Vulnerability Management, Managed Security Services, MSSP

CISA Urges Action on 3 New Vulnerabilities

Credit: Adobe Stock Images

The Cybersecurity & Infrastructure Security Agency (CISA) has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog and urges appropriate remediation.

CISA said it has seen evidence of active exploitation involving:

  • CVE-2023-48788 Fortinet FortiClient EMS SQL Injection Vulnerability
  • CVE-2021-44529 Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability
  • CVE-2019-7256 Nice Linear eMerge E3-Series OS Command Injection Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise, CISA said. 

More Details on Three New Vulnerabilities

Fortinet has since revised its advisory to confirm that it has been exploited in the wild, although no other details regarding the nature of the attacks are currently available, according to The Hacker News.

Meanwhile CVE-2021-44529 involves a code injection vulnerability in Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA). The vulnerability allows an unauthenticated user to execute malicious code with limited permissions. Security researcher Ron Bowes reported that the flaw may have been introduced as an intentional backdoor through “csrf-magic,” a now-discontinued open-source project that existed likely since 2014.

CVE-2019-7256 permits an attacker to conduct remote code execution on Nice Linear eMerge E3-Series access controllers, according to a SonicWall blog. SonicWall said threat actors have exploited the vulnerability as early as February 2020.

CISA’s bulletin references Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, which established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs). CVEs carry significant risk to the federal enterprise, CISA said.

BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate the identified vulnerabilities by April 15, 2024 to protect FCEB networks against active threats.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of catalog vulnerabilities as part of their vulnerability management practice.

Jim Masters

Jim Masters is Managing Editor of MSSP Alert, and holds a B.A. degree in Journalism from Northern Illinois University. His career has spanned governmental and investigative reporting for daily newspapers in the Northwest Indiana Region and 16 years in a global internal communications role for a Fortune 500 professional services company. Additionally, he is co-owner of the Lake County Corn Dogs minor league baseball franchise, located in Crown Point, Indiana. In his spare time, he enjoys writing and recording his own music, oil painting, biking, volleyball, golf and cheering on the Corn Dogs.