CISA Includes TP-Link and WhatsApp Vulnerabilities in KEV Catalog Due to Ongoing Exploitation

September 3, 2025
Vulnerability / Mobile Security

On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability affecting TP-Link TL-WA855RE Wi-Fi Extender products to its Known Exploited Vulnerabilities (KEV) catalog, citing signs of active exploitation. The vulnerability, identified as CVE-2020-24363 (CVSS score: 8.8), involves a missing authentication flaw that can be exploited to gain elevated access to the device. CISA noted that “this vulnerability could enable an unauthenticated attacker on the same network to send a TDDP_RESET POST request for a factory reset and reboot,” allowing them to establish incorrect access control by setting a new administrative password. According to malwrforensics, the issue has been addressed in firmware version TL-WA855RE(EU)_V5_200731. However, it’s important to mention that this product has reached end-of-life (EoL) status, making future patches or updates unlikely. Users of the Wi-Fi range extender are therefore advised to take caution.

CISA Includes TP-Link and WhatsApp Vulnerabilities in KEV Catalog Due to Ongoing Exploitation

On September 3, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced the addition of a critical security vulnerability related to TP-Link TL-WA855RE Wi-Fi Ranger Extenders to its Known Exploited Vulnerabilities (KEV) catalog. This decision comes in light of evidence indicating active exploitation of the flaw, which has been assigned the identifier CVE-2020-24363 and carries a CVSS score of 8.8.

The vulnerability arises from a failure to implement proper authentication, thereby allowing unauthorized access to affected devices. Specifically, an attacker connected to the same local network could exploit this weakness by sending a TDDP_RESET POST request. This would enable the attacker to perform a factory reset on the device and subsequently set a new administrative password, thus bypassing access controls. CISA’s advisory underscores the severity of this risk, highlighting the potential for unauthorized parties to gain significant control over the network.

According to malwrforensics, a fix is available in the firmware update TL-WA855RE(EU)_V5_200731. However, it is important to note that this particular model has reached end-of-life (EoL) status, which raises concerns about the availability of future patches or updates. Users of the Wi-Fi range extender should be aware that the risks associated with the vulnerability remain pertinent given the lack of ongoing support for the product.

In addition to the vulnerabilities identified with TP-Link, CISA also drew attention to security flaws impacting WhatsApp, further indicating a broader landscape of vulnerabilities that could be exploited by malicious actors. These developments emphasize the necessity for organizations to remain vigilant and proactive in addressing security weaknesses within their digital infrastructure.

The ongoing exploitation of these vulnerabilities suggests that adversarial tactics may include initial access methodologies, such as exploiting misconfigured devices or exploiting known vulnerabilities in software applications. Techniques related to privilege escalation are also relevant, as attackers aim to elevate their permissions and gain unauthorized control within organizational networks.

As businesses increasingly rely on interconnected devices for operations, the implications of such vulnerabilities underscore the critical importance of maintaining an updated cybersecurity posture. Employing rigorous security measures, including regular firmware updates and proactive monitoring for signs of compromise, is now more crucial than ever for organizations seeking to mitigate the risks posed by these evolving threats.

CISA’s inclusion of these vulnerabilities in its KEV catalog serves as a timely reminder of the ongoing threats within the cybersecurity landscape. It reinforces the imperative for business owners to prioritize their cybersecurity strategies, ensuring that they are equipped to defend against both known and emerging vulnerabilities.

Source link

Related Posts

Cloudflare Successfully Thwarts Unprecedented 11.5 Tbps DDoS Attack

Cloudflare announced on Tuesday that it effectively mitigated a record-breaking volumetric distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps). In a recent post on X, the web infrastructure and security provider revealed, “In recent weeks, we’ve autonomously blocked numerous hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bbps and 11.5 Tbps.” The attack, primarily a UDP flood originating from Google Cloud, lasted only about 35 seconds, highlighting the company’s robust defense mechanisms at work. Volumetric DDoS attacks aim to overwhelm a target with excessive traffic, causing server slowdowns or failures, often resulting in network congestion, packet loss, and service disruptions. Typically, these attacks are executed using botnets controlled by threat actors.

Iranian Hackers Compromise Over 100 Embassy Email Accounts in Global Diplomat Phishing Campaign

Sep 03, 2025
Data Breach / Cyber Espionage

A group linked to Iran has been identified as the perpetrator of a “coordinated” and “multi-wave” spear-phishing campaign targeting embassies and consulates across Europe and beyond. Israeli cybersecurity firm Dream has attributed this activity to Iranian-aligned operators associated with a broader offensive cyber initiative known as Homeland Justice. “Phishing emails were sent to numerous government officials worldwide, masquerading as legitimate diplomatic correspondence,” the firm reported. “The evidence suggests a larger regional espionage strategy aimed at diplomatic and government institutions amid rising geopolitical tensions.” The attack tactics involve spear-phishing emails that reference geopolitical disputes between Iran and Israel, containing malicious Microsoft Word attachments that prompt recipients to “Enable Content” to execute embedded Visual Basic for Applications code.

Android Security Update: Google Addresses 120 Vulnerabilities, Including Two Actively Exploited Zero-Days

Sep 03, 2025
Mobile Security / Vulnerability

Google has released security updates for September 2025, patching 120 vulnerabilities in its Android operating system. Among these are two critical issues that have been confirmed as actively exploited in targeted attacks. The key vulnerabilities are:

  • CVE-2025-38352 (CVSS score: 7.4): A privilege escalation flaw in the Linux Kernel component.
  • CVE-2025-48543 (CVSS score: 7.4): A privilege escalation flaw in the Android Runtime component.

Both vulnerabilities allow for local privilege escalation without requiring additional execution privileges or user interaction. While Google has not detailed how these vulnerabilities are being exploited in the wild or if they are being leveraged together, they acknowledge signs of “limited, targeted exploitation.” Benoît Sevens from Google’s Threat Analysis Group (TAG) is credited with discovering and reporting these critical flaws.

Preventing Data Leaks Before They Strike

In January 2025, cybersecurity experts from Wiz Research uncovered a significant data leak at Chinese AI firm DeepSeek, which compromised over 1 million sensitive log streams. The researchers discovered a publicly accessible ClickHouse database associated with DeepSeek, granting potential full control over database operations and allowing access to internal data. This incident included more than a million lines of log streams containing chat histories, secret keys, and more. Wiz promptly notified DeepSeek, which took immediate action to secure the vulnerability. However, this event highlights the persistent risk of data leakage. Whether intentional or accidental, data leakage encompasses various scenarios, as defined by IBM, which describes it as the unintentional exposure of sensitive information to unauthorized parties. On the intentional side…