CISA added CVE-2019-8526 & CVE-2023-2033 to its known exploited vulnerabilities catalog
CISA has added two flaws, CVE-2019-8526 and CVE-2023-2033, to its Known Exploited Vulnerabilities (KEV) catalog. A KEV listing means CISA has evidence that the vulnerability is being exploited in the wild, and it starts the clock on the remediation deadline that federal civilian agencies are bound to meet.
- CVE-2019-8526 (CVSS score of 7.8): Apple macOS Privilege Escalation
The first vulnerability is in Apple's macOS. It is a use-after-free bug in the Security component that lets a malicious application already running on the machine elevate its privileges; it is a local flaw, not a remote one, so in practice it is the second stage after some other initial access, turning a user-level foothold into control of the system. Apple addressed the issue with improved memory management in macOS Mojave 10.14.4, released in March 2019. The bug is therefore four years old at the time of its KEV listing, and the practical task for agencies is less about waiting for a patch than about finding the machines that never received one: hosts that have fallen out of the update cycle, or that still run a release Apple no longer supports.
- CVE-2023-2033 (CVSS score of 8.8): Google Chrome V8 Code Execution
The second vulnerability affects Google Chrome, one of the most widely used web browsers worldwide. The flaw is a type confusion bug in V8, the engine that compiles and runs the JavaScript on a page. A remote attacker who lures a victim to a crafted web page can trigger it to corrupt the heap, which in practice means arbitrary code execution inside the browser's renderer process, or at minimum a crash. Google fixed it in Chrome 112.0.5615.121 and confirmed that an exploit was already circulating, making it the first Chrome zero-day of 2023. Because V8 is shared across Chromium-based browsers, Microsoft Edge, Brave and similar products carry the same bug and need their own vendor updates, not just the Chrome one.
In response to these threats, Federal Civilian Executive Branch (FCEB) agencies must follow Binding Operational Directive 22-01, issued in November 2021, which requires them to remediate every vulnerability in CISA's KEV catalog by the due date attached to its entry. For both of these CVEs that date is May 8, 2023, three weeks from the listing. The directive only binds federal civilian agencies, but CISA's standing recommendation is that every organization treat the KEV catalog as its priority patch list, since the entries are, by definition, the bugs attackers are using right now.
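The workflow the directive implies, as an added example (not code from the article or from CISA): read the KEV catalog, look up the due date for the CVE, and decide which hosts are still exposed. The sample catalog below is constructed by hand in the shape of CISA's public JSON feed (the field names cveID, vendorProject, product, dateAdded, dueDate and requiredAction follow that feed; the records are typed in, not downloaded), the host inventory is invented, and the version comparison is the one thing that needs domain knowledge: Chrome 112.0.5615.121 is the build that shipped the CVE-2023-2033 fix, and NVD's wording is "prior to", so that exact build counts as patched.

```python
"""KEV triage helper: which hosts still run a Chrome build that predates the
CVE-2023-2033 fix, and how many days remain on the BOD 22-01 due date."""
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (not a live download).
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2019-8526", "vendorProject": "Apple", "product": "macOS",
         "dateAdded": "2023-04-17", "dueDate": "2023-05-08",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2023-2033", "vendorProject": "Google", "product": "Chromium V8",
         "dateAdded": "2023-04-17", "dueDate": "2023-05-08",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# First Chrome stable build containing the CVE-2023-2033 fix (14 April 2023).
CHROME_FIXED = "112.0.5615.121"


def parse_version(v):
    """'112.0.5615.121' -> (112, 0, 5615, 121). Missing trailing components are
    treated as 0, so a bare '112' sorts below every 112.x build, matching
    Chrome's own ordering. Comparing tuples avoids the classic string-compare
    bug where '9' > '112'."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def chrome_vulnerable(installed, fixed=CHROME_FIXED):
    """True when the installed build predates the fixed build. The advisory
    says 'prior to 112.0.5615.121', so equality means patched."""
    return parse_version(installed) < parse_version(fixed)


def load_kev(text):
    """Index the catalog by CVE id for O(1) lookup."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def days_until_due(kev, cve_id, today):
    """Days left before the KEV due date; negative once it has passed.
    'today' may be a date or an ISO string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return (date.fromisoformat(kev[cve_id]["dueDate"]) - today).days


def triage(kev, inventory, today):
    """inventory: {hostname: installed Chrome version}. Returns the hosts still
    exposed to CVE-2023-2033, each mapped to the days remaining (or overdue)."""
    remaining = days_until_due(kev, "CVE-2023-2033", today)
    return {h: remaining for h, v in inventory.items() if chrome_vulnerable(v)}


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    # Constructed inventory: the first Chrome 112 stable build (unpatched), the
    # fixed build, and a later Chrome 113 build.
    inventory = {"ws-01": "112.0.5615.49",
                 "ws-02": "112.0.5615.121",
                 "ws-03": "113.0.5672.63"}
    for host, days in triage(kev, inventory, "2023-05-10").items():
        state = f"{-days} days overdue" if days < 0 else f"{days} days left"
        print(f"{host}: still exposed to CVE-2023-2033 ({state})")
```

Swapping KEV_SAMPLE for the live feed and the inventory dict for the output of your endpoint management tool gives a daily report of KEV exposures against their due dates; the same due-date logic covers CVE-2019-8526, where the per-host check is a macOS build comparison rather than a Chrome one.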