us.-cybersecurity-agency-cisa-adds-three-new-vulnerabilities-in-kev-catalog

Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

U.S. Cybersecurity Agency CISA Adds Three New Vulnerabilities in KEV Catalog

Feb 22, 2023Ravie LakshmananCyber Risk / Patch Management

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The list of shortcomings is as follows –

  • CVE-2022-47986 (CVSS score: 9.8) – IBM Aspera Faspex Code Execution Vulnerability
  • CVE-2022-41223 (CVSS score: 6.8) – Mitel MiVoice Connect Code Injection Vulnerability
  • CVE-2022-40765 (CVSS score: 6.8) – Mitel MiVoice Connect Command Injection Vulnerability

CVE-2022-47986 is described as a YAML deserialization flaw in the file transfer solution that could allow a remote attacker to execute code on the system.

Details of the flaw and a proof-of-concept (PoC) were shared by Assetnote on February 2, a day after which the Shadowserver Foundation said it “picked up exploitation attempts” in the wild.

The active exploitation of the Aspera Faspex flaw comes shortly after a vulnerability in Fortra’s GoAnywhere MFT-managed file transfer software (CVE-2023-0669) was abused by threat actors with potential links to the Clop ransomware operation.

CISA also added two flaws impacting Mitel MiVoice Connect (CVE-2022-41223 and CVE-2022-40765) that could permit an authenticated attacker with internal network access to execute arbitrary code.

Exact specifics surrounding the nature of the attacks are unclear, but another flaw in MiVoice Connect was exploited last year to deploy ransomware. The vulnerabilities were patched by Mitel in October 2022.

In light of in-the-wild exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary updates by March 14, 2023, to secure networks against potential threats.

CISA, in a related development, also released an Industrial Control Systems (ICS) advisory that touches upon critical flaws (CVE-2022-26377 and CVE-2022-31813) in Mitsubishi Electric’s MELSOFT iQ AppPortal.

“Successful exploitation of these vulnerabilities could allow a malicious attacker to make unidentified impacts such as authentication bypass, information disclosure, denial-of-service, or bypass IP address authentication,” the agency said.


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related News

Researcher create polymorphic Blackmamba malware with ChatGPT

Researcher create polymorphic Blackmamba malware with ChatGPT

The malware can target Windows, macOS and Linux devices. HYAS Institute researcher and cybersecurity expert, Jeff Sims, has developed a…
Owner of Breach Forums Pompompurin Arrested in New York

Owner of Breach Forums Pompompurin Arrested in New York

Pompompurin has been charged with a single count of conspiracy to commit access device fraud. Conor Brian Fitzpatrick (aka Pompompurin,…
New Vishing Attack Spreading FakeCalls Android Malware

New Vishing Attack Spreading FakeCalls Android Malware

The attack scheme begins with the FakeCalls malware masquerading as an online banking application of a reputable South Korean financial…