On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The identified vulnerabilities include: CVE-2022-47986, a code execution flaw in IBM Aspera Faspex (CVSS score: 9.8); CVE-2022-41223, a code injection vulnerability in Mitel MiVoice Connect (CVSS score: 6.8); and CVE-2022-40765, a command injection flaw within the same Mitel product (CVSS score: 6.8).
CVE-2022-47986 poses a serious risk as it involves a YAML deserialization vulnerability in a file transfer solution, enabling remote attackers to execute arbitrary code on compromised systems. Assetnote disclosed specifics about this flaw and a proof-of-concept (PoC) on February 2, shortly before the Shadowserver Foundation reported an uptick in exploitation attempts within active environments.
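To illustrate the vulnerability class named above, the Ruby snippet below contrasts an unrestricted YAML loader with a hardened one and adds a simple pre-load check. This is an added example, not code from the page, Assetnote or IBM; the `AuditEntry` class and both documents are constructed, and nothing here reflects Faspex's actual implementation.

```ruby
require 'yaml'

# Constructed class standing in for any application object that an
# unrestricted YAML loader will instantiate from untrusted input.
class AuditEntry
  attr_accessor :actor, :action
end

# Constructed untrusted document: the !ruby/object tag instructs Psych to
# build an arbitrary Ruby object instead of a plain Hash.
UNTRUSTED_DOC = <<~YAML
  --- !ruby/object:AuditEntry
  actor: alice
  action: login
YAML

# Constructed benign document: only scalars and a mapping.
PLAIN_DOC = <<~YAML
  actor: alice
  action: login
YAML

# Vulnerable pattern: the unrestricted loader (YAML.load on Psych < 4,
# YAML.unsafe_load on Psych >= 4) instantiates whatever class the tag names.
def unsafe_parse(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened pattern: safe_load only builds core types; a tagged Ruby object
# raises Psych::DisallowedClass and the document is rejected.
def safe_parse(doc)
  YAML.safe_load(doc, permitted_classes: [], aliases: false)
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  { error: e.class.name }
end

# Detection helper: flag documents carrying Ruby object tags before they
# reach any loader (for an upload filter or a review of logged payloads).
def suspicious_yaml?(doc)
  doc.match?(%r{!ruby/(object|hash|struct|array|exception)})
end
```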
The surge in exploitation of the Aspera Faspex flaw follows closely on an incident involving Fortra's GoAnywhere MFT managed file transfer software, whose vulnerabilities were likewise actively exploited by threat actors linked to the Clop ransomware operation.
CISA also warned about the two Mitel MiVoice Connect vulnerabilities, noting that an authenticated attacker with access to the internal network could exploit them to execute arbitrary code, which underscores the need for timely protective measures. One related vulnerability has previously been used in attacks to deploy ransomware, adding to the urgency of addressing these flaws.
The precise methods used in these recent attacks have not been publicly detailed. Described in MITRE ATT&CK terms, the tactics likely in play include initial access through spear phishing or exploitation of exposed vulnerable services, followed by persistence and privilege escalation.
Federal Civilian Executive Branch (FCEB) agencies are therefore required to apply the relevant updates by March 14, 2023, to protect their networks against intrusions exploiting these vulnerabilities.
In a related advisory, CISA has highlighted critical vulnerabilities identified in Mitsubishi Electric’s MELSOFT iQ AppPortal. The agency warns that successful exploitation could lead to consequences such as authentication bypass, information disclosure, or denial of service, underscoring the breadth of risks posed by such flaws within industrial control systems.
As new threats continue to emerge, organizations need to remain vigilant and proactive so that they are equipped to defend against these attack vectors.