other recommendations.

While this voluntary guidance is intended for software manufacturers who develop software products and services in support of critical infrastructure, all software manufacturers are strongly encouraged to avoid these product security bad practices.

CISA and FBI urge software manufacturers to reduce customer risk by prioritizing security throughout the product development process. For more information and resources, visit CISA’s Secure by Design webpage or learn how to take CISA’s Secure by Design Pledge.

Today, CISA—in partnership with the Defense Advanced Research Projects Agency (DARPA), the Office of the Under Secretary of Defense for Research and Engineering (OUSD R&E), and the National Security Agency (NSA)—published Closing the Software Understanding Gap. This report urgently implores the U.S. government to take decisive and coordinated action.

 Software understanding refers to assessing software-controlled systems across all conditions. Mission owners and operators often lack adequate capabilities for software understanding because technology manufacturers build software that greatly outstrips the ability to understand it. This gap, along with the lack of secure by design software being created by technology manufacturers, can lead to the exploitation of software vulnerabilities.

 The U.S. government has engaged in activities that have paved the way toward improving software understanding, including research investments, mission agency initiatives, and policy actions. This report further explores the opportunity for enhanced coordination to strengthen technical foundations and progress towards a more vigorous understanding of software on a national scale. To learn more about development practices and principles that build cybersecurity into the design and manufacture of technology products, visit CISA’s Secure by Design webpage.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-50603 Aviatrix Controllers OS Command Injection Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA released twelve Industrial Control Systems (ICS) advisories on January 16, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-016-01 Siemens Mendix LDAP
• ICSA-25-016-02 Siemens Industrial Edge Management
• ICSA-25-016-03 Siemens Siveillance Video Camera
• ICSA-25-016-04 Siemens SIPROTEC 5 Products
• ICSA-25-016-05 Fuji Electric Alpha5 SMART
• ICSA-25-016-06 Hitachi Energy FOX61x, FOXCST, and FOXMAN-UN Products
• ICSA-25-016-07 Hitachi Energy FOX61x Products
• ICSA-25-016-08 Schneider Electric Data Center Expert
   
• ICSA-24-058-01 Mitsubishi Electric Multiple Factory Automation Products (Update A)
• ICSA-25-010-03 Delta Electronics DRASimuCAD (Update A)
• ICSA-24-191-05 Johnson Controls Inc. Software House C●CURE 9000 (Update A)
• ICSA-24-030-02 Mitsubishi Electric FA Engineering Software Products (Update B)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

Today, CISA released the Microsoft Expanded Cloud Logs Implementation Playbook to help organizations get the most out of Microsoft’s newly introduced logs in Microsoft Purview Audit (Standard). This step-by-step guide enables technical personnel to better detect and defend against advanced intrusion techniques by operationalizing expanded cloud logs. 

The playbook details analytical methodologies tied to using these logs. Specifically, the playbook offers:

• An overview of the newly introduced logs in Microsoft Purview Audit (Standard) that enable organizations to conduct forensic and compliance investigations by accessing critical events (e.g., mail items accessed, mail items sent, and user searches in SharePoint Online and Exchange Online). 
• A description of administration/enabling actions and ingestion of these logs to Microsoft Sentinel and Splunk Security Information and Event Management (SIEM) systems. 
• A discussion of significant events in other M365 services, such as Teams. 

CISA encourages organizations to use the playbook to make newly available logs an actionable part of their enterprise cybersecurity operations. 

CISA has added four vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-55591 Fortinet FortiOS Authorization Bypass Vulnerability
• CVE-2025-21333 Microsoft Windows Hyper-V NT Kernel Integration VSP Heap-based Buffer Overflow Vulnerability
• CVE-2025-21334 Microsoft Windows Hyper-V NT Kernel Integration VSP Use-After-Free Vulnerability
• CVE-2025-21335 Microsoft Windows Hyper-V NT Kernel Integration VSP Use-After-Free Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Adobe released security updates to address vulnerabilities in multiple Adobe software products including Adobe Photoshop, Animate, and Illustrator for iPad. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. 

CISA encourages users and administrators to review the following Adobe Security Bulletin and apply necessary updates:

• Adobe Product Security Updates for January

Microsoft released security updates to address vulnerabilities in multiple Microsoft products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. 

CISA encourages users and administrators to review the following and apply necessary updates:

• Microsoft Security Update Guide for January

Ivanti released security updates to address vulnerabilities in Ivanti Avalanche, Ivanti Application Control Engine, and Ivanti EPM. 

CISA encourages users and administrators to review the following Ivanti security advisories and apply the necessary guidance and updates:

• Ivanti Avalanche
• Ivanti Application Control Engine
• Ivanti EPM

Fortinet released security updates to address vulnerabilities in multiple Fortinet products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the following and apply necessary updates:

• Fortinet Security Updates

CISA released four Industrial Control Systems (ICS) advisories on January 14, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-014-01 Hitachi Energy FOXMAN-UN
• ICSA-25-014-02 Schneider Electric Vijeo Designer
• ICSA-25-014-03 Schneider Electric EcoStruxure
• ICSA-25-014-04 Belledonne Communications Linphone-Desktop

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

Today, CISA released the JCDC AI Cybersecurity Collaboration Playbook and Fact Sheet to foster operational collaboration among government, industry, and international partners and strengthen artificial intelligence (AI) cybersecurity. The playbook provides voluntary information-sharing processes that, if adopted, can help protect organizations from emerging AI threats. 

