Five Security Vulnerabilities Added to CISA’s KEV Catalog

CISA KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. These vulnerabilities affect a variety of popular software applications, including Adobe Acrobat and Reader, Cisco IOS and IOS XE, Microsoft Skype for Business, Microsoft WordPad, and HTTP/2.

CVE-2023-21608: Adobe Acrobat and Reader Use-After-Free Vulnerability

This vulnerability could allow a remote attacker to execute arbitrary code on the victim’s system. An attacker could exploit this vulnerability by persuading the victim to open a specially crafted document.

CVE-2023-20109: Cisco IOS and IOS XE Group Encrypted Transport VPN Out-of-Bounds Write Vulnerability

This vulnerability could allow a remote authenticated attacker to execute arbitrary code on the affected system. An attacker could exploit this vulnerability by sending a specially crafted request.

CVE-2023-41763: Microsoft Skype for Business Privilege Escalation Vulnerability

This vulnerability could allow a remote attacker to gain elevated privileges on the affected system. An attacker could exploit this vulnerability by sending a specially crafted request.

CVE-2023-36563: Microsoft WordPad Information Disclosure Vulnerability

This vulnerability could allow a remote attacker to obtain sensitive information from the affected system. An attacker could exploit this vulnerability by executing a specially crafted program.

CVE-2023-44487: HTTP/2 Rapid Reset Attack Vulnerability

This vulnerability could allow a remote attacker to cause a denial-of-service condition on the affected system. An attacker could exploit this vulnerability by sending numerous HTTP/2 requests and RST_STREAM frames over multiple streams.

What should organizations do?

Organizations should prioritize patching these vulnerabilities as soon as possible. CISA has given Federal Civilian Executive Branch (FCEB) agencies time till October 31, 2023, to apply the patches to secure their networks against potential threats.