The US Cybersecurity and Infrastructure Security Agency (CISA) has added six security vulnerabilities to its Known Exploitable Vulnerabilities (KEV) list, citing evidence of active exploitation.
This includes CVE-2023-27524 (CVSS score: 8.9), a high-severity vulnerability affecting the Apache Superset open-source data visualization software that could enable remote code execution. This was fixed in version 2.1.
Details of the issue first came to light in April 2023, with Horizon3.ai’s Naveen Sunkavally describing it as a “dangerous default configuration in Apache Superset that allows an unauthenticated attacker to gain remote code execution, harvest credentials, and compromise data.”
It is not currently known how this vulnerability is being exploited in the wild. CISA also added five more loopholes –
- CVE-2023-38203 (CVSS score: 9.8) – Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
- CVE-2023-29300 (CVSS score: 9.8) – Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
- CVE-2023-41990 (CVSS score: 7.8) – Apple Multiple Products Code Execution Vulnerability
- CVE-2016-20017 (CVSS score: 9.8) – D-Link DSL-2750B Devices Command Injection Vulnerability
- CVE-2023-23752 (CVSS score: 5.3) – Joomla! Improper Access Control Vulnerability
It’s worth noting that CVE-2023-41990, patched by Apple in iOS 15.7.8 and iOS 16.3, was used by unknown actors as part of Operation Triangulation spyware attacks to achieve remote code execution when processing a specially crafted iMessage PDF attachment.
Federal Civil Executive Branch (FCEB) agencies have been recommended to implement the fix for the above bug by January 29, 2024 to secure their networks against active threats.
