The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six security vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
This includes a high-severity security vulnerability, CVE-2023-27524 (CVSS score: 8.9), affecting Apache Superset, an open-source data visualization software, allowing remote code execution. The details of this issue first surfaced in April 2023, described by Naveen Sunkavally from Horizon3.ai as “a dangerous default configuration in Apache Superset that allows an unauthenticated attacker to execute remote code, gather credentials, and jeopardize data.”
Currently, it is unknown how this security vulnerability is being exploited. Additionally, CISA has added five more flaws:
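The "dangerous default configuration" behind CVE-2023-27524 is a Flask `SECRET_KEY` shipped as a fixed placeholder, which lets anyone who knows that value mint session cookies the server accepts; the article does not name the setting, and that detail is added here from the advisory, not from the page. The following audit helper is an added example, not Superset project code: it takes a Superset-style configuration dictionary and flags a `SECRET_KEY` that is missing, short, or matches a placeholder. The placeholder strings in `PLACEHOLDER_SECRETS` are constructed stand-ins for illustration, not the actual shipped default, and `generate_secret_key` produces a replacement suitable for `superset_config.py`.

```python
import secrets

# Constructed stand-ins for "never change this" placeholder values. They are
# NOT the real Superset default; a deployment check would load its list from
# the vendor advisory rather than hard-code it here.
PLACEHOLDER_SECRETS = {"CHANGE_ME", "thisismysecretkey", "secret", "superset"}

# Flask signs session cookies with HMAC over SECRET_KEY; 32 random bytes is a
# reasonable floor so the key cannot be guessed or brute-forced offline.
MIN_SECRET_BYTES = 32


def audit_secret_key(config: dict) -> list[str]:
    """Return a list of findings for SECRET_KEY in a Superset-style config dict.

    An empty list means the key passed every check.
    """
    findings: list[str] = []
    key = config.get("SECRET_KEY")

    if not key:
        # Superset falls back to its built-in default when the operator sets nothing.
        findings.append("SECRET_KEY is not set")
        return findings

    if key in PLACEHOLDER_SECRETS or key.lower() in {p.lower() for p in PLACEHOLDER_SECRETS}:
        # A shared/known key lets anyone forge a valid signed session cookie.
        findings.append("SECRET_KEY is a placeholder value")

    if len(key.encode()) < MIN_SECRET_BYTES:
        findings.append(f"SECRET_KEY is shorter than {MIN_SECRET_BYTES} bytes")

    return findings


def generate_secret_key() -> str:
    """Generate a URL-safe random key with 42 bytes of entropy (56 characters)."""
    return secrets.token_urlsafe(42)


if __name__ == "__main__":
    weak = {"SECRET_KEY": "CHANGE_ME"}                 # constructed weak config
    fixed = {"SECRET_KEY": generate_secret_key()}      # remediated config
    print("weak :", audit_secret_key(weak))
    print("fixed:", audit_secret_key(fixed))
```

Run the audit against the dictionary Superset actually loads (the module named by `SUPERSET_CONFIG_PATH`) rather than a copy, so the check sees the value in effect; a key that fails the audit should be rotated, which invalidates every existing session cookie, so schedule the rotation accordingly.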
• CVE-2023-38203 (CVSS score: 9.8) – Insecure Deserialization Vulnerability in Adobe ColdFusion
• CVE-2023-29300 (CVSS score: 9.8) – Insecure Deserialization Vulnerability in Adobe ColdFusion
• CVE-2023-41990 (CVSS score: 7.8) – Multiple Product Code Execution Vulnerability in Apple
• CVE-2016-20017 (CVSS score: 9.8) – Command Injection Vulnerability in D-Link DSL-2750B Devices
• CVE-2023-23752 (CVSS score: 5.3) – Inappropriate Access Control Vulnerability in Joomla!
CVE-2023-41990, patched by Apple in iOS 15.7.8 and iOS 16.3, is being used by unknown actors as part of Triada Operation spyware attacks to enable remote code execution while processing a specially crafted iMessage PDF attachment.
The Federal Civilian Executive Branch (FCEB) agencies are advised to apply fixes for the above-mentioned vulnerabilities by January 29, 2024, to protect their networks against active threats.
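KEV entries carry a due date per CVE, so the practical follow-up to an addition like this one is matching the catalog against an asset inventory and tracking the remediation deadline. The script below is an added example and not CISA tooling: it parses a constructed excerpt that follows the field names of CISA's published KEV JSON feed (`cveID`, `vendorProject`, `product`, `vulnerabilityName`, `dueDate`, `knownRansomwareCampaignUse`), using the CVEs and the January 29, 2024 due date from the article, and reports how many days each matching asset has left. The inventory hosts and the `vulnerabilityName` strings are constructed for illustration.

```python
import json
from datetime import date

# Constructed excerpt in the shape of the CISA KEV JSON feed. CVE identifiers and
# due date come from the article; host names and descriptive text are made up.
KEV_JSON = """{
  "title": "constructed KEV excerpt",
  "vulnerabilities": [
    {"cveID": "CVE-2023-27524", "vendorProject": "Apache", "product": "Superset",
     "vulnerabilityName": "Apache Superset insecure default configuration",
     "dueDate": "2024-01-29", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-38203", "vendorProject": "Adobe", "product": "ColdFusion",
     "vulnerabilityName": "Adobe ColdFusion deserialization of untrusted data",
     "dueDate": "2024-01-29", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-29300", "vendorProject": "Adobe", "product": "ColdFusion",
     "vulnerabilityName": "Adobe ColdFusion deserialization of untrusted data",
     "dueDate": "2024-01-29", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-23752", "vendorProject": "Joomla!", "product": "Joomla!",
     "vulnerabilityName": "Joomla! improper access control",
     "dueDate": "2024-01-29", "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Constructed asset inventory; a real one would come from a CMDB or scanner export.
INVENTORY = [
    {"host": "bi-01.example.internal", "vendor": "Apache", "product": "Superset"},
    {"host": "web-07.example.internal", "vendor": "Adobe", "product": "ColdFusion"},
    {"host": "db-02.example.internal", "vendor": "PostgreSQL", "product": "PostgreSQL"},
]


def load_kev(text: str) -> list[dict]:
    """Return the list of vulnerability records from a KEV JSON document."""
    return json.loads(text)["vulnerabilities"]


def due_report(entries: list[dict], inventory: list[dict], as_of: date) -> list[dict]:
    """Match inventory assets to KEV entries by vendor/product and compute time left.

    Each row reports the host, CVE, days remaining until the KEV due date (negative
    when overdue) and an explicit overdue flag, sorted so the most urgent come first.
    """
    index: dict[tuple[str, str], list[dict]] = {}
    for entry in entries:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        index.setdefault(key, []).append(entry)

    report = []
    for asset in inventory:
        key = (asset["vendor"].lower(), asset["product"].lower())
        for entry in index.get(key, []):
            due = date.fromisoformat(entry["dueDate"])
            report.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "days_left": (due - as_of).days,
                "overdue": due < as_of,
            })
    return sorted(report, key=lambda r: (r["days_left"], r["cveID"], r["host"]))


if __name__ == "__main__":
    for row in due_report(load_kev(KEV_JSON), INVENTORY, date(2024, 1, 15)):
        state = "OVERDUE" if row["overdue"] else f"{row['days_left']} days left"
        print(f"{row['host']:28} {row['cveID']:15} {state}")
```

Matching on vendor and product alone over-reports (every ColdFusion host is listed for both CVEs regardless of patch level), which is the right default for a deadline tracker; add version checks only once the inventory records them reliably.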