Active exploitation of TP-Link and WhatsApp vulnerabilities added to KEV catalog
Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog amid active exploitation. The flaws affect TP-Link TL-WA855RE Wi-Fi Range Extender products and WhatsApp. The TP-Link flaw (CVE-2020-24363) allows unauthenticated attackers on the same network to reset the device and gain administrative access. The WhatsApp flaw (CVE-2025-55177) was exploited in a targeted spyware campaign in conjunction with an Apple vulnerability (CVE-2025-43300). CISA has advised federal agencies to apply mitigations by September 23, 2025. The TP-Link product has reached end-of-life (EoL) status, meaning it will not receive further patches or updates. There are no reports of in-the-wild exploitation of CVE-2020-24363 prior to CISA’s warning, but proof-of-concept (PoC) exploit code has been publicly available since July 2020.
Timeline
- 03.09.2025 21:56 (1 article): CISA confirms TP-Link vulnerability exploitation and EoL status
CISA confirmed that the TP-Link vulnerability (CVE-2020-24363) has been exploited in attacks. The affected TP-Link TL-WA855RE Wi-Fi Range Extender product has reached end-of-life (EoL) status, meaning it will not receive further patches or updates. There are no reports of in-the-wild exploitation prior to CISA’s warning, but proof-of-concept (PoC) exploit code has been publicly available since July 2020.
Sources:
- US Cybersecurity Agency Flags Wi-Fi Range Extender Vulnerability Under Active Attack — www.securityweek.com — 03.09.2025 21:56
- 03.09.2025 08:09 (2 articles): CISA adds TP-Link and WhatsApp vulnerabilities to KEV catalog
CISA added the TP-Link TL-WA855RE Wi-Fi Range Extender (CVE-2020-24363) and WhatsApp (CVE-2025-55177) vulnerabilities to its KEV catalog due to active exploitation. The TP-Link flaw allows unauthenticated attackers to reset the device and gain administrative access. The WhatsApp flaw was exploited in a targeted spyware campaign in conjunction with an Apple vulnerability (CVE-2025-43300). CISA advised federal agencies to apply mitigations by September 23, 2025. The TP-Link product has reached end-of-life (EoL) status, meaning it will not receive further patches or updates.
Sources:
- CISA Adds TP-Link and WhatsApp Flaws to KEV Catalog Amid Active Exploitation — thehackernews.com — 03.09.2025 08:09
- US Cybersecurity Agency Flags Wi-Fi Range Extender Vulnerability Under Active Attack — www.securityweek.com — 03.09.2025 21:56
Information Snippets
- CVE-2020-24363 affects TP-Link TL-WA855RE Wi-Fi Range Extender products, allowing unauthenticated attackers to reset the device and gain administrative access.
First reported: 03.09.2025 08:09 (2 sources, 2 articles). Sources:
- CISA Adds TP-Link and WhatsApp Flaws to KEV Catalog Amid Active Exploitation — thehackernews.com — 03.09.2025 08:09
- US Cybersecurity Agency Flags Wi-Fi Range Extender Vulnerability Under Active Attack — www.securityweek.com — 03.09.2025 21:56
- CVE-2025-55177 affects WhatsApp and was exploited in a targeted spyware campaign in conjunction with an Apple vulnerability (CVE-2025-43300).
First reported: 03.09.2025 08:09 (1 source, 1 article). Sources:
- CISA Adds TP-Link and WhatsApp Flaws to KEV Catalog Amid Active Exploitation — thehackernews.com — 03.09.2025 08:09
- The TP-Link product has reached end-of-life (EoL) status, meaning it will not receive further patches or updates.
First reported: 03.09.2025 08:09 (2 sources, 2 articles). Sources:
- CISA Adds TP-Link and WhatsApp Flaws to KEV Catalog Amid Active Exploitation — thehackernews.com — 03.09.2025 08:09
- US Cybersecurity Agency Flags Wi-Fi Range Extender Vulnerability Under Active Attack — www.securityweek.com — 03.09.2025 21:56
- CISA has not disclosed details on the scale or actors behind the active exploitation of CVE-2020-24363.
