The United States Cybersecurity and Infrastructure Security Agency (CISA) has recently added two security vulnerabilities to its catalog of Known Exploited Vulnerabilities (KEV), which affect Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM), due to evidence of active exploitation.
The vulnerabilities in question are:
- CVE-2017-3066 (CVSS score: 9.8) – This is a deserialization vulnerability in the Apache BlazeDS library that affects Adobe ColdFusion, allowing for arbitrary code execution. A fix for this vulnerability was released in April 2017.
- CVE-2024-20953 (CVSS score: 8.8) – This is a deserialization vulnerability that affects Oracle Agile PLM, allowing a low-privileged attacker with network access via HTTP to compromise the system. A fix for this vulnerability was released in January 2024.
Although there are currently no public reports of these vulnerabilities being exploited, another vulnerability affecting Oracle Agile PLM (CVE-2024-21287, CVSS score: 7.5) was actively exploited late last year.
To mitigate the risks posed by potential attacks using these vulnerabilities, it is recommended that users apply the necessary updates. Federal agencies have until March 17, 2025, to secure their networks against these threats.
This development comes as threat intelligence firm GreyNoise revealed active exploitation attempts targeting CVE-2023-20198, a now-patched security flaw affecting Cisco devices.
As many as 110 malicious IPs, mainly originating from Bulgaria, Brazil, and Singapore, have been linked to this activity.
“Two malicious IPs exploited CVE-2018-0171 in December 2024 and January 2025, originating from Switzerland and the United States — the same period when Salt Typhoon, a Chinese state-sponsored threat group, reportedly breached telecom networks using CVE-2023-20198 and CVE-2023-20273,” the GreyNoise Research Team said.