
On July 7, the Cybersecurity and Infrastructure Security Agency (CISA) added four new entries to its Known Exploited Vulnerabilities (KEV) catalog. What stands out about the vulnerabilities isn’t the number; it’s the age. The oldest dates back to 2014, and all four are actively being exploited today.
The KEV catalog has become a go-to resource for identifying high-risk vulnerabilities with real-world consequences. CISA adds vulnerabilities to the catalog only when they’re confirmed to be actively exploited, making each entry a clear and immediate threat. That makes each new addition a signal to act, not just for federal agencies, but for anyone managing enterprise systems.
The Four Vulnerabilities Explained
The four vulnerabilities added to the KEV catalog affect a range of widely used technologies—from web infrastructure to email systems—and all carry the risk of remote code execution or data exposure.
- CVE-2014-3931 is a buffer overflow flaw in Multi-Router Looking Glass (MRLG) versions prior to 5.5.0. Found in the fastping.c file, it allows a remote attacker to crash the system or potentially execute arbitrary code. Though MRLG is a niche network diagnostic tool, its exposure to the internet in some setups makes it a target.
- CVE-2016-10033 affects PHPMailer, a popular open-source library used to send email from web applications. Versions before 5.2.18 fail to properly sanitize user input passed to the mail() function, opening the door to remote code execution through command injection.
- CVE-2019-5418 is a path traversal vulnerability in Ruby on Rails' Action View component. Specially crafted Accept headers can trick the framework into disclosing arbitrary file contents. While this flaw might not sound severe on its own, in certain configurations it can be chained with other bugs to achieve code execution.
- CVE-2019-9621 is the most high-profile of the group. It’s a Server-Side Request Forgery (SSRF) vulnerability in the Zimbra Collaboration Suite’s ProxyServlet component. This bug allows attackers to make unauthorized internal requests and, in some cases, gain remote code execution. It has already been linked to active exploitation by advanced persistent threat (APT) groups.
Threat Actor Spotlight: Earth Lusca
Earth Lusca is a Chinese-speaking advanced persistent threat group that blends traditional espionage tactics—like spear phishing and watering-hole sites—with the exploitation of unpatched server vulnerabilities. Active since at least mid-2021, Earth Lusca has targeted government and public-sector organizations across Asia (including Southeast and Central Asia), Australia, Europe, and North America—focusing on departments linked to foreign affairs, technology, and telecommunications. After breaching an initial target, the group typically deploys web shells or backdoors such as Cobalt Strike and then uses tools like SprySOCKS to move laterally, harvest credentials, and exfiltrate data.
Among the four newly added vulnerabilities in CISA’s July 7 KEV update, only one—CVE-2019-9621, the SSRF in Zimbra’s ProxyServlet—has been directly tied to Earth Lusca activity. Trend Micro first flagged this abuse in early 2021 after spotting Zimbra servers being probed and leveraged to gain access to internal networks. Since then, the group has repeatedly exploited CVE-2019-9621 to implant web shells and backdoors, setting the stage for downstream payloads like Cobalt Strike that support credential theft and long-term access.
Implications for Security Posture
A decade-old bug like CVE-2014-3931 still being exploited in 2025 should raise alarms, not eyebrows. Legacy vulnerabilities remain effective because patching isn’t always straightforward. Many organizations still struggle with basic visibility: they don’t know every asset running on their network, let alone which ones are running outdated software.
Even when a patch exists, it may not get applied. “With huge volumes of vulnerabilities reported every year, the challenge many organizations face is that if they don’t patch it within the first 90 days, they might never patch it,” said James Maude, Field CTO at BeyondTrust. Once an attacker gains access, previously accepted risk levels or mitigations often fall apart.
Federal Mandate and Broader Security Lessons
Federal civilian executive branch (FCEB) agencies have until July 28, 2025, to remediate all four newly listed vulnerabilities. That mandate, issued through CISA’s Binding Operational Directive 22-01, is intended to drive rapid response to known, high-impact threats. But the lessons go well beyond government. For both public and private organizations, the KEV catalog should function as a short list of top priorities.
Best practices start with identifying where the vulnerable software lives. Mayuresh Dani of Qualys recommends starting with a full inventory of systems, including any legacy infrastructure or shadow IT that may be running vulnerable software. He also notes the importance of identifying dependencies, since tools like PHPMailer or Rails often appear inside other platforms. To reduce exposure, Dani advises limiting access to services like MRLG and Zimbra to trusted networks and segmenting networks with firewalls and access controls to limit public-facing systems.
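The inventory-first approach described above can be turned into a small triage script. The following Python is an added example, not code from the article or from CISA, Qualys or BeyondTrust. It matches a constructed asset inventory (hostnames, product names and versions are made up for illustration) against KEV-style records, using the fixed-version boundaries the article states (MRLG 5.5.0, PHPMailer 5.2.18) and flagging products for which the article gives no version boundary as "review" rather than guessing one. The feed URL is CISA's published KEV JSON; the sample records below mirror its field names but their values are constructed, and the script runs entirely offline unless you call `load_kev()` yourself.

```python
"""Added example: triage a software inventory against CISA KEV entries.

Not the article's code. KEV_FEED_URL is CISA's published catalog feed; every
host, version and record value below is constructed for illustration.
"""
import json
import re
import urllib.request
from datetime import date

KEV_FEED_URL = (
    "https://www.cisa.gov/sites/default/files/feeds/"
    "known_exploited_vulnerabilities.json"
)

# Constructed sample in the shape of the KEV feed (same field names as the
# real catalog), limited to the four CVEs the article discusses.
SAMPLE_KEV = {
    "vulnerabilities": [
        {"cveID": "CVE-2014-3931", "vendorProject": "Multi-Router Looking Glass",
         "product": "Multi-Router Looking Glass (MRLG)",
         "dateAdded": "2025-07-07", "dueDate": "2025-07-28"},
        {"cveID": "CVE-2016-10033", "vendorProject": "PHPMailer",
         "product": "PHPMailer", "dateAdded": "2025-07-07", "dueDate": "2025-07-28"},
        {"cveID": "CVE-2019-5418", "vendorProject": "Rails",
         "product": "Ruby on Rails", "dateAdded": "2025-07-07", "dueDate": "2025-07-28"},
        {"cveID": "CVE-2019-9621", "vendorProject": "Zimbra",
         "product": "Zimbra Collaboration Suite",
         "dateAdded": "2025-07-07", "dueDate": "2025-07-28"},
    ]
}

# First fixed version per CVE, taken from the article where it states one.
# None means the article gives no boundary: a product match is reported for
# manual review against the vendor advisory instead of being guessed.
FIXED_VERSIONS = {
    "CVE-2014-3931": "5.5.0",
    "CVE-2016-10033": "5.2.18",
    "CVE-2019-5418": None,
    "CVE-2019-9621": None,
}

# Constructed inventory, as a CMDB or agent export might present it.
SAMPLE_INVENTORY = [
    {"host": "lg01", "product": "MRLG", "version": "5.4.1"},
    {"host": "www02", "product": "PHPMailer", "version": "5.2.18"},
    {"host": "app01", "product": "Ruby on Rails", "version": "5.2.2"},
    {"host": "mail01", "product": "Zimbra", "version": "8.8.15"},
    {"host": "edge01", "product": "nginx", "version": "1.24.0"},  # not in KEV
]


def normalize(name):
    """Lower-case and strip everything but letters and digits for fuzzy matching."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def version_key(version, width=4):
    """Numeric tuple for dotted versions, zero-padded so '5.5' == '5.5.0'."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple((parts + [0] * width)[:width])


def days_until_due(due_date, today):
    """Days left before a KEV due date (both ISO date strings)."""
    return (date.fromisoformat(due_date) - date.fromisoformat(today)).days


def match_inventory(inventory, kev, fixed_versions):
    """Join inventory rows to KEV records by product and classify each hit."""
    findings = []
    for asset in inventory:
        for vuln in kev["vulnerabilities"]:
            if normalize(asset["product"]) not in normalize(vuln["product"]):
                continue
            fixed = fixed_versions.get(vuln["cveID"])
            if fixed is None:
                status = "review"       # no boundary known: check the advisory
            elif version_key(asset["version"]) < version_key(fixed):
                status = "vulnerable"
            else:
                status = "patched"
            findings.append({"host": asset["host"], "product": asset["product"],
                             "version": asset["version"], "cveID": vuln["cveID"],
                             "status": status, "dueDate": vuln["dueDate"]})
    return findings


def load_kev(url=KEV_FEED_URL, timeout=30):
    """Fetch the live catalog (needs network; not used by the sample run)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    today = "2025-07-07"
    order = {"vulnerable": 0, "review": 1, "patched": 2}
    for f in sorted(match_inventory(SAMPLE_INVENTORY, SAMPLE_KEV, FIXED_VERSIONS),
                    key=lambda f: order[f["status"]]):
        print(f"{f['status']:<10} {f['host']:<8} {f['product']:<16} "
              f"{f['version']:<8} {f['cveID']} "
              f"due in {days_until_due(f['dueDate'], today)} days")
```

Swap `SAMPLE_KEV` for `load_kev()` and `SAMPLE_INVENTORY` for your own asset export to run it for real; the product-name matching is deliberately loose so that embedded dependencies (PHPMailer inside a CMS, Rails inside an appliance) are surfaced for review rather than silently skipped.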
More broadly, organizations should stop viewing patching as a backend task. “As an industry, this should be a bit of a wake-up call that prevention isn’t dead,” Maude said. “Software patching, implementing least privilege, and controlling execution are hugely effective defenses that shouldn’t be dismissed in favor of the latest detection trends.”
Patch Old, Defend New
The message from CISA’s latest alert is simple: old doesn’t mean irrelevant. Attackers are still finding and exploiting years-old bugs because they work. That puts the burden on defenders to stay alert not just to emerging threats, but to the ones already mapped, documented, and circulating.
“Security teams should not let the publication date lull them into complacency,” said Jason Soroko, Senior Fellow at Sectigo. “The four flaws recently flagged by CISA illustrate how forgotten code can outlive its news cycle.”