The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog, adding several critical vulnerabilities that pose significant risks to both public and private sectors. The latest additions include flaws in Microsoft Windows and Rejetto HTTP File Server, which have been identified as high-priority threats.
Newly Added Vulnerabilities
The newly added vulnerabilities are:
- CVE-2024-23692: This vulnerability, with a CVSS score of 9.8, affects Rejetto HTTP File Server up to version 2.3m. It is a template injection flaw that allows remote, unauthenticated attackers to execute arbitrary commands on the affected system by sending specially crafted HTTP requests.
- CVE-2024-38080: With a CVSS score of 7.8, this elevation of privilege vulnerability impacts Windows Hyper-V. Successful exploitation could enable attackers to gain SYSTEM privileges.
- CVE-2024-38112: This Windows MSHTML Platform Spoofing Vulnerability has a CVSS score of 7.5. Exploiting this flaw requires attackers to take additional preparatory actions before sending a malicious file to victims, who would then need to execute it.
The inclusion of these vulnerabilities in the KEV catalog underscores their potential for exploitation and the urgency for remediation.
Implications for Federal and Private Sectors
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies are mandated to address these vulnerabilities by the specified due date to safeguard their networks. CISA has set a deadline of July 30, 2024, for federal agencies to fix these vulnerabilities.
Private organizations are also strongly advised to review the KEV catalog and address these vulnerabilities within their infrastructure. Failure to do so could leave critical systems exposed to potential attacks, leading to severe operational disruptions and data breaches.
Recent Additions and Expert Recommendations
Last week, CISA added another critical vulnerability to its KEV catalog: the Cisco NX-OS Command Injection Vulnerability (CVE-2024-20399). This addition highlights the ongoing efforts by CISA to keep the KEV catalog updated with the most pressing cybersecurity threats.
Cybersecurity experts recommend that both public and private entities prioritize the remediation of these vulnerabilities. Regularly updating security protocols and conducting thorough vulnerability assessments can significantly reduce the risk of exploitation.
For more updates on cybersecurity threats and best practices, follow Pierluigi Paganini on Twitter: @securityaffairs, Facebook, and Mastodon.