The U.S. Cybersecurity & Infrastructure Security Agency has added three security vulnerabilities to its 'Known Exploited Vulnerabilities' catalog, one impacting Google Chrome and two affecting some D-Link routers.
Adding the issues to the KEV catalog serves as a warning to federal agencies and companies that threat actors are leveraging them in attacks and security updates or mitigations should be applied.
Federal agencies in the U.S. have until June 6th to replace affected devices or implement defenses that reduce or eliminate the risk of an attack.
The vulnerability in Google Chrome, tracked as CVE-2024-4761, has been confirmed by the vendor as actively exploited on May 13th but no technical details is currently publicly available.
It is described as an out of bounds write vulnerability in Chrome's V8 JavaScript engine that executes JS code in the browser and its severity rating is high.
Two days after disclosing CVE-2024-4761 Google announced that another vulnerability in Chrome's V8 engine has been exploited in the wild, but CISA has yet to add it to the KEV catalog.
CISA is also warning that a ten-year old vulnerability impacting D-Link DIR-600 routers is still being exploited.
It allows attackers to hijack administrator authentication requests to the device's web admin panel, create their own admin accounts, change the configuration, and take control of the device.
Although D-Link DIR-600 routers have reached end-of-life four years before being discovered, the vendor released a fix at the time in firmware version 2.17b02 along with a security bulletin containing mitigation recommendations.
Another bug affecting D-Link products has also been added recently to the KEV catalog.
It is identified as CVE-2021-40655 and affects D-Link DIR-605 routers that have been out of support since 2015.
A proof-of-concept exploit for the flaw was released on GitHub in 2021.
CISA has not provided any background information about the two D-Link flaws and it is unclear who exploited them or when the agency recorded the attacks.
Older vulnerabilities are typically leveraged by botnet malware that incorporate large lists of exploitable security issues with no regard to the type of device or age of the issue.
In the case of D-Link 600 and 605, it is recommended to replace the device with newer models that the vendor still supports with performance and security updates.
Google Chrome emergency update fixes 6th zero-day exploited in 2024.
Google fixes fifth Chrome zero-day exploited in attacks this year.
Google fixes third actively exploited Chrome zero-day in a week.
PoC exploit released for RCE zero-day in D-Link EXO AX4800 routers.
CISA urges software devs to weed out path traversal vulnerabilities.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sun, 19 May 2024 17:50:06 +0000