Key Takeaways
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added Google Chromium and Sierra Wireless AirLink ALEOS flaws to its Known Exploited Vulnerabilities (KEV) catalog.
- The added flaws include CVE-2025-14174, a Google Chromium Out-of-Bounds Memory Access Vulnerability, and CVE-2018-4063, a Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability.
- These vulnerabilities can be exploited by remote attackers to perform out-of-bounds memory access, upload and execute malicious code, and potentially gain arbitrary code execution.
- CISA has ordered federal agencies to fix the vulnerabilities by January 2nd, 2026, and recommends that private organizations review the catalog and address the vulnerabilities in their infrastructure.
Introduction to CISA’s Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two new flaws to its Known Exploited Vulnerabilities (KEV) catalog, which includes vulnerabilities that are known to be exploited by threat actors in real-world attacks. The added flaws include CVE-2025-14174, a Google Chromium Out-of-Bounds Memory Access Vulnerability, and CVE-2018-4063, a Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability. These vulnerabilities can be exploited by remote attackers to gain unauthorized access, upload and execute malicious code, and potentially gain arbitrary code execution.
Details of the Google Chromium Vulnerability
CVE-2025-14174 is an out-of-bounds memory access vulnerability in the ANGLE graphics library, specifically its Metal renderer, which is used in Google Chrome on Mac. A remote attacker can exploit this flaw by crafting an HTML page that causes out-of-bounds memory access, leading to memory corruption, crashes, or potentially arbitrary code execution. Google has released security updates to fix this high-severity flaw, which is being exploited by threat actors in real-world attacks. The vulnerability is tracked as Chromium issue 466192044, and a related GitHub commit reveals that the bug lies in the incorrect calculation of buffer sizes using pixelsDepthPitch, derived from GL_UNPACK_IMAGE_HEIGHT.
Details of the Sierra Wireless AirLink ALEOS Vulnerability
CVE-2018-4063 is a remote code execution flaw in Sierra Wireless AirLink ES450 FW 4.9.3, which affects the upload.cgi component. An authenticated attacker can send a crafted HTTP request to upload and execute malicious code on the device’s web server. This vulnerability can be exploited by attackers to gain unauthorized access to the device and execute malicious code, potentially leading to further attacks. The vulnerability is considered high-severity and can be exploited by attackers to gain control of the device.
CISA’s Recommendations and Deadlines
According to the Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog. CISA has ordered federal agencies to fix the vulnerabilities by January 2nd, 2026. Additionally, experts recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure to prevent potential attacks. It is essential for organizations to prioritize patching these vulnerabilities to prevent exploitation by threat actors.
Conclusion and Recommendations
In conclusion, the addition of Google Chromium and Sierra Wireless AirLink ALEOS flaws to CISA’s Known Exploited Vulnerabilities catalog highlights the importance of prioritizing patching and vulnerability management. Organizations should review the catalog and address the vulnerabilities in their infrastructure to prevent potential attacks. It is also essential to keep software and systems up-to-date with the latest security patches to prevent exploitation by threat actors. By prioritizing vulnerability management and patching, organizations can reduce the risk of cyber attacks and protect their networks and data.
