Pierluigi Paganini March 14, 2025

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apple products and Juniper Junos OS flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

• CVE-2025-21590 Juniper Junos OS Improper Isolation or Compartmentalization Vulnerability
• CVE-2025-24201 Apple Multiple Products WebKit Out-of-Bounds Write Vulnerability

The vulnerability CVE-2025-21590 is an Improper Isolation or Compartmentalization issue in the kernel of Juniper Networks Junos OS that allows a local attacker with high privileges to compromise the integrity of the device. A local attacker with access to the shell is able to inject arbitrary code which can compromise an affected device. The vendor states that the flaw is not exploitable from the Junos CLI.

This week, Mandiant researchers warned that China-linked APT group UNC3886 is deploying custom backdoors on Juniper Networks Junos OS MX routers.

The group’s latest operation on Juniper Networks’ Junos OS routers demonstrates a deep knowledge of system internals. UNC3886 prioritizes stealth by using passive backdoors and tampering with logs and forensic artifacts to ensure long-term persistence while evading detection.

Mandiant observed UNC3886 using compromised credentials to access Junos OS CLI from terminal servers managing network devices, escalating to FreeBSD shell mode. Junos OS includes a Verified Exec (veriexec) subsystem, adapted from NetBSD Veriexec, to ensure file integrity by preventing unauthorized code execution, including binaries, libraries, and scripts. To deploy malware, the threat actor had to first bypass this security mechanism. UNC3886 bypassed it by injecting malicious code into trusted processes. This allowed them to install six TinyShell-based backdoors named appid, to, irad, jdosd, oemd, and lmpad. Each backdoor was designed for remote access, persistence, and stealth, enabling attackers to evade detection and maintain long-term control.

“Veriexec protection prevents unauthorized binaries from executing. This poses a challenge for threat actors, as disabling veriexec can trigger alerts. However, execution of untrusted code is still possible if it occurs within the context of a trusted process. Mandiant’s investigation revealed that UNC3886 was able to circumvent this protection by injecting malicious code into the memory of a legitimate process.” reads the report published by Mandiant “This specific technique is now tracked as CVE-2025-21590, as detailed in Juniper Network’s security bulletin JSA93446.”

The second flaw added to the KeV catalog is CVE-2025-24201. This week Apple released emergency security updates to address a zero-day vulnerability, tracked as CVE-2025-24201, in the WebKit cross-platform web browser engine.

The vulnerability is an out-of-bounds write issue that was exploited in “extremely sophisticated” attacks.

An attacker can exploit the vulnerability using maliciously crafted web content to escape the Web Content sandbox. Apple released this fix as an additional measure after blocking a similar attack in iOS 17.2.

“Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.)” reads the advisory published by the company.

The company addressed this vulnerability with improved checks. Apple released iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, and Safari 18.3.1 to address the zero-day.

The flaw impacts iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later, Macs running macOS Sequoia, and Apple Vision Pro.

Apple did not disclose details about the attacks or attribute them to any threat actor.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by April 3, 2025.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)