The US Cybersecurity and Infrastructure Security Agency (CISA) on Monday included three security flaws in its catalog of known exploited vulnerabilities (KEVs), citing evidence of active exploitation.
The added vulnerabilities are as follows:
- CVE-2023-48788 (CVSS Score: 9.3) – Fortinet FortiClient EMS SQL Injection Vulnerability
- CVE-2021-44529 (CVSS Score: 9.8) – Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability
- CVE-2019-7256 (CVSS Score: 10.0) – Nice Linear eMerge E3-Series OS Command Injection Vulnerability
The issue affecting Fortinet FortiClient EMS came to light earlier this month, with the company describing it as a flaw that could allow an unauthenticated attacker to execute unauthorized code or commands via specially crafted requests.
Fortinet has since revised its advisory to confirm that the flaw has been exploited in the wild, although no other details about the nature of the attacks are currently available.
CVE-2021-44529, meanwhile, concerns a code injection vulnerability in Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) that allows an unauthenticated user to execute malicious code with limited permissions.
Recent research published by security researcher Ron Bowes indicates that the flaw may have been introduced as an intentional backdoor into a now-discontinued open source project called csrf-magic that has existed since at least 2014.
CVE-2019-7256, which allows an attacker to perform remote code execution on Nice Linear eMerge E3 Series access controllers, was exploited by threat actors as early as February 2020.
The flaw, along with 11 other bugs, was fixed by Nice (formerly Nortek) earlier this month. That said, these vulnerabilities were originally disclosed by security researcher Gjoko Krstic in May 2019.
In light of the active exploitation of the three flaws, federal agencies are required to apply vendor-provided mitigations by April 15, 2024.
The development comes as CISA and the Federal Bureau of Investigation (FBI) released a joint advisory, urging software makers to take steps to mitigate SQL injection flaws.
The advisory specifically highlighted the exploitation of CVE-2023-34362, a critical SQL injection vulnerability in Progress Software’s MOVEit Transfer, by the Cl0p (also known as Lace Tempest) ransomware group to breach thousands of organizations.
“Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective fixes, software vendors continue to develop products with this flaw, which puts many customers at risk,” the agencies said.
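Two of the flaws discussed on this page (FortiClient EMS and MOVEit Transfer) are SQL injection bugs, and the "effective fixes" the agencies refer to come down to keeping untrusted input out of the query's structure. The following is an added, generic illustration written for this article; it is not code from Fortinet, Progress Software, CISA or any real product, and the in-memory `users` table, the `login_vulnerable` / `login_parameterized` function names and the sample rows are all constructed for the example. The vulnerable version builds the statement by string formatting, so a username of `admin' --` comments out the password check; the hardened version passes the same input as a bound parameter and the login correctly fails.

```python
import sqlite3


def make_db():
    """Constructed in-memory table for illustration only (not any product's schema).
    Real applications must store password hashes, never plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "S3cret!", "admin"), ("alice", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """VULNERABLE: attacker-controlled strings are spliced into the SQL text.
    A username of  admin' --  turns the rest of the WHERE clause into a comment,
    so the password is never checked. Kept deliberately insecure for the demo."""
    query = (
        f"SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_parameterized(conn, username, password):
    """HARDENED: the statement is fixed text with placeholders; the driver sends
    the values separately, so no input can change the query's structure."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    injected = "admin' --"  # constructed attacker input
    print("vulnerable  :", login_vulnerable(db, injected, "wrong-password"))
    print("parameterized:", login_parameterized(db, injected, "wrong-password"))
```

Running the script shows the vulnerable function returning the admin row without a valid password while the parameterized function returns `None`. The same distinction applies regardless of database engine or ORM: any code path that concatenates untrusted data into SQL text is the pattern the CISA/FBI advisory is asking vendors to eliminate.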