Flaws in Cisco, Hitachi, Microsoft, and Progress Software Actively Targeted—CISA Issues Warning

On Monday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five security vulnerabilities affecting software from Cisco, Hitachi Vantara, Microsoft Windows, and Progress WhatsUp Gold to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence that these flaws are currently being actively exploited.

The vulnerabilities listed are:

CVE-2023-20118 (CVSS score: 6.5): A command injection flaw in the web-based management interface of Cisco Small Business RV Series routers. This vulnerability enables an authenticated, remote attacker to gain root privileges and access unauthorized data. The affected routers will not receive a patch because they have reached end-of-life status.

CVE-2022-43939 (CVSS score: 8.6): An authorization bypass vulnerability found in Hitachi Vantara Pentaho BA Server, caused by non-canonical URL paths being used for authorization decisions. This issue was fixed in August 2024 with updates to versions 9.3.0.2 and 9.4.0.1.

CVE-2022-43769 (CVSS score: 8.8): A special element injection vulnerability in Hitachi Vantara Pentaho BA Server. This flaw allows attackers to inject Spring templates into properties files, enabling arbitrary command execution. This issue was also addressed in August 2024 with updates to versions 9.3.0.2 and 9.4.0.1.

CVE-2018-8639 (CVSS score: 7.8): An improper resource shutdown or release vulnerability in Microsoft Windows Win32k, which enables local, authenticated privilege escalation and execution of arbitrary code in kernel mode. This vulnerability was resolved in December 2018.

CVE-2024-4885 (CVSS score: 9.8): A path traversal vulnerability in Progress WhatsUp Gold, which allows an unauthenticated attacker to execute remote code. This flaw was fixed in version 2023.1.3, released in June 2024.
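The Hitachi Vantara Pentaho entry above attributes the authorization bypass to decisions made on non-canonical URL paths. The following Python is an added illustration of that defect class and its fix, written for this article and not taken from Pentaho or any other vendor; the `/admin/` prefix and the sample request paths are assumptions.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Hypothetical protected area; the real product's paths are not on the page.
PROTECTED_PREFIX = "/admin/"


def is_protected_naive(path: str) -> bool:
    """Weak check: decides on the request path exactly as received."""
    return path.startswith(PROTECTED_PREFIX)


def canonicalize(path: str) -> str:
    """Reduce a request path to one canonical form before any decision."""
    decoded = path
    for _ in range(3):            # undo double/triple percent-encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = re.sub(r"/+", "/", "/" + decoded)   # collapse repeated slashes
    return normpath(decoded)      # resolve "." and ".." segments


def is_protected_canonical(path: str) -> bool:
    """Hardened check: the same policy, applied to the canonical path."""
    canon = canonicalize(path)
    root = PROTECTED_PREFIX.rstrip("/")
    return canon == root or canon.startswith(root + "/")


def disagreements(paths):
    """Return the paths on which the naive and canonical checks differ."""
    return [p for p in paths if is_protected_naive(p) != is_protected_canonical(p)]


# Constructed sample request paths, not observed traffic.
SAMPLE_PATHS = [
    "/admin/users",                  # plain form, both checks agree
    "/public/../admin/users",        # dot-segment traversal
    "/%61dmin/users",                # percent-encoded letter
    "//admin/users",                 # duplicate leading slash
    "/./admin/users",                # current-directory segment
    "/adminx/users",                 # not protected, both checks agree
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:26} naive={is_protected_naive(p)!s:5} canonical={is_protected_canonical(p)}")
```

Every path except the first and last is reported by `disagreements`, which is exactly the gap an authorization layer must close before comparing a path against its access rules.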

Though there are limited reports on how these vulnerabilities are being actively exploited, French cybersecurity firm Sekoia disclosed last week that attackers are leveraging CVE-2023-20118 to incorporate vulnerable routers into a botnet known as PolarEdge.

Regarding CVE-2024-4885, the Shadowserver Foundation reported that exploitation attempts were observed beginning August 1, 2024. According to data from GreyNoise, up to eight unique IP addresses located in Hong Kong, Russia, Brazil, South Korea, and the United Kingdom have been identified as being linked to the malicious exploitation of this vulnerability.

Given the ongoing exploitation of these vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies are advised to implement the necessary mitigation measures by March 24, 2025, to protect their networks.
