CISA Adds Three Actively Exploited Security Vulnerabilities to KEV Catalog, Urges Urgent Patching
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three new security flaws to its Known Exploited Vulnerabilities (KEV) catalog, following confirmed reports of active exploitation in the wild. The addition of these vulnerabilities signals the urgent need for organizations to implement patches and safeguard their systems. Among the affected platforms are Fortinet and Ivanti products, both widely used in enterprise environments.
The following vulnerabilities have been added to the KEV catalog based on evidence of active exploitation:
- CVE-2024-23113 (CVSS 9.8): Fortinet Multiple Products Format String Vulnerability
This critical vulnerability affects multiple Fortinet products and stems from a format string flaw in the FortiOS fgfmd daemon. Attackers can craft malicious requests that exploit this flaw, resulting in remote code execution (RCE). Once exploited, attackers can infiltrate networks, access sensitive data, or establish a foothold for lateral movement within the environment. This vulnerability is particularly alarming because of the potential for widespread exploitation in environments using Fortinet security products. FortiOS is a staple in enterprise and government networks, meaning the threat to critical infrastructure is significant.
- CVE-2024-9379 (CVSS 6.5): Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability
A SQL injection vulnerability in the Ivanti Cloud Services Appliance (CSA) admin web console (before version 5.0.2) allows remote authenticated attackers with administrative privileges to run arbitrary SQL statements. Although exploitation requires admin access, an attacker who has it could use this flaw to manipulate the appliance's database, potentially extracting sensitive information or altering the system's integrity.
- CVE-2024-9380 (CVSS 7.2): Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability
This vulnerability is an operating system (OS) command injection flaw, also in the Ivanti CSA admin web console (before version 5.0.2), which allows attackers with administrative privileges to achieve RCE. Successful exploitation could compromise the entire appliance, allowing attackers to run arbitrary OS commands, install malicious software, or disable critical services.
Ivanti has warned of an alarming chained attack combining CVE-2024-9379, CVE-2024-9380, and another vulnerability, CVE-2024-8963, which has led to exploitation in some environments running CSA 4.6 patch 518 or prior. Chaining these flaws lets attackers escalate from running arbitrary SQL commands to full system compromise.
Ivanti advises all users to upgrade to version 5.0.2 immediately to mitigate these vulnerabilities and to review system logs for unusual or unauthorized administrative accounts that may signal compromise.
In response to the rising threat, CISA has directed Federal Civilian Executive Branch (FCEB) agencies to remediate these vulnerabilities no later than October 30, 2024. Failure to do so leaves their networks open to exploitation by cybercriminals, which could lead to severe breaches and disruption of critical government services.
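To turn a KEV addition like this one into a remediation work queue, a defender matches the catalog entries against an asset inventory and tracks the due date. The following added example (not code from CISA or the vendors) does that offline: the catalog records are constructed in the shape of CISA's KEV JSON feed using the three CVEs and the October 30, 2024 due date from this article, the asset inventory and the version string "4.6.518" for "CSA 4.6 patch 518" are assumptions, and the only fixed version encoded is Ivanti CSA 5.0.2, because the article states no fixed FortiOS version.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (field names follow the
# real feed; CVE IDs, names and the due date come from the advisory above).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-23113", "vendorProject": "Fortinet", "product": "Multiple Products",
     "vulnerabilityName": "Fortinet Multiple Products Format String Vulnerability",
     "dueDate": "2024-10-30"},
    {"cveID": "CVE-2024-9379", "vendorProject": "Ivanti", "product": "Cloud Services Appliance",
     "vulnerabilityName": "Ivanti CSA SQL Injection Vulnerability", "dueDate": "2024-10-30"},
    {"cveID": "CVE-2024-9380", "vendorProject": "Ivanti", "product": "Cloud Services Appliance",
     "vulnerabilityName": "Ivanti CSA OS Command Injection Vulnerability", "dueDate": "2024-10-30"},
]})

# Constructed asset inventory: (hostname, vendor, product, installed version).
# "4.6.518" is an assumed encoding of "CSA 4.6 patch 518".
INVENTORY = [
    ("csa-edge-01", "Ivanti", "Cloud Services Appliance", "4.6.518"),
    ("csa-edge-02", "Ivanti", "Cloud Services Appliance", "5.0.2"),
]

# Fixed versions taken from the vendor guidance quoted in the article.
# Fortinet is deliberately absent: the article gives no fixed FortiOS version.
FIXED_VERSIONS = {("Ivanti", "Cloud Services Appliance"): "5.0.2"}


def parse_version(v):
    """Turn a dotted version string into a comparable tuple of ints."""
    return tuple(int(p) for p in v.split("."))


def overdue_findings(kev_json, inventory, today_iso):
    """Return (host, cveID, dueDate, days_left) for each asset still below the fixed version.

    Catalog entries whose product has no known fixed version are skipped rather than
    guessed, so the output never claims an asset is patched on missing data."""
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        key = (entry["vendorProject"], entry["product"])
        fixed = FIXED_VERSIONS.get(key)
        if fixed is None:
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        for host, vendor, product, version in inventory:
            if (vendor, product) == key and parse_version(version) < parse_version(fixed):
                findings.append((host, entry["cveID"], entry["dueDate"], days_left))
    return findings


def run_example():
    """Evaluate the constructed inventory as of an assumed date, 2024-10-15."""
    return overdue_findings(KEV_SAMPLE, INVENTORY, "2024-10-15")
```

Only csa-edge-01 is reported, once per Ivanti CVE, with 15 days left before the FCEB deadline; csa-edge-02 is already on 5.0.2 and the Fortinet entry is skipped for lack of a fixed version.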