The United States Cybersecurity and Infrastructure Security Agency (CISA) has added two security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. These vulnerabilities affect Microsoft Partner Center and Synacor Zimbra Collaboration Suite (ZCS), and there is evidence that they are being actively exploited.
The vulnerabilities in question are:
- CVE-2024-49035 (CVSS score: 8.7) – This is an improper access control vulnerability in Microsoft Partner Center that allows an attacker to escalate privileges. It was fixed in November 2024.
- CVE-2023-34192 (CVSS score: 9.0) – This is a cross-site scripting (XSS) vulnerability in Synacor ZCS that allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function. It was fixed in July 2023 with version 8.8.15 Patch 40.
Microsoft previously acknowledged that CVE-2024-49035 had been exploited in the wild, but did not provide further details on how it was used in real-world attacks. There are currently no public reports of in-the-wild abuse of CVE-2023-34192.
With the two flaws now listed in the KEV catalog, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary updates by March 18, 2025, to secure their networks.
This update comes a day after CISA added two security flaws affecting Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.