The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerabilities are listed below –
- CVE-2012-4792 (CVSS score: 9.3) – Microsoft Internet Explorer Use-After-Free Vulnerability
- CVE-2024-39891 (CVSS score: 5.3) – Twilio Authy Information Disclosure Vulnerability
CVE-2012-4792 is a decade-old use-after-free vulnerability in Internet Explorer that could allow a remote attacker to execute arbitrary code via a specially crafted website.
It is currently not clear whether the flaw has been subjected to renewed exploitation attempts, although it was abused as part of watering hole attacks targeting the Council on Foreign Relations (CFR) and Capstone Turbine Corporation websites back in December 2012.
On the other hand, CVE-2024-39891 refers to an information disclosure bug in an unauthenticated endpoint that could be exploited to "accept a request containing a phone number and respond with information about whether the phone number was registered with Authy."
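An added illustration (not Twilio's or Authy's code) of the enumeration pattern described for CVE-2024-39891: a hypothetical lookup endpoint that leaks enrollment state, beside a hardened version that answers uniformly and throttles per client. The phone numbers, the threshold and all function names are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample data: phone numbers enrolled in the (hypothetical) service.
REGISTERED_NUMBERS = {"+15550100001", "+15550100002"}
MAX_LOOKUPS_PER_CLIENT = 5  # assumed rate-limit threshold


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def lookup_vulnerable(phone: str) -> Response:
    """Unauthenticated oracle: the reply depends on whether the number is enrolled,
    so anyone can confirm registration one number at a time."""
    if phone in REGISTERED_NUMBERS:
        return Response(200, "registered")
    return Response(404, "not found")


_lookups: Counter = Counter()  # requests seen per client identifier (e.g. source IP)
_sent_codes: list = []         # stand-in for an out-of-band delivery channel


def lookup_hardened(phone: str, client: str) -> Response:
    """Same endpoint with two mitigations: per-client throttling (a burst of lookups
    from one client is the signature of enumeration) and a uniform reply whose
    status and body do not depend on enrollment state. Enrollment-dependent work
    (sending a code to the number) happens out of band, invisible to the caller."""
    _lookups[client] += 1
    if _lookups[client] > MAX_LOOKUPS_PER_CLIENT:
        return Response(429, "too many requests")
    if phone in REGISTERED_NUMBERS:
        _sent_codes.append(phone)
    return Response(202, "if this number is enrolled, a code has been sent")


def leaks_enrollment(handler) -> bool:
    """Simple oracle check: True if a registered and an unregistered number
    produce distinguishable responses."""
    return handler("+15550100001") != handler("+15550199999")
```

The check in `leaks_enrollment` is the kind of test a defender can run against a lookup endpoint before exposing it without authentication.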
Earlier this month, Twilio said it resolved the issue in versions 25.1.0 (Android) and 26.1.0 (iOS) after unidentified threat actors took advantage of the shortcoming to identify data associated with Authy accounts.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA said in an advisory.
Federal Civilian Executive Branch (FCEB) agencies are required to remediate the identified vulnerabilities by August 13, 2024, to protect their networks against active threats.