The new vulnerability, tracked as CVE-2023-35081 (CVSS score: 7.8), affects supported versions 11.10, 11.9 and 11.8 as well as versions that are currently at end-of-life (EOL).
“CVE-2023-35081 enables an authenticated administrator to write an arbitrary file on an EPMM server,” the company said in an advisory. “This vulnerability can be used in conjunction with CVE-2023-35078 to bypass administrator authentication and ACLs restrictions (if applicable).”
A successful exploit could allow a threat actor to write arbitrary files to the appliance, thereby enabling the malicious party to execute OS commands as the Tomcat user on the appliance.
“At this time, we are aware of the same limited number of customers affected by CVE-2023-35078 as those affected by CVE-2023-35081,” the company said.
It is worth noting that CVE-2023-35078 is a critical remote unauthenticated API access vulnerability that allows remote attackers to obtain sensitive information, add an EPMM administrative account, and change configuration due to authentication bypass.
Security flaws have been exploited by unknown actors targeting Norwegian government entities, prompting the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert urging users and organizations to implement the latest fixes.
The development comes as the Google Project Zero team said that 41 in-the-wild 0-days have been detected and disclosed in 2022, down from 69 in 2021, noting that 17 of those The first were the types of public vulnerabilities.
Google TAG researcher Maddy Stone said, “Similar to the overall number, the number of in-the-wild 0-days targeting browsers declined by 42% from 2021 to 2022, from 26 to 15.”
“Our assessment is that this reflects browser efforts to make exploits more difficult overall as well as a shift in attacker behavior away from browsers toward zero-click exploits that target other components on the device.”