CISA adds five Craft CMS, Laravel, and Apple WebKit flaws to KEV, with an April 3 patch deadline

Ikesan

On March 20, 2026, CISA added five vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog and ordered US federal agencies to patch them by April 3. The affected products are Apple WebKit and Kernel, Craft CMS, and Laravel Livewire. The agency confirmed that MuddyWater, an Iran-linked threat group, and DarkSword, an iOS exploit kit, are using them in real attacks.

KEV is CISA’s list of vulnerabilities that have been confirmed exploited in the wild. Federal agencies must patch within the deadline, and private organizations usually treat it as a strong signal for prioritization.

The five entries

| CVE | Product | CVSS | Details |
|---|---|---|---|
| CVE-2025-32432 | Craft CMS | 10.0 | code injection leading to unauthenticated RCE |
| CVE-2025-54068 | Laravel Livewire | 9.8 | code injection leading to unauthenticated RCE |
| CVE-2025-31277 | Apple WebKit | 8.8 | memory corruption leading to arbitrary code execution |
| CVE-2025-43520 | Apple Kernel | 8.8 | memory corruption leading to kernel memory write |
| CVE-2025-43510 | Apple Kernel | 7.8 | memory corruption leading to shared-memory tampering between processes |

Craft CMS CVE-2025-32432 (CVSS 10.0)

This was already fixed in April 2025, but exploitation started before the patch. The Mimo group, also known as Hezb, was using it as a zero-day by February 2025, so the KEV listing is a catch-up rather than a surprise.

The core issue is template-engine code injection. Craft CMS uses Twig templates, and in places where user input is not validated properly, it is evaluated as server-side code. Because the bug allows remote, unauthenticated execution of PHP code, it gets the maximum CVSS 10.0 score.

Any environment that has not been upgraded to the patched releases is exposed: 4.x should be at v4.14.2 or later, and 5.x should be at v5.6.2 or later.
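
The version check above can be automated against a project's composer.lock. The following Python script is an added example, not code from the original article or from the Craft CMS project. It assumes Craft is installed through Composer as the `craftcms/cms` package; the sample lock file is constructed, and branches other than 4.x and 5.x are reported as unknown because the article gives no threshold for them.

```python
import json
import re

# Patched minimums stated in the article, keyed by major branch.
PATCHED_MIN = {4: (4, 14, 2), 5: (5, 6, 2)}
PACKAGE = "craftcms/cms"  # assumption: Craft CMS installed via Composer


def parse_version(raw):
    """Turn 'v4.14.1' or '5.6.2-beta.1' into ((4, 14, 1), is_prerelease)."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)(.*)$", raw.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    return tuple(int(g) for g in m.group(1, 2, 3)), bool(m.group(4))


def assess(raw_version):
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one version."""
    version, prerelease = parse_version(raw_version)
    minimum = PATCHED_MIN.get(version[0])
    if minimum is None:
        return "unknown-branch"  # the article gives no threshold here
    if version > minimum:
        return "patched"
    # A pre-release of the fixed version sorts before the fixed release.
    if version == minimum and not prerelease:
        return "patched"
    return "vulnerable"


def audit_lock(lock_text):
    """Find craftcms/cms in composer.lock JSON and assess its version."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            return pkg["version"], assess(pkg["version"])
    return None, "not-installed"


# Constructed sample composer.lock, trimmed to the fields used here.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "twig/twig", "version": "v3.10.3"},
    {"name": "craftcms/cms", "version": "4.14.1"},
]})

if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK))
```
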

Laravel Livewire CVE-2025-54068 (CVSS 9.8)

This one was fixed in July 2025. MuddyWater, also called Boggy Serpents, is using it in attacks against organizations and critical infrastructure in the Middle East.

Laravel Livewire is a framework that handles real-time components on the server side. The bug sits in component serialization and deserialization, and under the right conditions an unauthenticated attacker can execute remote commands.

MuddyWater has long been tracked in MITRE ATT&CK reporting. Its typical playbook combines phishing with initial access through vulnerable web applications. Because Laravel Livewire is widely used in the PHP ecosystem, the exposure surface is broad.

The attack chain looks like this:

```mermaid
graph TD
    A[Attacker] -->|sends a malicious request| B[Laravel Livewire endpoint]
    B -->|deserialization path| C[code evaluation]
    C -->|auth bypass| D[arbitrary command execution]
    D --> E[backdoor deployment]
    D --> F[credential theft]
    D --> G[lateral movement]
    E & F & G -->|C2 communication| H[MuddyWater C2]
```

Apple WebKit and Kernel, via the DarkSword exploit kit

The three Apple flaws are tied to the DarkSword iOS exploit kit. Google Threat Intelligence Group, iVerify, and Lookout jointly analyzed DarkSword, which deploys the GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER malware families for data theft.

WebKit (CVE-2025-31277, CVSS 8.8) is the engine behind Safari and all browsers on iOS, so malicious web content alone is enough for initial compromise. From there, the Kernel bugs (CVE-2025-43520 for privilege escalation, and CVE-2025-43510 for shared-memory tampering) complete the takeover.

All three are already patched: CVE-2025-31277 in the July 2025 Apple updates, and CVE-2025-43510 plus CVE-2025-43520 in the December 2025 iOS, iPadOS, and macOS updates.

Deadlines and priority

The federal deadline is April 3, 2026. For private organizations, the two web-facing issues, Craft CMS and Laravel Livewire, should be treated as top priority because they are the most attractive to attackers.

Craft CMS is often exposed through an internet-facing admin panel. Laravel apps using Livewire can also expose the relevant endpoints directly, depending on routing and deployment settings.

For Apple devices, the basic rule is to keep iOS and macOS current. If the July or December 2025 updates are still missing, those devices need to be updated immediately.