The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws impacting Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerabilities in question are listed below –
- CVE-2017-3066 (CVSS score: 9.8) – A deserialization vulnerability impacting Adobe ColdFusion in the Apache BlazeDS library that allows for arbitrary code execution. (Fixed in April 2017)
- CVE-2024-20953 (CVSS score: 8.8) – A deserialization vulnerability impacting Oracle Agile PLM that allows a low-privileged attacker with network access via HTTP to compromise the system. (Fixed in January 2024)
There are currently no public reports referencing the exploitation of these two vulnerabilities, although another flaw impacting Oracle Agile PLM (CVE-2024-21287, CVSS score: 7.5) came under active abuse late last year.
To mitigate the risks posed by potential attacks weaponizing these flaws, users are advised to apply the necessary updates. Federal agencies have until March 17, 2025, to secure their networks against the threats.
The development comes as threat intelligence firm GreyNoise revealed active exploitation attempts targeting CVE-2023-20198, a now-patched security flaw affecting vulnerable Cisco devices.
As many as 110 malicious IPs, primarily originating from Bulgaria, Brazil, and Singapore, have been linked to the malicious activity.
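The KEV catalog is more than a list: every entry carries a "dueDate" by which federal agencies must remediate, and that date is the practical prioritisation signal for everyone else too. The script below, an added example that is not part of the article, cross-checks a constructed asset inventory against a constructed extract of the KEV feed. The feed's real JSON field names ("cveID", "vendorProject", "product", "dateAdded", "requiredAction", "dueDate", "knownRansomwareCampaignUse") are used as published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; the two entries are built from the CVE IDs, products and March 17, 2025 deadline named above, while the "dateAdded" values, the "vulnerabilityName" strings and the host inventory are assumptions.

```python
"""Cross-check an asset inventory against a CISA KEV feed extract.

Added example, not from the article. Field names follow the published KEV
JSON feed; the entries, dates added, vulnerability names and the inventory
are constructed for illustration.
"""
import json
from datetime import date

# Constructed KEV extract in the feed's JSON shape. Only dueDate and the CVE IDs
# come from the article; dateAdded and vulnerabilityName are assumed.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2017-3066",
            "vendorProject": "Adobe",
            "product": "ColdFusion",
            "vulnerabilityName": "Adobe ColdFusion Deserialization Vulnerability",  # assumed
            "dateAdded": "2025-02-24",  # assumed
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
            "dueDate": "2025-03-17",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2024-20953",
            "vendorProject": "Oracle",
            "product": "Agile Product Lifecycle Management (PLM)",
            "vulnerabilityName": "Oracle Agile PLM Deserialization Vulnerability",  # assumed
            "dateAdded": "2025-02-24",  # assumed
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
            "dueDate": "2025-03-17",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed inventory: CVEs each internal host is still unpatched for.
SAMPLE_INVENTORY = {
    "cf-app-01": ["CVE-2017-3066"],
    "plm-prod-02": ["CVE-2024-20953", "CVE-2024-21287"],
    "web-03": [],
}


def load_kev(feed_json):
    """Parse the KEV feed text and index its entries by CVE ID."""
    data = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def kev_exposure(kev_by_cve, inventory, today):
    """Return (host, cve, product, days_left) for each inventory CVE that is in KEV.

    today may be a date or an ISO 8601 string. days_left is negative once the
    KEV due date has passed. CVEs not in KEV are skipped: still worth patching,
    but not what the catalog says to fix first.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev_by_cve.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append((host, cve, entry["product"], (due - today).days))
    # Most urgent (smallest or most negative days_left) first.
    return sorted(findings, key=lambda finding: finding[3])


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    for host, cve, product, days in kev_exposure(kev, SAMPLE_INVENTORY, "2025-03-10"):
        status = f"{days} days left" if days >= 0 else f"OVERDUE by {-days} days"
        print(f"{host:12} {cve:15} {product:42} {status}")
```

Run against the live feed by replacing SAMPLE_KEV_JSON with the downloaded file's contents; the inventory side is whatever your scanner or CMDB exports, keyed by host. Note that CVE-2024-21287 is deliberately left out of the constructed extract so the example shows the skip path for an unpatched CVE that is not on the catalog.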
“Two malicious IPs exploited CVE-2018-0171 in December 2024 and January 2025, originating from Switzerland and the United States — the same period when Salt Typhoon, a Chinese state-sponsored threat group, reportedly breached telecom networks using CVE-2023-20198 and CVE-2023-20273,” the GreyNoise Research Team said.