CISA Adds Two More Vulnerabilities to its Exploited Flaws Catalog
July 24, 2024
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) list with the addition of two more security flaws that have evidence of active exploitation.
The first vulnerability, CVE-2012-4792, is a use-after-free flaw in Internet Explorer that has been around for a decade. This vulnerability could enable a remote attacker to execute arbitrary code through a specially designed website. It is unclear whether this vulnerability is currently being exploited anew, although it was previously used in watering hole attacks targeting the Council on Foreign Relations (CFR) and Capstone Turbine Corporation websites in December 2012.
The second vulnerability, CVE-2024-39891, is an information disclosure bug in an unauthenticated Twilio Authy endpoint that could be leveraged to 'accept a request containing a phone number and respond with information about whether the phone number was registered with Authy.' Earlier this month, Twilio announced that it had addressed the issue in versions 25.1.0 (Android) and 26.1.0 (iOS) after unidentified threat actors exploited the vulnerability to identify information linked to Authy accounts.
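The bug class behind CVE-2024-39891 is a registration oracle: the endpoint's response differs depending on whether a number is enrolled. The following is an added illustration, not code from Twilio or from this article, showing that oracle beside a uniform-response handler and a small detector that flags a source probing many distinct numbers against a hypothetical `/lookup` path in a constructed access log.

```python
import re
from collections import defaultdict

# Constructed data: a hypothetical set of enrolled numbers (not real users).
REGISTERED = {"15551230001", "15551230002"}

def vulnerable_lookup(phone):
    """Oracle response: the body reveals whether the number is enrolled."""
    return {"registered": phone in REGISTERED}

def hardened_lookup(phone):
    """Uniform response: identical body whether or not the number is enrolled.
    Any real work happens server-side and is never reflected to the caller."""
    if phone in REGISTERED:
        pass  # e.g. queue a notification; this branch must not alter the reply
    return {"status": "accepted"}

# Assumed minimal access-log format with a hypothetical /lookup endpoint.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ "POST /lookup\?phone=(?P<phone>\d+) HTTP/1\.1" \d+$'
)

def detect_enumeration(log_text, threshold=5):
    """Return {ip: distinct_numbers} for sources probing >= threshold numbers."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            seen[m["ip"]].add(m["phone"])
    return {ip: len(nums) for ip, nums in seen.items() if len(nums) >= threshold}

# Constructed sample log: one source sweeps six numbers, another checks one.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.5 [t{i}] "POST /lookup?phone=1555123000{i} HTTP/1.1" 200'
     for i in range(6)]
    + ['198.51.100.9 [t9] "POST /lookup?phone=15551230001 HTTP/1.1" 200']
)

if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))  # {'203.0.113.5': 6}
```

A uniform response removes the oracle; the per-source distinct-number count is the signal a defender would alert on while a patch is rolled out.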
CISA has issued an advisory stating that these types of vulnerabilities are often used as attack vectors by malicious cyber actors and present significant risks to the federal enterprise. Federal Civilian Executive Branch (FCEB) agencies are mandated to fix the identified vulnerabilities by August 13, 2024, to safeguard their networks against active threats.