DHS CISA KEVs Weekly Edition 27: Patch Before You Hit the Deadline

The US Cybersecurity and Infrastructure Security Agency (CISA) has been closely following threat actors, new variants, and the vulnerabilities being exploited in the wild. Based on this tracking, CISA added 18 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog in the first two months of 2023. In this blog, we look at the seven vulnerabilities that CISA requires federal agencies to patch by February 28, 2023. From our analysis, we have found:

Why are these CVEs important?

  • All 7 vulnerabilities are weaponized and have been exploited in the wild.

  • CVE-2023-21674 and CVE-2022-41080 are Microsoft privilege escalation vulnerabilities. Attackers chain CVE-2022-41080 with the ProxyNotShell vulnerability CVE-2022-41082 to achieve privilege escalation through Outlook Web Access (OWA).

  • CVE-2022-21587 is a vulnerability in Oracle Business Suite that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator.

  • CVE-2022-47966 affects multiple Zoho ManageEngine products. It is an unauthenticated remote code execution vulnerability caused by the use of an outdated third-party dependency, Apache Santuario.

  • CVE-2017-11357 is a vulnerability in Telerik's RadAsyncUpload component that, if exploited, can result in file uploads to a restricted location and/or remote code execution.

  • Multiple SugarCRM products contain a remote code execution vulnerability, CVE-2023-22952, in the EmailTemplates module. Using a specially crafted request, custom PHP code can be injected through EmailTemplates.

  • CVE-2022-44877 is an OS command injection vulnerability in CWP Control Web Panel (formerly CentOS Web Panel) that allows remote attackers to execute commands via shell metacharacters in the login parameter.

How Far Back Do They Go?

Only the Telerik vulnerability dates back to 2017; the rest were discovered in 2022 and 2023. The Telerik vulnerability has been trending recently, which prompted CISA to add it to the KEV catalog.

Which Vendors Are Affected?

Multiple vendors, including CWP and Oracle, are affected. CVE-2023-22952 is a SugarCRM vulnerability that is being actively exploited to deploy crypto-mining malware.

Severity Scores

Most of these vulnerabilities are rated critical on the CVSS scale. CVE-2022-47966 has a CVSS score of 9.8. It is currently trending because attackers are exploiting it to deploy a new ransomware strain, Buhti; it is also used in targeted cyber espionage attacks.

Software Weaknesses

Each vulnerability stems from a flaw in the software's design or implementation. The Telerik vulnerability (CVE-2017-11357), discovered in 2017, is due to an insecure direct object reference.

CVE-2022-41080, CVE-2022-21587, and CVE-2023-21674 do not have any CWEs associated with them.

Table: DHS CISA KEVs

We urge organizations to apply patches for these CVEs as early as possible. With Securin’s threat-based approach and vulnerability intelligence, security teams can prioritize threats, including all KEVs, and minimize their attack surface.
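Tracking which KEV entries fall due by a given date is easier from the catalog's JSON feed than from the web page. The following added example (not part of the original post or of Securin's tooling) parses a constructed sample in the shape of CISA's KEV JSON, lists the entries due on or before a deadline, flags what is already overdue on a given day, and groups the results by vendor so owners can be assigned. The seven CVE IDs and the February 28, 2023 due date are those discussed above; the vendor and product strings, the `dateAdded` values, the `CVE-0000-PLACEHOLDER` entry and the `KEV_URL` constant are assumptions made for the example, not facts from the post.

```python
import json
import urllib.request
from collections import defaultdict
from datetime import date, datetime

# Assumed location of CISA's KEV catalog feed; verify against cisa.gov before use.
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample mimicking the KEV feed schema (cveID, vendorProject, product,
# dateAdded, dueDate). The seven CVE IDs and the 2023-02-28 due date come from the
# post; everything else here is illustrative, including the placeholder entry.
SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed sample of the CISA KEV catalog",
    "vulnerabilities": [
        {"cveID": "CVE-2023-21674", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2023-02-07", "dueDate": "2023-02-28"},
        {"cveID": "CVE-2022-41080", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dateAdded": "2023-02-07", "dueDate": "2023-02-28"},
        {"cveID": "CVE-2022-21587", "vendorProject": "Oracle", "product": "E-Business Suite",
         "dateAdded": "2023-02-07", "dueDate": "2023-02-28"},
        {"cveID": "CVE-2022-47966", "vendorProject": "Zoho", "product": "ManageEngine",
         "dateAdded": "2023-02-07", "dueDate": "2023-02-28"},
        {"cveID": "CVE-2017-11357", "vendorProject": "Telerik", "product": "UI for ASP.NET AJAX",
         "dateAdded": "2023-02-07", "dueDate": "2023-02-28"},
        {"cveID": "CVE-2023-22952", "vendorProject": "SugarCRM", "product": "Multiple Products",
         "dateAdded": "2023-02-07", "dueDate": "2023-02-28"},
        {"cveID": "CVE-2022-44877", "vendorProject": "CWP", "product": "Control Web Panel",
         "dateAdded": "2023-02-07", "dueDate": "2023-02-28"},
        # Placeholder entry with a later due date, to show it is filtered out.
        {"cveID": "CVE-0000-PLACEHOLDER", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
         "dateAdded": "2023-02-21", "dueDate": "2023-03-14"},
    ],
})


def _as_date(value) -> date:
    """Accept a date object or an ISO 'YYYY-MM-DD' string (the feed's format)."""
    if isinstance(value, date):
        return value
    return datetime.strptime(value, "%Y-%m-%d").date()


def load_catalog(text: str) -> list:
    """Parse KEV JSON text and return the list of vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def fetch_catalog(url: str = KEV_URL, timeout: int = 30) -> list:
    """Download the live catalog (needs network access; not exercised offline)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)["vulnerabilities"]


def due_by(entries, deadline) -> list:
    """Records whose remediation due date is on or before `deadline`, soonest first."""
    limit = _as_date(deadline)
    hits = [e for e in entries if _as_date(e["dueDate"]) <= limit]
    return sorted(hits, key=lambda e: (e["dueDate"], e["cveID"]))


def overdue(entries, today) -> list:
    """Records whose due date has already passed as of `today` (strictly earlier)."""
    now = _as_date(today)
    return [e for e in entries if _as_date(e["dueDate"]) < now]


def by_vendor(entries) -> dict:
    """Group CVE IDs by vendorProject so each platform owner gets their own list."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["vendorProject"]].append(e["cveID"])
    return dict(groups)


def report(entries, deadline, today) -> str:
    """Human-readable summary: what is due by the deadline and what is already late."""
    lines = [f"KEV entries due by {_as_date(deadline)}:"]
    for vendor, cves in sorted(by_vendor(due_by(entries, deadline)).items()):
        lines.append(f"  {vendor}: {', '.join(cves)}")
    late = [e["cveID"] for e in overdue(entries, today)]
    lines.append(f"Overdue as of {_as_date(today)}: {len(late)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Replace SAMPLE_KEV_JSON with fetch_catalog() to run against the live feed.
    print(report(load_catalog(SAMPLE_KEV_JSON), "2023-02-28", "2023-03-01"))
```

Swap `load_catalog(SAMPLE_KEV_JSON)` for `fetch_catalog()` to run the same filtering against the live feed, and feed `by_vendor()` output into whatever ticketing or asset-ownership process your patch team uses.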

For the latest news regarding vulnerabilities that are exploited and critical threats, read our blog on Weekly Threat Intelligence.