CISA’s KEV Catalog Updated with 3 New Flaws Threatening IT Management Systems

Mar 08, 2023 | Ravie Lakshmanan | Vulnerability / Cybersecurity

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The list of vulnerabilities is below –

  • CVE-2022-35914 (CVSS score: 9.8) – Teclib GLPI Remote Code Execution Vulnerability
  • CVE-2022-33891 (CVSS score: 8.8) – Apache Spark Command Injection Vulnerability
  • CVE-2022-28810 (CVSS score: 6.8) – Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability

The most critical of the three is CVE-2022-35914, which concerns a remote code execution vulnerability in the third-party library htmlawed present in Teclib GLPI, an open source asset and IT management software package.

The exact specifics surrounding the nature of the attacks are unknown, but the Shadowserver Foundation in October 2022 noted that it has seen exploitation attempts against its honeypots.

Since then, a cURL-based one-line proof of concept (PoC) has been made available on GitHub and a “mass” scanner has been advertised for sale, VulnCheck security researcher Jacob Baines said in December 2022.

Furthermore, data gathered by GreyNoise has revealed 40 malicious IP addresses from the U.S., the Netherlands, Hong Kong, Australia, and Bulgaria, attempting to abuse the shortcoming.

The second flaw is an unauthenticated command injection vulnerability in Apache Spark that has been exploited by the Zerobot botnet to co-opt vulnerable devices with the goal of carrying out distributed denial-of-service (DDoS) attacks.

Lastly, also added to the KEV catalog is a remote code execution flaw in Zoho ManageEngine ADSelfService Plus that was patched in April 2022.

“A number of Zoho ManageEngine ADSelfService Plus contains an unspecified vulnerability allowing for remote code execution when performing a password change or reset,” CISA said.

Cybersecurity firm Rapid7, which discovered the bug, said it detected active exploitation attempts by threat actors to “execute arbitrary OS commands in order to gain persistence on the underlying system and attempt to pivot further into the environment.”

The development comes as API security firm Wallarm said it has found ongoing exploit attempts of two VMware NSX Manager flaws (CVE-2021-39144 and CVE-2022-31678) since December 2022 that could be leveraged to execute malicious code and siphon sensitive data.