
CISA's KEV Catalog Updated with 3 New Flaws Threatening IT Management Systems
2023-03-08 06:30

The U.S. Cybersecurity and Infrastructure Security Agency has added three security flaws to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation.

The most critical of the three is CVE-2022-35914, which concerns a remote code execution vulnerability in the third-party library htmlawed present in Teclib GLPI, an open source asset and IT management software package.

Lastly, also added to the KEV catalog is a remote code execution flaw in Zoho ManageEngine ADSelfService Plus that was patched in April 2022.

"Multiple Zoho ManageEngine ADSelfService Plus contains an unspecified vulnerability allowing for remote code execution when performing a password change or reset," CISA said.

Cybersecurity company Rapid7, which discovered the bug, said it detected active exploitation attempts by threat actors to "Execute arbitrary OS commands in order to gain persistence on the underlying system and attempt to pivot further into the environment."

The development comes as API security firm Wallarm said it has found ongoing exploit attempts of two VMware NSX Manager flaws since December 2022 that could be leveraged to execute malicious code and siphon sensitive data.


News URL

https://thehackernews.com/2023/03/cisas-kev-catalog-updated-with-3-new.html

Related Vulnerability

DATE: 2022-09-19
CVE: CVE-2022-35914
VULNERABILITY TITLE: Injection vulnerability in Glpi-Project Glpi
DESCRIPTION: /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.
ATTACK VECTOR: network
ATTACK COMPLEXITY: low complexity
VENDOR: glpi-project
CWE: CWE-74
RISK: critical (CVSS 9.8)
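A defender-side check for the GLPI entry above, added here as an example and not code from the article, CISA, or the GLPI project: it tests whether a GLPI version string falls inside the affected range the record gives ("through 10.0.2") and scans web-server access log lines for requests to the htmLawedTest.php path named in the record, so an operator can see whether the test script was being probed and whether those requests succeeded. The log lines, IP addresses, and the /glpi URL prefix are constructed sample data; the log format assumed is the Apache common/combined format.

```python
import re
from typing import Dict, List, Tuple

# Path named in the CVE-2022-35914 record (htmlawed test script shipped in GLPI's vendor tree).
VULNERABLE_PATH = "/vendor/htmlawed/htmlawed/htmLawedTest.php"

# "GLPI through 10.0.2" per the record: releases up to and including 10.0.2 are affected.
LAST_AFFECTED_VERSION = (10, 0, 2)

# Apache common/combined log format (assumption: logs follow this layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample access log lines (not real traffic): one ordinary GLPI page hit,
# one successful POST to the test script, one probe that was answered with 404.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [10/Mar/2023:09:12:41 +0000] "GET /glpi/front/central.php HTTP/1.1" 200 5120',
    '203.0.113.77 - - [10/Mar/2023:09:13:02 +0000] "POST /glpi/vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1" 200 812',
    '198.51.100.9 - - [10/Mar/2023:09:13:30 +0000] "GET /glpi/vendor/htmlawed/htmlawed/htmlawedtest.php?sid=1 HTTP/1.1" 404 210',
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.0.2' (or '10.0.2-rc1') into a comparable tuple of the leading numeric parts."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group(0)))
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(parts)


def is_affected_version(version: str) -> bool:
    """True when the GLPI version is within the range the record calls affected (<= 10.0.2)."""
    return parse_version(version) <= LAST_AFFECTED_VERSION


def find_probe_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Return every parsed request whose path ends with the htmLawedTest.php path.

    Matching is case-insensitive and ignores the query string, so probes that vary
    case or append parameters are still reported. The HTTP status is kept so the
    caller can tell a successful hit (2xx) from a probe against a removed file (404).
    """
    hits = []
    target = VULNERABLE_PATH.lower()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed log format
        path = m.group("path").split("?", 1)[0]
        if path.lower().endswith(target):
            hits.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "method": m.group("method"),
                "path": m.group("path"),
                "status": m.group("status"),
            })
    return hits


def assess(version: str, lines: List[str]) -> Dict[str, object]:
    """Combine the version check and the log scan into one summary for an operator."""
    hits = find_probe_requests(lines)
    successful = [h for h in hits if h["status"].startswith("2")]
    return {
        "version_affected": is_affected_version(version),
        "probe_count": len(hits),
        "successful_probe_count": len(successful),
        "probe_sources": sorted({h["ip"] for h in hits}),
    }


if __name__ == "__main__":
    summary = assess("10.0.2", SAMPLE_ACCESS_LOG)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

A successful request to the test script on an affected version is the combination worth escalating; a 404 against it only shows that someone looked for the file. Upgrading GLPI past 10.0.2 and confirming the test script is no longer served are the two things this check is meant to verify.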