
Cisco, Hitachi, Microsoft, and Progress Vulnerabilities Actively Exploited—CISA Issues Urgent Warning


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert adding five actively exploited security vulnerabilities from Cisco, Hitachi Vantara, Microsoft, and Progress WhatsUp Gold to its Known Exploited Vulnerabilities (KEV) catalog. These flaws are being targeted by cybercriminals, posing a serious threat to organizations.


🚨 New Exploited Vulnerabilities

Based on evidence of real-world attacks, the following vulnerabilities have been flagged:

🔹 CVE-2023-20118 (CVSS: 6.5) – A command injection flaw in the Cisco Small Business RV Series routers, allowing authenticated remote attackers to gain root privileges. 🚨 No patch available as the routers have reached end-of-life.


🔹 CVE-2022-43939 (CVSS: 8.6) – An authorization bypass vulnerability in Hitachi Vantara Pentaho BA Server, caused by improper URL path handling. ✅ Patched in August 2024 (versions 9.3.0.2 and 9.4.0.1).


🔹 CVE-2022-43769 (CVSS: 8.8) – A special element injection flaw in Hitachi Vantara Pentaho BA Server, enabling attackers to execute arbitrary commands using Spring template injection. ✅ Fixed in August 2024 (versions 9.3.0.2 and 9.4.0.1).


🔹 CVE-2018-8639 (CVSS: 7.8) – A privilege escalation flaw in Microsoft Windows Win32k, allowing local attackers to execute arbitrary code in kernel mode. ✅ Fixed in December 2018.


🔹 CVE-2024-4885 (CVSS: 9.8) – A path traversal vulnerability in Progress WhatsUp Gold, enabling remote code execution (RCE) by unauthenticated attackers. ✅ Patched in version 2023.1.3 (June 2024).


📌 How Are These Vulnerabilities Being Exploited?

While detailed exploitation reports remain limited, security researchers have linked the following attacks to these vulnerabilities:


🔹 CVE-2023-20118 – Botnet Infections

  • Threat actors are using this flaw to infect vulnerable routers with PolarEdge, a botnet uncovered by cybersecurity firm Sekoia.


🔹 CVE-2024-4885 – Global Exploitation in Progress

  • Shadowserver Foundation reported active exploitation attempts since August 1, 2024.
  • GreyNoise data links eight unique IP addresses from Hong Kong, Russia, Brazil, South Korea, and the U.K. to malicious activity targeting this flaw.


🔹 CVE-2018-8639 – Chinese APT Attack

  • In early 2023, AhnLab attributed exploitation of this Windows vulnerability to Dalbit (aka m00nlight), a Chinese hacking group.
  • Attackers exploited SQL server flaws to infiltrate South Korean networks, using web shells for persistence and this vulnerability for privilege escalation.

🛡 Mitigation & Next Steps

Given the active exploitation, CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply the necessary patches and security measures by March 24, 2025.


🔥 What You Should Do Immediately:

✅ Apply security updates for affected software.
✅ Retire end-of-life devices that cannot be patched.
✅ Monitor network activity for signs of exploitation.
✅ Implement access controls to limit exposure.
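As an added example (not code from CISA or the original post), the following Python encodes the five KEV entries above with the fixed versions and end-of-life status the article gives, then triages a constructed asset inventory against them; the product keys, host names and installed versions are assumptions made up for the demo.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class KevEntry:
    cve: str
    product: str                # our own product key (assumption), not a CPE
    fixed: tuple = ()           # fixed release per supported branch, from the article
    eol: bool = False           # end-of-life: vendor ships no patch
    unversioned_fix: bool = False  # a fix exists but the article gives no version string

# The five KEV additions described above, encoded from the article's details.
KEV = (
    KevEntry("CVE-2023-20118", "cisco-rv-series", eol=True),
    KevEntry("CVE-2022-43939", "pentaho-ba-server", ("9.3.0.2", "9.4.0.1")),
    KevEntry("CVE-2022-43769", "pentaho-ba-server", ("9.3.0.2", "9.4.0.1")),
    KevEntry("CVE-2018-8639", "windows-win32k", unversioned_fix=True),
    KevEntry("CVE-2024-4885", "whatsup-gold", ("2023.1.3",)),
)

def parse_version(v: str) -> tuple:
    # '9.3.0.2' -> (9, 3, 0, 2): compare numerically, not as strings
    return tuple(int(p) for p in v.split("."))

def status(entry: KevEntry, version: str) -> str:
    """Classify one installed version against one KEV entry."""
    if entry.eol:
        return "retire"           # no patch will ever ship; replace the device
    if entry.unversioned_fix:
        return "verify-manually"  # e.g. confirm the December 2018 Windows update
    v = parse_version(version)
    fixes = [parse_version(f) for f in entry.fixed]
    for fv in fixes:
        if v[:2] == fv[:2]:       # same branch, e.g. 9.3.x against 9.3.0.2
            return "patched" if v >= fv else "vulnerable"
    # Branch not listed: newer than every fix counts as patched, older as vulnerable.
    return "patched" if v > max(fixes) else "vulnerable"

def triage(inventory: str) -> dict:
    """Map 'host,product,version' lines to (cve, status) pairs for that product."""
    findings = {}
    for line in inventory.strip().splitlines():
        host, product, version = (x.strip() for x in line.split(","))
        hits = [(e.cve, status(e, version)) for e in KEV if e.product == product]
        if hits:
            findings[host] = hits
    return findings

# Constructed sample inventory; hosts and versions are made up for the demo.
SAMPLE_INVENTORY = """
rtr-branch-01, cisco-rv-series, 1.0.03.26
bi-prod-01, pentaho-ba-server, 9.3.0.1
bi-prod-02, pentaho-ba-server, 9.4.0.1
mon-01, whatsup-gold, 2023.1.2
"""
```

Versions with non-numeric suffixes are out of scope for parse_version and will raise; extend it before feeding real inventory exports.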


🚀 Stay Ahead of Cyber Threats

The threat landscape is evolving rapidly, with cybercriminals actively targeting unpatched vulnerabilities. Ensuring timely patching and proactive security measures is essential to protect your network from cyberattacks.

