The U.S. Cybersecurity and Infrastructure Security Agency has issued an urgent warning that threat actors are actively exploiting security flaws in the Linux kernel and the Android operating system — two platforms that together underpin a vast swath of the world's digital infrastructure.

According to BleepingComputer, CISA added the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue — a registry of security flaws that the agency considers to pose a particularly serious risk. Inclusion in the KEV catalogue carries significant weight: while it formally mandates patching only for U.S. federal civilian agencies under Binding Operational Directive 22-01, the list is widely treated across the global security community as a definitive reference for high-priority threats requiring immediate attention.

Specific CVE identifiers and affected software versions are available in CISA's official KEV catalogue.

A Broad Attack Surface

The scale of the potential impact is what makes this advisory especially concerning. Linux-based systems power the majority of the world's cloud computing infrastructure, enterprise servers, embedded devices, and Internet of Things deployments. Android, which is built on a modified Linux kernel, dominates the global smartphone market with billions of active devices worldwide. Vulnerabilities in these platforms effectively create an enormous attack surface that spans consumer electronics through to critical national infrastructure.

While CISA's advisory does not name the specific threat actors behind the exploitation campaigns, active exploitation in the wild means that malicious code leveraging these flaws has already been observed in real-world attacks — not merely in theoretical or laboratory conditions. Organizations running affected versions are therefore urged to assess their exposure and apply patches without delay.

A Shift in Open-Source Risk Perception

The incident adds to a growing body of evidence challenging the long-held assumption that open-source software is inherently more secure by virtue of its transparency. While the "many eyes" theory — the idea that publicly auditable code will have its bugs found and fixed faster — has long been a pillar of the open-source philosophy, sophisticated threat actors have increasingly turned their attention to widely deployed open-source components precisely because compromising a single widely-used library or kernel can yield access to millions of systems simultaneously.

High-profile supply chain attacks and kernel-level exploits in recent years have forced a recalibration of how the industry evaluates open-source security. The focus has shifted from whether open-source code contains vulnerabilities — all software does — to whether the ecosystems around these projects have the resources and processes to detect, patch, and distribute fixes quickly enough to outpace adversaries.

What Organizations Should Do

CISA's standard guidance following a KEV catalogue addition is clear: identify whether any systems in your environment are running affected versions of the Linux kernel or Android, prioritise patching based on exposure and criticality, and implement network-level mitigations such as segmentation and enhanced monitoring where immediate patching is not feasible.

For IT administrators and security teams, the advisory serves as a timely reminder to maintain a comprehensive asset inventory — you cannot patch what you do not know you are running. It also reinforces the importance of subscribing to vulnerability disclosure feeds and maintaining a disciplined patch management cycle, particularly for foundational components like operating system kernels.
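The triage step CISA's guidance describes, matching an asset inventory against the KEV catalogue and prioritising by due date, as an added Python example that is not code from CISA or from the original article; the feed sample, CVE IDs, hostnames and dates are constructed placeholders, while the field names follow the layout of CISA's published KEV JSON feed.

```python
import json
from datetime import date

# Constructed sample in the layout of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The CVE IDs and dates below are placeholders, not real catalogue entries.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "Linux", "product": "Kernel",
     "dueDate": "2025-01-31", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00002", "vendorProject": "Android", "product": "Framework",
     "dueDate": "2025-01-31", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00003", "vendorProject": "ExampleCorp", "product": "Widget",
     "dueDate": "2024-12-22", "knownRansomwareCampaignUse": "Known"},
]})

# Constructed asset inventory: host -> platform names, compared case-insensitively
# against each KEV entry's vendorProject and product fields.
INVENTORY = {
    "db-01": ["linux"],
    "sales-phone-7": ["android"],
    "kiosk-3": ["widget"],
}


def affected_entries(entries, platforms):
    """KEV entries whose vendor or product name matches one of the host's platforms."""
    wanted = {p.lower() for p in platforms}
    return [e for e in entries
            if e["vendorProject"].lower() in wanted or e["product"].lower() in wanted]


def triage(feed_text, inventory, today):
    """Return findings sorted most urgent first; days_to_due < 0 means the
    catalogue's (BOD 22-01) due date has already passed."""
    entries = json.loads(feed_text)["vulnerabilities"]
    findings = []
    for host, platforms in inventory.items():
        for e in affected_entries(entries, platforms):
            days = (date.fromisoformat(e["dueDate"]) - today).days
            findings.append({"host": host, "cve": e["cveID"], "days_to_due": days,
                             "ransomware": e["knownRansomwareCampaignUse"] == "Known"})
    return sorted(findings, key=lambda f: (f["days_to_due"], f["host"]))


def demo_findings():
    """Run the triage over the constructed sample as of a fixed reference date."""
    return triage(SAMPLE_KEV, INVENTORY, date(2025, 1, 20))


if __name__ == "__main__":
    for f in demo_findings():
        state = "OVERDUE" if f["days_to_due"] < 0 else f"due in {f['days_to_due']}d"
        print(f"{f['host']:<14} {f['cve']}  {state}  ransomware={f['ransomware']}")
```

Point the loader at the live feed instead of `SAMPLE_KEV` and at a real inventory export to get a due-date-ordered worklist; the `ransomware` flag is a second axis for prioritising when several entries share a due date.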

As the boundaries between consumer and enterprise platforms continue to blur — with Android devices increasingly used in business contexts and Linux workloads expanding in cloud environments — the distinction between "consumer vulnerabilities" and "enterprise vulnerabilities" is becoming less meaningful. A flaw in the Linux kernel is, in practice, a flaw in a significant portion of the world's computing infrastructure, and should be treated accordingly.
