CISA tags Windows, Cisco vulnerabilities as actively exploited

Cybersecurity Alert for Federal Agencies

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical advisory urging U.S. federal agencies to bolster their defenses against potential cyberattacks targeting vulnerabilities in Cisco and Windows systems. While the agency has confirmed that these flaws are currently being exploited, it has refrained from disclosing specific details about the nature of these malicious activities or the actors behind them.

The first vulnerability, identified as CVE-2023-20118, allows attackers to execute arbitrary commands on several models of Cisco VPN routers, including the RV016, RV042, RV042G, RV082, RV320, and RV325. Although exploiting this flaw requires valid administrative credentials, it can be chained with the CVE-2023-20025 authentication bypass, which grants attackers root privileges.

Cisco acknowledged this issue in an advisory released in January 2023, which was later updated in January 2024. The company’s Product Security Incident Response Team (PSIRT) has noted the existence of publicly available proof-of-concept exploit code for CVE-2023-20025.

The second vulnerability, CVE-2018-8639, is a Win32k elevation of privilege flaw. A local attacker who already has access to the target system can exploit it to execute arbitrary code in kernel mode. Successful exploitation not only allows data manipulation but also enables the creation of unauthorized accounts with full user rights, effectively compromising vulnerable Windows devices.

Microsoft had previously issued a security advisory regarding this vulnerability in December 2018, indicating its impact on both client (Windows 7 and later) and server (Windows Server 2008 and up) platforms.

In light of these developments, CISA has added both vulnerabilities to its Known Exploited Vulnerabilities catalog, which highlights security flaws that are actively being exploited in attacks. As stipulated by the Binding Operational Directive (BOD) 22-01, issued in November 2021, Federal Civilian Executive Branch (FCEB) agencies are required to secure their networks against these vulnerabilities within a three-week timeframe, with a deadline set for March 23.

CISA emphasized the significance of addressing such vulnerabilities, stating, “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”

As of now, both Microsoft and Cisco have yet to revise their security advisories following CISA’s classification of these vulnerabilities as actively exploited. Additionally, in early February, CISA alerted federal agencies to a critical Microsoft Outlook remote code execution vulnerability, CVE-2024-21413, which is also under active exploitation, mandating patches to be applied by February 27.
