US CERT Current Activity
Updated Guidance on Play Ransomware
Jun 4, 2025
CISA, the Federal Bureau of Investigation (FBI), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) have issued an updated advisory on Play ransomware, also known as Playcrypt. This advisory highlights new tactics, techniques, and procedures used by the Play ransomware group and provides updated indicators of compromise (IOCs) to enhance threat detection. Since June 2022, Playcrypt has targeted diverse businesses and critical infrastructure across North America, South America, and Europe, becoming one of the most active ransomware groups in 2024. The FBI has identified approximately 900 entities allegedly exploited by these ransomware actors as of May 2025. Recommended mitigations include: Implementing multifactor authentication; Maintaining offline data backups; Developing and testing a recovery plan; and Keeping all operating systems, software, and firmware updated. Stay vigilant and take proactive measures to protect your organization.
CISA Releases Three Industrial Control Systems Advisories
Jun 3, 2025
CISA released three Industrial Control Systems (ICS) advisories on June 3, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-153-01 Schneider Electric Wiser Home Automation ICSA-25-153-02 Schneider Electric EcoStruxure Power Build Rapsody ICSA-25-153-03 Mitsubishi Electric MELSEC iQ-F Series CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
CISA Adds Three Known Exploited Vulnerabilities to Catalog
Jun 3, 2025
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2025-21479 Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability CVE-2025-21480 Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability CVE-2025-27038 Qualcomm Multiple Chipsets Use-After-Free Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
CISA Adds Five Known Exploited Vulnerabilities to Catalog
Jun 2, 2025
CISA added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2021-32030 ASUS Routers Improper Authentication Vulnerability CVE-2023-39780 ASUS RT-AX55 Routers OS Command Injection Vulnerability CVE-2024-56145 Craft CMS Code Injection Vulnerability CVE-2025-3935 ConnectWise ScreenConnect Improper Authentication Vulnerability CVE-2025-35939 Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. Please share your thoughts with us through our anonymous survey. We appreciate your feedback.
CISA Releases Five Industrial Control Systems Advisories
May 29, 2025
CISA released five Industrial Control Systems (ICS) advisories on May 29, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-148-01 Siemens SiPass ICSA-25-148-02 Siemens SiPass Integrated ICSA-25-148-03 Consilium Safety CS5000 Fire Panel ICSA-25-148-04 Instantel Micromate ICSMA-25-148-01 Santesoft Sante DICOM Viewer Pro CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
CISA Releases One Industrial Control Systems Advisory
May 27, 2025
CISA released one Industrial Control Systems (ICS) advisory on May 27, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-146-01 Johnson Controls iSTAR Configuration Utility (ICU) Tool CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
New Guidance for SIEM and SOAR Implementation
May 27, 2025
Today, CISA, in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and other international and U.S. partners, released new guidance for organizations seeking to procure Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platforms. This guidance includes the following three resources: Implementing SIEM and SOAR Platforms – Executive Guidance outlines how executives can enhance their organization’s cybersecurity framework by implementing these technologies to improve visibility into network activities, enabling swift detection and response to cyber threats. Implementing SIEM and SOAR Platforms – Practitioner Guidance focuses on how practitioners can quickly identify and respond to potential cybersecurity threats and leverage these technologies to streamline incident response processes by automating predefined actions based on detected anomalies. Priority Logs for SIEM Ingestion – Practitioner Guidance offers insights for prioritizing log ingestion into a SIEM, ensuring that critical data sources are effectively collected and analyzed to enhance threat detection and incident response capabilities tailored for organizations. CISA encourages organizations to review this guidance and implement the recommended best practices to strengthen their cybersecurity. For access to the guidance documents, please visit CISA’s SIEM and SOAR Resource page.
