The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four security vulnerabilities exploited in attacks as zero-day to its list of bugs known to be abused in the wild. Two of them impact Microsoft products (CVE-2023-21823 and CVE-2023-23376) and allow attackers to gain remote execution and escalate privileges on unpatched Windows systems. A third one (CVE-2023-21715) can be exploited to bypass Microsoft Office macro policies to deliver malicious payloads via untrusted files. The fourth, a WebKit type confusion issue (CVE-2023-23529) that could lead to arbitrary code execution, was addressed by Apple on Monday and was tagged as actively exploited in the wild.
CISA has issued a binding operational directive (BOD 22-01) requiring all Federal Civilian Executive Branch Agencies (FCEB) to secure their systems against security bugs added to CISA's catalog of Known Exploited Vulnerabilities. CISA has given U.S. federal agencies three weeks, until March 7th, to patch the four Apple and Microsoft security vulnerabilities and thwart attacks that could target their networks. "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA said.
Today, CISA added another flaw, a critical pre-auth command injection bug (CVE-2022-46169) in the Cacti network operations framework that threat actors abused to deliver malware. CISA urges all organizations to fix the security bugs to block any attack attempts to compromise their Windows or iOS devices.