CISA KEV Catalog: Actively Exploited Zero-Days in December 2025
The Cybersecurity and Infrastructure Security Agency (CISA) added several highly critical security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue in December 2025, all of which are already being exploited by threat actors. Google published an Android security bulletin on 1 December 2025 with more than 100 fixed vulnerabilities, including two zero-days that CISA added to the KEV catalogue on 2 December. Security researchers are simultaneously documenting active exploitation campaigns against Samsung devices, OpenPLC systems, and enterprise infrastructure. The remediation deadline of 19 December 2025 for federal agencies underlines the urgency.
Android Framework Zero-Days: CVE-2025-48572 and CVE-2025-48633
Both zero-days were classified by Google as being under limited, targeted exploitation. CVE-2025-48633 is an information disclosure vulnerability in the Android Framework that allows access to protected data without elevated permissions. CVE-2025-48572 is a privilege escalation vulnerability that lets attackers escalate from low-privileged contexts to system level. Both vulnerabilities are classified as High Severity.
The combination enables a dangerous attack chain: an attacker first uses CVE-2025-48633 for reconnaissance, then CVE-2025-48572 for privilege escalation to gain full device control. This methodology is typical of commercial spyware and state surveillance operations.
CISA ordered federal agencies to remediate these vulnerabilities by 19 December 2025. The deadline corresponds to the standard remediation timeframe for highly critical, actively exploited vulnerabilities under Binding Operational Directive (BOD) 22-01.
Samsung CVE-2025-21042: Remote Code Execution in libimagecodec
CVE-2025-21042 is an out-of-bounds write vulnerability (CWE-787) in the libimagecodec library on Samsung devices, enabling Remote Code Execution. Threat actors exploit this vulnerability to compromise devices by embedding crafted image files.
The exploitation campaign demonstrates a zero-click scenario: victims do not need to interact with the malicious content; simple delivery triggers device compromise in the background. No physical access or extensive user interaction is required.
The vulnerability enables comprehensive surveillance and data theft. CISA set the remediation deadline at 1 December 2025, leaving only three weeks for updates and protective measures. Samsung released a patch, but CISA documented continued active exploitation of unpatched devices in December 2025.
Critical Vulnerabilities in Enterprise Infrastructure
OpenPLC ScadaBR CVE-2021-26829 is a cross-site scripting vulnerability with a CVSS score of 5.4 that CISA added to the KEV catalogue based on confirmed active exploitation. The flaw affects versions up to 1.12.4 (Windows) and 0.9.1 (Linux) and allows attackers to inject malicious scripts that execute in the browsers of users of the ScadaBR web interface.
The pro-Russian hacktivist group TwoNet targeted industrial control systems. The attack chain began with default credentials, followed by CVE-2021-26829 exploitation. The attackers carried out destructive actions: defacing the HMI login page, deleting connected PLC data sources, manipulating PLC setpoints, and disabling system logs. The entire attack took place within approximately 26 hours.
CISA ordered federal agencies to remediate this vulnerability by 19 December 2025.
Remediation Requirements and BOD 22-01 Compliance
Binding Operational Directive (BOD) 22-01 establishes non-negotiable remediation deadlines for federal agencies:
- Internet-exposed vulnerabilities: 15 calendar days from discovery
- Non-internet-exposed vulnerabilities: 25 calendar days from discovery
Agencies that miss these deadlines must document delays, implement compensating controls, or report system shutdown. Private organisations have adopted KEV-centric prioritisation as a baseline framework for vulnerability management, driven by cyber insurance policies, supply chain pressure, and empirical evidence that KEV-listed vulnerabilities represent the highest risks.
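As an added example (not code from the original article or from CISA), the deadline arithmetic above applied to the CVEs on this page: a small Python triage script over a constructed sample in the shape of CISA's KEV JSON feed and a constructed asset inventory. It assumes the effective due date is the earlier of CISA's dueDate and the 15/25-day clock, and the Samsung and ScadaBR dateAdded values are placeholders, since the article only gives their due dates.

```python
import json
from datetime import date, timedelta

# Constructed sample in the shape of CISA's KEV JSON feed. The Android entries
# use the dates given in the article; the Samsung and ScadaBR dateAdded values
# are placeholders (the article states only their due dates).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-48633", "vendorProject": "Android", "product": "Framework",
     "dateAdded": "2025-12-02", "dueDate": "2025-12-19"},
    {"cveID": "CVE-2025-48572", "vendorProject": "Android", "product": "Framework",
     "dateAdded": "2025-12-02", "dueDate": "2025-12-19"},
    {"cveID": "CVE-2025-21042", "vendorProject": "Samsung", "product": "Mobile devices",
     "dateAdded": "2025-11-10", "dueDate": "2025-12-01"},
    {"cveID": "CVE-2021-26829", "vendorProject": "OpenPLC", "product": "ScadaBR",
     "dateAdded": "2025-12-02", "dueDate": "2025-12-19"},
]})

# Constructed asset inventory: which KEV entries touch which of our systems and
# whether each system is internet-exposed (this drives the 15/25-day rule).
ASSETS = {
    "CVE-2025-48633": {"fleet-android-mdm": False},
    "CVE-2025-48572": {"fleet-android-mdm": False},
    "CVE-2025-21042": {"exec-samsung-phones": True},
    "CVE-2021-26829": {"plant-hmi-scadabr": True},
}
EXPOSED_DAYS, INTERNAL_DAYS = 15, 25  # BOD 22-01 clocks as stated in the article

def triage(kev_json, assets, today):
    """One row per (CVE, asset), most urgent first; 'status' flags missed deadlines."""
    rows = []
    for v in json.loads(kev_json)["vulnerabilities"]:
        added = date.fromisoformat(v["dateAdded"])
        cisa_due = date.fromisoformat(v["dueDate"])
        for asset, exposed in assets.get(v["cveID"], {}).items():
            clock = timedelta(days=EXPOSED_DAYS if exposed else INTERNAL_DAYS)
            due = min(cisa_due, added + clock)  # assumption: earlier clock wins
            days_left = (due - today).days
            rows.append({"cve": v["cveID"], "asset": asset, "exposed": exposed,
                         "due": due.isoformat(), "days_left": days_left,
                         "status": "OVERDUE" if days_left < 0 else "open"})
    # Internet-exposed assets first, then the least time remaining.
    return sorted(rows, key=lambda r: (not r["exposed"], r["days_left"]))

if __name__ == "__main__":
    for r in triage(KEV_SAMPLE, ASSETS, date(2025, 12, 10)):
        print(f"{r['status']:8} {r['cve']:15} {r['asset']:20} due {r['due']} "
              f"({r['days_left']:+d} days){'  exposed' if r['exposed'] else ''}")
```

An overdue row is where BOD 22-01 requires the agency to document the delay, apply compensating controls, or report the system as shut down.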
Exploitation Patterns and Threat Actor Activity
A striking feature of the December 2025 threat landscape is the dramatic acceleration between vulnerability disclosure and active weaponisation. In many cases, vulnerabilities show exploitation evidence on or before the CVE publication date. This "zero-day-like" exploitation pattern reflects AI-assisted exploit automation, widespread availability of proof-of-concept code, and organised threat actor operations that weaponise vulnerabilities within hours or days of disclosure.
Recommendations and Mitigation Strategies
Organisations must immediately:
- Establish risk-based prioritisation: Designate all KEV-listed vulnerabilities as top remediation priorities with service level agreements of 2-3 weeks.
- Patch internet-exposed systems: Immediate patching is required for Android Framework zero-days and Samsung CVE-2025-21042.
- Implement compensating controls: Network segmentation, disabling of vulnerable functionality, enabling extended logging and monitoring, and forensic analysis of potentially compromised systems.
- Conduct threat hunting: Mobile device management to enforce the latest security patches, scanning for suspicious remote access tools, and analysis of firewall rules, administrative accounts, and web server logs.
- Implement defence-in-depth: Multi-factor authentication, IP restrictions, just-in-time access provisioning, network segmentation, and application-level firewalls.
Conclusion
The December 2025 vulnerability landscape demonstrates fundamental shifts in the nature of contemporary cyber threats, with sophisticated threat actors, including nation-states, commercial spyware vendors, and financially motivated cybercriminals, weaponising vulnerabilities within hours or days of disclosure. The CISA KEV catalogue has established itself as an authoritative source for vulnerability prioritisation and a foundation for effective risk management.
Organisations that do not adopt KEV-centric vulnerability management frameworks risk substantial compromise by threat actors actively exploiting known vulnerabilities in unpatched systems. The regulatory environment, embodied in BOD 22-01 requirements with 15-25-day remediation deadlines, reflects CISA's evidence-based assessment that traditional patch management approaches provide insufficient security posture.
Summarised with the help of AI.