The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
This includes CVE-2023-27524 (CVSS score: 8.9), a high-severity vulnerability impacting the Apache Superset open-source data visualization software that could enable remote code execution. It was fixed in version 2.1.
Details of the issue first came to light in April 2023, with Horizon3.ai's Naveen Sunkavally describing it as a "dangerous default configuration in Apache Superset that allows an unauthenticated attacker to gain remote code execution, harvest credentials, and compromise data."
It's currently not known how the vulnerability is being exploited in the wild. Also added by CISA are five other flaws -
- CVE-2023-38203 (CVSS score: 9.8) - Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
- CVE-2023-29300 (CVSS score: 9.8) - Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
- CVE-2023-41990 (CVSS score: 7.8) - Apple Multiple Products Code Execution Vulnerability
- CVE-2016-20017 (CVSS score: 9.8) - D-Link DSL-2750B Devices Command Injection Vulnerability
- CVE-2023-23752 (CVSS score: 5.3) - Joomla! Improper Access Control Vulnerability
It's worth noting that CVE-2023-41990, patched by Apple in iOS 15.7.8 and iOS 16.3, was used by unknown actors as part of Operation Triangulation spyware attacks to achieve remote code execution when processing a specially crafted iMessage PDF attachment.
Federal Civilian Executive Branch (FCEB) agencies have been recommended to apply fixes for the aforementioned bugs by January 29, 2024, to secure their networks against active threats.
Update
Fortinet FortiGuard Labs, in an updated advisory on January 16, said it "observed critical level of continued attacks on Adobe Coldfusion with IPS detections reaching up to 50,000+ unique detections."