On Monday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) expanded its Known Exploited Vulnerabilities (KEV) catalog, adding five notable security flaws affecting widely used software from Cisco, Hitachi Vantara, Microsoft Windows, and Progress WhatsUp Gold. This update underscores the urgent need for organizations to address vulnerabilities that have been actively exploited in the wild.

The newly identified vulnerabilities present significant risks. One of the most critical is CVE-2023-20118, which affects Cisco Small Business RV Series routers. This command injection vulnerability permits an authenticated remote attacker to elevate privileges to root level, thereby gaining unauthorized access to sensitive data. Notably, this issue remains unpatched because the affected routers have reached end-of-life status, leaving them susceptible to threats.

CVE-2022-43939 and CVE-2022-43769 are vulnerabilities related to Hitachi Vantara’s Pentaho BA Server. The former allows for an authorization bypass due to the use of non-canonical URL paths, while the latter facilitates special element injection, enabling attackers to execute arbitrary commands through injected Spring templates. Both vulnerabilities were addressed in versions released in August 2024, highlighting the importance of keeping software up to date.
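The Pentaho authorization bypass described above is an instance of a general failure mode: an authorization decision made on the request path as received rather than on its canonical form. The following is an added example, not code from the article or from Hitachi Vantara, and it makes no claim about how the Pentaho check was actually written. It contrasts a naive prefix check on the raw path with a check that percent-decodes and normalizes the path first; the route names and the `/admin/` prefix are assumptions chosen for illustration.

```python
import posixpath
from urllib.parse import unquote

# Assumed for illustration: everything under /admin/ requires an admin session.
ADMIN_PREFIX = "/admin/"


def canonicalize(path: str) -> str:
    """Return the canonical form of a request path.

    Percent-decodes until the result is stable (so a doubly-encoded segment is
    fully decoded), collapses '.' and '..' segments and duplicate slashes, and
    always returns an absolute path with a single leading slash.
    """
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    norm = posixpath.normpath(path)
    if norm == ".":          # normpath("") yields "."; treat it as the root
        norm = ""
    return "/" + norm.lstrip("/")   # normpath keeps "//x" on POSIX; collapse it


def naive_requires_admin(raw_path: str) -> bool:
    # Weak pattern: the decision is taken on the path exactly as received, so a
    # path that only resolves to /admin/ after normalization is not recognized.
    return raw_path.startswith(ADMIN_PREFIX)


def hardened_requires_admin(raw_path: str) -> bool:
    # Fixed pattern: canonicalize first, then decide on the canonical path.
    return canonicalize(raw_path).startswith(ADMIN_PREFIX)


def authorize(raw_path: str, is_admin: bool, check=hardened_requires_admin) -> bool:
    """Return True when the request is allowed to proceed."""
    if check(raw_path):
        return is_admin
    return True


if __name__ == "__main__":
    # Constructed request path that normalizes into the protected area.
    probe = "/public/../admin/report"
    print("canonical:", canonicalize(probe))
    print("naive check allows non-admin:", authorize(probe, False, naive_requires_admin))
    print("hardened check allows non-admin:", authorize(probe, False))
```

The point to take from the comparison is that the authorization layer must see the same path the routing and file-serving layers will eventually act on; decoding and normalizing once, early, and passing only the canonical path onward removes the whole class of mismatch.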

Furthermore, CVE-2018-8639, an improper resource shutdown issue in Microsoft Windows, poses a serious threat as it allows local privilege escalation for authenticated users. This vulnerability was fixed in December 2018 but remains a concern because of its exploitation in targeted attacks. Evidence points to its use by a Chinese hacking group known as Dalbit, which leveraged the flaw for unauthorized access after breaching South Korean networks.

Recently reported exploitation attempts have also emerged regarding CVE-2024-4885, a path traversal vulnerability in Progress WhatsUp Gold. This flaw lets unauthenticated attackers execute code remotely, presenting a substantial risk to networks. The Shadowserver Foundation noted activity suggesting exploitation attempts began on August 1, 2024, involving various identifiable IP addresses from multiple countries, including Hong Kong and Russia.

In light of these vulnerabilities, it is crucial for organizations, and mandatory for Federal Civilian Executive Branch agencies, to apply mitigations by March 24, 2025. Failure to do so could expose organizations to various attack vectors, including techniques related to initial access, privilege escalation, and persistence as outlined in the MITRE ATT&CK framework. The potential for attackers to exploit these vulnerabilities highlights the necessity for vigilant cybersecurity practices and rapid response to identified threats.

While there remains limited public information regarding the breadth of exploitation for some of these vulnerabilities, recent analyses suggest a growing trend of attacks utilizing them. Organizations must be proactive in applying patches and monitoring for signs of exploitation to safeguard their systems. The time to act is now, as cyber threats continue to evolve alongside the software we rely on.
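Tracking KEV additions and their remediation due dates is the routine behind the advice above. The following is an added example, not code from the article or from CISA: it parses a feed in the shape of CISA's public KEV JSON (the real feed is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), pulls out the five CVEs named in the article, and classifies each against its due date. The embedded feed is a constructed sample; its field names follow the public feed's schema as the author of this example understands it, the March 24, 2025 due date comes from the article, and the other dates and descriptive strings are assumed for illustration.

```python
import json
from collections import Counter
from datetime import date

# Constructed sample in the shape of the KEV JSON feed. Field names mirror the public
# feed as understood here (assumption); the due date is from the article, all other
# values are illustrative. CVE-0000-0000 is a placeholder for an unrelated entry.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "dateReleased": "2025-03-03T00:00:00.0000Z",
    "count": 6,
    "vulnerabilities": [
        {"cveID": "CVE-2023-20118", "vendorProject": "Cisco",
         "product": "Small Business RV Series Routers", "dateAdded": "2025-03-03",
         "dueDate": "2025-03-24", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2022-43939", "vendorProject": "Hitachi Vantara",
         "product": "Pentaho BA Server", "dateAdded": "2025-03-03",
         "dueDate": "2025-03-24", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2022-43769", "vendorProject": "Hitachi Vantara",
         "product": "Pentaho BA Server", "dateAdded": "2025-03-03",
         "dueDate": "2025-03-24", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2018-8639", "vendorProject": "Microsoft",
         "product": "Windows", "dateAdded": "2025-03-03",
         "dueDate": "2025-03-24", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-4885", "vendorProject": "Progress",
         "product": "WhatsUp Gold", "dateAdded": "2025-03-03",
         "dueDate": "2025-03-24", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0000", "vendorProject": "Placeholder Vendor",
         "product": "Placeholder Product", "dateAdded": "2025-01-01",
         "dueDate": "2025-01-22", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# The five CVEs the article reports as added to the catalog.
ARTICLE_CVES = {
    "CVE-2023-20118", "CVE-2022-43939", "CVE-2022-43769",
    "CVE-2018-8639", "CVE-2024-4885",
}


def load_feed(text: str) -> dict:
    """Parse KEV feed JSON text (read from disk or fetched separately)."""
    feed = json.loads(text)
    if "vulnerabilities" not in feed:
        raise ValueError("not a KEV feed: missing 'vulnerabilities'")
    return feed


def entries_for(feed: dict, cve_ids) -> list:
    """Return the catalog entries whose cveID is in cve_ids (case-insensitive)."""
    wanted = {c.upper() for c in cve_ids}
    return [v for v in feed["vulnerabilities"] if v["cveID"].upper() in wanted]


def remediation_status(entry: dict, today: date) -> str:
    """Classify an entry by its due date relative to today."""
    days_left = (date.fromisoformat(entry["dueDate"]) - today).days
    if days_left < 0:
        return "overdue"
    if days_left <= 7:
        return "due soon"
    return "open"


def triage(feed: dict, cve_ids, today: date) -> list:
    """Build a due-date-ordered worklist for the requested CVEs."""
    rows = [{
        "cve": v["cveID"],
        "vendor": v["vendorProject"],
        "product": v["product"],
        "due": v["dueDate"],
        "status": remediation_status(v, today),
        "ransomware": v.get("knownRansomwareCampaignUse", "Unknown"),
    } for v in entries_for(feed, cve_ids)]
    return sorted(rows, key=lambda r: (r["due"], r["cve"]))


def status_counts(rows: list) -> dict:
    """Summarize a worklist as {status: count}."""
    return dict(Counter(r["status"] for r in rows))


if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED)
    for row in triage(feed, ARTICLE_CVES, date(2025, 3, 20)):
        print(f'{row["cve"]:16} {row["vendor"]:16} due {row["due"]}  {row["status"]}')
```

In practice the same functions run against the downloaded feed on a schedule, and the CVE set comes from the organization's own asset inventory rather than from a news item; the "due soon" threshold is an assumed seven days and should follow local change-management lead times.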

This article is a contributed piece from one of our valued partners.