Advisory Update on Cyber Threat Activity Targeting Commvault’s SaaS Cloud Application (Metallic)
May 22, 2025
Commvault is monitoring cyber threat activity targeting their applications hosted in their Microsoft Azure cloud environment. Threat actors may have accessed client secrets for Commvault’s (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure. This provided the threat actors with unauthorized access to Commvault’s customers’ M365 environments that have application secrets stored by Commvault. See the following resource for more information: Notice: Security Advisory (Update). CISA believes the threat activity may be part of a larger campaign targeting various SaaS companies’ cloud applications with default configurations and elevated permissions. CISA urges users and administrators to review the following mitigations and apply necessary patches and updates for all systems: Monitor Entra audit logs for unauthorized modifications or additions of credentials to service principals initiated by Commvault applications/service principals. Handle deviations from regular login schedules as suspicious. For more information, see NSA and CISA’s Identity Management guidance, as well as CISA’s guidance on Identity, Credential, and Access Management (ICAM) Reference Architecture. Review Microsoft logs (Entra audit, Entra sign-in, unified audit logs) and conduct internal threat hunting in alignment with documented organizational incident response polices. (Applies to single tenant apps only) Implement a conditional access policy that limits authentication of an application service principal to an approved IP address that is listed within Commvault’s allowlisted range of IP addresses. Note: A Microsoft Entra Workload ID Premium License is required to apply conditional access policies to an application service principal and is available to customers at an additional cost.[1] For certain Commvault customers, rotate their application secrets, rotate those credentials on Commvault Metallic applications and service principles available between February and May 2025.[2] Note: This mitigation only applies to a limited number of customers who themselves have control over Commvault’s application secrets. Customers who have the ability to, if applicable, should establish a policy to regularly rotate credentials at least every 30 days. Review the list of Application Registrations and Service Principals in Entra with administrative consent for higher privileges than the business need. Implement general M365 security recommendations outlined in CISA’s Secure Cloud Business Applications (SCuBA) Project. Precautionary Recommendations for On-premises Software Versions Where technically feasible, restrict access to Commvault management interfaces to trusted networks and administrative systems. Detect and block path-traversal attempts and suspicious file uploads by deploying a Web Application Firewall and removing external access to Commvault applications [CSA-250502]. Apply the patches provided [3] and follow these best practices [4]. Especially monitor activity from unexpected directories, particularly web-accessible paths. CISA added CVE-2025-3928 to the Known Exploited Vulnerabilities Catalog and is continuing to investigate the malicious activity in collaboration with partner organizations. References [1] Workload identities - Microsoft Entra Workload ID | Microsoft Learn [2] Change a Client Secret for the Azure App for OneDrive for Business [3] CV_2025_03_1: Critical Webserver Vulnerability [4] Best Practice Guide: Enhancing Security with Conditional Access and Sign-In Monitoring Additional Resources Get servicePrincipal – Microsoft Graph v1.0 | Microsoft Learn Updated Best Practices in Security for Azure Apps Configuration to Protect M365, D365 or EntraID Workload | Commvault Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870.
CISA Adds One Known Exploited Vulnerability to Catalog
May 22, 2025
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2025-4632 Samsung MagicINFO 9 Server Path Traversal Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
CISA Releases Two Industrial Control Systems Advisories
May 22, 2025
CISA released two Industrial Control Systems (ICS) advisories on May 22, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-142-01 Lantronix Device Installer ICSA-25-142-02 Rockwell Automation FactoryTalk Historian ThingWorx CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
New Best Practices Guide for Securing AI Data Released
May 22, 2025
Today, CISA, the National Security Agency, the Federal Bureau of Investigation, and international partners released a joint Cybersecurity Information Sheet on AI Data Security: Best Practices for Securing Data Used to Train & Operate AI Systems. This information sheet highlights the critical role of data security in ensuring the accuracy, integrity, and trustworthiness of AI outcomes. It outlines key risks that may arise from data security and integrity issues across all phases of the AI lifecycle, from development and testing to deployment and operation. Defense Industrial Bases, National Security Systems owners, federal agencies, and Critical Infrastructure owners and operators are encouraged to review this information sheet and implement the recommended best practices and mitigation strategies to protect sensitive, proprietary, and mission critical data in AI-enabled and machine learning systems. These include adopting robust data protection measures; proactively managing risks; and strengthening monitoring, threat detection, and network defense capabilities. As AI systems become more integrated into essential operations, organizations must remain vigilant and take deliberate steps to secure the data that powers them. For more information on securing AI data, see CISA’s Artificial Intelligence webpage.
Threat Actors Target U.S. Critical Infrastructure with LummaC2 Malware
May 21, 2025
Today, CISA and the Federal Bureau of Investigation released a joint Cybersecurity Advisory, LummaC2 Malware Targeting U.S. Critical Infrastructure Sectors. This advisory details the tactics, techniques, and procedures, and indicators of compromise (IOCs) linked to threat actors deploying LummaC2 malware. This malware poses a serious threat, capable of infiltrating networks and exfiltrating sensitive information, to vulnerable individuals’ and organizations’ computer networks across U.S. critical infrastructure sectors. As recently as May 2025, threat actors have been observed using LummaC2 malware, underscoring the ongoing threat. The advisory includes IOCs tied to infections from November 2023 through May 2025. Organizations are strongly urged to review the advisory and implement the recommended mitigations to reduce exposure and impact.
Russian GRU Cyber Actors Targeting Western Logistics Entities and Tech Companies
May 21, 2025
Today, CISA, the National Security Agency, the Federal Bureau of Investigation, and other U.S. and international partners released a joint Cybersecurity Advisory, Russian GRU Targeting Western Logistics Entities and Technology Companies. This advisory details a Russian state-sponsored cyber espionage-oriented campaign targeting technology companies and logistics entities, including those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center, military unit 26165 cyber actors are using a mix of previously disclosed tactics, techniques, and procedures (TTPs) and are likely connected to these actors’ widescale targeting of IP cameras in Ukraine and bordering NATO nations. Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of until 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise, and posture network defenses with a presumption of targeting. For more information on Russian state-sponsored threat actor activity, see CISA’s Russia Cyber Threat Overview and Advisories page.