First reported: 03.09.2025 08:09 (2 sources, 2 articles). Sources:
- CISA Adds TP-Link and WhatsApp Flaws to KEV Catalog Amid Active Exploitation — thehackernews.com — 03.09.2025 08:09
- US Cybersecurity Agency Flags Wi-Fi Range Extender Vulnerability Under Active Attack — www.securityweek.com — 03.09.2025 21:56
- Fewer than 200 WhatsApp users received in-app threat notifications indicating they may have been targeted in the spyware campaign.
First reported: 03.09.2025 08:09 (1 source, 1 article). Sources:
- CISA Adds TP-Link and WhatsApp Flaws to KEV Catalog Amid Active Exploitation — thehackernews.com — 03.09.2025 08:09
- CVE-2020-24363 is a missing authentication vulnerability that allows unauthenticated attackers to send TDDP_RESET POST requests and reset the device.
First reported: 03.09.2025 21:56 (1 source, 1 article). Sources:
- US Cybersecurity Agency Flags Wi-Fi Range Extender Vulnerability Under Active Attack — www.securityweek.com — 03.09.2025 21:56
- The TP-Link TL-WA855RE extender is now marked as discontinued on the company’s website.
First reported: 03.09.2025 21:56 (1 source, 1 article). Sources:
- US Cybersecurity Agency Flags Wi-Fi Range Extender Vulnerability Under Active Attack — www.securityweek.com — 03.09.2025 21:56
- There are no reports of in-the-wild exploitation of CVE-2020-24363 prior to CISA’s warning, but proof-of-concept (PoC) exploit code has been publicly available since July 2020.
First reported: 03.09.2025 21:56 (1 source, 1 article). Sources:
- US Cybersecurity Agency Flags Wi-Fi Range Extender Vulnerability Under Active Attack — www.securityweek.com — 03.09.2025 21:56
Similar Happenings
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, requiring federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks.

GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboots and system upgrades. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered agencies to permanently disconnect from their networks any ASA devices that are reaching the end of support by September 30.

The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families such as RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat.
Microsoft September 2025 Patch Tuesday addresses 81 vulnerabilities, including two zero-days
Microsoft's September 2025 Patch Tuesday addresses 80 vulnerabilities, including one publicly disclosed flaw and eight critical vulnerabilities. The updates fix a range of issues, including privilege escalation, remote code execution, information disclosure, and denial-of-service vulnerabilities. The patches also cover a critical flaw in Azure Networking and address a new lateral movement technique dubbed BitLockMove. Additionally, security updates have been released by multiple vendors, including Adobe, Cisco, Google, and others. The September 2025 update includes 38 elevation of privilege (EoP) vulnerabilities. The two zero-day vulnerabilities are CVE-2025-55234 in Windows SMB Server and CVE-2024-21907 in Microsoft SQL Server. The SMB vulnerability is exploited through relay attacks, while the SQL Server flaw involves improper handling of exceptional conditions in Newtonsoft.Json. The updates also include hardening features for SMB Server to mitigate relay attacks, with recommendations for administrators to enable auditing to assess compatibility issues.

The KB5065429 cumulative update for Windows 10 22H2 and 21H2 includes fourteen fixes or changes, addressing unexpected UAC prompts and severe lag and stuttering issues with NDI streaming software. The update enables auditing of SMB client compatibility for SMB Server signing and SMB Server EPA, and includes an opt-in feature for administrators to allow outbound network traffic from Windows 10 devices. CVE-2025-55234 is an elevation of privilege vulnerability with a CVSS score of 8.8. CVE-2025-54918 in Windows NT LAN Manager (NTLM) is marked as critical and has a CVSS score of 8.8. CVE-2025-54111 and CVE-2025-54913 are EoP vulnerabilities in Windows UI XAML. CVE-2025-55232 in the Microsoft High Performance Compute (HPC) Pack has a CVSS score of 9.8. CVE-2025-54916 in Windows NTFS has a CVSS score of 7.8 and can be exploited through SMB or local parsing routines.

