CISA Identifies Five Newly Exploited Vulnerabilities in Popular Software
October 11, 2023
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog to include five additional security flaws. These flaws have been found in a range of widely used software applications and there is evidence to suggest that they are being actively exploited. The affected software includes Adobe Acrobat and Reader, Cisco IOS and IOS XE, Microsoft Skype for Business, Microsoft WordPad, and HTTP/2.
The vulnerability identified as CVE-2023-21608 is a Use-After-Free vulnerability in Adobe Acrobat and Reader. This flaw could potentially enable a remote attacker to execute arbitrary code on the affected system. The exploitation of this vulnerability would involve an attacker persuading a victim to open a specially crafted document.
The flaw identified as CVE-2023-20109 affects the Group Encrypted Transport VPN in Cisco IOS and IOS XE. This vulnerability could potentially allow a remote authenticated attacker to execute arbitrary code on the affected system. The exploitation of this vulnerability would involve an attacker sending a specially crafted request.
The vulnerability identified as CVE-2023-41763 is a Privilege Escalation vulnerability in Microsoft Skype for Business. This flaw could potentially allow a remote attacker to gain elevated privileges on the affected system. The exploitation of this vulnerability would involve an attacker sending a specially crafted request.
The flaw identified as CVE-2023-36563 is an Information Disclosure vulnerability in Microsoft WordPad. This vulnerability could potentially allow a remote attacker to obtain sensitive information from the affected system. The exploitation of this vulnerability would involve an attacker executing a specially crafted program.
The vulnerability identified as CVE-2023-44487 is a Rapid Reset Attack vulnerability in HTTP/2. This flaw could potentially allow a remote attacker to cause a denial-of-service condition on the affected system. The exploitation of this vulnerability would involve an attacker sending numerous HTTP/2 requests and RST_STREAM frames over multiple streams.
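The Rapid Reset pattern described above has a simple observable signature on the server side: a single connection opens many streams and cancels them with RST_STREAM far faster than any legitimate client would. The following is an added example, not code from the article or from any vendor advisory, of a per-connection sliding-window check over HTTP/2 frame events. The frame log format, the `Frame` fields, the connection identifiers and the thresholds (100 client resets within one second, with resets covering at least half of the streams opened) are all assumptions constructed for the example; the sample frames are constructed, not captured.

```python
"""Per-connection RST_STREAM rate check over an HTTP/2 frame event log (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float        # seconds since epoch (constructed)
    conn: str        # connection identifier, e.g. "10.0.0.7:51234" (hypothetical)
    kind: str        # frame type as logged: "HEADERS" opens a stream, "RST_STREAM" cancels it
    stream_id: int   # client-initiated streams use odd ids


# Constructed sample: a benign client that cancels one of three streams, and an
# abusive client that opens and immediately resets 200 streams within 100 ms.
BENIGN = [
    Frame(0.00, "benign", "HEADERS", 1),
    Frame(0.05, "benign", "HEADERS", 3),
    Frame(0.10, "benign", "RST_STREAM", 3),
    Frame(0.50, "benign", "HEADERS", 5),
]
ABUSIVE = []
for i in range(200):
    sid = 2 * i + 1
    ABUSIVE.append(Frame(1.0 + i * 0.0005, "abusive", "HEADERS", sid))
    ABUSIVE.append(Frame(1.0 + i * 0.0005 + 0.0001, "abusive", "RST_STREAM", sid))
SAMPLE_FRAMES = sorted(BENIGN + ABUSIVE, key=lambda f: f.ts)


def detect_rapid_reset(frames, window=1.0, max_resets=100, min_ratio=0.5):
    """Return one alert per connection whose client-sent RST_STREAM count inside a
    sliding window reaches max_resets and covers at least min_ratio of the streams
    it opened in that window. Each alert is (conn, ts_of_alert, resets_in_window).

    Assumes frames are time-ordered and only client-sent frames are logged.
    """
    opens = defaultdict(deque)    # conn -> timestamps of HEADERS frames in window
    resets = defaultdict(deque)   # conn -> timestamps of RST_STREAM frames in window
    alerted = set()
    alerts = []
    for f in frames:
        if f.kind == "HEADERS":
            opens[f.conn].append(f.ts)
        elif f.kind == "RST_STREAM":
            resets[f.conn].append(f.ts)
        else:
            continue  # DATA, SETTINGS, PING etc. do not matter for this check
        # Evict events that fell out of the window for this connection.
        for dq in (opens[f.conn], resets[f.conn]):
            while dq and f.ts - dq[0] > window:
                dq.popleft()
        n_open = len(opens[f.conn])
        n_reset = len(resets[f.conn])
        if (f.conn not in alerted and n_reset >= max_resets
                and n_open and n_reset / n_open >= min_ratio):
            alerted.add(f.conn)
            alerts.append((f.conn, f.ts, n_reset))
    return alerts


if __name__ == "__main__":
    for conn, ts, n in detect_rapid_reset(SAMPLE_FRAMES):
        print(f"rapid-reset pattern on {conn} at t={ts:.4f}s ({n} resets in window)")
```

The ratio term keeps a busy but well-behaved client (many streams, few cancellations) from tripping the check, while the absolute count keeps a connection that only ever sends a handful of resets below the threshold. In production the same counters are what server-side mitigations key on: the patched HTTP/2 implementations limit how fast a peer may reset streams and close the connection when that limit is exceeded.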
Organizations are strongly advised to prioritize patching these vulnerabilities as soon as possible. CISA has given Federal Civilian Executive Branch (FCEB) agencies until October 31, 2023, to apply these patches and secure their networks against potential threats.
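To turn a KEV update like this one into a patch worklist, the usual step is to match the catalog entries against an asset inventory and sort by remediation due date. The script below is an added example, not the article's or CISA's code: the `cveID`, `product` and `dueDate` field names follow the shape of the KEV JSON feed, but the five entries are reconstructed from this article rather than downloaded (vendor and description fields are omitted), the inventory and hostnames are constructed, and the product matching is a plain normalized substring check, which is an assumption a real deployment would replace with CPE matching.

```python
"""Match constructed KEV-style entries against a constructed asset inventory (added example)."""
import json
from datetime import date, datetime

# Constructed excerpt in the shape of the KEV JSON feed; entries built from the
# article above, with only the fields this example needs.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-21608", "product": "Acrobat and Reader", "dueDate": "2023-10-31"},
    {"cveID": "CVE-2023-20109", "product": "IOS and IOS XE", "dueDate": "2023-10-31"},
    {"cveID": "CVE-2023-41763", "product": "Skype for Business", "dueDate": "2023-10-31"},
    {"cveID": "CVE-2023-36563", "product": "WordPad", "dueDate": "2023-10-31"},
    {"cveID": "CVE-2023-44487", "product": "HTTP/2", "dueDate": "2023-10-31"},
]})

# Constructed (hypothetical) inventory: hostname -> installed products.
INVENTORY = {
    "edge-lb-01": ["nginx (HTTP/2 enabled)"],
    "wkstn-042": ["Adobe Acrobat and Reader DC", "Microsoft WordPad"],
    "db-01": ["PostgreSQL"],
}


def _norm(s):
    """Lower-case and collapse whitespace so product strings compare loosely."""
    return " ".join(s.lower().split())


def triage(kev_json, inventory, as_of):
    """Return findings (host, cve, due date, days left) for every inventory product
    that matches a KEV entry, sorted so the most urgent items come first."""
    entries = json.loads(kev_json)["vulnerabilities"]
    findings = []
    for e in entries:
        due = datetime.strptime(e["dueDate"], "%Y-%m-%d").date()
        needle = _norm(e["product"])
        for host, products in inventory.items():
            if any(needle in _norm(p) for p in products):
                findings.append({
                    "host": host,
                    "cve": e["cveID"],
                    "due": due,
                    "days_left": (due - as_of).days,
                })
    findings.sort(key=lambda f: (f["days_left"], f["host"], f["cve"]))
    return findings


def overdue(findings):
    """Findings whose KEV due date has already passed."""
    return [f for f in findings if f["days_left"] < 0]


if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, date.today()):
        state = "OVERDUE" if f["days_left"] < 0 else f"{f['days_left']} days left"
        print(f"{f['host']:12} {f['cve']:16} due {f['due']} ({state})")
```

Run against the article's publication date the three matched findings all show 20 days to the October 31, 2023 deadline; run the day after the deadline they all come back from `overdue`, which is the list a compliance report for FCEB agencies would be built from.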