CISA Updates KEV Catalog with 3 New Vulnerabilities Affecting AMI MegaRAC, D-Link, and Fortinet

On June 26, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, all of which are subject to active exploitation. These vulnerabilities affect AMI MegaRAC, D-Link DIR-859 routers, and Fortinet FortiOS. The details of the vulnerabilities are as follows:

  • CVE-2024-54085 (CVSS score: 10.0): An authentication bypass vulnerability in the Redfish Host Interface of AMI MegaRAC SPx, which could enable a remote attacker to gain control.
  • CVE-2024-0769 (CVSS score: 5.3): A path traversal vulnerability in D-Link DIR-859 routers that facilitates privilege escalation and unauthorized control (currently unpatched).
  • CVE-2019-6693 (CVSS score: 4.2): A hard-coded cryptographic key issue in FortiOS, FortiManager, and FortiAnalyzer used for encrypting password data in CLI configurations, potentially allowing an attacker with access to the CLI configuration or backup file to decrypt sensitive information.

CISA Updates KEV Catalog with Three Critical Vulnerabilities Affecting AMI MegaRAC, D-Link, and Fortinet

On June 26, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) expanded its Known Exploited Vulnerabilities (KEV) catalog to include three significant security flaws. These vulnerabilities have been identified as actively exploited and are associated with the AMI MegaRAC SPx management interface, the D-Link DIR-859 router, and the Fortinet FortiOS system. This latest update underscores the pressing cybersecurity risks present in widely-used technologies.

One of the critical vulnerabilities listed is CVE-2024-54085, which carries a CVSS score of 10.0. This authentication bypass flaw allows attackers to exploit the Redfish Host Interface of AMI MegaRAC SPx, potentially enabling them to seize control of the system remotely. Such a breach could have serious implications for organizations relying on this firmware for server management, emphasizing the urgency for timely patch implementations.

Additionally, the vulnerability CVE-2024-0769 with a CVSS score of 5.3 pertains to a path traversal flaw within D-Link DIR-859 routers. This vulnerability paves the way for privilege escalation and unauthorized control. Notably, the issue remains unpatched, further increasing the risk for businesses that utilize these routers in their operations. The possibility of exploitation remains a critical concern, as unauthorized access could lead to a range of malicious activities.

Another vulnerability of concern is CVE-2019-6693, which has a CVSS score of 4.2. This issue relates to a hard-coded cryptographic key within the FortiOS, FortiManager, and FortiAnalyzer environments. This vulnerability could allow an attacker with access to the command-line interface (CLI) configuration or its backup file to decrypt sensitive password data. The presence of hardcoded keys is a known risk factor, as it can significantly compromise the security of critical systems.

In considering the tactics employed by potential adversaries exploiting these vulnerabilities, it is important to reference the MITRE ATT&CK framework. Techniques such as initial access via authentication bypass and privilege escalation through path traversal are central to understanding how these attacks unfold. An adversary might leverage these vulnerabilities to establish persistence within a targeted network, thereby maintaining a foothold for further malicious activity.

The inclusion of these vulnerabilities in the KEV catalog highlights the active landscape of cyber threats facing organizations today. Business owners must remain vigilant and proactive in assessing their infrastructure for these and similar vulnerabilities. Failure to address these issues can leave organizations exposed to significant data breaches and operational disruptions.

As the cybersecurity landscape continues to evolve, it is essential for businesses to stay informed about emerging vulnerabilities and implement robust security measures. The presence of these newly identified vulnerabilities in the CISA catalog serves as a critical reminder of the ongoing need for vigilance and proactive cybersecurity strategies in safeguarding sensitive data and maintaining operational integrity.

Source link

Related Posts

9% of Microsoft Entra SaaS Apps Still Vulnerable to nOAuth Exploits Two Years Post-Discovery

June 25, 2025
SaaS Security / Vulnerability

Recent findings highlight ongoing risks associated with a known security flaw in Microsoft Entra ID, which may allow malicious actors to execute account takeovers in certain software-as-a-service (SaaS) applications. Identity security firm Semperis analyzed 104 SaaS applications and discovered that nine remain vulnerable to Entra ID cross-tenant nOAuth abuse. Initially revealed by Descope in June 2023, nOAuth pertains to a flaw in the implementation of OpenID Connect (OIDC) by SaaS applications, which is an authentication layer built on OAuth for verifying user identities. This implementation flaw allows attackers to alter the mail attribute in an Entra ID account to that of a target, leveraging the app’s “Log in with Microsoft” feature to hijack the account. The attack is straightforward, exacerbated by Entra ID’s allowance for unverified email addresses, paving the way for user impersonation.

Severe RCE Vulnerabilities in Cisco ISE and ISE-PIC Enable Unauthenticated Attackers to Obtain Root Access

Jun 26, 2025
Vulnerability, Network Security

Cisco has issued updates to resolve two critical security vulnerabilities in the Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that may allow unauthenticated attackers to execute arbitrary commands with root privileges. These vulnerabilities, identified as CVE-2025-20281 and CVE-2025-20282, both carry a maximum CVSS score of 10.0. Here’s a detailed overview of the vulnerabilities:

  • CVE-2025-20281: A remote code execution flaw impacting Cisco ISE and ISE-PIC versions 3.3 and later, enabling an unauthenticated attacker to execute arbitrary code on the system as root.

  • CVE-2025-20282: A remote code execution vulnerability in Cisco ISE and ISE-PIC version 3.4 that allows an unauthenticated attacker to upload arbitrary files to the device and execute them as root.

Cisco has indicated that CVE-2025-20281 stems from inadequate…

Major Vulnerability in Open VSX Registry Poses Supply Chain Risks for Millions of Developers

On June 26, 2025, cybersecurity analysts revealed a serious flaw in the Open VSX Registry (“open-vsx[.]org”), which, if exploited, could allow attackers to seize control of the entire Visual Studio Code extensions marketplace. This represents a significant supply chain threat. “This vulnerability gives attackers total authority over the extensions marketplace and, consequently, over millions of developer machines,” stated Oren Yomtov, a researcher at Koi Security. “By leveraging a CI issue, a malicious actor could release harmful updates to every extension available on Open VSX.” After responsibly disclosing the issue on May 4, 2025, the maintainers proposed several fixes, culminating in a final patch on June 25. The Open VSX Registry, an open-source alternative to the Visual Studio Marketplace, is maintained by the Eclipse Foundation and is used by various code editors, including Cursor, Windsurf, Google Cloud Shell Editor, and Gitpod.

MOVEit Transfer Under Heightened Threat as Scanning Activity Surges and CVE Vulnerabilities Come Under Fire

Network security firm GreyNoise has reported a “notable surge” in scanning activity targeting Progress MOVEit Transfer systems since May 27, 2025, indicating that cybercriminals may be gearing up for a new mass exploitation campaign or probing for unpatched vulnerabilities. MOVEit Transfer, widely utilized by businesses and government agencies for secure file sharing, is a prime target due to its handling of sensitive data.

“Prior to this date, scanning was minimal—typically fewer than 10 IP addresses were observed daily,” the firm stated. “However, on May 27, that number skyrocketed to over 100 unique IPs, followed by 319 on May 28.” Since then, the volume of scanning IPs has remained intermittently elevated, fluctuating between 200 and 300 daily, marking a “significant deviation” from normal patterns. GreyNoise reports that as many as 682 unique IPs have been flagged in connection with this increased activity.