The US cybersecurity agency CISA added Sophos, Oracle and Microsoft product flaws to its Known Exploited Vulnerabilities (KEV) catalog on Thursday.
The Sophos flaw that the agency says has been exploited in attacks is CVE-2023-1671, a critical Sophos Web Appliance vulnerability that can be exploited by an unauthenticated attacker for arbitrary code execution.
Sophos announced patches in April, when it also informed customers that the impacted appliance would reach end of life on July 20, 2023.
There do not appear to be any public reports describing attacks exploiting CVE-2023-1671 and Sophos could not provide clarifications to SecurityWeek by the time this article was published.
It’s not uncommon for threat actors to exploit Sophos product vulnerabilities in their attacks. Some attacks have been linked to a Chinese APT and targeted government and other organizations in South Asia.
CISA’s KEV list currently includes four other Sophos product vulnerabilities, found in 2020 and 2022.
The second vulnerability added to CISA’s KEV list on Thursday is CVE-2020-2551, an Oracle WebLogic Server flaw that can be exploited by unauthenticated attackers to take control of affected servers.
CVE-2020-2551 was one of the four vulnerabilities targeted for initial compromise by a Chinese threat actor, according to a blog post published in early June by threat intelligence company EclecticIQ. The attacks seen by the security firm were aimed at government and critical infrastructure organizations in Taiwan.
It’s worth noting that at the time of writing CVE-2020-2551 is erroneously referenced as CVE-2023-2551 in an alert published by CISA. The correct CVE identifier is used in the KEV catalog, but not in the alert.
CISA on Thursday also added CVE-2023-36584 to its KEV catalog. This vulnerability allows attackers to bypass the Mark of the Web (MotW) security feature in Windows.
Details of the vulnerability were disclosed on November 13 by Palo Alto Networks, whose researchers discovered the flaw. The researchers identified CVE-2023-36584 during an analysis of attacks launched by a Russia-linked APT, which leveraged a different MotW bypass flaw tracked as CVE-2023-36884, whose exploitation came to light in July.
However, Palo Alto Networks’ blog post does not clearly state that CVE-2023-36584 has been exploited as well. In addition, Microsoft’s October 10 advisory says the vulnerability has not been exploited.
It’s unclear if CISA has other evidence of exploitation for CVE-2023-36884 or if it may have misinterpreted Palo Alto Networks’ blog post. The agency says it only adds vulnerabilities to its KEV catalog if it has reliable evidence of exploitation, but it has been known to remove CVEs from the list.
Related: Samsung Phone Flaws Added to CISA ‘Must Patch’ List Likely Exploited by Spyware Vendor
Related: Government Shutdown Could Bench 80% of CISA Staff
Related: Faster Patching Pace Validates CISA’s KEV Catalog Initiative
