U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Smartbedded Meteobridge, Samsung, Juniper ScreenOS, Jenkins, and GNU Bash flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) [added](https://www.cisa.gov/news-events/alerts/2025/10/02/cisa-adds-five-known-exploited-vulnerabilities-catalog) Smartbedded Meteobridge, Samsung, Juniper ScreenOS, Jenkins, and GNU Bash flaws to its [Known Exploited Vulnerabilities (KEV) catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog).

Below are the descriptions for these flaws:

* [CVE-2014-6278](https://www.cve.org/CVERecord?id=CVE-2014-6278) GNU Bash OS Command Injection Vulnerability
* [CVE-2015-7755](https://www.cve.org/CVERecord?id=CVE-2015-7755) Juniper ScreenOS Improper Authentication Vulnerability
* [CVE-2017-1000353](https://www.cve.org/CVERecord?id=CVE-2017-1000353) Jenkins Remote Code Execution Vulnerability
* [CVE-2025-4008](https://www.cve.org/CVERecord?id=CVE-2025-4008) Smartbedded Meteobridge Command Injection Vulnerability
* [CVE-2025-21043](https://www.cve.org/CVERecord?id=CVE-2025-21043) Samsung Mobile Devices Out-of-Bounds Write Vulnerability

In October 2024, the IT community worldwide was shocked by the discovery of the [Bash Bug](http://securityaffairs.co/wordpress/28615/hacking/bash-bug-critical-risk.html) flaw, a vulnerability that had affected the popular Bash component for over two decades. While principal vendors were working to provide the necessary patches for vulnerable Linux and Unix systems, the researcher Michal Zalewski [found two additional bugs in the Bourne Again Shell](http://lcamtuf.blogspot.it/2014/10/bash-bug-how-we-finally-cracked.html). One of the two bugs, tracked as [CVE-2014-6278](https://securityaffairs.com/28909/hacking/bash-bug-incomplete-patches.html), could, like the original [Bash Bug vulnerability (CVE-2014-6271)](http://resources.infosecinstitute.com/bash-bug-cve-2014-6271-critical-vulnerability-scaring-internet/), be exploited for remote arbitrary code execution. Experts explained that it exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.

The second flaw added to the KEV catalog, tracked as [CVE-2015-7755](https://securityaffairs.com/42971/hacking/juniper-screenos-authentication-backdoor.html), is an administrative access issue. Remote attackers could exploit the flaw to obtain administrative access by entering an unspecified password during a (1) SSH or (2) TELNET session.

The third issue added to the catalog, tracked as [CVE-2017-1000353](https://securityaffairs.com/58916/hacking/jenkins-rce.html), affects the Jenkins CLI. "An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, which would be deserialized using a new ObjectInputStream, bypassing the existing blacklist-based protection mechanism. SignedObject has been added to the remoting blacklist," reads the [security advisory](https://jenkins.io/security/advisory/2017-04-26/) published by Jenkins.

CISA also added the vulnerability CVE-2025-4008 to the catalog. The issue is a command injection flaw in Smartbedded MeteoBridge's web interface that allows remote, unauthenticated attackers to execute arbitrary root commands.

The last issue added to the catalog impacts Samsung devices: an out-of-bounds write tracked as [CVE-2025-21043](https://securityaffairs.com/182135/hacking/samsung-fixed-actively-exploited-zero-day.html). The vulnerability resides in libimagecodec.quram.so prior to SMR Sep-2025 Release 1. A remote attacker can exploit the flaw to execute arbitrary code.

According to [Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](https://cyber.dhs.gov/bod/22-01/), FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog. Experts also recommend that private organizations review the [Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by October 23, 2025.

[Pierluigi Paganini](http://www.linkedin.com/pub/pierluigi-paganini/b/742/559) ([SecurityAffairs](http://securityaffairs.co/wordpress/) — hacking, CISA)
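The recommendation above, that organizations review the KEV catalog against their own infrastructure, is easy to automate because CISA publishes the catalog as a JSON feed. The following is an added example (not from the article or from CISA) that triages a feed excerpt against a local asset inventory and ranks hits by BOD 22-01 due date; the feed entries, the inventory and the reference date are constructed, and matching assumes the inventory uses the feed's vendor/product naming.

```python
"""Triage a CISA KEV feed excerpt against a local asset inventory.

Added example, not the article's or CISA's code. The field names
(cveID, vendorProject, product, dateAdded, dueDate) follow the public KEV
JSON feed; the entries, the inventory and "today" below are constructed.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the KEV JSON feed (other fields omitted).
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2014-6278", "vendorProject": "GNU", "product": "Bash",
     "dateAdded": "2025-10-02", "dueDate": "2025-10-23"},
    {"cveID": "CVE-2015-7755", "vendorProject": "Juniper", "product": "ScreenOS",
     "dateAdded": "2025-10-02", "dueDate": "2025-10-23"},
    {"cveID": "CVE-2017-1000353", "vendorProject": "Jenkins", "product": "Jenkins",
     "dateAdded": "2025-10-02", "dueDate": "2025-10-23"},
    {"cveID": "CVE-2025-4008", "vendorProject": "Smartbedded", "product": "Meteobridge",
     "dateAdded": "2025-10-02", "dueDate": "2025-10-23"},
    {"cveID": "CVE-2025-21043", "vendorProject": "Samsung", "product": "Mobile Devices",
     "dateAdded": "2025-10-02", "dueDate": "2025-10-23"},
]})

# Constructed inventory: (vendor, product, hostname). Matching is by vendor and
# product name (case-insensitive), so inventory naming must follow the feed's.
INVENTORY = [
    ("jenkins", "jenkins", "ci-01"),
    ("gnu", "bash", "web-07"),
    ("microsoft", "windows", "dc-01"),
]

def triage(feed_json, inventory, today):
    """Return (hostname, cveID, days_left) tuples, most urgent first.
    days_left < 0 means the catalog due date has already passed."""
    feed = json.loads(feed_json)
    by_product = {}
    for v in feed["vulnerabilities"]:
        key = (v["vendorProject"].lower(), v["product"].lower())
        by_product.setdefault(key, []).append(v)
    hits = []
    for vendor, product, host in inventory:
        for v in by_product.get((vendor.lower(), product.lower()), []):
            due = date.fromisoformat(v["dueDate"])
            hits.append((host, v["cveID"], (due - today).days))
    return sorted(hits, key=lambda h: (h[2], h[0]))

if __name__ == "__main__":
    for host, cve, days in triage(KEV_FEED, INVENTORY, date(2025, 10, 20)):
        print(f"{host}: {cve} {'OVERDUE' if days < 0 else f'{days} days left'}")
```

In production the feed would be fetched from CISA's published JSON URL rather than embedded, and the inventory would come from a CMDB or vulnerability scanner export.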