The United States Cybersecurity and Infrastructure Security Agency (CISA) has added five new security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, after discovering evidence of active exploitation. These vulnerabilities affect software from prominent companies including Cisco, Hitachi Vantara, Microsoft Windows, and Progress WhatsUp Gold.
The list of newly added vulnerabilities is as follows:
- CVE-2023-20118 (CVSS score: 6.5) – This command injection vulnerability affects the web-based management interface of Cisco Small Business RV Series routers. It allows an authenticated, remote attacker to gain root-level privileges and access unauthorized data. This vulnerability remains unpatched due to the routers having reached their end-of-life status.
- CVE-2022-43939 (CVSS score: 8.6) – An authorization bypass vulnerability in Hitachi Vantara Pentaho BA Server that arises from the use of non-canonical URL paths for authorization decisions. This vulnerability was fixed in August 2024 with the release of versions 9.3.0.2 and 9.4.0.1.
- CVE-2022-43769 (CVSS score: 8.8) – A special element injection vulnerability in Hitachi Vantara Pentaho BA Server that allows an attacker to inject Spring templates into properties files, resulting in arbitrary command execution. This vulnerability was also fixed in August 2024 with versions 9.3.0.2 and 9.4.0.1.
- CVE-2018-8639 (CVSS score: 7.8) – An improper resource shutdown or release vulnerability in Microsoft Windows Win32k that allows a local, authenticated attacker to escalate privileges and run arbitrary code in kernel mode. This vulnerability was fixed in December 2018.
- CVE-2024-4885 (CVSS score: 9.8) – A path traversal vulnerability in Progress WhatsUp Gold that enables an unauthenticated attacker to achieve remote code execution. This vulnerability was fixed in version 2023.1.3 in June 2024.
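To illustrate the bug class behind CVE-2022-43939 (an authorization decision made on a non-canonical URL path), the following is an added example that is not Pentaho's code or the page's own: a naive prefix check on the raw path beside a hardened check that canonicalizes first. The `/admin/` prefix, the helper names and the request paths are all hypothetical.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical protected area: everything under /admin/ requires an admin.
PROTECTED_PREFIX = "/admin/"


def canonicalize(path: str) -> str:
    """Reduce a request path to the form the router will actually serve.

    Steps: drop query/fragment, percent-decode until stable (bounded, so a
    doubly-encoded "%252e%252e" still resolves), resolve "." and ".."
    segments, collapse repeated slashes.
    """
    cur = path.split("?", 1)[0].split("#", 1)[0]
    for _ in range(5):
        decoded = unquote(cur)
        if decoded == cur:
            break
        cur = decoded
    cur = posixpath.normpath("/" + cur)       # resolves "..", ".", "//" in the middle
    return "/" + cur.lstrip("/")              # normpath keeps a leading "//"; collapse it


def is_protected_naive(path: str) -> bool:
    # Vulnerable pattern: decides on the raw path as received.
    return path.startswith(PROTECTED_PREFIX)


def is_protected_canonical(path: str) -> bool:
    # Hardened pattern: decide on the same canonical path the router uses.
    return canonicalize(path).startswith(PROTECTED_PREFIX)


def authorize(path: str, is_admin: bool, is_protected) -> bool:
    """Return True if the request may proceed under the given protection check."""
    if is_protected(path) and not is_admin:
        return False
    return True


if __name__ == "__main__":
    # Constructed request: routes to /admin/users but does not start with "/admin/".
    req = "/public/../admin/users"
    print("naive allows non-admin:", authorize(req, False, is_protected_naive))        # True (bypass)
    print("canonical allows non-admin:", authorize(req, False, is_protected_canonical))  # False
```

The defensive point is that the check and the router must agree on one canonical form; any gap between them is an authorization bypass.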
While there is limited information on how some of these vulnerabilities are being exploited in the wild, the French cybersecurity company Sekoia has recently reported that threat actors are abusing CVE-2023-20118 to recruit susceptible routers into a botnet known as PolarEdge.
Regarding CVE-2024-4885, the Shadowserver Foundation has observed exploitation attempts targeting this vulnerability as of August 1, 2024. Data from GreyNoise indicates that at least eight unique IP addresses from various countries, including Hong Kong, Russia, Brazil, South Korea, and the United Kingdom, are linked to the malicious exploitation of this vulnerability.
Given the active exploitation of these vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies are advised to apply the necessary mitigations by March 24, 2025, to secure their networks.