U.S. Cybersecurity Agency CISA Adds Three New Vulnerabilities in KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The list of shortcomings is as follows –
- CVE-2022-47986 (CVSS score: 9.8) – IBM Aspera Faspex Code Execution Vulnerability
- CVE-2022-41223 (CVSS score: 6.8) – Mitel MiVoice Connect Code Injection Vulnerability
- CVE-2022-40765 (CVSS score: 6.8) – Mitel MiVoice Connect Command Injection Vulnerability
CVE-2022-47986 is described as a YAML deserialization flaw in the file transfer solution that could allow a remote attacker to execute code on the system.
Details of the flaw and a proof-of-concept (PoC) were shared by Assetnote on February 2; the following day, the Shadowserver Foundation said it had “picked up exploitation attempts” in the wild.
The active exploitation of the Aspera Faspex flaw comes shortly after a vulnerability in Fortra’s GoAnywhere MFT managed file transfer software (CVE-2023-0669) was abused by threat actors with potential links to the Clop ransomware operation.
CISA also added two flaws impacting Mitel MiVoice Connect (CVE-2022-41223 and CVE-2022-40765) that could permit an authenticated attacker with internal network access to execute arbitrary code.
Exact specifics surrounding the nature of the attacks are unclear, but another flaw in MiVoice Connect was exploited last year to deploy ransomware. The vulnerabilities were patched by Mitel in October 2022.
In light of in-the-wild exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary updates by March 14, 2023, to secure networks against potential threats.
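CISA publishes the KEV catalog as a machine-readable JSON feed, and the due dates in it are what the FCEB deadline above refers to. The script below is an added example, not code from the article or from CISA, showing how a defender can match such a feed against a software inventory and flag entries whose remediation due date has passed. The feed sample is constructed inline and uses the field names of CISA’s public feed as assumed here (`cveID`, `vendorProject`, `product`, `vulnerabilityName`, `dateAdded`, `dueDate`, `requiredAction`); the `dateAdded` values are placeholders, the inventory format is invented for the example, and matching is on exact vendor/product names rather than on affected versions.

```python
"""Triage a KEV-format JSON feed against a local software inventory (added example)."""
import json
from datetime import date

# Constructed sample feed. It mirrors the field names of the public KEV JSON (assumed),
# lists the three CVEs and the due date named in the article, and uses placeholder
# dateAdded values that are NOT taken from the real catalog.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "sample",
  "vulnerabilities": [
    {"cveID": "CVE-2022-47986", "vendorProject": "IBM", "product": "Aspera Faspex",
     "vulnerabilityName": "IBM Aspera Faspex Code Execution Vulnerability",
     "dateAdded": "2023-02-21", "dueDate": "2023-03-14",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2022-41223", "vendorProject": "Mitel", "product": "MiVoice Connect",
     "vulnerabilityName": "Mitel MiVoice Connect Code Injection Vulnerability",
     "dateAdded": "2023-02-21", "dueDate": "2023-03-14",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2022-40765", "vendorProject": "Mitel", "product": "MiVoice Connect",
     "vulnerabilityName": "Mitel MiVoice Connect Command Injection Vulnerability",
     "dateAdded": "2023-02-21", "dueDate": "2023-03-14",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}
"""


def load_kev(text):
    """Parse a KEV-format JSON document and return its list of vulnerability entries."""
    doc = json.loads(text)
    return doc["vulnerabilities"]


def _norm(s):
    """Normalise a vendor/product string: lower-case, collapsed whitespace."""
    return " ".join(s.lower().split())


def match_inventory(entries, inventory):
    """Return the KEV entries whose (vendorProject, product) pair appears in the inventory.

    inventory is an iterable of (vendor, product) string pairs (hypothetical format).
    Matching is case-insensitive on names only; it does not check affected versions.
    """
    wanted = {(_norm(v), _norm(p)) for v, p in inventory}
    return [e for e in entries
            if (_norm(e["vendorProject"]), _norm(e["product"])) in wanted]


def days_until_due(entry, as_of):
    """Days from as_of until the entry's dueDate; negative once the deadline has passed."""
    return (date.fromisoformat(entry["dueDate"]) - as_of).days


def triage(kev_text, inventory, as_of):
    """Match a KEV feed against an inventory and bucket hits by remediation deadline.

    Returns cveIDs in three lists: every match (sorted by dueDate, then cveID),
    matches already past their due date, and matches due within the next 7 days.
    """
    entries = load_kev(kev_text)
    hits = match_inventory(entries, inventory)
    hits.sort(key=lambda e: (e["dueDate"], e["cveID"]))
    return {
        "matched": [e["cveID"] for e in hits],
        "overdue": [e["cveID"] for e in hits if days_until_due(e, as_of) < 0],
        "due_soon": [e["cveID"] for e in hits if 0 <= days_until_due(e, as_of) <= 7],
    }


if __name__ == "__main__":
    # Hypothetical inventory: one product that is in the feed, one that is not.
    inventory = [("Mitel", "MiVoice Connect"), ("Example Corp", "Widget Server")]
    for key, cves in triage(SAMPLE_KEV_JSON, inventory, date(2023, 3, 10)).items():
        print(f"{key}: {', '.join(cves) or '-'}")
```

In practice the feed would be fetched from CISA rather than embedded, and the inventory lookup would come from a CMDB or asset scanner; the bucketing logic (overdue versus due within a week) is the part worth keeping, because it turns the catalog into a prioritised patch list rather than a reading exercise.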
CISA, in a related development, also released an Industrial Control Systems (ICS) advisory that touches upon critical flaws (CVE-2022-26377 and CVE-2022-31813) in Mitsubishi Electric’s MELSOFT iQ AppPortal.
“Successful exploitation of these vulnerabilities could allow a malicious attacker to make unidentified impacts such as authentication bypass, information disclosure, denial-of-service, or bypass IP address authentication,” the agency said.