The most useful thing about CISA’s March 20, 2026 update to the Known Exploited Vulnerabilities catalog is that it refuses to respect anyone’s preferred security silo. In one batch, CISA added three Apple flaws, one Craft CMS remote code execution bug, and one Laravel Livewire code injection issue, all with a federal remediation deadline of April 3, 2026. That is not a random shopping list. It is a reminder that exploited vulnerability management is not about whether a problem belongs to endpoint, infrastructure, or application security. It is about whether an attacker has a working path into something you actually run. Attackers, as ever, remain stubbornly uncommitted to our internal reporting lines.
The five CVEs CISA added on March 20 are CVE-2025-31277, CVE-2025-43510, CVE-2025-43520, CVE-2025-32432, and CVE-2025-54068. Read together, they form a much better prioritization lesson than most vulnerability dashboards manage in a quarter. Apple represents the user endpoint and browser-engine side of the house. Craft CMS represents the exposed content platform that often sits quietly in front of a business until it becomes the whole incident. Livewire represents the framework component buried inside custom application logic, which is exactly the sort of thing teams assume is “owned somewhere else” right up until someone else’s problem starts beaconing.
Craft is the easiest place to start because the vendor guidance is unusually concrete. Craft says it received a report on April 7, 2025, confirmed the issue, and released patched versions 3.9.15, 4.14.15, and 5.6.17 on April 10, 2025. Then on April 17, 2025, the company said it found evidence suggesting active exploitation in the wild. That timeline is fast enough on its own, but the details matter more. Craft specifically told defenders to inspect requests to the actions/assets/generate-transform endpoint for POST bodies containing __class, warned that scanned sites are not necessarily compromised but are at least in the blast radius, and laid out real incident-response guidance: take sites offline if compromised, remove payloads, rotate the Craft security key, rotate other private keys, and rotate database credentials. That is not the language of leisurely patch management. That is the language of “please stop treating the CMS as decorative.”
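The hunt Craft describes, turned into a small script. This is an added example written for this post, not Craft's own tooling. It assumes a JSON Lines request log in which a WAF or reverse proxy captured method, path, query, body and source IP; a plain web-server access log has no POST body, so on that input only the endpoint check can fire. The `p=` query form and the `action=` request parameter are matched as well as the `actions/` path segment (an assumption about which routing forms are worth covering; Craft's note names the path form), and the sample log, including the `__class` placeholder value, is constructed rather than real traffic.

```python
"""Hunt a captured-request log for traffic to Craft's assets/generate-transform
action. Added example for this post, not Craft's own tooling.

Assumptions: the log is JSON Lines, one request per line, with method, path,
query, body and src_ip fields captured by a WAF or reverse proxy. Plain web
server access logs carry no POST body, so on those only the endpoint check
can fire and body inspection has to come from another source.
"""
import json
import re
from urllib.parse import unquote_plus

# The action Craft told defenders to inspect.
ACTION_ROUTE = "assets/generate-transform"
# Craft reaches actions through an `actions/<route>` path segment; the `p=` query
# form (no URL rewriting) and the `action=<route>` request parameter are covered
# as well (assumption: both routing forms are worth matching, the vendor note
# names only the path form).
PATH_RE = re.compile(r"(?:^|[/=])actions/" + re.escape(ACTION_ROUTE) + r"(?:[/?&]|$)")
PARAM_RE = re.compile(r"(?:^|[&?])action=" + re.escape(ACTION_ROUTE) + r"(?:&|$)")
# The request-body marker Craft named.
BODY_MARKER = "__class"


def targets_generate_transform(path, query, body):
    """True if the request addresses the generate-transform action by any covered route form."""
    url = unquote_plus(path or "") + "?" + unquote_plus(query or "")
    if PATH_RE.search(url) or PARAM_RE.search(url):
        return True
    return bool(body) and PARAM_RE.search(unquote_plus(body)) is not None


def classify(event):
    """'exploit_indicator' for a POST to the action carrying the marker,
    'endpoint_hit' for any other request to it (legitimate image transforms
    hit this action too, so this is a review queue, not a verdict),
    'benign' otherwise."""
    path, query = event.get("path", ""), event.get("query", "")
    body = event.get("body") or ""
    if not targets_generate_transform(path, query, body):
        return "benign"
    is_post = event.get("method", "").upper() == "POST"
    if is_post and BODY_MARKER in unquote_plus(body).lower():
        return "exploit_indicator"
    return "endpoint_hit"


def hunt(log_lines):
    """Group non-benign verdicts by source IP across an iterable of JSON Lines records."""
    findings = {}
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        verdict = classify(event)
        if verdict != "benign":
            findings.setdefault(event.get("src_ip", "?"), []).append(verdict)
    return findings


# Constructed sample log (not real traffic). The `__class` value is a placeholder
# marker, not a working payload.
SAMPLE_LOG = [
    '{"src_ip":"203.0.113.10","method":"GET","path":"/actions/assets/generate-transform","query":"","body":""}',
    '{"src_ip":"198.51.100.7","method":"POST","path":"/index.php","query":"p=actions/assets/generate-transform","body":"assetId=1&%5F%5Fclass=placeholder"}',
    '{"src_ip":"198.51.100.7","method":"POST","path":"/index.php","query":"","body":"action=assets%2Fgenerate-transform&__class=placeholder"}',
    '{"src_ip":"192.0.2.5","method":"GET","path":"/blog/hello","query":"","body":""}',
]

if __name__ == "__main__":
    for ip, verdicts in hunt(SAMPLE_LOG).items():
        print(ip, sorted(set(verdicts)))
```

Two design points worth keeping in mind. The body is URL-decoded before the marker check so a percent-encoded `__class` still matches, and an `endpoint_hit` is deliberately not called an attack: Craft sites generate image transforms through this action in normal operation, so the marker, not the endpoint, is what separates an exploitation attempt from background traffic, which is exactly the distinction Craft drew between scanned and compromised.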
Livewire tells a different but equally familiar story. The GitHub advisory for CVE-2025-54068 was published on July 17, 2025, marks the issue as critical, and says Livewire v3 through 3.6.3 is vulnerable to unauthenticated remote command execution in specific component configurations. The patch is version 3.6.4. The workaround section is brutally short because there is no workaround. That alone should get a team’s attention. What pushes it from important to queue-jumping is the exploitation context. CISA’s KEV entry says it is actively exploited, and ThreatHunter.ai’s March 2026 report shows an Iranian threat actor using a custom Nuclei template for CVE-2025-54068 in active operations. In other words, this is not just a framework maintainer having a bad Thursday. It is a reminder that the weird little hydration bug inside a Laravel component can become a real intrusion path once someone operationalizes it.
The Apple side of the batch is where many enterprise teams risk getting intellectually lazy. Because the affected products include Safari, iOS, iPadOS, macOS, tvOS, watchOS, and visionOS, there is a temptation to read the story as consumer-device noise unless you are already a mobile-security obsessive. That would be a mistake. Apple’s Safari 18.6 security advisory shows CVE-2025-31277 was fixed on July 30, 2025 as a WebKit memory-corruption issue triggered by malicious web content. Apple’s macOS Sonoma 14.8.2 advisory, released on November 3, 2025 and updated on December 12, 2025, includes CVE-2025-43510 and CVE-2025-43520 as kernel memory-corruption issues that could let a malicious application alter shared memory between processes or write kernel memory. By March 20, 2026, CISA was comfortable enough with the exploitation evidence to put all three into KEV. That should land with any organization where phones carry MFA prompts, Macs carry cloud tokens, and “just a browser bug” still leads to identity loss and session theft.
The broader thesis is simple: KEV is often most valuable when it collapses arguments that would otherwise waste a week. On March 20, 2026, CISA effectively handed defenders a cross-functional to-do list and put a date on it. If you run Apple fleets, you need to know how many lagging endpoints still sit behind because users defer updates until the laptop develops a personality. If you run Craft, you need to know whether any externally reachable sites ever saw suspicious requests to the vulnerable controller path and whether credentials or keys were rotated after patching. If you run Livewire v3, you need to know whether 3.6.4 or later is actually deployed everywhere, not merely mentioned in a ticket that achieved enlightenment and left the sprint board.
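The version validation asked for here (Craft at 3.9.15, 4.14.15 or 5.6.17 and Livewire at 3.6.4 or later), as a check over `composer.lock`. This is an added example written for this post, not CISA, Craft or Livewire tooling; the thresholds are the ones the vendor notes cited here give, and the two lock files at the bottom are constructed, trimmed to the fields the check reads.

```python
"""Check a composer.lock against the fixed versions this post cites:
Craft CMS 3.9.15 / 4.14.15 / 5.6.17 (CVE-2025-32432) and Livewire 3.6.4
(CVE-2025-54068). Added example, not vendor or CISA tooling; the only inputs
it trusts are the lock file and these thresholds."""
import json
import re

# package -> {major: first fixed version}. Majors without an entry are reported
# as out of this check's scope rather than silently called safe.
FIXED = {
    "craftcms/cms": {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)},
    "livewire/livewire": {3: (3, 6, 4)},
}

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_version(text):
    """Return (major, minor, patch, is_final) or None for non-numeric versions
    such as `dev-main`. A pre-release suffix (-beta.1, -RC2) sorts below the
    final release of the same number; a +build suffix does not."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    suffix = m.group(4)
    is_final = 1 if suffix == "" or suffix.startswith("+") else 0
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), is_final)


def assess(package, version):
    """'vulnerable', 'patched', 'unscoped' (package or major not covered here),
    or 'needs_review' (branch alias or unparseable version)."""
    thresholds = FIXED.get(package)
    if thresholds is None:
        return "unscoped"
    parsed = parse_version(version)
    if parsed is None:
        return "needs_review"
    fixed = thresholds.get(parsed[0])
    if fixed is None:
        return "unscoped"
    return "patched" if parsed >= fixed + (1,) else "vulnerable"


def check_lock(lock_text):
    """Map each in-scope package in composer.lock (packages and packages-dev)
    to (installed version, verdict)."""
    lock = json.loads(lock_text)
    report = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name, version = pkg.get("name", ""), pkg.get("version", "")
            if name in FIXED:
                report[name] = (version, assess(name, version))
    return report


# Constructed lock files (trimmed to the fields this check reads).
LARAVEL_LOCK = json.dumps({"packages": [
    {"name": "laravel/framework", "version": "v11.44.0"},
    {"name": "livewire/livewire", "version": "v3.6.3"},
], "packages-dev": []})
CRAFT_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "5.6.17"},
], "packages-dev": []})

if __name__ == "__main__":
    for label, lock in (("laravel", LARAVEL_LOCK), ("craft", CRAFT_LOCK)):
        for name, (version, verdict) in check_lock(lock).items():
            print(f"{label}: {name} {version} -> {verdict}")
```

Two caveats the check encodes on purpose. A pre-release of the fixed number (`3.6.4-beta.1`) is still reported vulnerable, and a branch alias such as `dev-main` is reported for review rather than guessed at. Run it against the lock file actually deployed (the one inside the container or on the host), not the one in the repository, because the gap between those two is precisely the "mentioned in a ticket" problem the paragraph above describes.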
There is also an uncomfortable lesson here about patch age. None of these bugs are brand new in the vendor sense. Craft fixed its issue in April 2025. Livewire shipped 3.6.4 in July 2025. Apple had fixes out between July and November 2025, with some advisory entries updated in December 2025. Yet on March 20, 2026 they became fresh again because exploitation made them fresh again. This is why “we patched that months ago” is not a control. It is a hypothesis that still needs asset coverage, version validation, and enough telemetry to tell whether the patch happened before or after someone already walked through the door.
Operationally, the right response is less glamorous than most conference talks and far more useful. Treat the CISA due date as a forcing function to join three inventories that are usually maintained by three different tribes: device management for Apple, exposed-site ownership for Craft, and application dependency ownership for Livewire. Verify the versions. Verify reachability. Verify whether there is any evidence of scanning or exploitation. Where the vendor says compromise assessment is warranted, believe them the first time. Craft in particular was kind enough to include what to hunt for, which is about as close as a defender gets to the internet whispering answers during the exam.
What makes this story worth explaining on March 23, 2026 is not merely that five CVEs hit KEV. That happens. The reason this batch matters is that it shows how exploitation pressure cuts across product classes that many teams still manage with different urgency. Browser and kernel bugs on Apple devices, an internet-facing CMS RCE, and a Laravel component flaw all ended up in the same federal priority lane for the same reason: somebody is using them. Once that is true, stack preference becomes trivia. What matters is whether your security program can convert exploitation intelligence into asset-specific action before the next polite advisory turns into a much ruder incident.
Sources
Primary sources for this post are CISA’s March 20, 2026 alert on five new KEV additions and the live Known Exploited Vulnerabilities Catalog, Apple’s security notes for Safari 18.6 and macOS Sonoma 14.8.2, Craft CMS’s April 2025 incident note for CVE-2025-32432, and GitHub’s advisory for Livewire CVE-2025-54068 plus the v3.6.4 release. For high-signal secondary context on exploitation, I also used The Hacker News’ March 21, 2026 report on CISA’s Apple, Craft CMS, and Livewire KEV action and ThreatHunter.ai’s March 2026 technical report on Iranian threat-actor infrastructure and tooling, which includes a custom Nuclei template for CVE-2025-54068.