
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.
Here is the list of vulnerabilities:
- CVE-2022-47986 (CVSS Score: 9.8) – IBM Aspera Faspex Code Execution Vulnerability
- CVE-2022-41223 (CVSS Score: 6.8) – Mitel MiVoice Connect Code Injection Vulnerability
- CVE-2022-40765 (CVSS Score: 6.8) – Mitel MiVoice Connect Command Injection Vulnerability
CVE-2022-47986 is described as a YAML deserialization flaw in the file transfer solution that could allow a remote attacker to execute code on the system.
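The bug class named above, deserializing attacker-controlled YAML with a loader that can instantiate arbitrary objects, is illustrated by the following added Ruby example. It is not code from the article or from IBM's product: the metadata document and the tagged input are constructed, and the function names are hypothetical. It shows the defensive pattern of parsing untrusted YAML only with `Psych.safe_load`, which builds plain scalars, arrays and hashes and rejects object tags and aliases unless they are explicitly allow-listed.

```ruby
require "yaml"

# Constructed sample of the kind of metadata a file-transfer service might accept
# from a client (not taken from any real product).
TRUSTED_CONFIG = <<~YAML
  title: quarterly-report
  size_bytes: 2048
  tags: [finance, q4]
YAML

# Constructed document carrying a Ruby object tag. A permissive loader such as
# YAML.unsafe_load would instantiate the named class from attacker input;
# safe_load refuses it because the class is not on the allow-list.
TAGGED_INPUT = <<~YAML
  --- !ruby/object:OpenStruct
  table:
    note: "constructed example"
YAML

# Constructed document using an anchor/alias, which safe_load also rejects
# unless aliases: true is passed (aliases are a common resource-exhaustion vector).
ALIASED_INPUT = <<~YAML
  base: &defaults
    retries: 3
  job: *defaults
YAML

# Parse client-supplied metadata with the restricted loader.
# permitted_classes: [] means only core types (String, Integer, Float,
# true/false/nil, Array, Hash) are ever constructed; aliases are disabled.
def load_package_metadata(text)
  YAML.safe_load(text, permitted_classes: [], aliases: false)
end

# Boundary check a request handler would call: true only when the document
# parses under the restricted loader, false (and a log line) otherwise.
def metadata_accepted?(text)
  load_package_metadata(text)
  true
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  warn "rejected untrusted YAML: #{e.class}: #{e.message}"
  false
end

if __FILE__ == $PROGRAM_NAME
  p load_package_metadata(TRUSTED_CONFIG)
  p metadata_accepted?(TAGGED_INPUT)   # false: object tag not allow-listed
  p metadata_accepted?(ALIASED_INPUT)  # false: aliases disabled
end
```

The defensive point is the loader choice, not the input: `safe_load` with an empty `permitted_classes` list turns any object tag into a `Psych::DisallowedClass` error before any class is resolved, so the input never reaches application code as a live object. If a service genuinely needs a richer type (for example `Time`), add exactly that class to `permitted_classes` rather than falling back to an unrestricted loader.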
Details of the flaw and a proof of concept (PoC) were shared by Assetnote on February 2. The company said it had actually “detected an exploit attempt”.
The active exploitation of the Aspera Faspex vulnerability comes shortly after a vulnerability in Fortra’s GoAnywhere MFT managed file transfer software (CVE-2023-0669) was exploited by threat actors with potential links to the Clop ransomware operation.
CISA also added two flaws (CVE-2022-41223 and CVE-2022-40765) affecting Mitel MiVoice Connect, which could allow an authenticated attacker with internal network access to execute arbitrary code.
Exact details about the nature of the attack are unknown, but another vulnerability in MiVoice Connect was exploited last year to deploy ransomware. This vulnerability was patched by Mitel in October 2022.
In light of the real-world exploitation, Federal Civilian Executive Branch (FCEB) agencies have until March 14, 2023 to apply the required updates to protect their networks from potential threats.
In a related development, CISA has also released an Industrial Control Systems (ICS) Advisory concerning critical flaws (CVE-2022-26377 and CVE-2022-31813) in Mitsubishi Electric’s MELSOFT iQ AppPortal.
“Successfully exploiting these vulnerabilities could allow malicious attackers to have unconfirmed effects such as authentication bypass, information disclosure, denial of service, or IP address authentication bypass,” the agency said.