On June 22, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added six vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. A KEV listing means CISA has evidence that the flaw is being exploited in the wild, and under Binding Operational Directive 22-01 it starts the clock on a mandatory remediation deadline for federal agencies; for everyone else it is a strong signal of what attackers are actually using and should be prioritized accordingly.
The first, CVE-2023-20887, is a critical command injection flaw in VMware Aria Operations for Networks (formerly vRealize Network Insight) with a CVSS score of 9.8. A remote attacker with network access to the appliance can send a specially crafted request and execute arbitrary commands on it without authentication, gaining control of the system.
Roundcube Webmail, a widely used open-source webmail client, accounts for three of the six entries. CVE-2020-35730 is a cross-site scripting (XSS) flaw with a CVSS score of 6.1, caused by insufficient validation of user-supplied input in the rcube_string_replacer.php script, which turns link references in plain-text messages into HTML links. A remote attacker can send a message that, when viewed, executes script in the victim's browser in the security context of the webmail site, which can expose session cookies and let the attacker act as the user.
The second Roundcube entry, CVE-2020-12641, is a remote code execution flaw in the rcube_image.php script: the im_convert_path and im_identify_path configuration values (the paths to the ImageMagick convert and identify binaries) are placed in a shell command without escaping, so an attacker who can influence those values can use shell metacharacters to run arbitrary commands. The third, CVE-2021-44026, is an SQL injection in the handling of the search or search_params session item; crafted values reach the back-end database as SQL and allow an attacker to view, modify, or delete its contents.
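The rcube_image.php flaw is an instance of a general pattern: a configurable binary path is spliced into a command string that a shell parses, so quoting the arguments does not help when the path itself is hostile. The following Python illustration is added here and is not Roundcube's PHP code; it shows the vulnerable pattern beside a hardened one. The function names, the tampered converter path and the injected `echo` are constructed for the demonstration.

```python
import os
import shlex
import subprocess

# Characters /bin/sh treats specially. A path to a converter binary has no
# legitimate reason to contain any of them (space included, conservatively).
SHELL_METACHARACTERS = set(";&|$`<>(){}[]*?~\"'\\\n \t")

# Constructed example of a tampered im_convert_path-style setting. The ";"
# terminates the intended command and starts an attacker-chosen one.
MALICIOUS_CONVERT_PATH = "/bin/echo converting; echo INJECTED"


def has_shell_metacharacters(value: str) -> bool:
    """True if value contains any character the shell would interpret."""
    return any(ch in SHELL_METACHARACTERS for ch in value)


def vulnerable_convert(convert_path: str, src: str, dst: str) -> str:
    """Vulnerable pattern: one command string handed to /bin/sh.

    src and dst are quoted, but convert_path is not, so metacharacters in it
    are executed by the shell. Returns the command's stdout.
    """
    cmd = f"{convert_path} {shlex.quote(src)} {shlex.quote(dst)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_convert(convert_path: str, src: str, dst: str) -> str:
    """Hardened pattern: validate the path, then exec with an argv list.

    No shell parses anything, so metacharacters would only ever be bytes in
    argv[0]; the validation rejects them anyway so a bad setting fails loudly.
    """
    if has_shell_metacharacters(convert_path):
        raise ValueError(f"converter path contains shell metacharacters: {convert_path!r}")
    if not (os.path.isabs(convert_path) and os.path.isfile(convert_path)
            and os.access(convert_path, os.X_OK)):
        raise ValueError(f"converter path is not an existing executable: {convert_path!r}")
    proc = subprocess.run([convert_path, src, dst], capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    # With the vulnerable pattern the attacker's command runs and even
    # inherits the carefully quoted file arguments.
    print("vulnerable:", repr(vulnerable_convert(MALICIOUS_CONVERT_PATH, "in.png", "out.png")))
    try:
        hardened_convert(MALICIOUS_CONVERT_PATH, "in.png", "out.png")
    except ValueError as exc:
        print("hardened rejected:", exc)
```

The hardened version deliberately checks the configured path before use rather than only escaping it: a converter path is an administrator-controlled allow-list value, and rejecting anything that is not an existing executable file is simpler to reason about than trying to escape it correctly for every shell.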
CVE-2016-9079 affects Mozilla Firefox and Thunderbird (CVSS score 8.8): a use-after-free in SVG animation handling that a remote attacker can trigger by luring the victim to a specially crafted web page, leading to arbitrary code execution or a crash (denial of service). It was exploited as a zero-day in late 2016 against Tor Browser users, which explains its presence in an actively-exploited list years after a fix shipped.
The last, CVE-2016-0165, is a Microsoft Windows elevation-of-privilege flaw in the Win32k kernel-mode driver (win32k.sys, fixed in MS16-039) caused by improper handling of objects in memory. A local, authenticated attacker who runs a specially crafted program can execute arbitrary code in kernel mode, which is exactly the kind of bug that turns a browser or mail-client foothold into full control of the host.
Under BOD 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate these six vulnerabilities by the July 13, 2023 due date. Organizations outside that mandate should treat the date the same way: every entry is already being exploited, so the practical question is how quickly the affected products can be found in inventory and patched, which is a test of patch management process rather than of any single fix.
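Acting on a KEV update starts with the catalog in machine-readable form. CISA publishes it as JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json. The following Python is added here as an example and is not CISA tooling: it parses a constructed sample in the shape of that feed, picks out the entries added on a given day, and ranks those that match a hypothetical asset inventory by days left until the due date. The field names follow the published feed; the vendor, product and name strings in the sample are abbreviated by hand, and the inventory is invented.

```python
import json
from datetime import date

KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the published feed. Field names match the
# real catalog; the name strings are abbreviated here, and the dates are the
# ones reported for these six entries.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2023.06.22",
  "dateReleased": "2023-06-22T00:00:00.0000Z",
  "count": 6,
  "vulnerabilities": [
    {"cveID": "CVE-2023-20887", "vendorProject": "VMware", "product": "Aria Operations for Networks",
     "vulnerabilityName": "Command injection", "dateAdded": "2023-06-22", "dueDate": "2023-07-13",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2020-35730", "vendorProject": "Roundcube", "product": "Webmail",
     "vulnerabilityName": "Cross-site scripting", "dateAdded": "2023-06-22", "dueDate": "2023-07-13",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2020-12641", "vendorProject": "Roundcube", "product": "Webmail",
     "vulnerabilityName": "Remote code execution", "dateAdded": "2023-06-22", "dueDate": "2023-07-13",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2021-44026", "vendorProject": "Roundcube", "product": "Webmail",
     "vulnerabilityName": "SQL injection", "dateAdded": "2023-06-22", "dueDate": "2023-07-13",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2016-9079", "vendorProject": "Mozilla", "product": "Firefox and Thunderbird",
     "vulnerabilityName": "Use-after-free in SVG animation", "dateAdded": "2023-06-22", "dueDate": "2023-07-13",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2016-0165", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Win32k elevation of privilege", "dateAdded": "2023-06-22", "dueDate": "2023-07-13",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}
"""


def fetch_kev_json(url: str = KEV_FEED_URL, timeout: int = 30) -> str:
    """Download the live feed. Not called by the offline demo below."""
    import urllib.request
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def load_kev(text: str) -> list:
    """Parse the feed and sanity-check its self-reported entry count."""
    data = json.loads(text)
    entries = data["vulnerabilities"]
    if data.get("count") is not None and data["count"] != len(entries):
        raise ValueError("feed count does not match number of entries")
    return entries


def added_on(entries: list, day: date) -> list:
    """Entries whose dateAdded is exactly the given day."""
    return [e for e in entries if date.fromisoformat(e["dateAdded"]) == day]


def days_until_due(entry: dict, today: date) -> int:
    """Days left until dueDate; negative once the deadline has passed."""
    return (date.fromisoformat(entry["dueDate"]) - today).days


def triage(entries: list, inventory: set, today: date) -> list:
    """Match entries against deployed (vendor, product) pairs, lowercased.

    Returns (cveID, days_until_due) tuples, most urgent first.
    """
    hits = [(e["cveID"], days_until_due(e, today))
            for e in entries
            if (e["vendorProject"].lower(), e["product"].lower()) in inventory]
    return sorted(hits, key=lambda hit: hit[1])


def overdue(entries: list, today: date) -> list:
    """cveIDs whose due date has already passed."""
    return sorted(e["cveID"] for e in entries if days_until_due(e, today) < 0)


if __name__ == "__main__":
    # Hypothetical inventory: this organization runs Roundcube and Windows.
    inventory = {("roundcube", "webmail"), ("microsoft", "windows")}
    entries = load_kev(SAMPLE_KEV_JSON)
    for cve, days in triage(added_on(entries, date(2023, 6, 22)), inventory, date(2023, 6, 30)):
        print(f"{cve}: {days} days until due")
```

Matching on the catalog's vendorProject and product strings is only as good as the naming in your inventory; in practice the CVE IDs are the stable key, so feed them into whatever scanner or CMDB you already have and use the vendor/product match as a first pass rather than a definitive answer.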