The Cybersecurity and Infrastructure Security Agency (CISA) has added one Microsoft Exchange and one Windows zero-day vulnerability to its Known Exploited Vulnerabilities Catalog.
CISA warned that “these types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.”
Both vulnerabilities were added to the Catalog based on evidence of active exploitation.
The two Microsoft vulnerabilities added to the catalog are as follows:
- CVE-2022-41080: Microsoft Exchange Server Privilege Escalation Vulnerability (CVSS 8.8).
- CVE-2023-21674: Microsoft Windows Advanced Local Procedure Call (ALPC) Privilege Escalation Vulnerability (CVSS 8.8).
Microsoft patched CVE-2022-41080 back in November 2022 and warned in its advisory at the time that the Critical EoP vulnerability was “more likely” to be exploited.
CVE-2023-21674 is a zero-day vulnerability that could lead to a browser sandbox escape and allow an attacker who successfully exploits it to gain SYSTEM privileges.
The latter was patched as part of this month’s (January 2023) Patch Tuesday release, which includes 98 total vulnerability updates.
Microsoft confirmed in the advisory “Exploitation Detected.”
Readers can check out the latest details on CISA’s Known Exploited Vulnerabilities Catalog.