The Cybersecurity and Infrastructure Security Agency (CISA) has added 8 vulnerabilities to its Known Exploited Vulnerabilities Catalog, including Apple iOS, Google Chrome, Cisco AnyConnect Secure, and Gigabyte vulnerabilities.
An attacker could exploit these vulnerabilities to take control of impacted systems.
Chrome 107 zero-day
CISA added one Chrome 107 High severity ‘Type Confusion in V8’ vulnerability (CVE-2022-3723) to the list of known exploited vulnerabilities on October 28, 2022.
Google released a Chrome 107 security update on October 27, 2022 and warned it “is aware of reports that an exploit for CVE-2022-3723 exists in the wild.”
Apple iOS and iPad zero-day
CISA added a more recently fixed zero-day Apple iOS/iPad vulnerability CVE-2022-42827 on October 25, 2022.
The latest iOS 16.1 and iPadOS 16 security update, released on October 24, addressed a zero-day ‘out-of-bounds write issue’ vulnerability, CVE-2022-42827, that could allow an application to execute arbitrary code with kernel privileges.
“Apple is aware of a report that this issue may have been actively exploited,” Apple warned.
The updates are available for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later models.
Cisco AnyConnect vulnerabilities
CISA also added two Cisco AnyConnect vulnerabilities to the Exploited Catalog as of October 24, 2022:
- CVE-2020-3433: Cisco AnyConnect Secure Mobility Client for Windows DLL Hijacking Vulnerability (CVSS 7.8)
- CVE-2020-3153: Cisco AnyConnect Secure Mobility Client for Windows Uncontrolled Search Path Vulnerability (CVSS 6.5).
Although Cisco released an advisory for each of these issues in early 2020, Cisco released an update on October 25, 2022 stating that it “became aware of active exploitation attempts.”
CISA also added multiple Gigabyte vulnerabilities to its Known Exploited Vulnerabilities Catalog on October 24, 2022:
- CVE-2018-19323: GIGABYTE Multiple Products Privilege Escalation Vulnerability (CVSS 7.8)
- CVE-2018-19322: GIGABYTE Multiple Products Code Execution Vulnerability (CVSS 7.8)
- CVE-2018-19321: GIGABYTE Multiple Products Privilege Escalation Vulnerability (CVSS 7.8)
- CVE-2018-19320: GIGABYTE Multiple Products Unspecified Vulnerability (CVSS 9.8).
Readers can check out more details on all recent vulnerabilities added to CISA’s Known Exploited Vulnerabilities Catalog.