The Known Exploited Vulnerabilities (KEV) catalog has recently been updated by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to include three new security flaws based on evidence of active exploitation.
What are they about?
- The first (CVE-2023-1389) is a command injection flaw in TP-Link Archer AX-21 routers that can be exploited to achieve remote code execution. Threat actors associated with the Mirai botnet have reportedly been exploiting it since April 11, 2023.
- The second (CVE-2021-45046) is a remote code execution vulnerability in the Apache Log4j2 logging library disclosed in December 2021. It stems from the incomplete fix for Log4Shell (CVE-2021-44228) and is exploitable only in non-default configurations that use a Context Lookup (for example, $${ctx:loginId}) in a pattern layout; it was fixed in Log4j 2.16.0 (2.12.2 for Java 7). While it is currently unclear how this specific vulnerability is being exploited in the wild, GreyNoise data shows exploitation attempts from as many as 74 unique IP addresses over the past 30 days. That figure, however, also includes attempts to exploit CVE-2021-44228 (Log4Shell), so the two cannot be cleanly separated.
- The third (CVE-2023-21839) is a high-severity bug in Oracle WebLogic Server versions 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0 that an unauthenticated attacker with network access via the T3 or IIOP protocols can exploit to gain unauthorized access to sensitive data. Oracle patched it in its January 2023 Critical Patch Update.
“While proof-of-concept (PoC) exploits are available for some of these vulnerabilities, there are no public reports of malicious exploitation yet. However, Federal Civilian Executive Branch (FCEB) agencies must apply vendor-provided fixes by May 22, 2023, to ensure their networks are protected against these active threats.”
Is CISA doing enough?
It’s worth noting that this advisory comes just over a month after VulnCheck revealed that almost 50 security flaws likely weaponized in 2022 are missing from the KEV catalog. Most of those vulnerabilities were exploited by Mirai-like botnets, followed by ransomware gangs and other threat actors.
As a final point…
The CISA KEV catalog is a significant driver of patch prioritization across the security community. It cannot, however, be treated as the definitive source, because it does not yet list every vulnerability that is actually being exploited. Security teams should therefore use KEV as one input among several and cross-reference it with additional exploitation-intelligence sources.
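One way to operationalize both points (the May 22, 2023 remediation deadline for the three new entries, and the need to cross-reference KEV with other exploitation sources) is a small triage script. The following Python is an added example written for this page, not code from CISA or the original article. It uses the field names of CISA's public KEV JSON feed (cveID, dueDate and so on), but the catalog snapshot, the asset inventory and the second "other exploited" source embedded here are constructed for illustration; the CVE-0000-* identifiers are placeholders and not real CVEs, and the dateAdded values are assumed.

```python
"""Triage an asset CVE inventory against a KEV catalog snapshot and a second
exploitation feed: what is overdue, what is open, what is exploited but absent
from KEV, and what nobody has flagged yet."""
import json
import re
from datetime import date

# Real feed location; in production replace KEV_SNAPSHOT with its contents, e.g.
#   load_kev(urllib.request.urlopen(KEV_FEED_URL).read())
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed snapshot in the shape of the KEV JSON feed. Only the three
# May 2023 additions are included; dateAdded is assumed, dueDate is the
# May 22, 2023 deadline cited above.
KEV_SNAPSHOT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example-snapshot",
    "dateReleased": "2023-05-01T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2023-1389", "vendorProject": "TP-Link", "product": "Archer AX-21",
         "vulnerabilityName": "TP-Link Archer AX-21 Command Injection Vulnerability",
         "dateAdded": "2023-05-01", "shortDescription": "Command injection leading to RCE.",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2023-05-22",
         "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-2021-45046", "vendorProject": "Apache", "product": "Log4j2",
         "vulnerabilityName": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability",
         "dateAdded": "2023-05-01", "shortDescription": "Incomplete fix for CVE-2021-44228.",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2023-05-22",
         "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-2023-21839", "vendorProject": "Oracle", "product": "WebLogic Server",
         "vulnerabilityName": "Oracle WebLogic Server Unspecified Vulnerability",
         "dateAdded": "2023-05-01", "shortDescription": "Unauthenticated access via T3/IIOP.",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2023-05-22",
         "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

# Constructed asset inventory, as a scanner export might look (note the
# inconsistent case and trailing whitespace, which the code normalizes).
INVENTORY = [
    ("edge-router-01", "cve-2023-1389"),
    ("app-server-07", "CVE-2021-45046 "),
    ("weblogic-02", "CVE-2023-21839"),
    ("legacy-host-03", "CVE-0000-0001"),  # placeholder ID, not a real CVE
    ("legacy-host-03", "CVE-0000-0002"),  # placeholder ID, not a real CVE
]

# Constructed second source of "seen exploited" IDs (vendor telemetry, honeypots,
# a botnet tracker...). Placeholder IDs only.
OTHER_EXPLOITED = {"CVE-0000-0001", "CVE-2023-1389"}

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def normalize_cve(raw):
    """Upper-case, strip, and reject anything that is not a CVE identifier."""
    cve = raw.strip().upper()
    if not CVE_RE.match(cve):
        raise ValueError(f"malformed CVE id: {raw!r}")
    return cve


def load_kev(text):
    """Index a KEV JSON document by cveID."""
    doc = json.loads(text)
    return {normalize_cve(v["cveID"]): v for v in doc["vulnerabilities"]}


def triage(inventory, kev, other_exploited, today):
    """Bucket every (asset, CVE) pair; 'today' is injected so results are reproducible."""
    overdue, still_open, not_in_kev, unflagged = [], [], [], []
    for asset, raw in inventory:
        cve = normalize_cve(raw)
        entry = kev.get(cve)
        if entry is not None:
            due = date.fromisoformat(entry["dueDate"])
            (overdue if today > due else still_open).append((asset, cve, entry["dueDate"]))
        elif cve in other_exploited:
            not_in_kev.append((asset, cve))  # exploited per another source, KEV silent
        else:
            unflagged.append((asset, cve))
    return {"kev_overdue": overdue, "kev_open": still_open,
            "exploited_not_in_kev": not_in_kev, "unflagged": unflagged}


if __name__ == "__main__":
    report = triage(INVENTORY, load_kev(KEV_SNAPSHOT), OTHER_EXPLOITED, date.today())
    for bucket, rows in report.items():
        print(f"{bucket} ({len(rows)})")
        for row in rows:
            print("   ", *row)
```

The "exploited_not_in_kev" bucket is the practical answer to the VulnCheck finding: anything another trustworthy source reports as exploited gets KEV-level urgency even before CISA lists it, and "unflagged" is the residue that still needs ordinary CVSS/EPSS-style prioritization rather than being treated as safe.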