Specifically, the playbook:

• Facilitates collaboration between federal agencies, private industry, international partners, and other stakeholders to raise awareness of AI cybersecurity risks and improve the resilience of AI systems.
• Guides JCDC partners on how to voluntarily share information related to cybersecurity incidents and vulnerabilities associated with AI systems.
• Delineates information-sharing protections and mechanisms.
• Outlines CISA’s actions upon receiving shared information. 

CISA urges JCDC partners to integrate the playbook into their incident response and information-sharing processes, make iterative improvements as needed, and provide feedback to CISA through CISA.JCDC@cisa.dhs.gov.

Not a partner? Join JCDC to engage in synchronized cybersecurity planning, cyber defense, and response. Learn more by visiting CISA’s JCDC webpage and emailing CISA.JCDC@cisa.dhs.gov. 

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-12686 BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) OS Command Injection Vulnerability
• CVE-2024-48365 Qlik Sense HTTP Tunneling Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Today, CISA—along with U.S. and international partners—released joint guidance Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products. As part of CISA’s Secure by Demand series, this guidance focuses on helping customers identify manufacturers dedicated to continuous improvement and achieving a better cost balance, as well as how Operational Technology (OT) owners and operators should integrate secure by design elements into their procurement process.

Critical infrastructure and industrial control systems are prime targets for cyberattacks. The authoring agencies warn that threat actors, when compromising OT components, target specific OT products rather than specific organizations. Many OT products are not designed and developed with Secure by Design principles and often have easily exploited weaknesses. When procuring products, OT owners and operators should select products from manufacturers who prioritize security elements identified in this guidance.

For more information on questions to consider during procurement discussions, see CISA’s Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem. To learn more about secure by design principles and practices, visit Secure by Design.

CISA released four Industrial Control Systems (ICS) advisories on January 10, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-010-01 Schneider Electric PowerChute Serial Shutdown
• ICSA-25-010-02 Schneider Electric Harmony HMI and Pro-face HMI Products
• ICSA-25-010-03 Delta Electronics DRASimuCAD
   
• ICSA-24-345-06 Rockwell Automation Arena (Update A)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

Today, CISA released the Cybersecurity Performance Goals Adoption Report to highlight how adoption of Cybersecurity Performance Goals (CPGs) benefits our nation’s critical infrastructure sectors. Originally released in October 2022, CISA’s CPGs are voluntary practices that critical infrastructure owners can take to protect themselves against cyber threats. 

This report is based on analysis of 7,791 critical infrastructure organizations enrolled in CISA’s Vulnerability Scanning service from Aug. 1, 2022, through Aug. 31, 2024. Data reveals that four critical infrastructure sectors are most impacted by CPG adoption: Healthcare and Public Health, Water and Wastewater Systems, Communications, and Government Services and Facilities. These four sectors have strong partnerships with CISA.

As CISA strengthens partnerships across all 16 critical infrastructure sectors, the agency hopes that CPG adoption will continue to expand. CISA urges critical infrastructure to learn more by visiting Cross-Sector Cybersecurity Performance Goals. 

Ivanti released security updates to address vulnerabilities (CVE-2025-0282, CVE-2025-0283) in Ivanti Connect Secure, Policy Secure, and ZTA Gateways. A cyber threat actor could exploit CVE-2025-0282 to take control of an affected system.

CISA has added CVE-2025-0282 to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CISA urges organizations to hunt for any malicious activity, report any positive findings to CISA, and review the following for more information:

• Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283)

For all instances of Ivanti Connect Secure, Policy Secure, and ZTA Gateways, see the following steps for general hunting guidance:

1. Conduct threat hunting actions:  
   1. Run the In-Build Integrity Checker Tool (ICT). Instructions can be found here. 
   2. Conduct threat hunt actions on any systems connected to—or recently connected to—the affected Ivanti device.  
2. If threat hunting actions determine no compromise: 
   1. Factory reset the device and apply the patch described in Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283). 
   2. Monitor the authentication or identity management services that could be exposed. 
   3. Continue to audit privilege level access accounts. 
3. If threat hunting actions determine compromise: 
   1. Report to CISA and Ivanti immediately to start forensic investigation and incident response activities.  
   2. Disconnect instances of affected Ivanti Connect Secure products.  
   3. Isolate the systems from any enterprise resources to the greatest degree possible. 
   4. Revoke and reissue any connected or exposed certificates, keys, and passwords, to include the following: 
      1. Reset the admin enable password. 
      2. Reset stored application programming interface (API) keys. 
      3. Reset the password of any local user defined on the gateway, including service accounts used for auth server configuration(s).  
   5. If domain accounts associated with the affected products have been compromised: 
      1. Reset passwords twice for on premise accounts, revoke Kerberos tickets, and then revoke tokens for cloud accounts in hybrid deployments. 
      2. For cloud joined/registered devices, disable devices in the cloud to revoke the device tokens.
   6. After investigation, fully patch and restore system to service.

Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2025-0282 Ivanti Connect Secure Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

CISA urges organizations to apply mitigations as set forth in the CISA instructions linked below to include conducting hunt activities, taking remediation actions if applicable, and applying updates prior to returning a device to service

• Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283)
• CISA Mitigation Instructions for CVE-2025-0282 

Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.