The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday listed three security vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The new vulnerabilities are as follows:
- CVE-2023-48788 (CVSS Rating: 9.3) – Fortinet FortiClient EMS SQL Injection Vulnerability
- CVE-2021-44529 (CVSS score: 9.8) – Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) code injection vulnerability
- CVE-2019-7256 (CVSS score: 10.0) – Nice Linear eMerge E3 series operating system command injection vulnerability
The flaw affecting Fortinet FortiClient EMS came to light earlier this month, and the company described it as a flaw that could allow an unauthenticated attacker to execute unauthorized code or commands via a specially crafted request.
Fortinet has since revised its advisory to confirm that it has been exploited in the wild, but no other details about the nature of the attack are currently available.
On the other hand, CVE-2021-44529 involves a code injection vulnerability in the Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA), which allows unauthenticated users to execute malicious code with limited permissions.
Recently published research by security researcher Ron Bowes suggests that the flaw may be a deliberately introduced backdoor in an open source project called csrf-magic, which has existed since at least 2014 and has now been discontinued.
CVE-2019-7256 allows attackers to execute remote code on Nice Linear eMerge E3 series access controllers and was exploited by threat actors as early as February 2020.
Nice (formerly Nortek) fixed that flaw and 11 other bugs earlier this month. That said, these vulnerabilities were originally disclosed by security researcher Gjoko Krstic in May 2019.
Given that these three vulnerabilities are actively exploited, federal agencies have until April 15, 2024 to apply vendor-provided mitigations.
The development comes as CISA and the FBI issued a joint alert urging software manufacturers to take steps to mitigate SQL injection flaws.
The advisory specifically highlights how the Cl0p ransomware gang, also known as Lace Tempest, exploited a critical SQL injection vulnerability, CVE-2023-34362, in Progress Software’s MOVEit Transfer to compromise thousands of organizations.
“Despite the fact that SQLi vulnerabilities have been widely known and documented over the past two decades and effective mitigations have been implemented, software manufacturers continue to develop products with this flaw, leaving many customers exposed,” the agencies said. risk.”
