Critical Vulnerabilities in Apple iOS, Craft CMS, and Laravel Livewire (CVE‑2025‑31277) Added to CISA KEV Catalog – Urgent Patch Required
What It Is – CISA has placed five newly‑identified flaws affecting Apple’s operating system, the Craft CMS platform, and the Laravel Livewire PHP framework into its Known Exploited Vulnerabilities (KEV) list. The most severe, CVE‑2025‑31277, scores 8.8 (CVSS) and is actively exploited in the wild.
Exploitability – Active exploitation confirmed; proof‑of‑concept code has been observed in underground forums. CVSS 8.8 (High) for the Apple flaw; the other four CVEs score between 7.2 and 8.3 and are also being weaponized.
Affected Products –
- Apple iOS/macOS (specific component undisclosed in the advisory)
- Craft CMS 3.x‑4.x
- Laravel Livewire 2.x‑3.x
TPRM Impact – Third‑party vendors that embed these components in SaaS offerings, mobile apps, or web portals inherit the same exposure. A breach in a downstream supplier could cascade to federal and commercial customers, amplifying supply‑chain risk.
Recommended Actions –
- Inventory all assets that run the affected Apple OS versions, Craft CMS installations, or Laravel Livewire libraries.
- Prioritize patching of Apple devices (CVE‑2025‑31277) before the CISA deadline of 3 April 2026.
- Apply vendor‑released updates for Craft CMS and Laravel Livewire immediately; verify version compliance.
- Apply temporary mitigations (e.g., disable vulnerable APIs, enforce strict input validation) if patches cannot be applied within the window.
- Update third‑party risk registers to reflect the new KEV status and communicate remediation timelines to affected partners.
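As an added example (not from the advisory or from The Hacker News), the inventory and version-compliance steps above can be scripted for the PHP components: the check below reads a Composer lock file and flags Craft CMS and Laravel Livewire installs whose major version falls inside the affected ranges the advisory lists (Craft CMS 3.x‑4.x, Livewire 2.x‑3.x). The lock content is a constructed sample, and since the advisory gives no fixed versions, a hit only means "inside the affected range; compare against the vendor's patched release".

```python
import json
import re

# Constructed sample composer.lock excerpt (not taken from any real project).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "4.5.3"},
        {"name": "livewire/livewire", "version": "v3.2.1"},
        {"name": "laravel/framework", "version": "v10.10.0"},
    ],
    "packages-dev": [],
})

# Affected major-version ranges as stated in the advisory. Fixed versions are
# not given there, so a match means "in the affected range; verify against the
# vendor's patched release", not "confirmed vulnerable".
AFFECTED_RANGES = {
    "craftcms/cms": (3, 4),        # Craft CMS 3.x-4.x
    "livewire/livewire": (2, 3),   # Laravel Livewire 2.x-3.x
}


def major_version(version):
    """Return the integer major component of a Composer version such as 'v3.2.1'.

    Non-numeric versions (e.g. 'dev-main') return None; callers should treat
    those as 'cannot determine' and review them by hand.
    """
    match = re.match(r"v?(\d+)", version)
    return int(match.group(1)) if match else None


def find_affected(lock_text):
    """Return [(package, version)] for lock entries inside an affected range."""
    lock = json.loads(lock_text)
    entries = lock.get("packages", []) + lock.get("packages-dev", [])
    hits = []
    for pkg in entries:
        rng = AFFECTED_RANGES.get(pkg.get("name"))
        if rng is None:
            continue
        major = major_version(pkg.get("version", ""))
        if major is not None and rng[0] <= major <= rng[1]:
            hits.append((pkg["name"], pkg["version"]))
    return hits


if __name__ == "__main__":
    for name, ver in find_affected(SAMPLE_COMPOSER_LOCK):
        print(f"{name} {ver}: in affected range, verify against vendor fix")
```

Run it against each project's real composer.lock (and record non-numeric versions separately) to feed the asset inventory and the third‑party risk register.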
Source: The Hacker News