CISA adds Critical WatchGuard and Microsoft AD flaws to Catalog of exploited vulnerabilities


The Cybersecurity and Infrastructure Security Agency (CISA) has added a Critical WatchGuard and two Microsoft Active Directory (AD) flaws, along with five other vulnerabilities to its Known Exploited Vulnerabilities Catalog.

An attacker could exploit these vulnerabilities to take over impacted systems.

WatchGuard CVE-2022-23176

According to CISA, one of the exploited flaws is the authentication bypass vulnerability CVE-2022-23176, which affects WatchGuard Firebox and XTM devices.

“WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access,” WatchGuard explained in the advisory.

WatchGuard previously released firmware updates for the affected products, as noted in the NIST security advisory for CVE-2022-23176 (CVSS score 8.8).

Back on February 23, 2022, WatchGuard wrote in a blog post that the company had worked with CISA, the Federal Bureau of Investigation (FBI) and other authorities to investigate Cyclops Blink, an advanced modular botnet allegedly linked to the Sandworm APT group, and new attacks against a limited number of WatchGuard firewall appliances.

Sandworm threat actors were also observed earlier this year using Cyclops Blink in cyber attacks against small office/home office (SOHO) routers and network-attached storage (NAS) devices.

WatchGuard also developed tools to help remediate the Cyclops Blink malware:

“In response to this sophisticated, state-sponsored botnet, WatchGuard has developed and released a set of simple and easy-to-use Cyclops Blink detection tools, as well as a 4-Step process to help customers diagnose, remediate if necessary, and prevent future infection.”

AD and other exploited vulnerabilities

CISA also added the following seven exploited vulnerabilities to the Catalog:

CVE              Vulnerability Name
CVE-2021-42287   Microsoft Active Directory Domain Services Privilege Escalation Vulnerability
CVE-2021-42278   Microsoft Active Directory Domain Services Privilege Escalation Vulnerability
CVE-2021-39793   Google Pixel Out-of-Bounds Write Vulnerability
CVE-2021-27852   Checkbox Survey Deserialization of Untrusted Data Vulnerability
CVE-2021-22600   Linux Kernel Privilege Escalation Vulnerability
CVE-2020-2509    QNAP Network-Attached Storage (NAS) Command Injection Vulnerability
CVE-2017-11317   Telerik UI for ASP.NET AJAX Unrestricted File Upload Vulnerability

The two Microsoft Active Directory (AD) vulnerabilities (CVE-2021-42287 and CVE-2021-42278) should also be prioritized for remediation, given how critical AD is in most enterprise organizations and given the history of other severe exploits against AD domain controllers and related services, such as Zerologon (CVE-2020-1472).

Another notable exploited issue is the QNAP command injection vulnerability (CVE-2020-2509). It could allow a remote attacker with access to the web server (default port 8080) to execute arbitrary shell commands without prior knowledge of the web credentials.

Readers can check out the most recent CISA post from April 11, 2022, as well as the complete Known Exploited Vulnerabilities Catalog.
