CISA Mandates Federal Agencies to Patch Known Vulnerabilities by September 24, 2025

CISA's directive covers a range of vulnerabilities, including two new ones affecting TP-Link devices. Agencies must act by September 24 to secure their networks.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a broad directive to all US Federal Civilian Executive Branch agencies. The order mandates patching the critical vulnerabilities listed in the Known Exploited Vulnerabilities Catalog by September 24, 2025. The alert does not name specific agencies; it covers a range of vulnerabilities, including CVE-2024-36401.

CISA has recently updated its catalog to include two new vulnerabilities affecting TP-Link devices. The first, CVE-2023-50224, is a flaw in the TP-Link TL-WR841N router that allows unauthenticated attackers to access stored credentials. This vulnerability, with a CVSS score of 6.5, poses a significant risk to users.

The second vulnerability, CVE-2025-9377, is an authenticated remote code execution (RCE) flaw affecting TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 devices. Because these devices are end-of-life, CISA urges customers to either replace or patch them immediately to mitigate potential attacks exploiting this vulnerability.

CISA's directive is a proactive measure to protect federal agencies and their users from potential cyber threats. By mandating the patching of known vulnerabilities, CISA aims to strengthen the cybersecurity posture of federal agencies and safeguard sensitive information. Agencies are advised to comply with the directive by the given deadline to ensure the security of their networks and systems.
