CISA Adds Nine Exploited Vulnerabilities to KEV Catalog Over Two Days

On September 17 and 18, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added nine vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The original image was generated by OpenAI's DALL-E and edited by the author. Source: OpenAI (September 2024)

Introduction

On September 17 and 18, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added nine vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. These vulnerabilities, spanning various platforms and software, highlight significant risks to federal agencies and other organizations.

Report Overview

September 17, 2024:
CISA added four Adobe Flash Player vulnerabilities to the KEV catalog:

  • CVE-2014-0497: An integer underflow vulnerability in Adobe Flash Player that could allow for arbitrary code execution.
  • CVE-2013-0643: An incorrect default permissions vulnerability in Adobe Flash Player that makes exploitation easier.
  • CVE-2013-0648: An additional code execution vulnerability within Adobe Flash Player.
  • CVE-2014-0502: A double-free vulnerability in Adobe Flash Player, leading to potential remote code execution.

September 18, 2024:
Five more vulnerabilities, spanning multiple vendors, were included:

  • CVE-2024-27348: An improper access control vulnerability in Apache HugeGraph-Server.
  • CVE-2020-0618: A remote code execution vulnerability in Microsoft SQL Server Reporting Services.
  • CVE-2019-1069: A privilege escalation vulnerability in Microsoft Windows Task Scheduler.
  • CVE-2022-21445: A remote code execution vulnerability in Oracle JDeveloper.
  • CVE-2020-14644: A remote code execution vulnerability in Oracle WebLogic Server.

Insights and Analysis

These vulnerabilities are actively exploited in the wild and pose significant risks, especially to federal networks. Given the wide range of platforms and applications impacted, organizations beyond the U.S. Federal Civilian Executive Branch (FCEB) are at risk. In particular, vulnerabilities like remote code execution can allow attackers to gain full control of a system, and privilege escalation vulnerabilities can enable them to move laterally within networks.

In line with Binding Operational Directive (BOD) 22-01, FCEB agencies are required to remediate these vulnerabilities by a specified deadline to reduce risks to their networks. While BOD 22-01 is directed at federal agencies, CISA urges all organizations to prioritize patching these vulnerabilities as part of their broader cybersecurity strategy.

For detailed mitigation recommendations, organizations can reference the BOD 22-01 Fact Sheet. CISA emphasizes that timely patching of vulnerabilities is essential for reducing the risk of exploitation and preventing significant damage from potential cyberattacks.
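The prioritization CISA describes, patching KEV entries ahead of the BOD 22-01 due date, is straightforward to automate because the catalog is published as a JSON feed. The script below is an added example written for this article, not code from CISA or from the original post. It uses the field names of CISA's public KEV feed (cveID, vendorProject, product, dateAdded, dueDate), but the feed content embedded here is a constructed sample limited to the nine CVEs named above, its dueDate values are constructed for illustration rather than copied from the catalog, and the host inventory and the KEV_FEED_URL constant are assumptions of the example.

```python
"""Match a host inventory against a KEV feed and rank findings by BOD 22-01 due date.

Added example; not code from the article or from CISA. Field names follow CISA's public
KEV JSON feed; the feed body below is a constructed sample and its dueDate values are
constructed, not taken from the real catalog.
"""
import json
from datetime import date

# Location of the public feed; used only by fetch_kev(), the demo itself runs offline.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the KEV feed (nine CVEs from the article, constructed dueDates).
SAMPLE_KEV_JSON = """
{"title": "KEV sample (constructed)", "vulnerabilities": [
 {"cveID": "CVE-2014-0497", "vendorProject": "Adobe", "product": "Flash Player", "dateAdded": "2024-09-17", "dueDate": "2024-10-08"},
 {"cveID": "CVE-2013-0643", "vendorProject": "Adobe", "product": "Flash Player", "dateAdded": "2024-09-17", "dueDate": "2024-10-08"},
 {"cveID": "CVE-2013-0648", "vendorProject": "Adobe", "product": "Flash Player", "dateAdded": "2024-09-17", "dueDate": "2024-10-08"},
 {"cveID": "CVE-2014-0502", "vendorProject": "Adobe", "product": "Flash Player", "dateAdded": "2024-09-17", "dueDate": "2024-10-08"},
 {"cveID": "CVE-2024-27348", "vendorProject": "Apache", "product": "HugeGraph-Server", "dateAdded": "2024-09-18", "dueDate": "2024-10-09"},
 {"cveID": "CVE-2020-0618", "vendorProject": "Microsoft", "product": "SQL Server Reporting Services", "dateAdded": "2024-09-18", "dueDate": "2024-10-09"},
 {"cveID": "CVE-2019-1069", "vendorProject": "Microsoft", "product": "Windows Task Scheduler", "dateAdded": "2024-09-18", "dueDate": "2024-10-09"},
 {"cveID": "CVE-2022-21445", "vendorProject": "Oracle", "product": "JDeveloper", "dateAdded": "2024-09-18", "dueDate": "2024-10-09"},
 {"cveID": "CVE-2020-14644", "vendorProject": "Oracle", "product": "WebLogic Server", "dateAdded": "2024-09-18", "dueDate": "2024-10-09"}
]}
"""

# Constructed inventory: hostname -> CVE ids a vulnerability scanner reported for that host.
# CVE-2024-00000 is a constructed placeholder that is deliberately absent from the feed.
SAMPLE_INVENTORY = {
    "reports-01": ["CVE-2020-0618", "CVE-2019-1069"],
    "wls-prod-02": ["CVE-2020-14644", "CVE-2024-00000"],
    "legacy-kiosk": ["CVE-2014-0497", "CVE-2014-0502"],
}


def load_kev(raw_json):
    """Index the feed by CVE id so inventory lookups are a dict access."""
    feed = json.loads(raw_json)
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def match_inventory(kev, inventory, today_iso):
    """Return one finding per (host, CVE) present in the catalog, most urgent first.

    today_iso is an ISO date string (e.g. "2024-10-01") so callers and tests need no datetime import.
    CVEs not in the catalog are skipped: they still need patching, but not under the BOD 22-01 clock.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": host,
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": entry["dueDate"],
                "days_left": (due - today).days,
            })
    # Earliest due date first; host and CVE as tie-breakers for stable output.
    findings.sort(key=lambda f: (f["due"], f["host"], f["cve"]))
    return findings


def overdue(findings):
    """Findings whose BOD 22-01 due date has already passed."""
    return [f for f in findings if f["days_left"] < 0]


def fetch_kev():
    """Download the live feed (network access; not used by the offline demo)."""
    from urllib.request import urlopen
    with urlopen(KEV_FEED_URL, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    for f in match_inventory(catalog, SAMPLE_INVENTORY, "2024-10-09"):
        flag = "OVERDUE" if f["days_left"] < 0 else f'{f["days_left"]}d left'
        print(f'{f["host"]:<13} {f["cve"]:<15} {f["product"]:<35} due {f["due"]}  {flag}')
```

To run against the real catalog, replace SAMPLE_KEV_JSON with the return value of fetch_kev(); the matching and ranking logic is unchanged because the live feed uses the same field names. Sorting by dueDate rather than by CVSS score reflects the article's point: KEV membership, not severity alone, is what drives the remediation deadline.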

These nine newly added vulnerabilities serve as a reminder of the ever-present threat posed by malicious actors targeting well-known software and services. Organizations are encouraged to continuously assess their vulnerability management practices, prioritize the remediation of known exploited vulnerabilities, and take proactive measures to secure their networks. CISA will continue to monitor and update the KEV catalog as new information becomes available.

For further details, consult CISA’s Known Exploited Vulnerabilities Catalog or visit their official website.

References

CISA Adds Five Known Exploited Vulnerabilities to Catalog | CISA
CISA Adds Four Known Exploited Vulnerabilities to Catalog | CISA