CISA Issues Exploitation Warning for .NET Vulnerability

The US cybersecurity agency CISA on Tuesday added several flaws to its Known Exploited Vulnerabilities (KEV) catalog, including a .NET vulnerability patched last year.

The .NET vulnerability added to the agency’s KEV list is CVE-2024-29059, an information disclosure issue that can lead to unauthenticated remote code execution.

Microsoft patched the vulnerability in January 2024, and details and a proof-of-concept (PoC) exploit were made public several weeks later.

At least one cybersecurity firm added detections for CVE-2024-29059 exploitation attempts to its products last year, but there do not appear to be any public reports describing attacks that involve this vulnerability.

Microsoft has yet to update its advisory to indicate that the vulnerability has been publicly disclosed and exploited, but the tech giant’s initial advisory does assign an exploitation assessment of ‘exploitation more likely’.

CISA also added two old Paessler PRTG Network Monitor vulnerabilities to the KEV catalog: CVE-2018-9276, an OS command injection issue, and CVE-2018-19410, a local file inclusion flaw.

These vulnerabilities were patched in 2018, and their exploitation for arbitrary code/command execution requires admin privileges to the PRTG system administrator console. There do not appear to be any public reports describing exploitation of these security holes.

CISA has also added CVE-2024-45195, a remote code execution bug affecting Apache OFBiz, to its KEV catalog. This is not surprising, considering that CVE-2024-45195 is a variant of a flaw that has been known to be exploited since the summer of 2024.

However, there still do not appear to be any public reports describing attacks involving exploitation of CVE-2024-45195.
