CISA Updates Known Exploited Vulnerabilities Catalog with Adobe, SolarWinds, and VMware Bugs

July 21, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The first is CVE-2024-34102, which affects Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier. The flaw is an Improper Restriction of XML External Entity Reference ("XXE") vulnerability that could result in arbitrary code execution. Adobe has acknowledged that it is being exploited in targeted attacks against Adobe Commerce merchants.
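The following is an added illustration of the bug class, not code from Adobe Commerce or from the advisory: an XXE vulnerability exists when an XML parser honours a `<!ENTITY ... SYSTEM "...">` declaration in attacker-supplied input and pulls the referenced resource into the document. The example uses Python's standard-library `xml.sax` parser, whose `feature_external_ges` switch controls exactly that behaviour (it defaults to off in current Python versions). The secret file, the payload and the `parse_untrusted_xml` / `xxe_demo` helper names are all constructed for this demonstration.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data so we can see what the parser actually expanded."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_untrusted_xml(doc: bytes, resolve_external_entities: bool) -> str:
    """Parse attacker-controlled XML and return its text content.

    resolve_external_entities=True is the vulnerable configuration: the parser
    fetches whatever SYSTEM identifier the document's DTD declares (a local
    file here, but http:// URLs work the same way) and splices it into the
    document. False is the hardened configuration: external general entities
    are left unexpanded.
    """
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    # Set explicitly in both directions so the two configurations sit side by side;
    # Python's default is False.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(doc))
    return "".join(handler.chunks)


def xxe_demo() -> dict:
    """Stage a local 'secret' and parse a constructed XXE payload both ways."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as f:
            f.write("db_password=hunter2")  # constructed sample secret

        # Constructed payload: the internal DTD subset declares an external
        # entity pointing at a file on the parser's host, and the body
        # references it where ordinary text was expected.
        payload = (
            '<?xml version="1.0"?>\n'
            "<!DOCTYPE order [\n"
            f'  <!ENTITY xxe SYSTEM "file://{secret_path}">\n'
            "]>\n"
            "<order><note>&xxe;</note></order>"
        ).encode()

        return {
            "vulnerable": parse_untrusted_xml(payload, resolve_external_entities=True),
            "hardened": parse_untrusted_xml(payload, resolve_external_entities=False),
        }


if __name__ == "__main__":
    for mode, text in xxe_demo().items():
        print(f"{mode:>10}: {text!r}")
```

In the vulnerable configuration the secret's contents come back as the `<note>` text; in the hardened one the entity reference expands to nothing. The same check applies to any XML library in any language: confirm that external entity resolution (and, ideally, DTD processing altogether) is disabled for every parser that touches untrusted input.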

Another vulnerability added to the KEV catalog is CVE-2024-28995, a high-severity directory traversal vulnerability in SolarWinds Serv-U that allows attackers to read sensitive files on the host machine. GreyNoise reported that threat actors are actively exploiting the flaw using publicly available proof-of-concept (PoC) exploit code. The flaw was disclosed on June 6 and affects Serv-U 15.4.2 HF 1 and earlier. GreyNoise began investigating after Rapid7 published technical details and PoC code; a GitHub user named bigb0x also released a PoC and a bulk scanner for the vulnerability.

The third vulnerability added to the catalog is CVE-2022-22948, an information disclosure vulnerability in VMware vCenter Server caused by improper file permissions. A malicious actor with non-administrative access to the vCenter Server can exploit it to obtain sensitive information.

Under Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies are required to remediate catalogued vulnerabilities by the due date CISA assigns, to protect their networks from attacks exploiting the flaws in the catalog; for these three, CISA has set the deadline at August 7, 2024. Private organizations are also advised to review the catalog and address the vulnerabilities in their own infrastructure.
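One practical way to act on the catalog is to join CISA's KEV JSON feed against your own vulnerability inventory and sort by due date. The block below is an added example, not a CISA tool; the feed excerpt is a constructed sample in the shape of the real feed's `vulnerabilities` entries (only the page's three CVEs and the August 7 due date are taken from the article, the other field values are illustrative), and the inventory mapping and helper names (`load_kev`, `triage`) are assumptions for the demonstration.

```python
import json
from datetime import date

# Constructed sample modelled on the schema of
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# Field names match the real feed; values other than the CVE IDs and due date are illustrative.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2024-34102", "vendorProject": "Adobe", "product": "Commerce",
         "vulnerabilityName": "Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability",
         "dateAdded": "2024-07-17", "dueDate": "2024-08-07",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-28995", "vendorProject": "SolarWinds", "product": "Serv-U",
         "vulnerabilityName": "SolarWinds Serv-U Path Traversal Vulnerability",
         "dateAdded": "2024-07-17", "dueDate": "2024-08-07",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2022-22948", "vendorProject": "VMware", "product": "vCenter Server",
         "vulnerabilityName": "VMware vCenter Server Incorrect Default File Permissions Vulnerability",
         "dateAdded": "2024-07-17", "dueDate": "2024-08-07",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def load_kev(feed_text: str) -> dict:
    """Index the feed by CVE ID so inventory lookups are O(1)."""
    catalog = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def triage(kev_by_cve: dict, inventory: dict, today: date) -> list:
    """Return KEV-listed findings from `inventory` (CVE -> affected assets),
    most urgent first. Findings not in KEV are dropped: they still matter,
    but this report is about the BOD 22-01 clock."""
    findings = []
    for cve, assets in inventory.items():
        entry = kev_by_cve.get(cve)
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        findings.append({
            "cve": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "assets": sorted(assets),
            "due": due.isoformat(),
            "days_left": (due - today).days,   # negative once the deadline has passed
            "overdue": today > due,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    return sorted(findings, key=lambda f: (f["days_left"], f["cve"]))


# Constructed inventory: what a scanner might report for a small estate.
SAMPLE_INVENTORY = {
    "CVE-2024-28995": ["ftp-01.example.internal", "ftp-02.example.internal"],
    "CVE-2022-22948": ["vcsa-prod.example.internal"],
}

if __name__ == "__main__":
    for finding in triage(load_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY, date.today()):
        flag = "OVERDUE" if finding["overdue"] else f'{finding["days_left"]}d left'
        print(f'{finding["cve"]}  {finding["product"]:<25} due {finding["due"]}  {flag}  {finding["assets"]}')
```

Swap `SAMPLE_KEV_JSON` for the downloaded feed and `SAMPLE_INVENTORY` for your scanner's export; the `knownRansomwareCampaignUse` field is worth surfacing because it is the one KEV attribute that changes how quickly most teams want to move.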
