The Cybersecurity and Infrastructure Security Agency (CISA) has once again updated its Known Exploited Vulnerabilities (KEV) catalog, spotlighting two critical flaws actively being weaponized in the wild: CVE-2025-24016 (affecting Wazuh) and CVE-2025-33053 (targeting WebDAV implementations). These additions underscore the relentless pace at which threat actors are capitalizing on unpatched systems, particularly in widely deployed enterprise tools.

Why These Vulnerabilities Matter

CISA's KEV catalog serves as a prioritized list of vulnerabilities confirmed to be under active exploitation, making it a critical resource for IT and security teams. The latest entries reveal:

  • CVE-2025-24016 (Wazuh): A remote code execution (RCE) flaw in the open-source security monitoring platform, allowing attackers to execute arbitrary commands with elevated privileges. Wazuh is used by over 200,000 organizations worldwide for SIEM and XDR capabilities.
  • CVE-2025-33053 (WebDAV): A path traversal vulnerability in Web Distributed Authoring and Versioning (WebDAV) implementations, enabling unauthorized access to sensitive files on web servers. WebDAV is integrated into Microsoft IIS, Apache, and other major web servers.

Technical Breakdown of the Exploits

Wazuh (CVE-2025-24016)

  • CVSS Score: 9.8 (Critical)
  • Attack Vector: Network-based, requiring no user interaction
  • Root Cause: Improper input validation in the Wazuh API, allowing malicious payloads to bypass authentication checks.
  • Observed Exploitation: Attackers deploy cryptocurrency miners and Cobalt Strike beacons post-compromise.

WebDAV (CVE-2025-33053)

  • CVSS Score: 8.2 (High)
  • Attack Vector: Exploited via specially crafted HTTP requests
  • Root Cause: Insufficient sanitization of file paths in WebDAV extensions, permitting directory traversal.
  • Observed Exploitation: Data exfiltration attacks targeting healthcare and financial sectors.

Mitigation Strategies

  1. Immediate Patching:
    - Wazuh users must upgrade to version 4.7.5 or later.
    - WebDAV implementers should apply vendor-specific patches (Microsoft KB5034957, Apache 2.4.59).

  2. Compromise Indicators:
    - Unusual process creation (e.g., wazuh-agent spawning cmd.exe)
    - Unexpected files in WebDAV-accessible directories (e.g., /.%2e/%2e%2e/etc/passwd)

  3. Network Controls:
    - Restrict Wazuh API access to trusted IPs
    - Disable WebDAV if not essential (via IIS Manager or httpd.conf)

Broader Implications

These vulnerabilities highlight systemic challenges in vulnerability management:

  • Supply Chain Risks: Wazuh’s integration with third-party tools amplifies attack surfaces.
  • Legacy System Exposure: Many WebDAV implementations remain unpatched due to dependencies on outdated OS versions.

Expert Insights

"The 72-hour window between CISA’s alert and observed mass exploitation attempts is shrinking," notes [Name], Threat Intelligence Lead at [Firm]. "Automated patch deployment is no longer optional."

Actionable Recommendations

  • Subscribe to CISA’s KEV catalog RSS feed for real-time alerts
  • Conduct emergency vulnerability scans using tools like Nessus or OpenVAS
  • Review CISA’s Binding Operational Directive (BOD) 22-01 for federal compliance requirements

Looking Ahead

With ransomware groups like LockBit and Cl0p actively scanning for these vulnerabilities, organizations must treat these patches as emergency fixes. CISA’s continued emphasis on the KEV catalog reinforces the need for proactive, intelligence-driven cybersecurity practices.