CISA adds new vulnerabilities to its Known Exploited Vulnerabilities catalog


On April 8, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities (KEV) catalog with five new security flaws, including three high-severity vulnerabilities in Veritas Backup Exec Agent software. The three flaws, CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878, could enable threat actors to execute privileged commands on the underlying system. These vulnerabilities were addressed in a patch released by Veritas in March 2021.

Mandiant, a Google-owned cybersecurity firm, reported last week that an affiliate associated with the BlackCat ransomware operation has been targeting publicly exposed Veritas Backup Exec installations to gain initial access. This was achieved by exploiting the three Veritas Backup Exec Agent software vulnerabilities mentioned above. Mandiant has been tracking the affiliate actor under the UNC4466 moniker, and it first observed exploitation of the flaws in the wild on October 22, 2022.

The fourth vulnerability added to the KEV catalog is CVE-2019-1388, a privilege escalation flaw in Microsoft Windows Certificate Dialog. This vulnerability could allow threat actors to run processes with elevated permissions on an already compromised host.

The fifth vulnerability added to the list is an information disclosure flaw in Arm Mali GPU Kernel Driver (CVE-2023-26083). Google’s Threat Analysis Group (TAG) reported last month that this vulnerability was abused by an unnamed spyware vendor as part of an exploit chain to break into Samsung’s Android smartphones.

Federal Civilian Executive Branch (FCEB) agencies have until April 28, 2023, to apply the patches to secure their networks against potential threats.

In a related development, Apple released updates for iOS, iPadOS, macOS, and Safari web browser to address a pair of zero-day vulnerabilities that it said had been exploited in real-world attacks. These two zero-day vulnerabilities, CVE-2023-28205 and CVE-2023-28206, have been added to the KEV catalog, and FCEB agencies have been urged to secure iOS, iPadOS, and macOS devices by May 1, 2023.

Mohamed Nabil Ali

A Trailblazing IT Expert, Technology Geek, and Bughunter.