
NHS urges orgs to apply security update for Okta Client RCE bug
2022-02-25 18:58

The UK's NHS Digital agency is warning organizations to apply new security updates for a remote code execution vulnerability in the Windows client for the Okta Advanced Server Access authentication management platform.

"NHS Digital is the national digital, data and technology delivery partner for the NHS and social care system," explains the website for NHS Digital.

In an NHS Digital Cyber Alert released yesterday, all organizations are advised to apply the latest patches for the Okta Advanced Server Access client to fix an RCE vulnerability disclosed last week.

Last week, Okta disclosed a new remote code execution vulnerability, tracked as CVE-2022-24295, that allows remote attackers to perform command injection via a specially crafted URL. Remote code execution can lead to complete control of the affected system, silent data exfiltration, lateral movement across the network, and initial access to corporate networks.

Okta released Advanced Server Access Client version 1.57.0 last week, but organizations need to roll out the update quickly, as threat actors are likely to start scanning for vulnerable deployments.

The vendor hasn't provided any mitigations or workarounds, so the remediation advice is limited to updating to the latest client available from Okta.
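Because the only remediation is upgrading the client, the practical first step for a defender is to find every Windows host still running a build below 1.57.0. The following PowerShell snippet is an added example written for this page; it is not from the article, NHS Digital or Okta. It reads the standard Windows Uninstall registry keys and flags entries below the fixed version. It assumes the client registers itself under those keys with a DisplayName containing "Advanced Server Access"; that name pattern, and the function name, are assumptions, so adjust the pattern to match what your own installs report.

```powershell
# Added example (not from the article or from Okta): inventory check that
# flags installs of the Okta Advanced Server Access Windows client older
# than the fixed release 1.57.0 (the version named in the article).
# ASSUMPTION: the client appears under the standard Uninstall keys with a
# DisplayName matching the pattern below; change it if your installs differ.
$FixedVersion = [version]'1.57.0'
$NamePattern  = '*Advanced Server Access*'   # assumed DisplayName pattern

# Machine-wide (64-bit and 32-bit views) plus the current user's per-user installs.
# Other users' HKCU hives are not covered; run under each account or load their hives.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function ConvertTo-NormalizedVersion([string]$Text) {
    # Keep the leading dotted-numeric part and drop suffixes such as "-beta".
    if ($Text -notmatch '^\s*(\d+(\.\d+)*)') { return $null }
    $parts = @($Matches[1].Split('.') | Select-Object -First 4)
    # [version] treats "1.57" as less than "1.57.0", so pad to three components.
    while ($parts.Count -lt 3) { $parts += '0' }
    return [version]($parts -join '.')
}

function Test-OktaAsaClientVersion {
    # Returns one object per matching install with a Vulnerable flag
    # ($true / $false / 'unknown' when the version string cannot be parsed).
    $entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern }

    if (-not $entries) {
        Write-Verbose "No install matching '$NamePattern' found on $env:COMPUTERNAME"
        return
    }

    foreach ($entry in $entries) {
        $parsed = ConvertTo-NormalizedVersion $entry.DisplayVersion
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Product    = $entry.DisplayName
            Version    = $entry.DisplayVersion
            Vulnerable = if ($null -eq $parsed) { 'unknown' }
                         elseif ($parsed -lt $FixedVersion) { $true }
                         else { $false }
        }
    }
}

# Run locally; wrap in Invoke-Command -ComputerName ... to sweep a fleet.
Test-OktaAsaClientVersion | Format-Table -AutoSize
```

Rows marked `unknown` deserve a manual look rather than being treated as patched: a version string the script cannot parse is usually a packaging quirk, not evidence that the fix is present.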


News URL

https://www.bleepingcomputer.com/news/security/nhs-urges-orgs-to-apply-security-update-for-okta-client-rce-bug/

Related Vulnerability

Date: 2022-02-21
CVE: CVE-2022-24295
Title: Code Injection vulnerability in Okta Advanced Server Access Client for Windows
Description: Okta Advanced Server Access Client for Windows prior to version 1.57.0 was found to be vulnerable to command injection via a specially crafted URL.
Attack vector: network
Attack complexity: low
Vendor: okta
Weakness: CWE-94
Risk score: 8.8