
The Cybersecurity and Infrastructure Security Agency has added two more entries to its Known Exploited Vulnerabilities catalog, the list of bugs it says pose significant risk to the federal enterprise. Inclusion on the KEV means these flaws are being exploited in the wild and defenders should treat them as active threats, not hypothetical risks.
CISA tied the move to its Binding Operational Directive 22-01, which requires federal agencies to remediate KEV-listed bugs by set deadlines. The agency also urged private organizations to act quickly, warning that these vulnerabilities are common entry points for attackers and put both government and enterprise systems at risk.
TP-Link Wi-Fi Range Extender Vulnerability (CVE-2020-24363)
One of the additions is a high-severity bug in TP-Link’s TL-WA855RE Wi-Fi range extender. Tracked as CVE-2020-24363 and carrying a CVSS score of 8.8, the flaw stems from missing authentication in the device’s debug protocol. Left unpatched, it gives attackers a straightforward path to elevated access on the network.
TP-Link addressed the issue in firmware release TL-WA855RE(EU)_V5_200731, but that relief is limited. The extenders are now end-of-life, which means most units in circulation will never see the fix. That leaves many households and small businesses running gear that’s effectively frozen in a vulnerable state.
“The real issue is our workforce,” said Randolph Barr, Chief Information Security Officer at Cequence Security. “Employees working from home often turn to consumer extenders as a cheap and easy way to fix Wi-Fi dead zones. The problem is these devices usually ship with weak security, rarely get patched, and most users don’t think to replace them until they see a tangible benefit.”
Once hardware stops receiving updates, it becomes a permanent liability. Security experts recommend replacing outdated extenders rather than leaving them on the network as open doors.
WhatsApp & Apple Zero-Day Exploitation (CVE-2025-55177, CVE-2025-43300)
The second entry is a WhatsApp vulnerability tracked as CVE-2025-55177. On its own, the flaw carries a moderate CVSS score of 5.4, but it was recently used in a highly targeted spyware campaign. Attackers paired it with CVE-2025-43300, a zero-day in Apple’s ImageIO framework affecting iOS, iPadOS, and macOS, to achieve full device compromise.
“It is a moderate severity flaw on paper but is proven to be part of a sophisticated chain against high-value targets,” said Jason Soroko, Senior Fellow at Sectigo. “The KEV listing signals that even flaws with modest CVSS scores can be dangerous when combined with other zero-days in commercial spyware operations.”
WhatsApp says fewer than 200 users were targeted, a small number that reflects how tightly focused these campaigns are.
The Bigger Picture: Legacy Devices and Supply Chain Risk
These two cases are very different but point to the same problem. Outdated consumer gear, like TP-Link’s end-of-life extenders, lingers in homes and small offices long after support ends, quietly widening the attack surface. At the same time, targeted campaigns against apps like WhatsApp show how attackers can weaponize trusted services that billions rely on every day.
For enterprises, the lesson is that exposure isn’t just about what’s in the data center. Employees working remotely may introduce vulnerable consumer devices into the mix, while attackers go after high-value apps on personal phones to reach their targets. Staying ahead means keeping tabs on what’s actually running in the environment, swapping out unsupported hardware, and patching aggressively when fixes are available.
Call to Action for Users and Enterprises
CISA’s message is simple. If you’re still running hardware that no longer receives updates, replace it. Unsupported devices like the TL-WA855RE will only grow riskier with time.
Keep your software current as well. Apply patches to apps and operating systems as they arrive, because attackers move quickly once an exploit is in circulation.
Finally, make a habit of checking CISA’s Known Exploited Vulnerabilities catalog. It’s a running list of what adversaries are actively using, and treating it as a to-do list for remediation is one of the most effective ways to cut off common attack paths.
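One way to turn that habit into a process, as an added example that is not part of the original article: cross-reference the KEV feed against an asset inventory and emit a due-date-ordered remediation queue, with unsupported hardware routed to replacement rather than patching. The feed excerpt, due dates and inventory below are constructed sample data shaped like the public KEV JSON, not values from CISA.

```python
"""Turn the CISA KEV catalog into a remediation to-do list for your own assets.
Added example; KEV entries, due dates and inventory are constructed sample data."""
import json
from datetime import date

# Constructed excerpt in the feed's shape (the real feed is published at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2020-24363", "vendorProject": "TP-Link", "product": "TL-WA855RE",
     "requiredAction": "Apply vendor mitigations or discontinue use", "dueDate": "2025-09-23"},
    {"cveID": "CVE-2025-55177", "vendorProject": "Meta", "product": "WhatsApp",
     "requiredAction": "Apply updates per vendor instructions", "dueDate": "2025-09-23"},
    {"cveID": "CVE-2025-43300", "vendorProject": "Apple", "product": "ImageIO",
     "requiredAction": "Apply updates per vendor instructions", "dueDate": "2025-09-11"},
]})

# Constructed inventory: each asset's known CVEs and whether the vendor still ships fixes.
INVENTORY = [
    {"asset": "home-office-extender-01", "cves": {"CVE-2020-24363"}, "supported": False},
    {"asset": "ceo-iphone", "cves": {"CVE-2025-55177", "CVE-2025-43300"}, "supported": True},
    {"asset": "build-server", "cves": {"CVE-0000-00000"}, "supported": True},  # placeholder, not in KEV
]


def kev_index(kev_json: str) -> dict:
    """Map cveID -> KEV entry so inventory lookups are constant time."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def remediation_queue(kev_json: str, inventory: list, today: date) -> list:
    """One task per (asset, KEV-listed CVE), earliest due date first.

    Unsupported hardware gets a 'replace device' task, since no patch will ever land;
    everything else inherits the catalog's requiredAction. Past-due tasks are flagged.
    """
    kev = kev_index(kev_json)
    tasks = []
    for item in inventory:
        for cve in sorted(item["cves"] & set(kev)):  # ignore CVEs not on the KEV
            due = date.fromisoformat(kev[cve]["dueDate"])
            action = "replace device" if not item["supported"] else kev[cve]["requiredAction"]
            tasks.append({"asset": item["asset"], "cve": cve, "due": due,
                          "overdue": due < today, "action": action})
    return sorted(tasks, key=lambda t: (t["due"], t["asset"]))


if __name__ == "__main__":
    for t in remediation_queue(KEV_SAMPLE, INVENTORY, date(2025, 9, 15)):
        print(("OVERDUE " if t["overdue"] else "") + f"{t['due']} {t['asset']} {t['cve']}: {t['action']}")
```

In production the inventory would come from an asset or vulnerability scanner export and the feed from the URL above; the matching logic stays the same.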