Critical Vulnerabilities in Android and Novi Survey Under Ongoing Exploitation
April 14, 2023
Mobile Security / Cyber Threat
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The two vulnerabilities are:
- CVE-2023-20963 (CVSS score: 7.8) – Android Framework Privilege Escalation Vulnerability
- CVE-2023-29492 (CVSS score: TBD) – Novi Survey Insecure Deserialization Vulnerability
CISA’s advisory for CVE-2023-20963 notes that the Android Framework contains an unspecified vulnerability that allows privilege escalation after an app is updated to a higher Target SDK, with no additional execution privileges needed. Google acknowledged in its March 2023 Android Security Bulletin that there are signs of limited, targeted exploitation of CVE-2023-20963. This revelation follows a report from Ars Technica that Android apps digitally signed by a Chinese e-commerce entity may be affected.