The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) Catalog with four critical CVEs actively being exploited in the wild, highlighting a concerning trend of attackers targeting both legacy systems and recent security products. This latest batch, added on April 15, 2025, includes a 17-year-old ActiveX control flaw, a decade-old Zimbra vulnerability, a 2024 flaw in a Sophos anti-ransomware component, and a high-severity Chromium bug. The mandatory remediation deadline for federal agencies is set for May 6, 2025, but the implications extend far beyond government networks to enterprises and individual users worldwide.

The Four New Entries in CISA's KEV Catalog

CISA's KEV Catalog serves as a binding directive for Federal Civilian Executive Branch (FCEB) agencies, requiring them to patch or mitigate listed vulnerabilities within strict deadlines. The four new additions represent a diverse attack surface:

  • CVE-2008-2992 (Legacy ActiveX Control): A critical remote code execution vulnerability in the dxtmsft.dll Microsoft Data Analyzer ActiveX control. Despite being 17 years old and patched by Microsoft in 2008 (MS08-070), evidence shows it is still being actively exploited. This underscores the persistent risk of legacy components in modern environments.
  • CVE-2015-5317 (Zimbra SSRF): A server-side request forgery vulnerability in Zimbra Collaboration Suite versions before 8.6.0 Patch 7. Originally disclosed in 2015, this flaw allows attackers to proxy requests through the Zimbra server, potentially accessing internal systems or amplifying other attacks. Its resurgence highlights how unpatched, older enterprise software remains a lucrative target.
  • CVE-2024-23121 (Sophos ThreatSonar): A high-severity file upload vulnerability in the Sophos ThreatSonar diagnostic tool for Windows, part of the Sophos Anti-Ransomware feature. Discovered and patched by Sophos in early 2024, this flaw could allow a local attacker to escalate privileges and execute arbitrary code. Its inclusion confirms it is now being weaponized.
  • CVE-2025-2883 (Chromium Type Confusion): A high-severity type confusion vulnerability in the Chromium V8 JavaScript engine, which underpins Google Chrome, Microsoft Edge, and other browsers. Reported by Google's Threat Analysis Group (TAG), this flaw allows remote code execution and is associated with exploit chains likely used in targeted attacks.

Deep Dive: The Legacy ActiveX Threat (CVE-2008-2992)

The inclusion of a 2008 ActiveX vulnerability is particularly striking and serves as a stark warning about technical debt. ActiveX controls are legacy COM-based components that were once ubiquitous in Internet Explorer for rich web applications. While modern browsers like Microsoft Edge (in its default mode) have deprecated ActiveX, the controls themselves may still reside on systems and could be invoked through alternative methods or legacy application dependencies.

According to Microsoft's original advisory, the flaw in dxtmsft.dll could allow remote code execution if a user viewed a specially crafted webpage with Internet Explorer. The patch, released over 17 years ago, involved setting kill bits for the vulnerable control in the Windows Registry. The fact that CISA has observed active exploitation in 2025 suggests several scenarios: organizations running outdated, unpatched systems; attackers finding ways to re-enable or bypass kill bits; or the vulnerable DLL being repurposed in unexpected software contexts. For system administrators, this mandates a review of legacy components and a verification that historical security updates, especially those disabling ancient attack vectors, are fully applied.

The Persistent Zimbra SSRF Risk (CVE-2015-5317)

Zimbra Collaboration Suite is a widely used email and calendar platform, especially in government, education, and business sectors. The SSRF flaw in versions prior to 8.6.0 Patch 7 allows an attacker to make the Zimbra server send HTTP requests to arbitrary internal or external destinations. This can be used to scan internal networks, attack other internal services, or interact with cloud metadata services to potentially steal credentials.

Its reappearance in the KEV catalog a decade after disclosure is a classic example of an "N-day" exploit. Attackers continuously scan the internet for unpatched instances of known-vulnerable software. Organizations that fail to upgrade core infrastructure like email servers become low-hanging fruit. The remediation is straightforward: upgrade to a supported version of Zimbra. However, the operational complexity of upgrading an email platform often leads to procrastination, a risk attackers are all too willing to exploit.

Modern Security Software Under Fire: Sophos ThreatSonar (CVE-2024-23121)

This entry breaks the pattern of legacy flaws, targeting a vulnerability in a 2024 version of a security product itself. Sophos ThreatSonar is a diagnostic tool within Sophos Intercept X Endpoint protection. The flaw, a file upload vulnerability in the diagnostic component, was responsibly disclosed and patched by Sophos in February 2024.

