CISA Alerts on Active Exploitation of Flaws in Fortinet, Ivanti, and Nice Products


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerabilities added are as follows –

  • CVE-2023-48788 (CVSS score: 9.3) – Fortinet FortiClient EMS SQL Injection Vulnerability
  • CVE-2021-44529 (CVSS score: 9.8) – Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability
  • CVE-2019-7256 (CVSS score: 10.0) – Nice Linear eMerge E3-Series OS Command Injection Vulnerability

The shortcoming impacting Fortinet FortiClient EMS came to light earlier this month, with the company describing it as a flaw that could allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests.

Fortinet has since revised its advisory to confirm that it has been exploited in the wild, although no other details regarding the nature of the attacks are currently available.

CVE-2021-44529, on the other hand, concerns a code injection vulnerability in Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) that allows an unauthenticated user to execute malicious code with limited permissions.

Recent research published by security researcher Ron Bowes indicates that the flaw may have been introduced as an intentional backdoor in a now-discontinued open-source project called csrf-magic that existed at least since 2014.

CVE-2019-7256, which allows an attacker to achieve remote code execution on Nice Linear eMerge E3-Series access controllers, has been exploited by threat actors as early as February 2020.

The flaw, along with 11 other bugs, was addressed by Nice (formerly Nortek) earlier this month. That said, these vulnerabilities were originally disclosed by security researcher Gjoko Krstic in May 2019.

In light of the active exploitation of the three flaws, federal agencies are required to apply the vendor-provided mitigations by April 15, 2024.

The development comes as CISA and the Federal Bureau of Investigation (FBI) released a joint alert, urging software manufacturers to take steps to mitigate SQL injection flaws.

The advisory specifically highlighted the exploitation of CVE-2023-34362, a critical SQL injection vulnerability in Progress Software's MOVEit Transfer, by the Cl0p ransomware gang (aka Lace Tempest) to breach thousands of organizations.

“Despite widespread knowledge and documentation of SQLi vulnerabilities over the past 20 years, including the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk,” the agencies said.
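The defect the agencies describe, and the mitigation they point to (parameterized queries), side by side. This is an added illustration written for this page, not code from CISA, the FBI, or any of the products named above; it uses Python's bundled sqlite3 module and a constructed in-memory table, and no detail of the MOVEit Transfer bug is assumed.

```python
import sqlite3

# Constructed sample rows for this example only (not real accounts).
SAMPLE_USERS = [("alice", "ops"), ("bob", "dev")]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # The defect: untrusted input is spliced into the SQL text, so the
    # input can change the structure of the statement, not just a value.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # The mitigation: a parameterized query. The statement's structure is
    # fixed at build time and the input is bound purely as a value.
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def demo() -> dict:
    conn = build_db()
    benign = "alice"
    # Constructed input: the quote closes the string literal in the unsafe
    # query and the remainder rewrites the WHERE clause to match every row.
    hostile = "x' OR '1'='1"
    return {
        "unsafe_benign": lookup_unsafe(conn, benign),
        "unsafe_hostile": lookup_unsafe(conn, hostile),   # returns all rows
        "safe_benign": lookup_safe(conn, benign),
        "safe_hostile": lookup_safe(conn, hostile),       # returns []
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The same input that dumps the whole table through the concatenated query matches nothing once it is bound as a parameter, which is why the advisory treats parameterized queries as the fix rather than input filtering.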
