**U.S. CISA Adds Apple and Gladinet CentreStack and Triofox Flaws to its Known Exploited Vulnerabilities Catalog**
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added Apple and Gladinet CentreStack and Triofox flaws to its Known Exploited Vulnerabilities (KEV) catalog, in a move aimed at strengthening the security posture of federal agencies and private organizations alike.
Last week, both Apple and Google released urgent security updates to address highly targeted attacks against an unknown number of users. These attacks leveraged zero-day vulnerabilities in their software, with nation-state actors and commercial spyware vendors believed to be behind the campaigns. The focus of these attacks appears to be on specific high-value individuals rather than mass exploitation.
Apple released updates for iPhones, iPads, Macs, and more, fixing two WebKit flaws (CVE-2025-14174, CVE-2025-43529) that are believed to have been exploited in targeted iOS 26 attacks. In a statement accompanying the update, Apple noted: "Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26."
The first WebKit flaw, CVE-2025-43529, is a use-after-free vulnerability caused by WebKit mishandling memory: the component keeps accessing a region of memory after it has already been freed. An attacker who triggers this condition can cause application crashes or potentially arbitrary code execution.
The issue affects Safari and any Apple or third-party applications that rely on WebKit to parse and render HTML across iOS, iPadOS, macOS, and related platforms. The second issue added to the catalog is CVE-2025-14611, a hardcoded cryptographic key vulnerability in Gladinet CentreStack and Triofox.
In this case, fixed AES encryption keys are embedded directly in the software, so an attacker who recovers them can decrypt or manipulate protected data. On publicly exposed endpoints this weak encryption significantly reduces security: an unauthenticated attacker can send a specially crafted request to bypass protections and potentially achieve arbitrary local file inclusion.
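To show why a key baked into the software is a deployment-wide defect, here is an added example (not Gladinet's code, and using a standard-library keyed MAC as a stand-in for the product's AES protection so it runs without extra packages). The key value, the `APP_PROTECTION_KEY` setting name and the request path are constructed for illustration; the hardened variant loads a per-installation key and refuses to start on the shipped default.

```python
import hashlib
import hmac
import secrets

# VULNERABLE pattern: key material fixed in the code base (constructed placeholder,
# not a real product key). Every installation of the software shares this value.
HARDCODED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

def tag(key: bytes, message: bytes) -> str:
    """Keyed MAC over a request parameter (stand-in for the product's encryption layer)."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

class VulnerableServer:
    """Accepts any request whose tag verifies under the shared built-in key."""
    def __init__(self) -> None:
        self.key = HARDCODED_KEY

    def is_protected_request_valid(self, path: bytes, path_tag: str) -> bool:
        return hmac.compare_digest(tag(self.key, path), path_tag)

class HardenedServer(VulnerableServer):
    """Uses a per-installation key supplied by the deployment, never a default."""
    def __init__(self, env: dict[str, str]) -> None:
        hex_key = env.get("APP_PROTECTION_KEY")  # assumed setting name
        if hex_key is None:
            raise RuntimeError("APP_PROTECTION_KEY is not set; provision a per-install key")
        key = bytes.fromhex(hex_key)
        # Defender's check: refuse to run on the shipped default or on a short key.
        if len(key) < 32 or hmac.compare_digest(key, HARDCODED_KEY):
            raise RuntimeError("refusing to start with a default or weak key")
        self.key = key

def generate_install_key() -> str:
    """What an installer should do once per deployment instead of shipping a key."""
    return secrets.token_hex(32)

def demo() -> dict[str, bool]:
    """Two installs of each design; a tag minted at install A is replayed at install B."""
    path = b"/share/reports/q4.pdf"  # constructed sample request parameter
    vuln_a, vuln_b = VulnerableServer(), VulnerableServer()
    replayed = tag(vuln_a.key, path)
    hard_a = HardenedServer({"APP_PROTECTION_KEY": generate_install_key()})
    hard_b = HardenedServer({"APP_PROTECTION_KEY": generate_install_key()})
    return {
        # True: the shared key makes one install's tag valid at every other install.
        "vulnerable_cross_install_replay": vuln_b.is_protected_request_valid(path, replayed),
        # False: distinct per-install keys stop the same replay.
        "hardened_cross_install_replay": hard_b.is_protected_request_valid(path, tag(hard_a.key, path)),
    }
```

The same start-up check (compare the configured key against known vendor defaults) is a cheap way to audit existing installs for the defect class, independent of the product's patch level.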
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies have been ordered to address the identified vulnerabilities by January 5, 2026. Experts also recommend that private organizations review the Catalog and take steps to address the vulnerabilities in their infrastructure.
The addition of these flaws to the KEV catalog underscores the importance of prioritizing vulnerability remediation and emphasizes the need for continued vigilance against emerging threats. By staying informed about the latest security risks, federal agencies and private organizations can work together to strengthen their defenses and protect against potential attacks.