The US Cybersecurity and Infrastructure Security Agency (CISA) has added six new security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence that they are being actively exploited.
Among them are:
- CVE-2023-27524 (CVSS score: 8.9): This high-risk vulnerability affects the open source data visualization software Apache Superset and allows an attacker to remotely execute code. The vulnerability has been fixed in version 2.1. Information about the vulnerability was first disclosed in April 2023, and Horizon3.ai's Naveen Sunkavally described it as "a dangerous default configuration in Apache Superset that allows unauthenticated attackers to remotely execute code, steal credentials, and corrupt data." It is unclear how the vulnerability is being exploited in the wild.
- CVE-2023-38203 (CVSS score: 9.8): Adobe ColdFusion deserialization untrusted data vulnerability.
- CVE-2023-29300 (CVSS score: 9.8): Adobe ColdFusion deserialization untrusted data vulnerability.
- CVE-2023-41990 (CVSS score: 7.8): Code execution vulnerabilities in several Apple products.
- CVE-2016-20017 (CVSS score: 9.8): D-Link DSL-2750B device command injection vulnerability.
- CVE-2023-23752 (CVSS score: 5.3): Improper access control vulnerability.
Notably, the CVE-2023-41990 vulnerability has been fixed by Apple in iOS 15.7.8 and iOS 16.3, but it has been exploited by unknown attackers (via a crafted iMessage PDF attachment) to achieve remote code execution in the "Triangulation" spyware attack.
CISA recommends that Federal Civilian Executive Branch (FCEB) agencies apply fixes for the above vulnerabilities by January 29, 2024 to protect their networks from active threats.
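The practical follow-up to a KEV update like this one is to check which of the newly listed CVEs are present in your own environment and how much time remains before the CISA due date. The script below is an added example, not code from the original article or from CISA: it parses a catalog feed laid out the way the public KEV JSON feed is (a top-level "vulnerabilities" list with "cveID", "vendorProject", "product" and "dueDate" fields; the real feed is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), matches it against a CVE inventory, and reports open and overdue items. The feed entries and the inventory are constructed sample data embedded inline so the script runs offline; the due date is the January 29, 2024 deadline from the article, while the "dateAdded" values and host names are assumptions.

```python
"""Cross-check a CVE inventory against a KEV-style catalog feed.

Added example, not part of the original article. The feed layout is assumed
to follow the public CISA KEV JSON schema; the entries below are CONSTRUCTED
sample data, not a download of the real catalog.
"""
import json
from dataclasses import dataclass
from datetime import date

# Constructed sample feed in the KEV JSON shape. CVE IDs and the due date come
# from the article; "dateAdded" and descriptions are assumptions.
SAMPLE_KEV_FEED = json.dumps({
    "title": "constructed sample in KEV JSON shape",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2023-27524", "vendorProject": "Apache", "product": "Superset",
         "shortDescription": "insecure default configuration allowing remote code execution",
         "dateAdded": "2024-01-08", "dueDate": "2024-01-29"},
        {"cveID": "CVE-2023-38203", "vendorProject": "Adobe", "product": "ColdFusion",
         "shortDescription": "deserialization of untrusted data",
         "dateAdded": "2024-01-08", "dueDate": "2024-01-29"},
        {"cveID": "CVE-2016-20017", "vendorProject": "D-Link", "product": "DSL-2750B",
         "shortDescription": "command injection",
         "dateAdded": "2024-01-08", "dueDate": "2024-01-29"},
    ],
})

# Constructed asset inventory: one row per (host, CVE) from a scanner export.
# "CVE-0000-0000" is a placeholder for a finding that is NOT in the catalog.
SAMPLE_INVENTORY = [
    {"host": "bi-01", "cve": "CVE-2023-27524"},
    {"host": "cf-app-02", "cve": "CVE-2023-38203"},
    {"host": "gw-01", "cve": "CVE-2016-20017"},
    {"host": "web-07", "cve": "CVE-0000-0000"},
]


@dataclass
class Finding:
    host: str
    cve: str
    product: str
    due: date
    days_left: int   # negative once the due date has passed
    status: str      # "open" or "overdue"


def load_kev(feed_text: str) -> dict:
    """Parse a KEV-shaped JSON feed into a dict keyed by CVE ID."""
    data = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def triage(inventory: list, kev: dict, today: date) -> list:
    """Return one Finding per inventory row whose CVE is in the catalog.

    Rows for CVEs not in the catalog are skipped: KEV is a prioritisation
    list, so absence means "not known exploited", not "safe". Results are
    sorted by due date, then host, so the most urgent items come first.
    """
    findings = []
    for row in inventory:
        entry = kev.get(row["cve"])
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        findings.append(Finding(
            host=row["host"],
            cve=row["cve"],
            product=f'{entry["vendorProject"]} {entry["product"]}',
            due=due,
            days_left=days_left,
            status="overdue" if days_left < 0 else "open",
        ))
    findings.sort(key=lambda f: (f.due, f.host))
    return findings


def report(findings: list) -> str:
    """Render findings as a plain-text table for a ticket or daily digest."""
    lines = [f"{'host':<10} {'cve':<16} {'status':<8} {'due':<11} product"]
    for f in findings:
        lines.append(f"{f.host:<10} {f.cve:<16} {f.status:<8} {f.due.isoformat():<11} {f.product}")
    return "\n".join(lines)


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_FEED)
    print(report(triage(SAMPLE_INVENTORY, catalog, date.today())))
```

In real use, replace the constructed feed with the downloaded KEV JSON and the inventory with a scanner export; the matching and due-date logic stay the same. Note that the placeholder row for a CVE absent from the catalog is dropped deliberately, because the KEV catalog tells you what is known to be exploited, not what is safe to leave unpatched.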
Original article by Chief Security Officer; if reproduced, please credit https://cncso.com/en/cisa-updates-kev-catalog-with-6-vulnerabilities-html