CISA’s KEV Catalog Updated with 3 New Flaws Threatening IT Management Systems
Discription

[![IT Management Systems](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)]()

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has [added]() three security flaws to its Known Exploited Vulnerabilities ([KEV]()) catalog, citing evidence of active exploitation.

The list of vulnerabilities is below –

* [CVE-2022-35914]() (CVSS score: 9.8) – Teclib GLPI Remote Code Execution Vulnerability
* [CVE-2022-33891]() (CVSS score: 8.8) – Apache Spark Command Injection Vulnerability
* [CVE-2022-28810]() (CVSS score: 6.8) – Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability

The most critical of the three is [CVE-2022-35914](), which concerns a remote code execution vulnerability in the third-party library htmlawed present in [Teclib GLPI](), an open source asset and IT management software package.

The exact specifics surrounding the nature of attacks are unknown, but the Shadowserver Foundation in October 2022 [noted]() that it has seen exploitation attempts against its honeypots.

Since then, a cURL-based one-line proof of concept (PoC) has been made available on GitHub and a “mass” scanner has been advertised for sale, VulnCheck security researcher Jacob Baines [said]() in December 2022.

Furthermore, data gathered by GreyNoise has [revealed]() 40 malicious IP addresses from the U.S., the Netherlands, Hong Kong, Australia, and Bulgaria, attempting to abuse the shortcoming.

The second flaw is an unauthenticated command injection vulnerability in Apache Spark that has been exploited by the [Zerobot botnet]() to co-opt susceptible devices with the goal of carrying out distributed denial-of-service (DDoS) attacks.

Lastly, also added to the KEV catalog is a [remote code execution flaw]() in Zoho ManageEngine ADSelfService Plus that was patched in April 2022.

“Multiple Zoho ManageEngine ADSelfService Plus contains an unspecified vulnerability allowing for remote code execution when performing a password change or reset,” CISA said.

Cybersecurity company Rapid7, which [discovered]() the bug, said it detected active exploitation attempts by threat actors to “execute arbitrary OS commands in order to gain persistence on the underlying system and attempt to pivot further into the environment.”

The development comes as API security firm Wallarm [said]() it has found ongoing exploit attempts of two VMware NSX Manager flaws ([CVE-2021-39144]() and [CVE-2022-31678]()) since December 2022 that could be leveraged to execute malicious code and siphon sensitive data.

Found this article interesting? Follow us on [Twitter __]() and [LinkedIn]() to read more exclusive content we post.Read More

Back to Main

Subscribe for the latest news: