The Cybersecurity & Infrastructure Security Agency (CISA) has announced the addition of two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. These were added due to evidence of active exploitation and are frequent attack vectors for malicious actors. CISA believes these flaws present a notable risk to the federal enterprise. 

The vulnerabilities are: 

• CVE-2020-24363, a TP-link TL-WA855RE Missing Authentication for Critical Function Flaw
• CVE-2025-55177, a Meta Platforms WhatsApp Incorrect Authorization Flaw

Security Leaders Weigh In

Randolph Barr, Chief Information Security Officer at Cequence Security:

The challenge here isn’t so much about enterprises deliberately deploying extenders. In the companies I’ve worked with, it’s rarely a topic because enterprise-grade wireless solutions already solve for coverage. The real issue is our workforce. Employees working from home often turn to consumer extenders as a cheap and easy way to fix Wi-Fi dead zones. The problem is these devices usually ship with weak security, rarely get patched, and most users don’t think to replace them until they see a tangible benefit (speed, easier management, etc.). 

That’s how EoL gear ends up staying in circulation long after the vendor stops providing fixes. From a corporate standpoint, if I ever found extenders in the office, that would be a red flag. There are practical ways to check for this — scanning for TP-Link MAC OUIs and unusual SSIDs, pulling DHCP lease tables, or enabling rogue AP detection. More importantly, we need clear communication:

• Internally, personal extenders are not allowed in the office.
• Externally to our employees, to raise awareness of the risks of running EoL consumer devices like the TP-Link KEV notice highlights.

That combination of visibility, policy and communication is what stands out to me in why this flaw landed on the KEV list. It’s not just about the vulnerability, it’s about the reality that unmanaged consumer gear can quietly extend your attack surface if not addressed.

Mr. Mayuresh Dani, Security Research Manager, at Qualys Threat Research Unit:

The addition CVE-2020-24363 to the KEV shows that there is ongoing exploitation of unmaintained, legacy devices and also that these devices have not been upgraded even after a period of five years! These devices will remain permanently vulnerable in environments where replacement isn't immediate, providing threat actors with a reliable foothold for lateral movement within networks. The vulnerability exists in TP-Link Device Debug Protocol that has had systemic vulnerabilities across device families and multiple proof-of-concept codes exploiting these vulnerabilities are also publicly available. These TP-Link devices also represent a significant attack surface due to widespread deployment as these devices can be found deployed in both residential and small business environments. 

CVE-2025-55177 represents advanced exploitation techniques that is exacerbated when combined with CVE-2025-43300, the Apple’s ImageIO framework vulnerability for a complete device compromise. This zero-click WhatsApp vulnerability represents an evolution in messaging platform by successfully chaining OS-level vulnerabilities. 

The combination of widespread legacy device deployment, existence of similar vulnerabilities and confirmed commercial spyware campaigns warrants the inclusion of these vulnerabilities and their prioritization and remediation efforts across both federal and private sector environments.

Jason Soroko, Senior Fellow at Sectigo:

What stands out is how different these two cases are but both point to real-world exploitation. The TP-Link flaw is a textbook example of an old, high-scoring bug still actively abused because devices remain in the field long after end of support. A trivial reset-and-takeover path for an attacker on the local network makes it low effort and high reward, which is exactly the kind of thing CISA wants off critical environments. The KEV listing is a reminder that consumer-grade gear often lingers unpatched and becomes a soft target.

The WhatsApp case is the opposite end of the spectrum. It is a moderate severity flaw on paper but is proven to be part of a sophisticated chain against high-value targets. The KEV listing signals that even flaws with modest CVSS scores can be dangerous when combined with other zero-days in commercial spyware operations. Both entries highlight that exploitation in the wild is what drives KEV inclusion, not theoretical impact scores, and that defenders should weigh exposure and threat activity over CVSS numbers alone.