CISA Adds Two High-Risk Vulnerabilities to Exploited Catalog: What Security Teams Should Do Now

May 04, 2025 • César Daniel Barreto

The Cybersecurity and Infrastructure Security Agency (CISA) has again refreshed its Known Exploited Vulnerabilities (KEV) Catalog—a critical source of information for both federal and private sector defenders. On May 2, 2025, two vulnerabilities were added that have been verified as exploited in the wild:

  • CVE-2025-34028 – Commvault Command Center path traversal vulnerability
  • CVE-2024-58136 – Yii PHP Framework improper protection of alternate path vulnerability

These expansions highlight the need for organizations across all sectors to remain vigilant and proactive with vulnerability management even when not under active federal requirements.

Why These CVEs Matter

CVE-2025-34028 in Commvault Command Center is a path traversal vulnerability that lets an attacker read files outside the intended directories or run code outside the intended file structure. It is especially troubling because backup and data protection systems hold highly sensitive data and are a favorite target of both ransomware operators and nation-state attackers.

CVE-2024-58136 affects the Yii PHP Framework, which is widely used in web applications. It stems from improper protection of an alternate path, which may allow attackers to bypass the access controls the framework is meant to enforce. Exploitation can lead to unauthorized use of sensitive functionality or data, posing a significant risk to developers and platform administrators.

The Role of BOD 22-01

Federal Civilian Executive Branch (FCEB) agencies subject to Binding Operational Directive 22-01 must remediate KEV-listed vulnerabilities within the prescribed timelines. The directive mandates a structured, prioritized response to actively exploited CVEs in order to strengthen the security posture of government networks.

While the directive is binding only on federal agencies, CISA strongly recommends that all organizations—private companies, critical infrastructure providers, and SaaS vendors—treat the KEV catalog as an urgent remediation list.

Expert Advice for Security Teams

At Security Briefing, we urge immediate action for administrators overseeing Commvault or Yii installations:

  • Audit every installation of Commvault Command Center and web applications based on Yii.
  • Patch or apply mitigations as soon as possible. Extended delay in patching publicly exploited vulnerabilities can lead to direct compromise.
  • Apply file access controls and web application firewalls (WAFs) to identify and prevent path traversal or alternate path access attempts.
  • Track CISA’s KEV Catalog at least weekly, and feed it into automated vulnerability scanning and remediation processes.
  • Audit access logs and conduct threat hunting for any sign of previous exploitation, particularly in externally facing systems.
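As an added illustration of the tracking recommendation above (example code written for this article, not a CISA or vendor tool): the script below matches entries in the KEV feed's JSON shape against an asset inventory and reports each affected host with its BOD 22-01 due date. The KEV entries, inventory hostnames, and due dates are constructed sample data; the field names follow CISA's published feed.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Field names follow the feed; the values below are illustrative, not copied from it.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-34028", "vendorProject": "Commvault", "product": "Command Center",
     "dateAdded": "2025-05-02", "dueDate": "2025-05-23", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-58136", "vendorProject": "Yii", "product": "Yii",
     "dateAdded": "2025-05-02", "dueDate": "2025-05-23", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "dateAdded": "2025-04-01", "dueDate": "2025-04-22", "knownRansomwareCampaignUse": "Known"},
]})

# Constructed asset inventory; hostnames and vendor/product strings are placeholders.
INVENTORY = [
    {"host": "backup01.example.internal", "vendor": "Commvault", "product": "Command Center"},
    {"host": "web02.example.internal", "vendor": "Yii", "product": "Yii PHP Framework"},
    {"host": "db01.example.internal", "vendor": "PostgreSQL", "product": "PostgreSQL"},
]

def match_kev(kev_json, inventory, as_of):
    """One finding per (asset, KEV entry) whose vendor and product match.
    Vendor is compared case-insensitively; product is a case-insensitive substring
    match in either direction, since inventory naming rarely equals the KEV wording.
    as_of is an ISO date string; overdue entries get a negative days_left and sort first."""
    today = date.fromisoformat(as_of)
    findings = []
    for asset in inventory:
        for e in json.loads(kev_json)["vulnerabilities"]:
            if asset["vendor"].lower() != e["vendorProject"].lower():
                continue
            a, k = asset["product"].lower(), e["product"].lower()
            if a not in k and k not in a:
                continue
            due = date.fromisoformat(e["dueDate"])
            findings.append({
                "host": asset["host"], "cve": e["cveID"], "due": e["dueDate"],
                "days_left": (due - today).days, "overdue": due < today,
                "ransomware": e["knownRansomwareCampaignUse"] == "Known",
            })
    return sorted(findings, key=lambda f: f["days_left"])

if __name__ == "__main__":
    for f in match_kev(KEV_SAMPLE, INVENTORY, "2025-05-10"):
        status = "OVERDUE" if f["overdue"] else f"{f['days_left']} days left"
        print(f"{f['host']}: {f['cve']} due {f['due']} ({status})")
```

In a real pipeline, replace KEV_SAMPLE with the downloaded feed and INVENTORY with the output of your asset management system; the knownRansomwareCampaignUse flag is worth surfacing when prioritizing.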

Final Thought: CISA’s continuous updates to the KEV catalog are a vital early warning system. Ignoring these warnings amounts to leaving known entry points open for cybercriminals who are actively exploiting them. Whether you belong to the private or public sector, treat each KEV addition as a top priority. Proactive vulnerability management is no longer a choice—it is a necessity for securing the modern enterprise.

César Daniel Barreto

César Daniel Barreto is a recognized cybersecurity writer and expert, known for his in-depth knowledge and his ability to simplify complex cybersecurity topics. With extensive experience in network security and data protection, he regularly contributes insightful articles and analyses on the latest cybersecurity trends, educating both professionals and the general public.