INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Apple, Laravel, Craft CMS Exploit Vulnerabilities Catalog
2026-03-22 14:40 | Severity: CRITICAL / HIGH
Executive Summary (AI-generated)
On Friday, March 20, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five actively exploited flaws to its Known Exploited Vulnerabilities (KEV) catalog and gave federal agencies until April 3, 2026 to patch them. Three affect Apple products: CVE-2025-31277 (CVSS score of 8.8, memory corruption in WebKit when processing maliciously crafted web content), CVE-2025-43510 (CVSS score of 7.8, improper locking) and CVE-2025-43520 (CVSS score of 8.8, classic buffer overflow). CISA added them after Google Threat Intelligence Group (GTIG), iVerify and Lookout reported an iOS exploit kit codenamed DarkSword that uses these flaws, together with three further bugs, to deploy the GHOSTBLADE, GHOSTKNIFE and GHOSTSABER malware families for data theft. The fourth entry, CVE-2025-32432 (CVSS score of 10.0), is a code injection flaw in Craft CMS that gives remote code execution; Orange Cyberdefense's SensePost assesses it was exploited as a zero-day from February 2025 and reported in April 2025 that attackers chained it with CVE-2024-58136, an input validation flaw in the underlying Yii framework, to breach servers and upload a PHP file manager. The fifth, CVE-2025-54068 (CVSS score of 9.8), is a code injection flaw in Laravel Livewire whose exploitation the Ctrl-Alt-Intel Threat Research team linked to the Iran-nexus group MuddyWater (aka Boggy Serpens). MuddyWater was named in 2017 after a wave of hard-to-attribute attacks between February and October of that year, and in January 2022 US Cyber Command linked it to Iran's Ministry of Intelligence and Security (MOIS). The group targets government, diplomatic, telecommunications, technology, energy, maritime and finance organisations across the Middle East, the GCC and South Asia.
Technical Mitigations (AI-generated)
* Patch the five KEV entries ahead of CISA's April 3, 2026 deadline: update Craft CMS to 3.9.15, 4.14.15 or 5.6.17 or later (CVE-2025-32432) and the Yii framework it depends on to 2.0.52 or later (CVE-2024-58136); apply the Laravel Livewire fix for CVE-2025-54068; and move iOS, iPadOS and other affected Apple devices to builds that address CVE-2025-31277, CVE-2025-43510 and CVE-2025-43520.
* Treat Craft CMS hosts that were reachable while unpatched as potentially compromised rather than merely vulnerable: CVE-2025-32432 was exploited as a zero-day from February 2025, and SensePost observed attackers uploading a PHP file manager after exploitation, so review the web root for PHP files that the deployment did not put there and the web server logs for the requests that uploaded them.
* Implement secure coding practices, such as input validation and sanitization, to prevent code injection vulnerabilities like CVE-2025-32432 (Craft CMS) and CVE-2025-54068 (Laravel Livewire).
* Keep an inventory of application dependencies, not just top-level products, so that a framework flaw such as CVE-2024-58136 in Yii, pulled in transitively by Craft CMS, is visible and patched before it can be used against systems; limit the use of outdated or unmaintained libraries and frameworks in development projects.
* Conduct regular security audits and penetration testing to identify vulnerabilities and weaknesses in systems and infrastructure.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
MuddyWater
CVE-2025-43510
CVE-2025-32432
CVE-2024-58136
CVE-2025-31277
CVE-2025-54068
CVE-2025-43520
Target Regions
GCC
MIDDLE_EAST
SOUTH_ASIA
Target Sectors
maritime
technology
energy
government
telecommunications
finance
Incident Timeline
Late 2017
The first MuddyWater campaign was observed in late 2017, when the APT group targeted entities in the Middle East.
Entities: target_region MIDDLE_EAST; threat_actor MuddyWater
January 2022
US Cyber Command (USCYBERCOM) officially linked the MuddyWater APT group to Iran's Ministry of Intelligence and Security (MOIS).
Entities: threat_actor MuddyWater; attribution US Cyber Command (USCYBERCOM), Ministry of Intelligence and Security (MOIS); source_region Iran, Islamic Republic of; attributing country United States
February 2025
CVE-2025-32432 in Craft CMS is assessed to have been exploited as a zero-day by unknown threat actors since February 2025, per Orange Cyberdefense SensePost.
Entities: vulnerability CVE-2025-32432; organisation Orange Cyberdefense SensePost
April 2025
Orange Cyberdefense's CSIRT reported that threat actors exploited two vulnerabilities in Craft CMS to breach servers and steal data. The two flaws, CVE-2025-32432 (CVSS score of 10.0) and CVE-2024-58136, are respectively a remote code execution (RCE) vulnerability in Craft CMS and an input validation flaw in the Yii framework that Craft CMS is built on. According to a report published by SensePost, Orange Cyberdefense's ethical hacking team, the attackers chained the two to breach servers and upload a PHP file manager. Both vulnerabilities have been fixed: CVE-2025-32432 was addressed in Craft CMS 3.9.15, 4.14.15 and 5.6.17, and the Yii development team addressed CVE-2024-58136 with Yii 2.0.52, released in April 2025.
Entities: vulnerability CVE-2025-32432, CVE-2024-58136; organisation Craft CMS, Orange Cyberdefense (CSIRT, SensePost), Yii; software versions Craft CMS 3.9.15, 4.14.15, 5.6.17, Yii 2.0.52
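The two operational facts in this entry, the KEV due date and the exact fixed releases, are what a defender needs to turn into a check. The following Python script is an added example, not code from the source articles, CISA, Craft CMS or Yii. It reads a document shaped like CISA's KEV JSON feed (the field names `cveID`, `vulnerabilityName`, `dateAdded` and `dueDate` are the feed's own; the excerpt itself is constructed from the four entries the articles name in full), lists the entries that fall due inside a window, and compares a constructed host inventory against the fixed versions named above. Release branches with no fixed version, such as Craft 2.x, are flagged rather than silently skipped, and a pre-release build of a fixed version is treated as unfixed.

```python
"""KEV due-date triage plus fixed-version check for Craft CMS and Yii.

Added example; not code from the source articles, CISA, Craft CMS or Yii.
The KEV excerpt and the inventory below are constructed for this example;
the fixed releases are the ones the articles name.
"""
from __future__ import annotations

import json
from datetime import date, timedelta


def _kev_entry(cve: str, vendor: str, product: str, name: str) -> dict:
    # Field names follow the real KEV feed; dates are the KEV addition and deadline.
    return {"cveID": cve, "vendorProject": vendor, "product": product,
            "vulnerabilityName": name, "dateAdded": "2026-03-20",
            "dueDate": "2026-04-03"}


# Constructed excerpt: the four entries the articles name in full.
SAMPLE_KEV_JSON = json.dumps({"catalogVersion": "2026.03.20", "vulnerabilities": [
    _kev_entry("CVE-2025-32432", "Craft CMS", "Craft CMS",
               "Craft CMS Code Injection Vulnerability"),
    _kev_entry("CVE-2025-43510", "Apple", "Multiple Products",
               "Apple Multiple Products Improper Locking Vulnerability"),
    _kev_entry("CVE-2025-43520", "Apple", "Multiple Products",
               "Apple Multiple Products Classic Buffer Overflow Vulnerability"),
    _kev_entry("CVE-2025-54068", "Laravel", "Livewire",
               "Laravel Livewire Code Injection Vulnerability"),
]})

# Constructed inventory: hosts and the framework versions they report.
SAMPLE_INVENTORY = [
    {"host": "www-1", "product": "Craft CMS", "version": "4.14.12"},
    {"host": "www-2", "product": "Craft CMS", "version": "5.6.17"},
    {"host": "www-3", "product": "Craft CMS", "version": "3.9.15"},
    {"host": "legacy", "product": "Craft CMS", "version": "2.9.4"},
    {"host": "www-1", "product": "Yii", "version": "2.0.49"},
]

# Fixed releases named in the articles, keyed by product and release branch.
FIXED_FLOORS = {
    "Craft CMS": {3: "3.9.15", 4: "4.14.15", 5: "5.6.17"},  # CVE-2025-32432
    "Yii": {2: "2.0.52"},                                   # CVE-2024-58136
}


def load_kev(text: str) -> list[dict]:
    return json.loads(text)["vulnerabilities"]


def due_within(entries: list[dict], today_iso: str, days: int) -> list[str]:
    """CVE IDs whose dueDate is today or within the next `days` days."""
    today = date.fromisoformat(today_iso)
    horizon = today + timedelta(days=days)
    return sorted(e["cveID"] for e in entries
                  if today <= date.fromisoformat(e["dueDate"]) <= horizon)


def overdue(entries: list[dict], today_iso: str) -> list[str]:
    """CVE IDs whose dueDate has already passed."""
    today = date.fromisoformat(today_iso)
    return sorted(e["cveID"] for e in entries
                  if date.fromisoformat(e["dueDate"]) < today)


def parse_version(text: str) -> tuple[int, int, int, int]:
    """'5.6.17' -> (5, 6, 17, 0). A pre-release such as '5.6.17-beta.1' gets a
    trailing -1 so it sorts below the final release and still counts as unfixed."""
    core, dash, _pre = text.strip().partition("-")
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2], -1 if dash else 0


def needs_update(product: str, version: str) -> bool:
    """True when `version` is below the fixed floor for its release branch.
    A branch with no listed fix (e.g. Craft 2.x) is flagged, not skipped."""
    floors = FIXED_FLOORS.get(product)
    if floors is None:
        return False  # product not covered by these advisories
    parsed = parse_version(version)
    floor = floors.get(parsed[0])
    return floor is None or parsed < parse_version(floor)


def triage(kev_text: str, inventory: list[dict], today_iso: str,
           window_days: int = 14) -> dict:
    """Combine the KEV deadline view with the inventory version check."""
    entries = load_kev(kev_text)
    return {
        "due_soon": due_within(entries, today_iso, window_days),
        "overdue": overdue(entries, today_iso),
        "hosts_to_patch": sorted({a["host"] for a in inventory
                                  if needs_update(a["product"], a["version"])}),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, "2026-03-22"), indent=2))
```

Run against the real feed, `SAMPLE_KEV_JSON` would be replaced by the downloaded catalog and `SAMPLE_INVENTORY` by whatever the asset database reports; the version floors stay as the vendors publish them, one per release branch, because a 4.x site cannot be "fixed" by being below 5.6.17.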
July 2025
Apple shipped the fix for CVE-2025-31277 (CVSS score of 8.8), the WebKit memory corruption flaw later added to the KEV catalog as part of the DarkSword exploit chain.
Entities: vulnerability CVE-2025-31277; organisation Apple; CVSS score 8.8
Between August 16, 2025 and February 11, 2026
In the Unit 42 reporting on MuddyWater, the threat actor is said to have run a sustained campaign against an unnamed national marine and energy company in the U.A.E., conducting four distinct waves of attack that led to the deployment of several malware families, including GhostBackDoor and Nuso (aka HTTP_VIP).
Entities: industry Energy, maritime; malware GhostBackDoor, Nuso (aka HTTP_VIP); target_region United Arab Emirates
December 2025
Apple shipped fixes for the other two Apple flaws later added to the KEV catalog: CVE-2025-43510 (CVSS score of 7.8), an improper locking vulnerability, and CVE-2025-43520 (CVSS score of 8.8), a classic buffer overflow.
Entities: vulnerability CVE-2025-43510, CVE-2025-43520; organisation Apple; CVSS scores 7.8, 8.8
Mar 21, 2026
The Hacker News reports that CISA added five actively exploited flaws in Apple products, Craft CMS and Laravel Livewire to the KEV catalog on Friday, March 20, 2026, with a federal patch deadline of April 3, 2026.
Between February and October 2017
Experts named the campaign 'MuddyWater' because of the difficulty of attributing a wave of attacks between February and October 2017 that targeted entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States.
Entities: threat_actor MuddyWater; target_region Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey, United States
2026-03-22
U.S. CISA adds Apple, Laravel Livewire and Craft CMS flaws to its Known Exploited Vulnerabilities catalog (addition made on Friday, March 20, 2026). The flaws added:
CVE-2025-31277 (CVSS score of 8.8) Apple Multiple Products Memory Corruption Vulnerability: memory corruption in WebKit when processing maliciously crafted web content; fixed by Apple in July 2025
CVE-2025-32432 (CVSS score of 10.0) Craft CMS Code Injection Vulnerability: allows a remote attacker to execute arbitrary code; fixed in April 2025
CVE-2025-43510 (CVSS score of 7.8) Apple Multiple Products Improper Locking Vulnerability; fixed by Apple in December 2025
CVE-2025-43520 (CVSS score of 8.8) Apple Multiple Products Classic Buffer Overflow Vulnerability; fixed by Apple in December 2025
CVE-2025-54068 (CVSS score of 9.8) Laravel Livewire Code Injection Vulnerability
CISA added the three Apple flaws (CVE-2025-31277, CVE-2025-43510, CVE-2025-43520) following reports from Google Threat Intelligence Group (GTIG), iVerify, and Lookout about an iOS exploit kit codenamed DarkSword that leverages these shortcomings, along with three further bugs, to deploy malware families such as GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER for data theft.
Rounding off the list is CVE-2025-54068, whose exploitation was recently flagged by the Ctrl-Alt-Intel Threat Research team as part of attacks mounted by the Iranian state-sponsored hacking group MuddyWater (aka Boggy Serpens). In a report published earlier that week, Palo Alto Networks Unit 42 called out the adversary's consistent targeting of diplomatic and critical infrastructure, including energy, maritime, and finance, across the Middle East and other strategic targets worldwide. One of the defining hallmarks of MuddyWater's tradecraft has been the use of hijacked accounts belonging to official government and corporate entities in its spear-phishing attacks, and the abuse of trusted relationships to evade reputation-based blocking systems and deliver malware. Other notable tools in the group's arsenal include UDPGangster and LampoRAT (aka CHAR). The reporting adds: "By diversifying its development pipeline to include modern coding languages like Rust and AI-assisted workflows, the group creates parallel tracks that ensure the redundancy needed to sustain a high operational tempo."
Entities: organisation CISA, Palo Alto Networks Unit 42, Google Threat Intelligence Group, iVerify, Lookout, Ctrl-Alt-Intel Threat Research, Apple, Craft CMS, Laravel; threat_actor MuddyWater (aka Boggy Serpens); malware DarkSword (exploit kit), GHOSTBLADE, GHOSTKNIFE, GHOSTSABER, UDPGangster, LampoRAT (aka CHAR); vulnerability CVE-2025-31277, CVE-2025-32432, CVE-2025-43510, CVE-2025-43520, CVE-2025-54068; infrastructure iOS
April 3, 2026
Deadline by which CISA requires federal agencies to patch the five KEV entries. Source: Ravie Lakshmanan, "CISA Flags Apple, Craft CMS, Laravel Bugs in KEV, Orders Patching by April 3, 2026", The Hacker News, Mar 21, 2026 (Vulnerability / Threat Intelligence): "The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added five security flaws impacting Apple, Craft CMS, and Laravel Livewire to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch them by April 3, 2026."
Entities: attribution CISA KEV catalog; organisation Apple, Craft CMS, Laravel; tactic T1588.006 (Obtain Capabilities: Vulnerabilities); date Mar 21, 2026
Tactical Metrics
CVE-2025-31277: CVSS 8.8; Apple Multiple Products Memory Corruption Vulnerability (WebKit, maliciously crafted web content); fixed by Apple in July 2025
CVE-2025-32432: CVSS 10.0; Craft CMS Code Injection Vulnerability (remote code execution); fixed in Craft CMS 3.9.15, 4.14.15 and 5.6.17 (April 2025)
CVE-2024-58136: input validation flaw in the Yii framework used by Craft CMS, chained with CVE-2025-32432; fixed in Yii 2.0.52 (April 2025); not among the five KEV additions
CVE-2025-43510: CVSS 7.8; Apple Multiple Products Improper Locking Vulnerability; fixed by Apple in December 2025
CVE-2025-43520: CVSS 8.8; Apple Multiple Products Classic Buffer Overflow Vulnerability; fixed by Apple in December 2025
CVE-2025-54068: CVSS 9.8; Laravel Livewire Code Injection Vulnerability; fix date not given
Affected products: Apple iOS (the three Apple flaws are used by the DarkSword exploit kit reported by GTIG, iVerify and Lookout, together with three further bugs, to deploy GHOSTBLADE, GHOSTKNIFE and GHOSTSABER); Craft CMS 3.x, 4.x and 5.x below the fixed releases; Yii below 2.0.52; Laravel Livewire
KEV remediation deadline for federal agencies: April 3, 2026
Intelligence Sources
The Hacker News
2026-03-21
Security Affairs
2026-03-22
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T11:25
Comprehensive Tactical Telemetry
Highly Correlated Entities
26x attribution (attributing authority): the Iranian Ministry of Intelligence and Security
20x organisation: Palo Alto Networks Unit 42
15x timeline (temporal reference): between August 16, 2025 and February 11, 2026
8x vulnerability (CVSS score): 7.8
8x target region (target country): Saudi Arabia
6x industry (targeted sector): Technology
6x tactic (cyber operation type): Espionage
6x vulnerability (exploited CVE): CVE-2025-31277
3x target region (target country): Israel
Contextual Telemetry
target region: MIDDLE_EAST
threat actor (APT group): MuddyWater
organisation: Palo Alto Networks Unit 42
infrastructure (affected product): iOS
tactic (MITRE ATT&CK technique): T1588.006 - Obtain Capabilities: Vulnerabilities
date: Mar 21, 2026