The Cybersecurity and Infrastructure Security Agency (CISA) has added six vulnerabilities to its Known Exploited Vulnerabilities Catalog, to include iOS, Microsoft, Fortinet, Citrix and Veeam vulnerabilities.
CISA warned “these types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.”
As a result, these vulnerabilities have been added to the Catalog based on evidence of active exploitation.
As part of multiple security advisories released on December 13, Apple addressed a type confusion WebKit vulnerability (CVE-2022-42856) in iOS 16.1.2, Safari 16.2, tvOS 16.2, macOS Ventura 13.1, and iOS 15.7.2 and iPadOS 15.7.2.
As a consequence, processing maliciously crafted web content may lead to arbitrary code execution.
“Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1,” Apple warned.
Defender SmartScreen exploit
Another of the added exploits include a Microsoft Defender SmartScreen Security Feature Bypass vulnerability (CVE-2022-44698). This issue was patched by Microsoft as part of December 2022 patch releases.
“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,” Microsoft warned in the advisory.
As a result, hackers could host a malicious website in web-based attacks or send phishing emails with embedded URL files, each designed to exploit the security feature bypass.
Microsoft also confirmed “exploitation was detected.”
Moreover, CISA also added a Critical heap-based buffer overflow vulnerability in FortiOS SSL-VPN (CVE-2022-42475) that could allow the execution of unauthorized code or commands.
“Fortinet is aware of an instance where this vulnerability was exploited in the wild,” Fortinet wrote in an advisory and recommended users apply the latest FortiOS version upgrades or workarounds to address the flaw.
Citrix and Veeam exploits
Finally, CISA added the following vulnerabilities to its exploit catalog on December 13, 2022:
- CVE-2022-27518: Critical unauthenticated remote arbitrary code execution vulnerability in Citrix ADC and Citrix Gateway (CVSS 9.8).
- CVE-2022-26500 and CVE-2022-26501: Multiple vulnerabilities in Veeam Backup & Replication could allow executing malicious code remotely without authentication (CVSS 9.3).
Readers can check out the latest details on CISA’s Known Exploited Vulnerabilities Catalog.