CISA Flags Critical Bugs in Apple, Craft CMS, and Laravel, Orders Remediation by April 3, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added five actively exploited vulnerabilities affecting Apple products, Craft CMS, and Laravel Livewire to its Known Exploited Vulnerabilities (KEV) catalog, directing U.S. federal agencies to remediate the issues no later than April 3, 2026.

The newly listed vulnerabilities are as follows:

  • CVE-2025-31277 (CVSS: 8.8): a flaw in Apple WebKit that can lead to memory corruption when processing maliciously crafted web content (patched July 2025).
  • CVE-2025-43510 (CVSS: 7.8): a memory corruption issue in Apple's kernel that allows a malicious application to trigger unintended changes in shared memory across processes (patched December 2025).
  • CVE-2025-43520 (CVSS: 8.8): another Apple kernel memory corruption vulnerability that could permit a malicious application to crash systems or write to kernel memory (patched December 2025).
  • CVE-2025-32432 (CVSS: 10.0): a code injection flaw in Craft CMS that enables remote attackers to execute arbitrary code (patched April 2025).
  • CVE-2025-54068 (CVSS: 9.8): a Laravel Livewire code injection vulnerability that may allow unauthenticated attackers to achieve remote command execution under certain conditions (patched July 2025).

CISA’s decision to add the three Apple vulnerabilities follows findings from Google Threat Intelligence Group (GTIG), iVerify, and Lookout, which linked the flaws to an iOS exploit framework dubbed DarkSword. The exploit kit reportedly chains multiple vulnerabilities to deploy malware families such as GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER, primarily for data exfiltration.

The Craft CMS vulnerability (CVE-2025-32432) is believed to have been exploited as a zero-day since February 2025, according to Orange Cyberdefense SensePost. Subsequent activity attributed to a threat cluster known as Mimo (also referred to as Hezb) showed continued exploitation of the flaw to install cryptocurrency mining software and residential proxyware.

The final vulnerability on the list, CVE-2025-54068 in Laravel Livewire, was recently observed being exploited in campaigns attributed to the Iranian state-aligned threat group MuddyWater, also known as Boggy Serpens, according to research from the Ctrl-Alt-Intel Threat Research team.

In a report released earlier this week, Palo Alto Networks Unit 42 highlighted MuddyWater’s sustained targeting of diplomatic entities and critical infrastructure sectors, including energy, maritime, and financial organizations across the Middle East and other strategically significant regions.

“Although social engineering remains central to the group’s operations, MuddyWater is increasingly demonstrating more advanced technical capabilities,” Unit 42 noted. “Its tooling now includes AI-enhanced malware implants featuring anti-analysis mechanisms designed to maintain long-term persistence. This blend of deception and rapid tool development creates a particularly dangerous threat profile.”

Unit 42 also detailed the group’s use of a custom web-based orchestration platform that supports large-scale social engineering efforts by automating mass email campaigns while retaining fine-grained control over sender identities and target lists.

The threat group is widely attributed to Iran’s Ministry of Intelligence and Security (MOIS) and is primarily focused on cyber espionage. However, it has also been linked to disruptive operations, including attacks against the Technion – Israel Institute of Technology, where it masqueraded as the DarkBit ransomware group.

One of MuddyWater’s defining tactics involves hijacking legitimate government and corporate email accounts to conduct spear-phishing campaigns. By abusing trusted relationships, the group is able to bypass reputation-based security controls and deliver malicious payloads more effectively.

Between August 16, 2025, and February 11, 2026, MuddyWater reportedly conducted a sustained, multi-wave intrusion campaign against an unnamed national marine and energy organization in the United Arab Emirates. The campaign involved four separate attack phases and resulted in the deployment of multiple malware families, including GhostBackDoor and Nuso (HTTP_VIP). Other tools associated with the group include UDPGangster and LampoRAT (also known as CHAR).

“MuddyWater’s recent operations reflect a more mature and adaptive adversary,” Unit 42 concluded. “By combining proven techniques with improved persistence mechanisms and diversifying development efforts to include modern languages such as Rust and AI-assisted workflows, the group has established redundant operational paths that support sustained, high-tempo activity.”
