The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on February 2 added two security flaws to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation.
The first of the two vulnerabilities is CVE-2022-21587 (CVSS score: 9.8), a critical issue impacting versions 12.2.3 to 12.2.11 of the Oracle Web Applications Desktop Integrator product.
"Oracle E-Business Suite contains an unspecified vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator," CISA said.
The issue was addressed by Oracle as part of its Critical Patch Update released in October 2022. Not much is known about the nature of the attacks exploiting the vulnerability, but the development follows the publication of a proof-of-concept (PoC) by cybersecurity firm Viettel on January 16, 2023.
The second security flaw to be added to the KEV catalog is CVE-2023-22952 (CVSS score: 8.8), which relates to a case of missing input validation in SugarCRM that could result in the injection of arbitrary PHP code. The bug has been fixed in SugarCRM versions 11.0.5 and 12.0.2.
The development comes a week after CISA also added CVE-2017-11357 (CVSS score: 9.8), a severe security vulnerability impacting Telerik UI that could facilitate arbitrary file uploads or remote code execution.
In light of active exploitation attempts, Federal Civilian Executive Branch (FCEB) agencies in the U.S. are required to apply the patches by February 23, 2023.