On Monday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities (KEV) catalog with three critical security flaws, highlighting their active exploitation in the wild. The vulnerabilities now included are CVE-2023-48788, CVE-2021-44529, and CVE-2019-7256, which pose significant risks to users of affected systems.
Among these, CVE-2023-48788, which affects Fortinet’s FortiClient EMS, has been assigned a CVSS score of 9.3. This SQL injection vulnerability allows unauthorized users to execute commands via specially crafted requests, raising serious concerns about system integrity. Fortinet has acknowledged this flaw’s exploitation following its recent disclosure, but specifics regarding the attacks remain undisclosed.
The second vulnerability, CVE-2021-44529, impacts the Ivanti Endpoint Manager Cloud Service Appliance. Rated at a CVSS score of 9.8, this code injection flaw enables unauthenticated users to run malicious code with limited permissions, thereby compromising endpoint security. Research by security expert Ron Bowes suggests this flaw may have originated from an intentional backdoor in the defunct open-source project csrf-magic, with the vulnerability existing since at least 2014 before its resolution in late 2021.
Finally, CVE-2019-7256 carries a critical CVSS score of 10.0 and permits remote code execution on Nice Linear eMerge E3-Series access controllers. Attackers have been exploiting this vulnerability since at least February 2020. This issue was previously disclosed by security researcher Gjoko Krstic in May 2019, before being formally addressed by Nice—formerly Nortek—earlier this month along with 11 other vulnerabilities.
In light of the newfound evidence regarding these security flaws, federal agencies are mandated to implement mitigations from vendors by April 15, 2024. Furthermore, this update coincides with a joint alert from CISA and the Federal Bureau of Investigation (FBI) calling on software manufacturers to address and mitigate SQL injection vulnerabilities across the board.
The advisory emphasized the troubling trend of SQL injection flaws continuing to emerge despite two decades of awareness and the existence of effective protective measures. The exploitation of vulnerabilities like CVE-2023-34362, a recent critical SQL injection flaw in Progress Software’s MOVEit Transfer platform, further underscores the need for robust security practices.
To mitigate SQL injection risks, the advisory recommended parameterized queries with prepared statements, which keep the SQL code separate from user-supplied data so that hostile input is handled as data rather than interpreted as executable SQL.
As cybersecurity threats continue to evolve, business owners must remain vigilant. By understanding the MITRE ATT&CK framework, including tactics such as initial access and privilege escalation, organizations can better prepare their defenses against potential attacks.
Being aware of these recent vulnerabilities and their implications is crucial for safeguarding sensitive data and minimizing risks associated with cyber threats.