The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently updated its Known Exploited Vulnerabilities (KEV) catalog, incorporating two critical vulnerabilities impacting Cisco and Windows products, indicating ongoing exploitation by cybercriminals.
-
CVE-2023-20118 (CVSS Score: 6.5) – This command injection vulnerability affects the web management interface of Cisco Small Business RV Series Routers (RV016, RV042, RV042G, RV082, RV320, RV325). Through improper validation of user input in HTTP packets, an authenticated remote attacker can execute arbitrary commands. This exploitation is contingent on having valid administrative credentials but can grant root-level access to unauthorized data.
-
CVE-2018-8639 (CVSS Score: 7.8) – This vulnerability pertains to an elevation of privilege in Windows, resulting from the Win32k component’s inability to manage memory objects properly. Attackers can exploit this flaw to gain elevated privileges, allowing them to execute arbitrary code in kernel mode and effectively control the affected Windows system.
CISA’s advisory mandates that all Federal Civilian Executive Branch (FCEB) agencies must apply the necessary patches by March 24, 2025, in accordance with the November 2021 Binding Operational Directive. It’s worth noting that Cisco has not provided a patch for CVE-2023-20118 due to the affected models reaching their end of life, while Microsoft addressed CVE-2018-8639 in a December 2018 security update.
Organizations utilizing these affected products should take immediate action to bolster their defenses. Recommended measures include disabling remote management, upgrading to the latest firmware, monitoring network activity for anomalies, utilizing strong passwords, restricting access to trusted sources, and implementing multi-layered security strategies.