
Citing evidence of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
Among them is CVE-2023-27524 (CVSS score: 8.9), a high-severity vulnerability in the Apache Superset open source data visualization software that can lead to remote code execution. It was fixed in version 2.1.
Details of the issue first came to light in April 2023, when Horizon3.ai's Naveen Sunkavally described it as "a dangerous default configuration in Apache Superset that allows unauthenticated attackers to obtain remote code execution, obtain credentials and exfiltrate data."

It's unclear how the vulnerability was exploited in the wild. CISA also added five other flaws:

- CVE-2023-38203 (CVSS score: 9.8) – Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
- CVE-2023-29300 (CVSS score: 9.8) – Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
- CVE-2023-41990 (CVSS score: 7.8) – Apple Multiple Products Code Execution Vulnerability
- CVE-2016-20017 (CVSS score: 9.8) – D-Link DSL-2750B Devices Command Injection Vulnerability
- CVE-2023-23752 (CVSS score: 5.3) – Joomla! Improper Access Control Vulnerability

Notably, CVE-2023-41990, which Apple patched in iOS 15.7.8 and iOS 16.3, was exploited by unknown attackers as part of the Triangulation spyware attack to achieve remote code execution when processing specially crafted iMessage PDF attachments.
Federal Civilian Executive Branch (FCEB) agencies are recommended to remediate the above flaws by January 29, 2024, to protect their networks against active threats.
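For defenders, the practical follow-up to a KEV addition is to join the catalog against vulnerability-scanner output and rank the hits by CISA's remediation due date, so that exploited-in-the-wild flaws are not buried among routine findings. The Python below is an added example, not code from this report, CISA, or any of the vendors named above. The catalog records are a constructed sample in the shape of CISA's public KEV JSON feed (only the cveID, vendorProject, product and dueDate fields are reproduced; the real feed carries more), populated with the CVE IDs, products and January 29, 2024 due date from this report. The scanner findings, hostnames and the CVE-2023-99999 placeholder ID are made up for the demonstration.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed. Only a few of the feed's fields
# are reproduced; CVE IDs, vendor/product names and the 2024-01-29 due date come from
# the article above. Everything else about these records is illustrative.
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2023-27524", "vendorProject": "Apache", "product": "Superset", "dueDate": "2024-01-29"},
        {"cveID": "CVE-2023-38203", "vendorProject": "Adobe", "product": "ColdFusion", "dueDate": "2024-01-29"},
        {"cveID": "CVE-2023-29300", "vendorProject": "Adobe", "product": "ColdFusion", "dueDate": "2024-01-29"},
        {"cveID": "CVE-2023-41990", "vendorProject": "Apple", "product": "Multiple Products", "dueDate": "2024-01-29"},
        {"cveID": "CVE-2016-20017", "vendorProject": "D-Link", "product": "DSL-2750B", "dueDate": "2024-01-29"},
        {"cveID": "CVE-2023-23752", "vendorProject": "Joomla!", "product": "Joomla!", "dueDate": "2024-01-29"},
    ]
})

# Constructed scanner output: (host, CVE) pairs as a vulnerability scanner might report
# them. Hostnames are made up. CVE-2023-99999 is a placeholder that is deliberately
# absent from the catalog, to show that non-KEV findings are filtered out.
SAMPLE_FINDINGS = [
    {"host": "bi-01.corp.example", "cveID": "CVE-2023-27524"},
    {"host": "web-03.corp.example", "cveID": "CVE-2023-29300"},
    {"host": "web-03.corp.example", "cveID": "CVE-2023-99999"},
    {"host": "cms-02.corp.example", "cveID": "CVE-2023-23752"},
]


def load_kev(json_text):
    """Index a KEV feed by CVE ID so each finding is a single dictionary lookup."""
    feed = json.loads(json_text)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def prioritize_findings(findings, kev, today_iso):
    """Keep only findings present in KEV and annotate each with its remediation deadline.

    today_iso is an ISO date string (YYYY-MM-DD). The result is sorted so the entries
    with the least time left (or most overdue) come first, then by host.
    """
    today = date.fromisoformat(today_iso)
    matched = []
    for finding in findings:
        entry = kev.get(finding["cveID"])
        if entry is None:
            continue  # not known-exploited; leave it to the normal patch cadence
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        matched.append({
            "host": finding["host"],
            "cveID": finding["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due_date": due.isoformat(),
            "days_left": days_left,
            "overdue": days_left < 0,
        })
    matched.sort(key=lambda m: (m["days_left"], m["host"]))
    return matched


def overdue_hosts(findings, kev, today_iso):
    """Hosts that still carry a KEV-listed flaw after its CISA due date has passed."""
    rows = prioritize_findings(findings, kev, today_iso)
    return sorted({m["host"] for m in rows if m["overdue"]})


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    for row in prioritize_findings(SAMPLE_FINDINGS, catalog, "2024-01-15"):
        print(f'{row["host"]:<22} {row["cveID"]:<16} {row["product"]:<20} '
              f'due {row["due_date"]} ({row["days_left"]:+d} days)')
    print("overdue on 2024-02-01:", overdue_hosts(SAMPLE_FINDINGS, catalog, "2024-02-01"))
```

Run against the real feed, the only change is reading `SAMPLE_KEV_JSON` from the downloaded catalog file and `SAMPLE_FINDINGS` from the scanner export; the join and the due-date arithmetic stay the same.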