The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws affecting Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerabilities in question are listed below –
- CVE-2017-3066 (CVSS score: 9.8) – A deserialization vulnerability affecting Adobe ColdFusion in the Apache BlazeDS library that allows for arbitrary code execution. (Fixed in April 2017)
- CVE-2024-20953 (CVSS score: 8.8) – A deserialization vulnerability affecting Oracle Agile PLM that allows a low-privileged attacker with network access via HTTP to compromise the system. (Fixed in January 2024)
There are currently no public reports referencing the exploitation of the vulnerabilities, although another flaw affecting Oracle Agile PLM (CVE-2024-21287, CVSS score: 7.5) came under active abuse late last year.

To mitigate the risks posed by potential attacks weaponizing these flaws, it is recommended that users take steps to apply the necessary updates. Federal agencies have until March 17, 2025, to secure their networks against the threats.
The development comes as threat intelligence firm GreyNoise revealed active exploitation attempts targeting CVE-2023-20198, a now-patched security flaw affecting vulnerable Cisco devices.
As many as 110 malicious IPs, primarily originating from Bulgaria, Brazil, and Singapore, have been linked to the malicious activity.
“Two malicious IPs exploited CVE-2018-0171 in December 2024 and January 2025, originating from Switzerland and the US — the same period when Salt Typhoon, a Chinese state-sponsored threat group, reportedly breached telecom networks using CVE-2023-20198 and CVE-2023-20273,” the GreyNoise Research Team said.