On Monday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two security vulnerabilities affecting Cisco and Microsoft Windows products to its Known Exploited Vulnerabilities (KEV) catalog, warning organizations that both are being actively exploited by malicious actors.
Both entries were added on the basis of evidence of active exploitation. Vulnerabilities of this kind are frequent attack vectors for malicious cyber actors and pose significant risks to organizations. The two entries are:
CVE-2023-20118 (CVSS Score: 6.5) – Cisco Small Business RV Series Routers Command Injection Vulnerability:
This flaw exists in the web-based management interface of the Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 routers.
It is caused by improper validation of user input within incoming HTTP packets and allows an authenticated, remote attacker to execute arbitrary commands on an affected device.
An attacker exploits it by sending a specially crafted HTTP request to the web-based management interface.
A successful exploit gives the attacker root-level privileges on the device and access to unauthorized data. Exploitation does, however, require valid administrative credentials, which is why the CVSS score is only medium despite the root-level impact.
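To make the bug class concrete, the following is an added, constructed illustration and not Cisco's code: a hypothetical connectivity-check endpoint on a router's web UI takes a `host` parameter from the HTTP request and hands it to a shell, so shell metacharacters in the parameter become extra commands. The hardened version allow-lists the value and passes it as a single argv element with no shell. A small detector over the query string shows what "monitoring for unusual activity" against such an interface can look like. `echo` stands in for the real network tool, and the `HOST_RE` and `SHELL_META` patterns are the author's assumptions here, not anything from the Cisco advisory.

```python
import re
import subprocess
from urllib.parse import parse_qs

# Constructed illustration of the bug class (not Cisco code): a router web UI
# exposes a connectivity-check endpoint that takes a "host" parameter from the
# HTTP request and hands it to a shell. "echo" stands in for the real network
# tool so the demonstration is harmless.


def vulnerable_handler(host: str) -> str:
    """Interpolates the raw parameter into a shell command line (the bug)."""
    cmdline = f"echo checking {host}"
    out = subprocess.run(["sh", "-c", cmdline], capture_output=True, text=True)
    return out.stdout


# Assumed allow-list for a hostname or IPv4 literal (illustrative, not Cisco's).
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def hardened_handler(host: str) -> str:
    """Allow-lists the parameter and passes it as one argv element, no shell."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    out = subprocess.run(["echo", "checking", host], capture_output=True, text=True)
    return out.stdout


# Detection side: shell metacharacters in a query string aimed at a management
# interface are worth alerting on even when the request is authenticated, since
# this class of bug needs valid admin credentials to begin with.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")


def suspicious_params(query: str) -> dict[str, str]:
    """Returns the query parameters whose (URL-decoded) values contain shell metacharacters."""
    found = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for v in values:
            if SHELL_META.search(v):
                found[name] = v
    return found


if __name__ == "__main__":
    payload = "10.0.0.1; echo INJECTED"          # constructed sample input
    print(vulnerable_handler(payload), end="")   # the injected command runs
    try:
        hardened_handler(payload)
    except ValueError as e:
        print(e)                                 # rejected before any command runs
    print(suspicious_params("host=10.0.0.1%3B+echo+INJECTED&ttl=64"))
```

The detector decodes the query string before matching, so percent-encoded metacharacters (`%3B` for `;`) are caught as well as literal ones; matching on the raw request line would miss them.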
CVE-2018-8639 (CVSS Score: 7.8) – Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability:
This is an elevation of privilege flaw that exists when the Win32k component fails to properly handle objects in memory; Microsoft's own title for it is "Win32k Elevation of Privilege Vulnerability."
A local attacker who has already obtained code execution on the machine can exploit it to run arbitrary code in kernel mode, effectively taking full control of the affected Windows system.
According to the security advisory Microsoft issued in December 2018, CVE-2018-8639 affects Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows 8.1, Windows RT 8.1, Windows Server 2012, Windows Server 2012 R2, Windows 10, Windows Server 2016, Windows Server 2019, and the Windows Server semi-annual channel (Server Core) releases.
In response to the active exploitation, CISA has required all Federal Civilian Executive Branch (FCEB) agencies, under the November 2021 Binding Operational Directive (BOD) 22-01, to remediate both flaws by March 24, 2025. Remediation under the directive means applying the vendor's fix or mitigations, or discontinuing use of the product where no fix exists.
For CVE-2023-20118 that distinction matters: Cisco has not released a patch and does not plan to, because the affected RV models have reached end-of-life (EoL), so the only durable fix is to replace the hardware with a supported model.
CVE-2018-8639, by contrast, was fixed by Microsoft in its December 2018 security update, so any system still exposed is one that has gone more than six years without that patch.
Organizations still running these products should act now: disable remote (WAN-side) management on the routers and restrict access to the management interface to trusted hosts, install the latest available firmware or Windows updates, enforce strong and unique administrator credentials, monitor for unusual network activity and unexpected commands on these devices, and rely on layered defenses rather than on the device itself holding up.