The US cybersecurity agency CISA on Tuesday announced that it has added five more security defects to its Known Exploited Vulnerabilities catalog, warning organizations of attacks exploiting an Adobe Acrobat and Reader flaw that came to light earlier this year.
The Adobe Acrobat and Reader issue is CVE-2023-21608, a use-after-free vulnerability which can be exploited to achieve remote code execution (RCE) with the privileges of the current user.
Adobe released patches for this flaw in January 2023, but numerous proof-of-concept (PoC) exploits and technical write-ups have been published since, creating opportunities for threat actors to start targeting the issue in attacks.
Although there appear to be no public reports describing in-the-wild exploitation of CVE-2023-21608, CISA says it only adds CVEs to the KEV list based on solid proof that exploitation has occurred.
CISA also expanded KEV with CVE-2023-20109, an out-of-bounds write flaw in the Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS and IOS XE.
Also leading to RCE, the bug was patched at the end of September, when Cisco warned that it had observed exploitation attempts targeting it.
On the same day that Microsoft released patches for two zero-days impacting Skype for Business (CVE-2023-41763) and WordPad (CVE-2023-36563), CISA added both flaws to KEV. Neither Microsoft nor CISA have provided details on the observed attacks.
The fifth vulnerability that CISA has added to KEV on Tuesday is a zero-day in the HTTP/2 protocol, which has been exploited in some of the largest distributed denial-of-service (DDoS) attacks to date.
Referred to as HTTP/2 Rapid Reset, the attack method involves repeatedly sending requests and immediately canceling them. All applications and servers running the standard implementation of HTTP/2 are vulnerable to this attack.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA’s warning reads.
As per the Binding Operational Directive (BOD) 22-01, federal agencies have 21 days to identify the vulnerable products within their networks and apply the available patches and mitigations.
CISA’s BOD 22-01 only applies to federal agencies, but CISA encourages all organizations to review the KEV catalog and prioritize remediation of the security defects in it, or discontinue the use of the vulnerable products if mitigations are not available.