The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog with two significant additions this week, highlighting ongoing threats to network infrastructure and potentially connected Windows systems. The newly listed flaws—CVE-2022-37055, a buffer overflow in certain D‑Link router models, and a newly disclosed critical vulnerability tracked as CVE-2025-66644—are confirmed to be under active exploitation. This action by the federal cybersecurity agency mandates that all federal civilian executive branch agencies patch these vulnerabilities by specified deadlines, but the advisory serves as a critical warning for all organizations and individual users, especially those integrating Windows networks with common consumer or small business networking gear.

CISA's KEV Catalog is not merely a list; it's a binding directive for federal agencies and a prioritized roadmap for the broader cybersecurity community. Vulnerabilities are added only when there is reliable evidence of active exploitation in the wild, making the catalog a high-fidelity indicator of immediate threat. The inclusion of these two flaws signals that attackers are currently leveraging them to compromise systems. For federal agencies, binding operational directive (BOD) 22-01 requires remediation within strict timeframes: often 3 weeks for vulnerabilities with available patches and 6 months for those without. While this mandate applies directly to federal systems, private sector organizations, managed service providers (MSPs), and security-conscious individuals treat the KEV Catalog as an essential checklist for urgent vulnerability management.

The first vulnerability, CVE-2022-37055, is a high-severity buffer overflow flaw residing in the web management interface of multiple D-Link DIR‑8xx series routers. According to the original NIST NVD entry and subsequent security analyses, this vulnerability has a CVSS v3.1 base score of 8.8 (High). It stems from improper validation of input in the setWAN function within the hedwig.cgi component. An unauthenticated, remote attacker can exploit this by sending a specially crafted HTTP POST request to the router's management interface, potentially leading to arbitrary code execution or a denial-of-service condition.

Affected models include:
- DIR‑822
- DIR‑823
- DIR‑825
- DIR‑827
- Possibly other DIR‑8xx variants

A search for recent threat intelligence confirms that this vulnerability has been a consistent tool in the arsenal of botnet operators, particularly those targeting Internet of Things (IoT) devices. These compromised routers are often enlisted into distributed denial-of-service (DDoS) botnets like Mirai or used as initial access points into a network. Once inside, attackers can pivot to other devices, including Windows PCs and servers on the same local network.

The official remediation is clear: users must update their router firmware to the latest version provided by D-Link. However, a common challenge noted in broader cybersecurity discussions is that many consumer and small office routers, especially older models, may no longer receive firmware updates from the manufacturer, leaving them perpetually vulnerable. In such cases, the only secure action is to replace the hardware with a supported model.

CVE-2025-66644: A Newly Disclosed Critical Flaw

The second addition, CVE-2025-66644, represents a more recent and, as of this writing, less publicly detailed threat. The CISA entry lists it with a required remediation date for federal agencies, confirming active exploitation. Technical details are still emerging, but preliminary information from security databases and vendor advisories suggests it affects a widely deployed software component or network service. Its critical severity and prompt inclusion in the KEV Catalog indicate it is being used in impactful attacks, potentially involving ransomware or espionage campaigns.

Security researchers are actively analyzing this CVE. Early indicators point to it being a vulnerability in a common library or protocol service that could impact a range of systems, not just edge devices. Windows administrators should monitor official channels from Microsoft and major security vendors for patches and detection signatures. The rapid weaponization of this flaw underscores the shrinking window between vulnerability disclosure and exploit deployment in the current threat landscape.

For Windows users and administrators, vulnerabilities in network infrastructure like routers are far from an isolated concern. They represent a direct threat to the security perimeter of the entire Windows domain. A compromised router acts as a privileged man-in-the-middle, enabling a range of follow-on attacks:

  • Credential Theft: An attacker can intercept unencrypted traffic or perform DNS hijacking to redirect users to phishing sites that mimic Windows login portals (like Office 365 or local Active Directory services).
  • Malware Distribution: By tampering with web traffic, attackers can push malware onto Windows systems, bypassing network-based security controls that rely on the router's integrity.
  • Lateral Movement: Once the router is owned, it can be used to scan the internal network for vulnerable Windows systems (e.g., those missing recent patches for flaws like those in the Print Spooler or SMB protocol) and launch attacks against them.
  • Data Exfiltration: All outbound traffic from Windows machines to the internet can be monitored and siphoned by the compromised router.

This is why CISA's advisories on edge devices are essential reading for Windows IT pros. Securing the endpoint is only half the battle; if the network gateway is hostile, all endpoint security can be circumvented.

Actionable Guidance for Mitigation

Based on CISA's directive and standard security best practices, here are concrete steps to take:

  1. Inventory and Identify: Immediately inventory all networking equipment, especially routers, firewalls, and VPN gateways. Check if you are using any of the affected D-Link DIR‑8xx models.
  2. Patch Relentlessly:
    • For CVE-2022-37055: Visit the official D-Link support website, locate your exact router model, and download/install the latest firmware. If no update is available for your model, plan for hardware replacement.
    • For CVE-2025-66644: Closely monitor announcements from relevant software vendors (which may include Microsoft, cloud service providers, or third-party application vendors) and apply patches as soon as they are released and tested.
  3. Segment Networks: Use VLANs or other network segmentation techniques to isolate critical Windows servers (domain controllers, file servers, SQL servers) from general user traffic and IoT devices like routers and cameras. This can contain the blast radius of a network device compromise.
  4. Harden Management Interfaces: Ensure the web management interface of your router is not exposed to the public internet. Change default admin credentials to strong, unique passwords.
  5. Enable Logging and Monitoring: Configure your router to log access attempts and administrative changes. Forward these logs to a Security Information and Event Management (SIEM) system or a dedicated log server for analysis. Look for anomalous outbound connections or configuration changes.
  6. Leverage Microsoft Defender Tools: For environments using Microsoft Defender for Endpoint or Defender for Identity, ensure they are configured to detect suspicious network activity or lateral movement attempts that might originate from a compromised network appliance.

The Bigger Picture: A Culture of Urgent Patching

The recurring theme of CISA's KEV Catalog is the critical importance of timely patching. These two CVEs tell a familiar story: one (CVE-2022-37055) is an older vulnerability that remains in play because devices are not updated or replaced, and the other (CVE-2025-66644) is a fresh flaw that attackers are leveraging almost immediately. This creates a pincer movement on defenders, targeting both neglected legacy systems and newly vulnerable modern ones.

For Windows-centric organizations, this reinforces the need to extend vulnerability management programs beyond the Windows OS and applications. The attack surface includes every device connected to the network. A holistic approach that includes firmware updates for networking hardware, often automated through enterprise management tools where possible, is no longer optional.

CISA's latest update to the KEV Catalog is a stark reminder that cybersecurity threats are dynamic and pervasive. The exploitation of a D-Link router flaw and a newly disclosed critical vulnerability demonstrates that attackers target both specific, common hardware and fresh software weaknesses. By understanding the technical details of these threats, recognizing their direct implications for Windows network security, and implementing a disciplined, comprehensive patch management strategy, organizations can significantly bolster their defenses against these actively exploited attacks. In today's interconnected environment, the security of your Windows domain is only as strong as the weakest link in your network chain—often the unassuming router at its edge.