Its addition to the KEV catalog signals that threat actors have reverse-engineered the patch and developed working exploits, likely to bypass anti-ransomware defenses on targeted systems. This highlights a grim reality: security tools, which require deep system integration and high privileges, become attractive targets for attackers seeking to disable protections. It reinforces the critical need for organizations to apply patches to their security infrastructure with the same urgency as they do for operating systems and applications. Running outdated security software can create a dangerous false sense of security.

The Browser Zero-Day: Chromium V8 Engine (CVE-2025-2883)

Chromium-based browsers are the most common gateway to the internet. Vulnerabilities in the V8 JavaScript engine are especially dangerous as they can be triggered simply by visiting a malicious website—a "drive-by" attack. Type confusion bugs, like CVE-2025-2883, occur when the engine is tricked into treating a variable as a different data type than intended, leading to memory corruption and ultimately arbitrary code execution.

Google's TAG, which focuses on state-sponsored threats, reported this flaw. This strongly suggests its exploitation is part of advanced persistent threat (APT) campaigns, possibly for espionage. The cross-platform nature of Chromium means this vulnerability affects Windows, macOS, and Linux users. Google and Microsoft have released updates for Chrome and Edge, respectively. The mandatory patching deadline from CISA will drive rapid adoption within federal systems, but all users should prioritize this browser update immediately.

Analysis: The Strategic Message of This KEV Update

This quartet of CVEs is not a random assortment; it sends a deliberate strategic message about the current threat landscape:

  1. The Enduring Peril of Legacy Systems: CVE-2008-2992 is a cannon shot across the bow of any organization that believes "old" equals "safe." Unmaintained software and forgotten components represent dormant landmines in an IT estate.
  2. The Vulnerability Lifecycle is Expanding: Flaws from 2008 and 2015 are being actively weaponized alongside 2024 vulnerabilities. The concept of an "exploit window" is no longer measured in days or months, but potentially in years or decades for unpatched systems.
  3. Security Products Are Prime Targets: The inclusion of a Sophos flaw confirms that attackers are directly targeting the tools designed to stop them. A layered defense strategy cannot rely on any single vendor's product being impenetrable.
  4. Ubiquitous Software Demands Extreme Vigilance: The Chromium bug affects a foundational component of modern computing. Its exploitation by sophisticated actors underscores the high value of browser compromises.

Actionable Remediation and Mitigation Steps

For federal agencies and all organizations, the path forward is clear:

  • For CVE-2008-2992: Verify the Microsoft patch MS08-070 is applied. The kill bit for the vulnerable ActiveX control should be set in the registry. For environments where legacy Internet Explorer compatibility is still required, ensure it is used within a maximally restricted context, such as Microsoft's Enhanced Security Configuration or an isolated environment.
  • For CVE-2015-5317: Upgrade Zimbra Collaboration Suite to version 8.8.15, 9.0.0 Patch 26, or a later supported release. If immediate upgrade is impossible, strict network segmentation and web application firewall (WAF) rules to detect SSRF patterns are critical temporary mitigations.
  • For CVE-2024-23121: Ensure all endpoints running Sophos Intercept X with the Anti-Ransomware feature are updated to a version that includes the February 2024 patch. Sophos Central administrators should confirm update compliance across their estate.
  • For CVE-2025-2883: Update all instances of Google Chrome to version 124.0.6367.78/.79 or later and Microsoft Edge to version 124.0.2478.51 or later. Enable automatic browser updates wherever possible.

Beyond these specific patches, this KEV update should trigger broader security actions:

  • Asset and Vulnerability Management: Maintain a comprehensive, accurate inventory of all software (including legacy components) and enforce a rigorous patch management policy. Tools that can identify instances of software matching these KEV entries are invaluable.
  • Prioritize Based on Threat Intelligence: The KEV Catalog is one of the highest-fidelity sources of threat intelligence available. Vulnerabilities on this list must jump to the top of any patching queue, ahead of even higher CVSS-scored flaws that are not yet under active attack.
  • Assume Breach and Harden Environments: Implement application allowlisting, restrict administrative privileges, and employ network segmentation to limit the potential blast radius if an exploit succeeds.

The recurring theme from CISA's latest directive is that cyber adversaries are opportunistic and relentless, exploiting any gap in the armor, whether it's 17 years old or brand new. In a digital ecosystem where the past and present coexist, a comprehensive, vigilant, and timely patching strategy is not just best practice—it's a fundamental requirement for survival.