U.S. CISA adds Multiple Cisco Small Business RV Series Routers, Hitachi Vantara Pentaho BA Server, Microsoft Windows Win32k, and Progress WhatsUp Gold flaws to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently expanded its Known Exploited Vulnerabilities (KEV) catalog, highlighting several significant security flaws that could pose risks to various systems. Among the newly added vulnerabilities are issues affecting Cisco Small Business RV Series Routers, Hitachi Vantara Pentaho BA Server, Microsoft Windows Win32k, and Progress WhatsUp Gold.

Details of the Vulnerabilities

The vulnerabilities included in the catalog are as follows:

  • CVE-2023-20118: This command injection vulnerability in Cisco Small Business RV Series Routers has a CVSS score of 6.5. It exists within the web-based management interface, where improper input validation allows an authenticated remote attacker to execute arbitrary commands. Exploitation requires valid administrative credentials and grants root-level command execution on the device. Notably, Cisco has indicated that it will not provide a fix for this issue.
  • CVE-2022-43939: An authorization bypass vulnerability affecting the Hitachi Vantara Pentaho BA Server.
  • CVE-2022-43769: This special element injection vulnerability also pertains to the Hitachi Vantara Pentaho BA Server.
  • CVE-2018-8639: With a CVSS score of 7.8, this elevation of privilege vulnerability affects Microsoft Windows. It arises when the Win32k component fails to manage objects in memory properly, allowing an attacker to run arbitrary code in kernel mode. This could enable the installation of programs, modification or deletion of data, and the creation of new accounts with full user rights.
  • CVE-2024-4885: This unauthenticated remote code execution vulnerability in Progress WhatsUp Gold has a staggering CVSS score of 9.8. It allows for command execution with iisapppoolnmconsole privileges, posing a significant risk to affected systems.

According to the advisory, “Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow a remote attacker to bypass authentication or execute arbitrary commands on the underlying operating system of an affected device.”

In light of these vulnerabilities, CISA has mandated that federal agencies address these issues by March 24, 2025, in accordance with Binding Operational Directive (BOD) 22-01, which aims to reduce the significant risk posed by known exploited vulnerabilities. Furthermore, experts advise private organizations to review the KEV catalog and take necessary actions to safeguard their infrastructures against these identified threats.
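The review CISA recommends is, in practice, a reconciliation of your own vulnerability findings against the KEV feed, ordered by due date. The following Python script is an added example, not part of the article and not CISA tooling: it loads a KEV-style JSON document, matches scanner findings against it, and flags anything past its due date. The field names (`cveID`, `vendorProject`, `product`, `dueDate`, `requiredAction`, `knownRansomwareCampaignUse`) follow CISA's published KEV JSON feed; the catalog entries, host names, scanner output and `requiredAction` wording below are constructed from the CVEs and the March 24, 2025 due date named in the article, not copied from the live catalog.

```python
import json
from dataclasses import dataclass
from datetime import date

# Constructed KEV-style feed. Field names match CISA's KEV JSON feed; the
# entry contents are built from the article's CVEs, not the live catalog.
KEV_SAMPLE_JSON = json.dumps({
    "title": "Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2023-20118", "vendorProject": "Cisco",
         "product": "Small Business RV Series Routers", "dueDate": "2025-03-24",
         "knownRansomwareCampaignUse": "Unknown",
         "requiredAction": "No vendor fix available; discontinue use of the product."},
        {"cveID": "CVE-2022-43939", "vendorProject": "Hitachi Vantara",
         "product": "Pentaho BA Server", "dueDate": "2025-03-24",
         "knownRansomwareCampaignUse": "Unknown",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2022-43769", "vendorProject": "Hitachi Vantara",
         "product": "Pentaho BA Server", "dueDate": "2025-03-24",
         "knownRansomwareCampaignUse": "Unknown",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2018-8639", "vendorProject": "Microsoft",
         "product": "Windows Win32k", "dueDate": "2025-03-24",
         "knownRansomwareCampaignUse": "Unknown",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2024-4885", "vendorProject": "Progress",
         "product": "WhatsUp Gold", "dueDate": "2025-03-24",
         "knownRansomwareCampaignUse": "Unknown",
         "requiredAction": "Apply mitigations per vendor instructions."},
    ],
})

# Constructed scanner output: host -> detected CVE. The last row is a
# made-up CVE that is NOT in the catalog, to show non-KEV findings are skipped.
SCANNER_FINDINGS = [
    {"host": "rv042-branch-01", "cve": "CVE-2023-20118"},
    {"host": "pentaho-bi-02", "cve": "CVE-2022-43939"},
    {"host": "pentaho-bi-02", "cve": "CVE-2022-43769"},
    {"host": "ws-finance-17", "cve": "CVE-2018-8639"},
    {"host": "whatsup-nms-01", "cve": "CVE-2024-4885"},
    {"host": "ws-finance-17", "cve": "CVE-2099-0001"},
]


@dataclass
class KevHit:
    host: str
    cve: str
    vendor: str
    product: str
    due: date
    days_left: int          # negative once the due date has passed
    required_action: str


def load_kev(text: str) -> dict:
    """Parse a KEV JSON document into a cveID -> entry lookup."""
    catalog = json.loads(text)
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def reconcile(findings: list, kev: dict, today: date) -> list:
    """Keep only findings present in KEV, annotated with due-date pressure,
    most urgent first."""
    hits = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            continue  # not in KEV: still a finding, but not a KEV deadline
        due = date.fromisoformat(entry["dueDate"])
        hits.append(KevHit(host=f["host"], cve=f["cve"],
                           vendor=entry["vendorProject"], product=entry["product"],
                           due=due, days_left=(due - today).days,
                           required_action=entry["requiredAction"]))
    hits.sort(key=lambda h: (h.days_left, h.host, h.cve))
    return hits


def overdue(hits: list) -> list:
    """Hits whose KEV due date is already in the past."""
    return [h for h in hits if h.days_left < 0]


def report(hits: list) -> list:
    """One human-readable line per hit."""
    return [f"{h.host}: {h.cve} ({h.vendor} {h.product}) due {h.due.isoformat()} "
            f"[{h.days_left:+d}d] - {h.required_action}" for h in hits]


if __name__ == "__main__":
    catalog = load_kev(KEV_SAMPLE_JSON)
    for line in report(reconcile(SCANNER_FINDINGS, catalog, date.today())):
        print(line)
```

Against a live feed, replace `KEV_SAMPLE_JSON` with the downloaded catalog and `SCANNER_FINDINGS` with your scanner's export; the BOD 22-01 due date binds federal agencies, but the same ordering is a sound priority queue for anyone else, and a `requiredAction` that says the vendor will not fix (the Cisco RV case here) is the signal to plan decommissioning rather than wait for a patch.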
