CISA Highlights Exploited Flaws in Microsoft .NET and Apache OFBiz

February 5, 2025

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has identified four new vulnerabilities that have been exploited in recent attacks. These include flaws in Microsoft .NET Framework and Apache OFBiz, both of which are widely utilized software applications. While CISA has confirmed these vulnerabilities are being actively exploited, it has not offered any specific details about the nature of these attacks, who is executing them, or who is being targeted.

The first identified vulnerability, CVE-2024-29059, is a high-risk information disclosure bug in the .NET Framework. This flaw was initially discovered by CODE WHITE and reported to Microsoft in November 2023. Microsoft initially closed the report in December 2023, stating, 'after careful investigation, we determined this case does not meet our bar for immediate servicing.' However, the company ultimately addressed the flaw in its January 2024 security updates, although it did not initially issue a CVE or credit the researchers. After CODE WHITE released technical details and a proof of concept exploit in February, Microsoft finally issued an advisory for the flaw under CVE-2024-29059 in March 2024 and acknowledged the researchers' contribution.

The second vulnerability, CVE-2024-45195, is a critical remote code execution flaw affecting Apache OFBiz versions prior to 18.12.16. This vulnerability was first discovered by Rapid7, who also provided a proof-of-concept exploit. The vendor addressed the flaw in September 2024. Users are advised to upgrade to Apache OFBiz version 18.12.16 or later to mitigate this risk. CISA is urging affected agencies and organizations to apply the available patches and mitigations by February 25, 2025, or to discontinue using the products.

The other two vulnerabilities added to CISA's Known Exploited Vulnerabilities catalog are CVE-2018-9276 and CVE-2018-19410, both affecting the Paessler PRTG network monitoring software. These flaws were addressed in version 18.2.41.1652, released in June 2018. The first of these is an operating system command injection issue, while the second is a local file inclusion vulnerability. The deadline for patching these flaws is also set for February 25, 2025. Unfortunately, no specific information has been provided about how these vulnerabilities are being exploited.
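The fixed versions given above for Apache OFBiz and PRTG can be checked against an asset inventory. The sketch below is an added example, not code from CISA or the vendors; it compares versions numerically, because a plain string comparison ranks 18.12.9 above 18.12.16. The product keys, host names and inventory rows are constructed assumptions.

```python
import re
from datetime import date

# Fixed versions, CVE ids and the due date are from the article; the product
# keys and the inventory rows are constructed for this example.
FIXED = {
    "apache-ofbiz": ("18.12.16", ["CVE-2024-45195"]),
    "paessler-prtg": ("18.2.41.1652", ["CVE-2018-9276", "CVE-2018-19410"]),
}
DUE = date(2025, 2, 25)
INVENTORY = [
    ("erp-01", "apache-ofbiz", "18.12.9"),
    ("erp-02", "apache-ofbiz", "18.12.16"),
    ("mon-01", "paessler-prtg", "18.1.39.1648"),
    ("mon-02", "paessler-prtg", "unknown"),
]

def parse_version(text):
    """Turn '18.12.9' into (18, 12, 9); reject non-numeric version strings."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def is_vulnerable(installed, fixed):
    """True when installed < fixed, compared numerically part by part."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    # Pad the shorter tuple with zeros so 18.12 compares as 18.12.0.
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def triage(inventory, today):
    """List hosts below the fixed version, plus hosts whose version is unknown."""
    findings = []
    for host, product, version in inventory:
        if product not in FIXED:
            continue
        fixed, cves = FIXED[product]
        try:
            if not is_vulnerable(version, fixed):
                continue
            status = "overdue" if today > DUE else "patch"
        except ValueError:
            status = "verify"  # version not parseable: check the host by hand
        findings.append((host, status, fixed, cves))
    return findings

if __name__ == "__main__":
    for finding in triage(INVENTORY, date.today()):
        print(finding)
```

Hosts with an unparseable version are reported as `verify` rather than silently treated as patched.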
