CISA Urges Government to Patch Exploited Cisco, Microsoft Flaws

A leading US security agency has ordered federal government bodies to patch five vulnerabilities it claims are being actively exploited by threat actors.
The latest additions to the CISA Known Exploited Vulnerabilities (KEV) catalog include CVE-2023-20118, a command injection vulnerability in the web-based management interface of multiple Cisco Small Business RV Series routers.
“Successful exploitation could allow an authenticated, remote attacker to gain root-level privileges and access unauthorized data,” said CISA yesterday.
CVE-2018-8639 is an improper resource shutdown or release vulnerability in Microsoft Windows Win32k that enables local, authenticated privilege escalation.
“An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode,” CISA warned.
The three remaining CVEs added to the KEV catalog are:
- CVE-2022-43939: A server authorization bypass vulnerability in Hitachi Vantara Pentaho BA (business analytics) servers
- CVE-2022-43769: A special element injection vulnerability in Hitachi Vantara Pentaho BA servers
- CVE-2024-4885: A path traversal vulnerability in Progress WhatsUp Gold network monitoring software
There’s little additional information about how the above are being exploited in the wild, although it’s not unusual for threat actors to revisit legacy CVEs which may have been passed over by patch management programs, such as the Win32k bug from 2018.
For all five vulnerabilities, CISA recommends the following: “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
Federal civilian agencies have until March 24 to patch the above CVEs.