The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two newly disclosed critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: one in Adobe ColdFusion and another in the Langflow visual framework for building AI agents. Two Joomla extension flaws were also included, according to SecurityWeek. CISA has given federal agencies until July 10 to patch these vulnerabilities.

CISA is specifically prioritizing the Langflow authentication bypass flaw, ordering federal agencies to patch it by Friday. This vulnerability is being actively exploited in the wild, though BleepingComputer did not detail the attacker or scope. The ColdFusion and Joomla flaws are also under active exploitation, with CISA deeming them a clear and present risk to federal networks.

The Langflow vulnerability allows an attacker to bypass authentication mechanisms, potentially gaining unauthorized access to AI agent deployments. Technical specifics of the attack vector have not been publicly disclosed in detail, but CISA's addition to the KEV catalog indicates exploit code or active campaigns exist. Indicators of compromise are not yet widely published.

Adobe has released security updates for the ColdFusion flaw, and patches for the Langflow vulnerability are available. Joomla extension vendors have also provided fixes. CISA strongly urges all organizations, not just federal agencies, to apply these patches immediately or implement vendor-provided workarounds.

Attribution for the exploitation campaigns remains unclear. This rapid addition of multiple distinct vulnerabilities to the KEV catalog underscores the aggressive threat landscape targeting widely deployed enterprise and AI infrastructure software.