The US government’s cybersecurity agency CISA on Thursday added another batch of security flaws to its Known Exploited Vulnerabilities (KEV) catalog and urged federal agencies to patch these issues as a matter of urgency.
The already exploited vulnerabilities affect users of the open-source Roundcube webmail server and VMware Aria Operations for Networks.
Exploitation of the open-source mail server Roundcube flaws has been linked to Russian state-sponsored attacks against the Ukrainian government and other high-profile entities in the country.
Threat intelligence firm Recorded Future and Ukraine’s Computer Emergency Response Team (CERT-UA) have attributed the attacks to APT28, a notorious threat actor actor believed to be linked to Russia’s GRU military spy unit.
Tracked as CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026, the exploited flaws are described as cross-site scripting (XSS), remote code execution (RCE), and SQL injection bugs, respectively. Patches and mitigations have been available since at least 2021.
The VMware Aria Operations for Networks vulnerability, tracked as CVE-2023-20887 (CVSS severity score 9.8/10), is a command injection flaw that exposes unpatched systems to remote code execution exploits.
The flaw was patched in early June, but VMware updated its advisory this week to warn of in-the-wild exploitation reported by threat intelligence firm GreyNoise.
In addition to these four issues, CISA expanded its KEV catalog with two older bugs in Mozilla Firefox (CVE-2016-9079) and Microsoft Windows’ kernel-mode driver (CVE-2016-0165).
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned.
Per Binding Operational Directive (BOD) 22-01, federal agencies are required to identify and patch the vulnerabilities in CISA’s ‘Must Patch’ list within three weeks after they were added to the catalog. In this case, the six bugs should be addressed by July 13, 2023.