The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included security vulnerabilities in Sophos, Oracle, and Microsoft products in its Known Exploited Vulnerabilities (KEV) catalog. The addition, made on Thursday, includes the Sophos flaw, CVE-2023-1671, a critical vulnerability in the Sophos Web Appliance that can be exploited by an unauthenticated attacker to execute arbitrary code. Although there are no public reports describing attacks exploiting this vulnerability, and Sophos could not provide further details, CISA's inclusion indicates that the flaw has been exploited.
The KEV catalog also includes four other vulnerabilities in Sophos products discovered in 2020 and 2022. It's worth noting that Sophos vulnerabilities have been exploited by threat actors in the past, with some attacks linked to a Chinese Advanced Persistent Threat (APT) targeting government and other organizations in South Asia.
The second vulnerability added to the KEV catalog is CVE-2020-2551, a flaw in Oracle's WebLogic Server that allows unauthenticated attackers to take control of affected servers. This vulnerability was one of four targeted for initial compromise by a Chinese threat actor, as reported by threat intelligence company EclecticIQ in a blog post published in early June. The observed attacks targeted government and critical infrastructure organizations in Taiwan.
The third vulnerability added to the KEV catalog by CISA is CVE-2023-36584, a flaw that allows attackers to bypass Microsoft's Mark of the Web (MotW) security feature in Windows. This vulnerability was disclosed by Palo Alto Networks in November following their discovery during an analysis of attacks launched by a Russia-linked APT. The APT had exploited another MotW bypass flaw, CVE-2023-36884, which came to light in July. However, it's not clear whether CVE-2023-36584 has also been exploited. Microsoft's advisory from October 10 states that the vulnerability has not been exploited, raising questions about CISA's evidence for its inclusion in the KEV catalog.