The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Monday positioned three security flaws to its Recognized Exploited Vulnerabilities (KEV) catalog, citing proof of energetic exploitation.
The vulnerabilities added are as follows –
- CVE-2023-48788 (CVSS rating: 9.3) – Fortinet FortiClient EMS SQL Injection Vulnerability
- CVE-2021-44529 (CVSS rating: 9.8) – Ivanti Endpoint Supervisor Cloud Service Equipment (EPM CSA) Code Injection Vulnerability
- CVE-2019-7256 (CVSS rating: 10.0) – Good Linear eMerge E3-Collection OS Command Injection Vulnerability
The shortcoming impacting Fortinet FortiClient EMS got here to gentle earlier this month, with the corporate describing it as a flaw that might enable an unauthenticated attacker to execute unauthorized code or instructions by way of particularly crafted requests.

Fortinet has since revised its advisory to verify that it has been exploited within the wild, though no different particulars concerning the character of the assaults are presently obtainable.
CVE-2021-44529, alternatively, issues a code injection vulnerability in Ivanti Endpoint Supervisor Cloud Service Equipment (EPM CSA) that permits an unauthenticated person to execute malicious code with restricted permissions.
Latest analysis printed by security researcher Ron Bowes signifies that the flaw might have been launched as an intentional backdoor in a now-discontinued open-source venture referred to as csrf-magic that existed no less than since 2014.
CVE-2019-7256, which allows an attacker to conduct distant code execution on Good Linear eMerge E3-Collection entry controllers, has been exploited by risk actors as early as February 2020.
The flaw, alongside 11 different bugs, had been addressed by Good (previously Nortek) earlier this month. That stated, these vulnerabilities had been initially disclosed by security researcher Gjoko Krstic in Could 2019.
In gentle of the energetic exploitation of the three flaws, federal businesses are required to use the vendor-provided mitigations by April 15, 2024.
The event comes as CISA and the Federal Bureau of Investigation (FBI) launched a joint alert, urging software program producers to take steps to mitigate SQL injection flaws.

The advisory particularly highlighted the exploitation of CVE-2023-34362, a crucial SQL injection vulnerability in Progress Software program’s MOVEit Switch, by the Cl0p ransomware gang (aka Lace Tempest) to breach hundreds of organizations.
“Regardless of widespread information and documentation of SQLi vulnerabilities over the previous 20 years, together with the supply of efficient mitigations, software program producers proceed to develop merchandise with this defect, which places many purchasers in danger,” the businesses stated.