The cybersecurity agency CISA on Monday added five security holes to its Known Exploited Vulnerabilities (KEV) catalog, but for most of them in-the-wild exploitation has been known for months or years.
One of the vulnerabilities added to the CISA KEV list is CVE-2018-8639, a Windows privilege escalation vulnerability that Microsoft patched back in 2018.
South Korean cybersecurity firm AhnLab flagged exploitation of CVE-2018-8639 in February 2023, in a report describing the attacks of a China-linked APT named Dalbit (m00nlight). According to the company, the hackers exploited CVE-2018-8639 for privilege escalation on compromised systems.
Microsoft has yet to update its advisory for CVE-2018-8639 to warn customers about malicious exploitation.
Another vulnerability added to the CISA KEV list on Monday is CVE-2023-20118, a vulnerability affecting Cisco routers.
Exploitation of CVE-2023-20118 was recently mentioned by Sekoia in a blog post describing a backdoor and botnet named PolarEdge, which has ensnared more than 2,000 devices worldwide. The botnet has been active since at least late 2023 and it was recently seen exploiting this Cisco vulnerability to deploy a webshell on targeted routers.
Cisco describes CVE-2023-20118 as a remote command execution issue that can be exploited by an authenticated attacker against small business RV016, RV042, RV042G, RV082, RV320 and RV325 routers. However, Sekoia says the vulnerability, for which a PoC exploit is available, can be exploited without authentication.
The impacted devices have reached end of life and Cisco is not releasing patches. At the time of writing, the networking giant’s advisory does not mention in-the-wild exploitation.
CISA also warned organizations about CVE-2022-43939 and CVE-2022-43769, two Hitachi Vantara Pentaho BA Server vulnerabilities that allow an attacker to bypass authentication and take full control of the host.
Details of the flaws were disclosed in April 2023 and the Shadowserver Foundation reported seeing exploitation attempts shortly after. Even today hundreds of Pentaho systems are directly exposed to the internet.
CISA’s KEV catalog now also includes CVE-2024-4885, a WhatsUp Gold vulnerability whose exploitation in ransomware attacks has been known since September 2024.
CVE-2023-20118 is the only vulnerability whose exploitation appears to have come to light in recent days.
This shows that while CISA is in some cases the first to issue a warning over the exploitation of a vulnerability, the agency is slow to add many security holes to its KEV catalog, as highlighted on several occasions by private cybersecurity companies.
Related: CISA: No Change on Defending Against Russian Cyber Threats
Related: CISA Warns of Attacks Exploiting Oracle Agile PLM Vulnerability
Related: CISA Warns of Attacks Exploiting Craft CMS Vulnerability