The US cybersecurity agency CISA on Wednesday warned that a recent critical AMI BMC vulnerability and a FortiOS bug patched over half a decade ago have been exploited in the wild.
Tracked as CVE-2024-54085 (CVSS score of 10/10), the AMI BMC flaw is an authentication bypass issue confirmed to impact HPE, Asus, Asrock, and Lenovo products.
Impacting the Redfish management interface, the security defect could allow attackers to take control of the target machine, deploy malware, modify its firmware, and even damage the motherboard.
AMI released patches for the CVE in March, when several OEMs published advisories to confirm impact. On Wednesday, CISA added it to its Known Exploited Vulnerabilities (KEV) catalog, warning of its in-the-wild exploitation.
Per Binding Operational Directive (BOD) 22-01, federal agencies have until July 17 to identify vulnerable products within their environments and apply the available patches.
There do not appear to be any public reports describing attacks involving the exploitation of CVE-2024-54085. A Shodan search conducted at the time of its disclosure showed that more than 1,000 internet-exposed systems may have been vulnerable to attacks.
Tracked as CVE-2019-6693 (CVSS score of 6.5), the FortiOS security defect exists because a cryptographic key used to encrypt sensitive data is hardcoded in the software.
An attacker with knowledge of the key and access to backup files could decipher the sensitive information, including passwords, passphrases for private keys, and the High Availability password.
The flaw was publicly disclosed in June 2020, along with two similar issues in FortiManager and FortiAnalyzer.
Fortinet addressed the issue in FortiOS versions 5.6.11 and above, 6.0.7 and above, and 6.2.1 and above, which allow administrators to choose to be prompted for a password to be used for the encryption of data in configuration files.
It is worth noting that there have been no other reports of these vulnerabilities being exploited before CISA added them to its KEV list, although technical details on how the FortiOS flaw could be abused for data deciphering were published last year.
The cybersecurity agency also added a security defect in discontinued D-Link DIR-859 routers to KEV. Tracked as CVE-2024-0769 (CVSS score of 9.8) and described as a path traversal issue, the bug has been exploited in the wild for roughly a year.
Related: Organizations Warned of Vulnerability Exploited Against Discontinued TP-Link Routers
Related: Exploitation Long Known for Most of CISA’s Latest KEV Additions
Related: CISA Warns of Ivanti EPM Vulnerability Exploitation
