The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified and added three security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, highlighting concerns over active exploitation. These vulnerabilities pose significant risks to various systems and require immediate attention from cybersecurity professionals.
The first vulnerability, CVE-2023-1389, carries a CVSS score of 8.8 and affects TP-Link Archer AX-21 routers. This command injection vulnerability could enable attackers to execute remote code. Evidence indicates that threat actors associated with the Mirai botnet have been leveraging this flaw since April 11, 2023, as reported by Trend Micro’s Zero Day Initiative.
The second flaw, CVE-2021-45046, has a CVSS score of 9.0 and relates to the widely used Apache Log4j2 logging library. Although the specifics of its current exploitation are unclear, data from GreyNoise shows that exploitation attempts have originated from numerous unique IP addresses in recent weeks. This vulnerability is part of a series of known weaknesses in Log4j2 that have garnered significant attention since their discovery in December 2021.
The final entry in this catalog update is CVE-2023-21839, which affects specific versions of Oracle WebLogic Server. With a CVSS score of 7.5, this vulnerability allows unauthorized access to sensitive information and was addressed in Oracle’s January 2023 security updates. CISA has flagged it because it can be exploited by unauthenticated attackers with network access over the T3 and IIOP protocols.
While proof-of-concept exploits exist for the vulnerabilities, there are currently no widespread reports of malicious exploitation. The urgency to patch these flaws has been underscored by the requirement for Federal Civilian Executive Branch (FCEB) agencies to implement vendor fixes by May 22, 2023, in order to safeguard their networks against exploitation.
The advisory raises broader concerns about the vulnerability landscape, particularly following a recent report by VulnCheck that identified nearly forty flaws believed to be actively exploited yet absent from the KEV catalog. Notably, many of these threats were attributed to Mirai-like botnets, ransomware groups, and various other threat actors, indicating a complex and evolving threat environment.
As cybersecurity professionals assess these vulnerabilities, the MITRE ATT&CK framework serves as a valuable tool for understanding potential adversary tactics and techniques. The vulnerabilities discussed could relate to tactics such as initial access, privilege escalation, and exploitation of public-facing applications. For organizations, the imperative is clear: risk mitigation strategies must be prioritized to protect against these identified threats.
In an era where cybersecurity threats are omnipresent, remaining informed and responsive is essential for business owners. Monitoring such advisories and promptly addressing vulnerabilities is crucial to defending against potential attacks.
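The patch-by-due-date obligation described above, and the advice to monitor such advisories, translate naturally into a small triage routine. The following is an added example, not code from the article or from CISA: it cross-references an asset inventory with a KEV catalog snapshot and reports how many days remain before each CISA due date. The JSON shape (a `vulnerabilities` array with `cveID`, `product`, `dueDate` and similar fields) is assumed to follow CISA's published KEV feed; the sample itself is constructed, with only the three CVE IDs, products and the May 22, 2023 deadline taken from the article, and the host names and the `dateAdded` values are made up.

```python
"""Triage inventory CVEs against a CISA KEV snapshot (added example, not the article's code)."""
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed. Field names are an
# assumption about that feed; dateAdded and hosts below are illustrative, while the
# CVE IDs, products and the 2023-05-22 FCEB due date come from the article.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2023-1389", "vendorProject": "TP-Link", "product": "Archer AX-21",
         "dateAdded": "2023-05-01", "dueDate": "2023-05-22",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2021-45046", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2023-05-01", "dueDate": "2023-05-22",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2023-21839", "vendorProject": "Oracle", "product": "WebLogic Server",
         "dateAdded": "2023-05-01", "dueDate": "2023-05-22",
         "requiredAction": "Apply updates per vendor instructions."},
    ]
})


def load_kev(raw: str) -> dict:
    """Index a KEV feed by CVE ID so inventory lookups are constant time."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def triage(inventory: dict, kev: dict, today: str) -> list:
    """Match an inventory {cve_id: [hosts]} against KEV entries.

    Returns one record per KEV-listed CVE present in the inventory with the days
    until (negative: past) the CISA due date and a status label. CVEs absent from
    KEV are skipped here; they still need patching, just on a normal cadence.
    """
    now = date.fromisoformat(today)
    findings = []
    for cve, hosts in sorted(inventory.items()):
        entry = kev.get(cve)
        if entry is None:
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - now).days
        status = "OVERDUE" if days_left < 0 else "DUE_SOON" if days_left <= 7 else "SCHEDULED"
        findings.append({"cve": cve, "product": entry["product"], "hosts": hosts,
                         "due": entry["dueDate"], "days_left": days_left, "status": status})
    return findings


if __name__ == "__main__":
    inventory = {"CVE-2023-21839": ["wls-prod-01"], "CVE-2021-45046": ["app-03", "app-07"],
                 "CVE-0000-0000": ["legacy-01"]}  # last ID is a placeholder not in KEV
    for f in triage(inventory, load_kev(KEV_SAMPLE), "2023-05-18"):
        print(f"{f['status']:9} {f['cve']} {f['product']} due {f['due']} "
              f"({f['days_left']}d) on {', '.join(f['hosts'])}")
```

Replace `KEV_SAMPLE` with the downloaded KEV JSON and `inventory` with scanner output to run this against a real estate.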