CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added six new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, alerting security practitioners nationwide.

VMware Aria Operations: The Risk of Remote Command Execution

First on the list is the critical vulnerability CVE-2023-20887. This flaw resides within the VMware Aria Operations for Networks, with a menacing CVSS score of 9.8. The security flaw enables remote attackers to execute arbitrary commands on a system, owing to a command injection vulnerability. Through a specially crafted request, an attacker can seize control and conduct damaging activities.

Triple Threats: Roundcube Webmail Vulnerabilities

The popular webmail software, Roundcube, has landed on CISA’s radar thrice, underscoring the severity of security risks surrounding this tool.

The first vulnerability, CVE-2020-35730, involves cross-site scripting (XSS) in Roundcube Webmail. With a CVSS score of 6.1, this flaw originates from inadequate validation of user-supplied input by the rcube_string_replacer.php script. Remote attackers could exploit this vulnerability to execute a script in a victim’s web browser within the security context of the hosting website, potentially stealing cookie-based authentication credentials.

Next, the CVE-2020-12641 vulnerability allows remote attackers to execute arbitrary code on the system. The flaw lies within the rcube_image.php script, allowing attackers to leverage shell metacharacters through the m_convert_path or im_identify_path parameter, enabling code execution.

Rounding off the Roundcube vulnerabilities is CVE-2021-44026. This SQL injection vulnerability allows attackers to send maliciously crafted SQL statements to the search or search_params session item. This flaw can enable attackers to view, modify, or delete information in the back-end database.

Browser and Email Client Vulnerability: Mozilla Firefox and Thunderbird

CVE-2016-9079 hones in on Mozilla’s Firefox browser and Thunderbird email client. With a CVSS score of 8.8, this flaw allows remote attackers to execute arbitrary code, stemming from a use-after-free vulnerability in SVG Animation. Attackers can manipulate victims into visiting a specially crafted website to exploit the vulnerability, resulting in arbitrary code execution or even a denial of service.

The Privilege Escalation Threat: Microsoft Windows

Lastly, CVE-2016-0165 targets the heart of many organizations: Microsoft Windows. This vulnerability allows a local authenticated attacker to gain elevated privileges due to improper handling of objects in memory by the kernel-mode driver. By running a specially crafted program, an attacker could exploit this flaw to execute arbitrary code in kernel mode.

In the face of these stormy threats, the Federal Civilian Executive Branch (FCEB) agencies are racing against time to patch their networks before the July 13, 2023, deadline.

CISA’s latest additions to the KEV catalog underscore the critical need for timely patch management and robust cybersecurity policies.