CISA Releases Thirteen Industrial Control Systems Advisories
May 20, 2025
CISA released thirteen Industrial Control Systems (ICS) advisories on May 20, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-140-01 ABUP IoT Cloud Platform ICSA-25-140-02 National Instruments Circuit Design Suite ICSA-25-140-03 Danfoss AK-SM 8xxA Series ICSA-25-140-04 Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric Products ICSA-25-140-05 Siemens Siveillance Video ICSA-25-140-06 Schneider Electric PrismaSeT Active - Wireless Panel Server ICSA-25-140-07 Schneider Electric Galaxy VS, Galaxy VL, Galaxy VXL ICSA-25-140-08 Schneider Electric Modicon Controllers ICSA-25-140-09 AutomationDirect MB-Gateway ICSA-25-140-10 Vertiv Liebert RDU101 and UNITY ICSA-25-140-11 Assured Telematics Inc (ATI) Fleet Management System with Geotab Integration ICSA-25-037-01 Schneider Electric EcoStruxure Power Monitoring Expert (PME) (Update B) ICSA-25-023-05 Schneider Electric EcoStruxure Power Build Rapsody (Update A) CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
CISA Adds Six Known Exploited Vulnerabilities to Catalog
May 19, 2025
CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2025-4427 Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability CVE-2025-4428 Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability CVE-2024-11182 MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability CVE-2025-27920 Srimax Output Messenger Directory Traversal Vulnerability CVE-2024-27443 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability CVE-2023-38950 ZKTeco BioTime Path Traversal Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
CISA Adds Three Known Exploited Vulnerabilities to Catalog
May 15, 2025
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2024-12987 DrayTek Vigor Routers OS Command Injection Vulnerability CVE-2025-4664 Google Chromium Loader Insufficient Policy Enforcement Vulnerability CVE-2025-42999 SAP NetWeaver Deserialization Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
CISA Releases Twenty-Two Industrial Control Systems Advisories
May 15, 2025
CISA released twenty-two Industrial Control Systems (ICS) advisories on May 15, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-135-01 Siemens RUGGEDCOM APE1808 Devices ICSA-25-135-02 Siemens INTRALOG WMS ICSA-25-135-03 Siemens BACnet ATEC Devices ICSA-25-135-04 Siemens Desigo ICSA-25-135-05 Siemens SIPROTEC and SICAM ICSA-25-135-06 Siemens Teamcenter Visualization ICSA-25-135-07 Siemens IPC RS-828A ICSA-25-135-08 Siemens VersiCharge AC Series EV Chargers ICSA-25-135-09 Siemens User Management Component (UMC) ICSA-25-135-10 Siemens OZW Web Servers ICSA-25-135-11 Siemens Polarion ICSA-25-135-12 Siemens SIMATIC PCS neo ICSA-25-135-13 Siemens SIRIUS 3SK2 Safety Relays and 3RK3 Modular Safety Systems ICSA-25-135-14 Siemens APOGEE PXC and TALON TC Series ICSA-25-135-15 Siemens Mendix OIDC SSOICSA-25-135-16 Siemens MS/TP Point Pickup Module ICSA-25-135-16 Siemens MS/TP Point Pickup Module ICSA-25-135-17 Siemens RUGGEDCOM ROX II ICSA-25-135-18 Siemens SCALANCE LPE9403 ICSA-25-135-19 ECOVACS DEEBOT Vacuum and Base Station ICSA-25-135-20 Schneider Electric EcoStruxure Power Build Rapsody ICSA-24-135-04 Mitsubishi Electric Multiple FA Engineering Software Products (Update C) ICSA-24-200-01 Mitsubishi Electric MELSOFT MaiLab and MELSOFT VIXIO (Update A) CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
CISA Adds One Known Exploited Vulnerability to Catalog
May 14, 2025
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2025-32756 Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
CISA Adds Five Known Exploited Vulnerabilities to Catalog
May 13, 2025
CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2025-30400 Microsoft Windows DWM Core Library Use-After-Free Vulnerability CVE-2025-32701 Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability CVE-2025-32706 Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability CVE-2025-30397 Microsoft Windows Scripting Engine Type Confusion Vulnerability CVE-2025-32709 Microsoft Windows Ancillary Function Driver for WinSock Use-After-Free Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Update to How CISA Shares Cyber-Related Alerts and Notifications
May 12, 2025
Starting May 12, CISA is changing how we announce cybersecurity updates and the release of new guidance. These announcements will only be shared through CISA social media platforms, email, and RSS feeds and will no longer be listed on our Cybersecurity Alerts & Advisories webpage. The focus of our Cybersecurity Alerts & Advisories webpage will now be on urgent information tied to emerging threats or major cyber activity. CISA wants this critical information to get the attention it deserves and ensure it is easier to find. We’ll continue to communicate releases and updates to our stakeholders. To stay informed, subscribe to receive our email notifications on CISA.gov. You can also follow us on X @CISACyber for timely cybersecurity updates. Note: If you’ve previously used RSS feeds to track Known Exploited Vulnerabilities Catalog updates, please subscribe to the KEV subscription topic through GovDelivery to continue receiving notifications. We greatly appreciate stakeholder feedback which played a part in this change and thank you for staying connected with CISA.