# U.S. CISA Adds Apple Products and Microsoft Windows NTLM Flaws to Its Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities to its list of known exploited vulnerabilities, targeting Apple products and a widespread issue with Microsoft's New Technology LAN Manager (NTLM). The addition highlights the ongoing threat landscape and the importance of timely patching to protect against sophisticated attacks.
### Apple Products: iOS and iPadOS Vulnerabilities
This week, Apple released out-of-band security updates to address two newly discovered vulnerabilities, tracked as CVE-2025-31200 and CVE-2025-31201. These vulnerabilities affected iOS, iPadOS, and macOS devices, with confirmed exploitation in a small number of "extremely sophisticated" attacks against iOS targets. While the exact nature of these attacks is not publicly disclosed by Apple, experts suggest that commercial surveillance vendors or nation-state actors might be behind the attacks.
Security patches are now available for the following Apple devices:
* iPhone XS and later
* iPad Pro 13-inch and later
* iPad Pro 13.9-inch 3rd generation and later
* iPad Pro 11-inch 1st generation and later
* iPad Air 3rd generation and later
* iPad 7th generation and later
* iPad mini 5th generation and later
### Microsoft Windows NTLM Hash Disclosure Spoofing Bug
The third vulnerability added to the KEV (Known Exploited Vulnerabilities) Catalog is a Windows NTLM hash disclosure spoofing bug, tracked as CVE-2025-24054. This flaw has a CVSS score of 6.5, indicating its significant impact on Windows systems.
NTLM (NT LAN Manager) is a suite of authentication protocols developed by Microsoft for authenticating users and computers in Windows environments. According to Microsoft, minimal interaction with a malicious file by a user could trigger this vulnerability. However, Check Point researchers have reported that the flaw has been actively exploited since March 19.
Attackers can exploit this vulnerability to leak NTLM hashes or user passwords and compromise systems. Microsoft released a patch on March 11, yet threat actors needed only a little over a week to develop and deploy exploits: the gap between the patch and the first observed abuse was the window in which unpatched systems became targets.
### Targeted Campaigns
Check Point researchers have observed a targeted campaign that started around March 20–21, 2025, targeting government and private institutions in Poland and Romania. Attackers used malspam to distribute a Dropbox link containing an archive that exploited multiple known vulnerabilities, including CVE-2025-24054, to harvest NTLMv2-SSP hashes.
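An NTLM hash-disclosure bug of this kind only pays off for the attacker if the victim host is allowed to send an outbound SMB authentication to a server the attacker controls, so a practical detection is to flag internal hosts talking SMB (TCP 445 or 139) to destinations outside the organization's own address space. The following script is an added example written for this article, not code from Check Point, Microsoft or CISA; it runs over constructed `key=value` firewall log lines (a hypothetical export format) and treats only the RFC 1918 ranges as internal, since Python's `is_private` would also classify the documentation ranges used in the sample as private.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample firewall export (hypothetical key=value format; not real traffic).
# Two internal hosts reach the same external SMB server, one of them blocked at egress.
SAMPLE_LOGS = """\
ts=2025-03-20T09:14:02Z src=10.20.1.15 dst=10.20.1.5 dport=445 proto=tcp action=allow
ts=2025-03-20T09:14:09Z src=10.20.1.15 dst=203.0.113.77 dport=445 proto=tcp action=allow
ts=2025-03-20T09:15:11Z src=10.20.1.22 dst=198.51.100.9 dport=443 proto=tcp action=allow
ts=2025-03-20T09:16:40Z src=10.20.1.22 dst=203.0.113.77 dport=445 proto=tcp action=deny
ts=2025-03-20T09:17:03Z src=10.20.1.31 dst=192.0.2.10 dport=139 proto=tcp action=allow
"""

# Assumed organizational address space (RFC 1918); adjust to the real internal ranges.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
SMB_PORTS = {445, 139}
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    action: str


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict of its fields."""
    return dict(KV_RE.findall(line))


def is_internal(ip: str) -> bool:
    """True when the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_external_smb(log_text: str) -> list:
    """Return every SMB connection from an internal host to an external destination.

    Denied connections are kept too: a blocked attempt still shows a host that
    tried to authenticate outward, which is the signal worth triaging.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        dport = int(f["dport"])
        if dport in SMB_PORTS and is_internal(f["src"]) and not is_internal(f["dst"]):
            findings.append(Finding(f["ts"], f["src"], f["dst"], dport, f["action"]))
    return findings


def sources_per_destination(findings: list) -> dict:
    """Group findings by external server: several internal hosts reaching the same
    external SMB endpoint is the pattern of a single hash-harvesting server."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f.dst].add(f.src)
    return {dst: sorted(srcs) for dst, srcs in grouped.items()}


if __name__ == "__main__":
    hits = find_external_smb(SAMPLE_LOGS)
    for h in hits:
        print(f"{h.ts} {h.src} -> {h.dst}:{h.dport} ({h.action})")
    print(sources_per_destination(hits))
```

Blocking outbound 445/139 at the perimeter, as the `deny` line in the sample shows, is the usual mitigation; the detection above remains useful afterwards because the denied attempts identify which hosts opened the malicious file.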
### Action Required
The Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities requires federal agencies to address identified vulnerabilities by the due date to protect their networks against attacks exploiting these flaws. Experts recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix these vulnerabilities by May 8, 2025. It is essential for all organizations to stay informed about known exploited vulnerabilities and take proactive measures to patch their systems before it's too late.
Stay safe online, and follow me on Twitter: @securityaffairs, Facebook, and Mastodon for the latest cybersecurity news and updates.