Full control over Apple, Adobe and Apache products: CISA reveals six vulnerabilities

The agency called on government agencies to urgently update the software to avoid devastating cyber attacks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog with six vulnerabilities affecting Apple, Adobe, Apache, D-Link, and Joomla products.

The KEV catalog lists security flaws that are known to be actively exploited by attackers. Organizations around the world rely on it to prioritize their vulnerability management: because these flaws are already being used in real attacks, they pose a significant risk to federal agencies.

CISA has set a deadline of January 29 for federal agencies to remediate the six actively exploited vulnerabilities or stop using the affected products. The list includes the following flaws:
  1. CVE-2023-27524 (CVSS score: 9.8) - insecure default initialization in Apache Superset versions prior to 2.0.1. The vulnerability arises when the default SECRET_KEY setting is left unchanged, which allows an attacker to authenticate and gain unauthorized access to resources.
  2. CVE-2023-23752 (CVSS score: 5.3) - improper access check in Joomla! versions 4.0.0 through 4.2.7, which allows unauthorized access to web service endpoints.
  3. CVE-2023-41990 (CVSS score: 7.8) - remote code execution (RCE) vulnerability in the processing of a font file sent as an iMessage attachment, leading to arbitrary code execution on Apple iPhone devices running iOS 16.2 and earlier.
  4. CVE-2023-38203 (CVSS score: 9.8) and CVE-2023-29300 (CVSS score: 9.8) - deserialization of untrusted data in Adobe ColdFusion, leading to arbitrary code execution without user interaction.
  5. CVE-2016-20017 (CVSS score: 9.8) - unauthenticated remote command injection in D-Link DSL-2750B devices prior to firmware version 1.05, which was actively exploited from 2016 to 2022.

Some of these bugs were exploited in recently disclosed attacks. For example, CVE-2023-41990 has been used in the Operation Triangulation campaign since 2019, discovered in June 2023 by Kaspersky Lab.

CISA encouraged organizations and federal agencies to check their systems for the above and other vulnerabilities listed in the KEV catalog and apply available security updates or mitigation steps.
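The way organizations actually use the KEV catalog for prioritization is to match its entries against their own asset inventory and work the due dates. The Python below is an added example, not code from the article or from CISA: it embeds a constructed excerpt of the KEV JSON feed using the field names CISA publishes (cveID, vendorProject, product, dueDate), with only the six CVEs named above, and a constructed inventory of hosts. The due-date year 2024 is an assumption (the article only says January 29), and the vendor/product spellings in the snapshot are constructed for matching purposes rather than copied from the live catalog.

```python
"""Match a CISA KEV catalog snapshot against a software inventory and rank by due date.

Added example: the KEV excerpt and the inventory are constructed, not real feed data.
"""
from dataclasses import dataclass
from datetime import date
import json

# Constructed excerpt of the KEV feed. Field names follow the published JSON
# (cveID, vendorProject, product, dueDate); the year in dueDate is an assumption.
KEV_SNAPSHOT = json.dumps({
    "title": "CISA Known Exploited Vulnerabilities Catalog (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2023-27524", "vendorProject": "Apache", "product": "Superset", "dueDate": "2024-01-29"},
        {"cveID": "CVE-2023-23752", "vendorProject": "Joomla!", "product": "Joomla! CMS", "dueDate": "2024-01-29"},
        {"cveID": "CVE-2023-41990", "vendorProject": "Apple", "product": "Multiple Products", "dueDate": "2024-01-29"},
        {"cveID": "CVE-2023-38203", "vendorProject": "Adobe", "product": "ColdFusion", "dueDate": "2024-01-29"},
        {"cveID": "CVE-2023-29300", "vendorProject": "Adobe", "product": "ColdFusion", "dueDate": "2024-01-29"},
        {"cveID": "CVE-2016-20017", "vendorProject": "D-Link", "product": "DSL-2750B", "dueDate": "2024-01-29"},
    ],
})

# Constructed inventory: hostnames and products are hypothetical.
INVENTORY = [
    {"host": "web-01", "vendor": "Apache", "product": "Superset"},
    {"host": "cms-01", "vendor": "Joomla!", "product": "Joomla! CMS"},
    {"host": "cf-01", "vendor": "Adobe", "product": "ColdFusion"},
    {"host": "proxy-01", "vendor": "F5", "product": "NGINX"},   # not in the KEV excerpt
]


@dataclass(frozen=True)
class Finding:
    host: str
    cve_id: str
    due: date
    days_left: int   # negative once the remediation deadline has passed


def _norm(text: str) -> str:
    """Case- and whitespace-insensitive key so inventory spellings match the catalog."""
    return " ".join(text.lower().split())


def match_kev(kev_json: str, inventory: list, today: date) -> list:
    """Return one Finding per (host, KEV entry) pair, earliest deadline first."""
    catalog = json.loads(kev_json)["vulnerabilities"]
    # Index the catalog by (vendor, product) so several CVEs for one product are all found.
    index: dict = {}
    for entry in catalog:
        key = (_norm(entry["vendorProject"]), _norm(entry["product"]))
        index.setdefault(key, []).append(entry)

    findings = []
    for asset in inventory:
        key = (_norm(asset["vendor"]), _norm(asset["product"]))
        for entry in index.get(key, []):
            due = date.fromisoformat(entry["dueDate"])
            findings.append(Finding(asset["host"], entry["cveID"], due, (due - today).days))
    # Most urgent first; host and CVE as tie-breakers keep the output stable.
    findings.sort(key=lambda f: (f.days_left, f.host, f.cve_id))
    return findings


def overdue(findings: list) -> list:
    """Findings whose KEV due date has already passed."""
    return [f for f in findings if f.days_left < 0]


def report(findings: list) -> list:
    """Human-readable lines for a ticket or a daily digest."""
    return [f"{f.host}: {f.cve_id} due {f.due.isoformat()} ({f.days_left} days left)" for f in findings]


if __name__ == "__main__":
    for line in report(match_kev(KEV_SNAPSHOT, INVENTORY, date.today())):
        print(line)
```

Matching here is on vendor and product only; a production check would also compare installed versions against the affected ranges, since a patched host still matches by product name. The point of the example is the workflow the article describes: KEV entries carry a due date, and sorting findings by days remaining is what turns the catalog into a patch priority list.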