CISA Adds Three Exploited Vulnerabilities to Known Catalog

These vulnerabilities, all of which have been actively exploited, include two related to Draytek VigorConnect devices and one affecting Kingsoft WPS Office.

[Header image: generated with OpenAI's DALL-E and edited by the author. Source: OpenAI (September 2024)]

Introduction

On September 3, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities Catalog, flagging three new vulnerabilities that pose significant risks to federal networks. These vulnerabilities, all of which have been actively exploited, include two related to Draytek VigorConnect devices and one affecting Kingsoft WPS Office.

CISA's Known Exploited Vulnerabilities Catalog, established under the Binding Operational Directive (BOD) 22-01, serves as a living document of active threats. The catalog, updated regularly, is a crucial part of U.S. federal cybersecurity defense, ensuring agencies prioritize the remediation of dangerous vulnerabilities before they can cause damage.

Report Overview

These vulnerabilities affect software that is widely used across federal agencies and were added to the catalog on the basis of evidence of active exploitation. The Draytek VigorConnect and Kingsoft WPS Office flaws are all path traversal vulnerabilities, which can give a malicious actor unauthorized access to sensitive data. Attackers can leverage them to manipulate files, escalate privileges, and move laterally within a network, which makes them valuable tools in the arsenal of cybercriminals.

Technical Breakdown:

  • CVE-2021-20123 & CVE-2021-20124 (Draytek VigorConnect): These VigorConnect vulnerabilities stem from improper validation of user-supplied input, which makes path traversal possible. Cyber actors can exploit the flaw to bypass security controls and gain unauthorized access to directories and files outside the application's designated root directory.
  • CVE-2024-7262 (Kingsoft WPS Office): This vulnerability is also a path traversal flaw; it lets attackers manipulate file paths and reach system-critical files. Once a system is compromised, attackers could deploy malware or steal sensitive information from it.
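Both entries describe the same flaw class: a file-serving component that joins a caller-supplied path onto its root directory without canonicalising it first. The following Python is an added example written for this article, not code from Draytek, Kingsoft or CISA. It puts that vulnerable resolver next to a hardened one that decodes, normalises and enforces containment, and adds a small helper for screening access-log lines for traversal attempts (recommendation 3 below). The web root /srv/app/files, the request strings and the log lines are constructed.

```python
"""Path traversal: a vulnerable resolver next to a hardened one.

Added example for this article; not code from Draytek, Kingsoft or CISA.
The web root and every request string below are constructed.
"""
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

WEB_ROOT = "/srv/app/files"  # hypothetical application root directory


def resolve_unsafe(requested: str) -> str:
    """Vulnerable pattern: append the request to the root and trust the result.

    "../" segments survive untouched, so a request can name any file on the
    host that the service account is able to read.
    """
    return WEB_ROOT + "/" + requested


def resolve_safe(requested: str) -> Optional[str]:
    """Hardened pattern: decode, normalise, then enforce containment.

    Returns the canonical absolute path, or None when the request would land
    outside WEB_ROOT (the caller should refuse it and log the attempt).
    """
    decoded = unquote(requested)          # "%2e%2e%2f" becomes "../"
    if "\x00" in decoded:                 # NUL bytes truncate paths in C-backed APIs
        return None
    # Normalising collapses "." and ".." segments into one absolute path.
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    # Containment: the result must be the root itself or sit strictly below it.
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


# A ".." segment bounded by a slash, a backslash, or the string boundary.
TRAVERSAL_SEGMENT = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def looks_like_traversal(requested: str) -> bool:
    """Screen a logged request path for traversal attempts.

    Decoding twice also catches double-encoded forms such as "%252e%252e%252f".
    """
    decoded = unquote(unquote(requested))
    return TRAVERSAL_SEGMENT.search(decoded) is not None


def screen_log(lines: List[str]) -> List[str]:
    """Return the access-log lines whose request path looks like traversal."""
    flagged = []
    for line in lines:
        # Constructed access-log shape: "<client> <method> <path> <status>"
        parts = line.split()
        if len(parts) >= 3 and looks_like_traversal(parts[2]):
            flagged.append(line)
    return flagged


# Constructed sample log lines (not from any real incident).
SAMPLE_LOG = [
    "10.0.0.5 GET /files/reports/2024/q3.pdf 200",
    "10.0.0.9 GET /files/..%2f..%2f..%2fetc%2fpasswd 200",
    "10.0.0.9 GET /files/%252e%252e%252fconfig 404",
    "10.0.0.7 GET /files/notes..txt 200",
]

if __name__ == "__main__":
    for req in ("reports/2024/q3.pdf", "../../../etc/passwd",
                "%2e%2e/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{req!r:40} unsafe={resolve_unsafe(req)!r} safe={resolve_safe(req)!r}")
    for line in screen_log(SAMPLE_LOG):
        print("flagged:", line)
```

The containment check compares against `WEB_ROOT + "/"` rather than a bare prefix so that a sibling directory such as `/srv/app/files-old` is not accepted, and `notes..txt` is deliberately not flagged by the log screen because a bare `..` inside a filename is not a traversal segment.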

Insights and Analysis

The exploitation of these vulnerabilities presents a severe risk to affected organizations, especially in government and enterprise environments that rely on these software products. Federal Civilian Executive Branch (FCEB) agencies, in particular, are required to address these vulnerabilities under BOD 22-01. The urgency of mitigation is underscored by the potential for data breaches, system downtime, and the exfiltration of sensitive government information.

While BOD 22-01 applies directly to federal agencies, CISA strongly encourages private organizations to follow suit. Organizations with unpatched Draytek VigorConnect devices or Kingsoft WPS Office installations are at risk of falling victim to attacks leveraging these vulnerabilities.

Recommendations:

  1. Patch immediately: Apply the necessary updates or mitigations as soon as possible.
  2. Review vulnerability management practices: Ensure that known vulnerabilities are prioritized and addressed systematically.
  3. Monitor for indicators of compromise (IOCs): Be vigilant for any signs of unauthorized access or data manipulation that may indicate exploitation of these vulnerabilities.
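Recommendations 1 and 2 come down to knowing which catalog entries apply to software you actually run and working them in due-date order. The Python below is an added example, not CISA tooling: it parses a feed in the shape of CISA's public KEV JSON (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, whose record fields include cveID, vendorProject, product, dateAdded, dueDate, requiredAction and knownRansomwareCampaignUse), matches the entries against a software inventory, and orders the findings by remaining time. Only the three CVE IDs, the vendor and product names and the 2024-09-03 addition date come from the advisory above; the due dates, hostnames, inventory and required-action text are constructed.

```python
"""Triage a software inventory against a KEV-style feed.

Added example for this article; not CISA tooling. The JSON sample follows the
field names of CISA's public KEV feed, but its due dates, hostnames, inventory
and required-action text are constructed.
"""
import json
from datetime import date
from typing import Dict, List

# Constructed sample in the KEV feed's shape; CVE IDs, vendors, products and
# the 2024-09-03 addition date come from the advisory, everything else is made up.
SAMPLE_KEV_JSON = """
{
  "title": "Constructed KEV sample",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2021-20123", "vendorProject": "Draytek", "product": "VigorConnect",
     "vulnerabilityName": "Draytek VigorConnect Path Traversal Vulnerability",
     "dateAdded": "2024-09-03", "dueDate": "2024-09-24",
     "requiredAction": "Apply the necessary updates or mitigations.",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2021-20124", "vendorProject": "Draytek", "product": "VigorConnect",
     "vulnerabilityName": "Draytek VigorConnect Path Traversal Vulnerability",
     "dateAdded": "2024-09-03", "dueDate": "2024-09-24",
     "requiredAction": "Apply the necessary updates or mitigations.",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-7262", "vendorProject": "Kingsoft", "product": "WPS Office",
     "vulnerabilityName": "Kingsoft WPS Office Path Traversal Vulnerability",
     "dateAdded": "2024-09-03", "dueDate": "2024-09-20",
     "requiredAction": "Apply the necessary updates or mitigations.",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed inventory: hostnames and the third product are illustrative only.
SAMPLE_INVENTORY = [
    {"host": "vpn-mgmt-01.example.internal", "vendor": "DrayTek", "product": "VigorConnect"},
    {"host": "ws-1042.example.internal", "vendor": "Kingsoft", "product": "WPS Office"},
    {"host": "ws-1043.example.internal", "vendor": "ExampleCorp", "product": "Notepad Clone"},
]


def parse_kev(feed_text: str) -> List[Dict]:
    """Return the vulnerability records from a KEV-shaped JSON document."""
    return json.loads(feed_text)["vulnerabilities"]


def _key(vendor: str, product: str):
    # Vendor and product strings differ in casing between feeds and inventories.
    return (vendor.strip().lower(), product.strip().lower())


def match_inventory(kev_entries: List[Dict], inventory: List[Dict], today: str) -> List[Dict]:
    """Pair every inventory asset with the KEV entries for its vendor/product.

    `today` is an ISO date string so the result is reproducible. Findings are
    sorted earliest deadline first; known ransomware use breaks ties.
    """
    as_of = date.fromisoformat(today)
    index: Dict[tuple, List[Dict]] = {}
    for entry in kev_entries:
        index.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)
    findings = []
    for asset in inventory:
        for entry in index.get(_key(asset["vendor"], asset["product"]), []):
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "name": entry["vulnerabilityName"],
                "dueDate": entry["dueDate"],
                "daysRemaining": (due - as_of).days,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                "requiredAction": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (f["daysRemaining"], not f["ransomware"], f["cveID"]))
    return findings


def overdue(findings: List[Dict]) -> List[Dict]:
    """Findings whose remediation due date has already passed."""
    return [f for f in findings if f["daysRemaining"] < 0]


def report(findings: List[Dict]) -> List[str]:
    """One human-readable line per finding, in priority order."""
    return [f"{f['daysRemaining']:>4}d  {f['cveID']:<15} {f['host']:<30} due {f['dueDate']}"
            for f in findings]


if __name__ == "__main__":
    found = match_inventory(parse_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY, "2024-09-10")
    print("\n".join(report(found)))
    print(f"{len(overdue(found))} finding(s) overdue")
```

Matching on vendor and product is deliberately loose because the feed carries no version data; a real workflow would follow each hit with a version check against the vendor advisory before closing it.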

The addition of these three vulnerabilities to the Known Exploited Vulnerabilities Catalog signals the ongoing need for vigilance in addressing security gaps. As cyber actors continue to exploit known weaknesses, organizations must prioritize vulnerability management to reduce their exposure to attacks. For more details on BOD 22-01 and the Known Exploited Vulnerabilities Catalog, visit CISA’s official website.

Indicators of Compromise (IOCs)

No specific Indicators of Compromise (IOCs) were provided in the source material.

MITRE ATT&CK Techniques

Tactic              Technique                                   ID          Description
Defense Evasion     Hijack Execution Flow: Path Interception    T1574.001   Attackers exploit path traversal to manipulate system-critical paths.
Discovery           Network Sniffing                            T1040       Gaining unauthorized access to sensitive network traffic.
Credential Access   Valid Accounts                              T1078       Use of legitimate credentials to maintain access and move laterally.

References

CISA Adds Three Known Exploited Vulnerabilities to Catalog | CISA
CVE Website: CVE-2021-20123, CVE-2021-20124, CVE-2024-7262