US government warns federal agencies to patch dangerous Windows kernel bug

The US Cybersecurity and Infrastructure Security Agency (CISA) has recently expanded its Known Exploited Vulnerabilities (KEV) catalog by adding two significant flaws that warrant immediate attention from federal agencies. Among these, a critical vulnerability affecting the Windows kernel has been identified, alongside another concerning an Adobe product.

Details of the Vulnerabilities

The Windows flaw, classified as a Microsoft Windows Kernel-Mode Driver Untrusted Pointer Dereference Vulnerability, carries a high severity score of 7.8 and is tracked under the identifier CVE-2024-35250. This vulnerability poses a serious risk, compelling agencies to either implement a patch or cease using the affected software altogether.

In addition, the Adobe ColdFusion vulnerability, tracked as CVE-2024-20767, has been described as an improper access control weakness. This flaw allows unauthenticated remote threat actors to read sensitive files, impacting ColdFusion versions 2023.6, 2021.12, and earlier, with a severity score of 7.4. Adobe has already addressed this issue with a patch released in March 2024.

  • Windows Vulnerability: CVE-2024-35250 – High severity score of 7.8
  • Adobe ColdFusion Vulnerability: CVE-2024-20767 – High severity score of 7.4

CISA has underscored the urgency of addressing these vulnerabilities, noting that they are common attack vectors for malicious cyber actors. The agency has set a deadline of January 6, 2025, for federal agencies to apply the necessary fixes, emphasizing the importance of proactive measures in safeguarding sensitive information.
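To show how a defender can act on a KEV addition like this, here is an added example (not code from the article or from CISA) that triages a KEV catalog extract against a small asset inventory and orders the work by CISA's due date. It assumes the layout of the public KEV JSON feed (a top-level "vulnerabilities" list with cveID, vendorProject, product, vulnerabilityName, dueDate and requiredAction fields); the two entries and the host inventory are constructed from the article's details rather than downloaded, so the script runs offline.

```python
"""Triage a CISA KEV extract against an asset inventory (added example)."""
import json
from datetime import date

# Constructed KEV extract: the two CVEs and the 2025-01-06 due date named in
# the article. Field names follow the public KEV JSON feed; the requiredAction
# text is paraphrased from the article, not copied from the feed.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-35250",
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Microsoft Windows Kernel-Mode Driver "
                                 "Untrusted Pointer Dereference Vulnerability",
            "dueDate": "2025-01-06",
            "requiredAction": "Apply the vendor patch or discontinue use of the product.",
        },
        {
            "cveID": "CVE-2024-20767",
            "vendorProject": "Adobe",
            "product": "ColdFusion",
            "vulnerabilityName": "Adobe ColdFusion Improper Access Control Vulnerability",
            "dueDate": "2025-01-06",
            "requiredAction": "Apply the vendor patch or discontinue use of the product.",
        },
    ]
})

# Constructed inventory: host name -> products, spelled as the KEV feed spells them.
INVENTORY = {
    "web-01": ["ColdFusion"],
    "ws-17": ["Windows"],
    "db-03": ["PostgreSQL"],
}


def load_kev(text):
    """Return the list of KEV entries from a feed-shaped JSON document."""
    return json.loads(text)["vulnerabilities"]


def affected_hosts(entries, inventory):
    """Map each KEV cveID to the sorted hosts whose inventory lists its product."""
    hits = {}
    for entry in entries:
        hosts = sorted(h for h, products in inventory.items()
                       if entry["product"] in products)
        if hosts:
            hits[entry["cveID"]] = hosts
    return hits


def triage(entries, inventory, today_iso):
    """Return one row per KEV entry that touches the inventory.

    Rows are ordered by urgency: overdue items first, then the soonest
    remediation date, then cveID for a stable order.
    """
    today = date.fromisoformat(today_iso)
    hits = affected_hosts(entries, inventory)
    rows = []
    for entry in entries:
        if entry["cveID"] not in hits:
            continue  # nothing in the estate runs this product
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "cve": entry["cveID"],
            "due": entry["dueDate"],
            "days_left": (due - today).days,
            "overdue": today > due,
            "hosts": hits[entry["cveID"]],
            "action": entry["requiredAction"],
        })
    rows.sort(key=lambda r: (not r["overdue"], r["days_left"], r["cve"]))
    return rows


if __name__ == "__main__":
    for row in triage(load_kev(KEV_SAMPLE), INVENTORY, "2024-12-20"):
        state = "OVERDUE" if row["overdue"] else f"{row['days_left']} days left"
        print(f"{row['cve']}  due {row['due']}  {state}  hosts={row['hosts']}")
```

In practice the JSON would come from the live KEV feed and the inventory from a CMDB or vulnerability scanner export; the matching here is a deliberately simple product-name lookup, so a real deployment would match on version or KB as well before declaring a host clean.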

As the landscape of cybersecurity continues to evolve, the need for vigilance and timely responses to emerging threats remains paramount for organizations tasked with protecting critical infrastructure.
