U.S. Government Gives Agencies Two Weeks to Patch Four Actively Exploited Flaws
Critical security holes in Adobe ColdFusion, Langflow, and Joomla extensions are already being used by attackers. Federal agencies have until July 10 to fix them.

Key points
- CISA, the U.S. government's Cybersecurity and Infrastructure Security Agency, added four newly confirmed vulnerabilities to its official "Known Exploited Vulnerabilities" list in June 2025.
- Two flaws affect Adobe ColdFusion, software companies use to build websites and web applications, and are rated critical.
- One vulnerability affects Langflow, an open-source tool used to build artificial intelligence applications.
- Two further flaws affect extensions for the Joomla content management system, which powers millions of public-facing websites.
- All U.S. federal agencies must apply fixes by July 10, 2025.
CISA's Known Exploited Vulnerabilities catalog works like a public alarm bell. When a flaw lands on that list, it means investigators have confirmed real attackers are already using it, not just that it exists in theory. Getting on the list triggers a hard deadline for every U.S. government agency to patch.
This round adds four flaws at once.
Why should ordinary people care about software they've never heard of?
Because the software running behind websites and AI tools is often invisible to the people who depend on it. Adobe ColdFusion is a platform used by government offices, universities, and businesses to power web-based services. A critical flaw in ColdFusion, meaning one rated at the highest severity level, can let an attacker take full control of a web server without needing a password. Two such flaws are now confirmed exploited in the wild.
Langflow is newer and less widely known. It is an open-source tool that developers use to build AI-powered applications by connecting different components together visually. A critical vulnerability there, tracked as CVE-2025-3248, lets an unauthenticated attacker, meaning someone with no account or login at all, run arbitrary code on the server. That is about as bad as it gets.
The Joomla flaws are a different flavour of danger. Joomla is one of the most popular content management systems in the world. Two vulnerable extensions, add-on pieces of software that extend what Joomla can do, are now confirmed exploited. Attackers targeting Joomla sites often look for customer data, login credentials, or a foothold to plant further malicious code.
For anyone who runs a website built on Joomla, or whose organisation uses ColdFusion-powered systems or Langflow-based AI tools, the message from CISA is unambiguous: patch now, not after the July 10 federal deadline.
If you are a customer or user of services you suspect run these platforms, watch for unusual account activity and be cautious of any password-reset emails you did not request. Phishing emails, where criminals send fake messages designed to steal your login details, often follow close behind major vulnerability disclosures because attackers know organisations are scrambling and staff are distracted.
First reported by SecurityWeek, the additions bring renewed attention to how quickly critical flaws move from disclosure to active exploitation. The window between a patch becoming available and attackers using the underlying flaw is shrinking. Organisations that treat patching as a low-priority housekeeping task are increasingly the ones making headlines for the wrong reasons.



