Introduction
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five security vulnerabilities affecting Cisco, Hitachi Vantara, Microsoft Windows, and Progress WhatsUp Gold products to its Known Exploited Vulnerabilities (KEV) catalog. Entries are added to the KEV catalog only on evidence of active exploitation, so each of these flaws is known to be used in real attacks, not merely theoretically exploitable. Organizations running the affected software should treat remediation as a priority.
Overview of Exploited Vulnerabilities
CISA’s latest update includes the following vulnerabilities:
CVE-2023-20118 (CVSS score: 6.5) – A command injection vulnerability in the web-based management interface of Cisco Small Business RV Series routers. An authenticated, remote attacker can exploit this flaw to execute arbitrary commands with root-level privileges and access unauthorized data. The requirement for valid administrative credentials is why the score is only medium; in practice, weak or reused router passwords lower that bar considerably. Because these routers have reached end-of-life status, Cisco has not released a fix, so the realistic mitigations are to replace the devices or, at a minimum, ensure the management interface is not reachable from untrusted networks.
CVE-2022-43939 (CVSS score: 8.6) – An authorization bypass vulnerability in Hitachi Vantara Pentaho BA Server, arising from authorization decisions being made on non-canonical URL paths. In this class of bug, an access check compares the path as the client sent it, while the server routes the request on its normalized form; an attacker who supplies an alternative spelling of a protected path (encoded characters, dot segments, or doubled slashes) can reach it without the check firing. The flaw was addressed in August 2024 with the release of versions 9.3.0.2 and 9.4.0.1.
CVE-2022-43769 (CVSS score: 8.8) – A special element injection vulnerability in Hitachi Vantara Pentaho BA Server that enables attackers to inject Spring templates into properties files, which are then evaluated and allow arbitrary command execution on the server. Like the previous vulnerability, this issue was resolved in August 2024 with versions 9.3.0.2 and 9.4.0.1.
CVE-2018-8639 (CVSS score: 7.8) – A resource management flaw in the Microsoft Windows Win32k kernel driver that permits a local, authenticated attacker to escalate privileges and execute arbitrary code in kernel mode. It is a post-compromise tool: the attacker must already be running code on the host, and uses the bug to move from a low-privileged account to full control of the system. Microsoft fixed the vulnerability in December 2018, yet it continues to be exploited against machines that were never patched.
CVE-2024-4885 (CVSS score: 9.8) – A path traversal vulnerability in Progress WhatsUp Gold that allows an unauthenticated attacker with network access to the web interface to achieve remote code execution. This critical vulnerability was addressed in version 2023.1.3, released in June 2024.
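Two of the five entries (the Pentaho authorization bypass and the WhatsUp Gold path traversal) share a root cause: a security decision made on a path before it has been reduced to the one form the server will actually act on. The following Python is an added illustration of that bug class and its fix, written for this article; it is not code from Pentaho, WhatsUp Gold or any vendor, the protected route names and base directory are made up, and the treatment of `;param` segments as routing noise is an assumption about servlet-style containers rather than a statement about any product.

```python
"""Canonicalize-then-decide: a naive path-prefix authorization check, the
bypasses that defeat it, and a hardened version; plus a path-traversal guard
for a file-serving endpoint.  Illustrative code written for this article,
not any vendor's implementation."""
import os
import posixpath
import re
from urllib.parse import unquote

# Hypothetical protected URL prefixes (constructed for the example).
PROTECTED_PREFIXES = ("/admin", "/api/repos")


def _matches_protected(path: str) -> bool:
    """Whole-segment comparison: '/admin' and '/admin/...' match,
    '/administrator' does not."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def _fully_decode(s: str) -> str:
    """Percent-decode until stable (bounded), so %2561 -> %61 -> 'a' is caught."""
    for _ in range(5):
        nxt = unquote(s)
        if nxt == s:
            return s
        s = nxt
    return s


def is_protected_naive(path: str) -> bool:
    """VULNERABLE pattern: the decision is made on the raw request path.
    Any alternative spelling of the same resource is a different string, so
    the check answers 'public' while the router still serves the admin page."""
    return _matches_protected(path)


def canonicalize_url_path(path: str) -> str:
    """Reduce a request path to the single form routing will use:
    1. repeated percent-decoding (covers double encoding),
    2. drop ';param' path segments (assumed ignored by the container),
    3. treat backslash as a separator,
    4. collapse '.', '..' and '//' with posixpath.normpath; '..' is clamped
       at the root, and a leading '//' is folded to '/'."""
    decoded = _fully_decode(path)
    decoded = re.sub(r";[^/]*", "", decoded)      # /admin;x=1/users -> /admin/users
    decoded = decoded.replace("\\", "/")
    return posixpath.normpath("/" + decoded.lstrip("/"))


def is_protected_canonical(path: str) -> bool:
    """FIXED pattern: canonicalize first, then compare whole segments."""
    return _matches_protected(canonicalize_url_path(path))


def safe_file_path(base_dir: str, requested: str):
    """Path-traversal guard: decode, join to the base directory, resolve to a
    real absolute path, and accept only if it is still inside base_dir.
    Returns the resolved path, or None when the request escapes the base."""
    base = os.path.realpath(base_dir)
    rel = _fully_decode(requested).lstrip("/\\")   # never allow an absolute path
    target = os.path.realpath(os.path.join(base, rel))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def demo():
    """Compare both checks over a set of constructed bypass attempts."""
    probes = [
        "/admin/users",                 # plain: both checks catch it
        "/%61dmin/users",               # percent-encoded 'a'
        "/%2561dmin/users",             # double-encoded
        "/public/../admin/users",       # dot-segment traversal
        "//admin/users",                # doubled leading slash
        "/admin;jsessionid=x/users",    # path parameter in a segment
        "/administrator/x",             # must NOT match: different segment
        "/public/index.html",           # genuinely public
    ]
    return [(p, is_protected_naive(p), is_protected_canonical(p)) for p in probes]


if __name__ == "__main__":
    for path, naive, fixed in demo():
        print(f"{path:32} naive={naive!s:5} canonical={fixed}")
    print(safe_file_path("/srv/files", "reports/2024.pdf"))
    print(safe_file_path("/srv/files", "../../etc/passwd"))
```

Running the demo shows every encoded, dot-segment or doubled-slash spelling slipping past the naive check while the canonical check catches all of them, and `/administrator/x` staying public under both because the comparison is on whole segments rather than substrings. The same idea applied to the filesystem (resolve first, then test containment) is what a file-serving endpoint needs to refuse `../../etc/passwd`; the base directory here is made up and the check does not depend on it existing.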
Evidence of Exploitation in the Wild
Details on how widely each of these vulnerabilities is being abused remain limited, but exploitation of several of them has been confirmed by independent researchers. French cybersecurity company Sekoia recently reported that threat actors are leveraging CVE-2023-20118 to enlist vulnerable routers into a botnet known as PolarEdge.
Similarly, CVE-2024-4885 has been the subject of exploitation attempts. The Shadowserver Foundation detected attacks targeting this flaw as early as August 1, 2024. Data from GreyNoise indicates that at least eight unique IP addresses originating from Hong Kong, Russia, Brazil, South Korea, and the United Kingdom have been linked to these malicious activities.
Furthermore, exploitation of CVE-2018-8639 was documented in early 2023 by AhnLab, which attributed the attacks to a Chinese hacking group known as Dalbit (also referred to as m00nlight). The group reportedly gained initial access to South Korean networks through vulnerable SQL servers, deployed web shells for persistence, and then used the Win32k flaw to escalate privileges on the compromised hosts.
Call for Immediate Mitigation
In response to the active exploitation of these vulnerabilities, CISA requires Federal Civilian Executive Branch (FCEB) agencies, under Binding Operational Directive 22-01, to apply the necessary mitigations by March 24, 2025, and urges all other organizations to do the same. For the patched products this means upgrading to the fixed versions listed above; for the end-of-life Cisco routers, where no fix exists, it means discontinuing use of the devices or isolating their management interfaces from untrusted networks.
Conclusion
The inclusion of these vulnerabilities in CISA’s KEV catalog underscores a recurring pattern: attackers continue to exploit long-known weaknesses, some with fixes available for years, rather than relying on novel flaws. Timely patching, retirement of end-of-life equipment, and restricting exposure of management interfaces remain the most effective defenses. Organizations should apply the recommended updates and review their environments for the affected products.