The Cybersecurity and Infrastructure Security Agency (CISA) added seven vulnerabilities to its catalog of Known Exploited Vulnerabilities.
The additions include an arbitrary file upload vulnerability in Trend Micro Apex Central; an insufficient access control flaw in the Dell dbutil driver; an improper permissions vulnerability in QNAP NAS devices running HBS 3; an authentication bypass vulnerability in the Sophos Firewall User Portal and Webadmin; a privilege escalation vulnerability in the Microsoft Windows User Profile Service; and two authentication bypass vulnerabilities in Dasan Gigabit Passive Optical Network (GPON) routers.
All seven entries carry a remediation due date of April 21, and CISA said all seven additions were “based on evidence of active exploitation.”
“These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose a significant risk to the federal enterprise,” CISA explained.
Sophos released a security advisory about CVE-2022-1040, noting that the flaw was reported through its bug bounty program and has been fixed.
“Sophos has observed that this vulnerability is being used to target a specific small set of organizations primarily in the South Asia region,” the advisory adds, pointing out that it has a CVSS score of 9.8.
Trend Micro has also published its own advisory on CVE-2022-26871, noting that it has a CVSS score of 8.6.
“Trend Micro has observed active attempts to exploit this vulnerability in the wild (ITW) in a very limited number of cases, and we have already been in contact with these customers. All customers are strongly encouraged to update to the latest version as soon as possible,” the company said.
Bud Broomhead, CEO of security firm Viakoo, said two of the seven vulnerabilities cannot be patched because the product is outdated and the manufacturer is unable to provide a fix, referring to the two vulnerabilities affecting the Dasan routers.
Dasan told VPNmentor in March that, based on its sales records, it estimates approximately 240,000 units are affected by the vulnerabilities. But the company said, “given the relative maturity of the products in their life cycle, we believe the impact is limited to even fewer devices.”
“Unlike most known exploited vulnerabilities in the CISA catalog, two of these vulnerabilities (Trend Micro CVE-2022-26871 and Sophos CVE-2022-1040) have been discovered in recent days,” Broomhead explained.
“This means that the time to develop a patch, distribute it and deploy it is much shorter than with others. Organizations should be extremely vigilant with these patches, as the normal testing process may have been rushed given that they are new, exploited, and of high severity.”