Microsoft has released the final non-security preview update for Windows 10, version 22H2, which includes fixes for the out-of-box experience and SMBv1 protocol connectivity. The update improves the servicing stack, bringing Windows 10 22H2 systems to build 19045.6396. It includes the fixes and quality improvements from the KB5065429 cumulative update, enabling IT administrators to deploy hardening measures for SMB. The update addresses an issue causing non-admin users to receive unexpected User Account Control (UAC) prompts and fixes delays or uneven audio and video performance with Network Device Interface (NDI) streaming. Microsoft will stop providing security updates for Windows 10 after October 14, 2025; the Extended Security Updates (ESU) program is available for Windows 10 users who want to delay the switch to Windows 11. Individual customers in the European Economic Area (EEA) can enroll in the ESU program for free.
High-severity use-after-free flaw in Chrome's V8 JavaScript engine patched
Google has released Chrome 140 to address a high-severity use-after-free vulnerability in the V8 JavaScript engine. This flaw, tracked as CVE-2025-9864, could lead to remote code execution (RCE) if exploited. The update also fixes three medium-severity bugs in Chrome's Toolbar, Extensions, and Downloads components. Users are advised to update their browsers immediately. The vulnerability was reported by the Yandex Security Team. Google has not disclosed details about the flaw or paid a bug bounty for it, citing security reasons. The update is rolling out for Windows, macOS, and Linux.
HexStrike AI weaponized to exploit Citrix vulnerabilities
Threat actors have begun using HexStrike AI, an AI-driven security tool, to exploit recently disclosed Citrix vulnerabilities. HexStrike AI, designed for authorized red teaming and bug bounty hunting, has been repurposed to automate the exploitation of security flaws. This development highlights the rapid weaponization of AI tools by malicious actors, significantly reducing the time between vulnerability disclosure and exploitation. The exploitation attempts target three Citrix vulnerabilities disclosed last week. Threat actors are using HexStrike AI to identify and exploit vulnerable NetScaler instances, which are then offered for sale on dark web forums. This trend underscores the growing threat of AI-powered cyberattacks and the need for robust defensive measures. Check Point Research observed significant chatter on the dark web around HexStrike AI, associated with the rapid weaponization of newly disclosed Citrix vulnerabilities, including CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424. Nearly 8,000 endpoints remained vulnerable to CVE-2025-7775 as of September 2, 2025, down from 28,000 the previous week. Check Point recommends that defenders focus on early warning through threat intelligence, AI-driven defenses, and adaptive detection.
Two Android zero-day vulnerabilities exploited in targeted attacks
Google has released security updates for September 2025 to address 111 vulnerabilities in Android, including two zero-day flaws actively exploited in targeted attacks. The vulnerabilities, CVE-2025-38352 and CVE-2025-48543, allow local privilege escalation without additional execution privileges or user interaction. The updates include two patch levels, 2025-09-01 and 2025-09-05, to provide flexibility for Android partners. The flaws affect the Linux Kernel and Android Runtime components. Google has not disclosed specific details about the attacks but has acknowledged limited, targeted exploitation. Benoît Sevens of Google's Threat Analysis Group (TAG) discovered the Linux Kernel flaw, suggesting it may have been used in targeted spyware attacks. The updates also address several other vulnerabilities, including remote code execution, privilege escalation, information disclosure, and denial-of-service issues in Framework and System components. The September 2025 update covers Android 13 through 16 and includes fixes for 27 Qualcomm components, bringing the total number of fixed flaws to 111 unique CVEs. The Linux kernel vulnerability (CVE-2025-38352) is a race condition related to POSIX CPU timers. The Android Runtime zero-day (CVE-2025-48543) is resolved in the 2025-09-01 security patch level. The 2025-09-05 security patch level fixes the Linux kernel bug and 51 other issues affecting various components. Google rolled out Pixel security updates resolving 23 vulnerabilities specific to Pixel devices. All vulnerabilities in the Android bulletin are resolved with updates to Wear OS, Pixel Watch, and Automotive OS.