CISA Known Exploited Vulnerabilities (KEV)
7.8
CVE-2022-41033 - Microsoft Windows COM+ Event System Service Privilege Escalation Vulnerability -
Action Due Nov 01, 2022 Target Vendor : Microsoft
Description : Microsoft Windows COM+ Event System Service contains an unspecified vulnerability that allows for privilege escalation.
Action : Apply updates per vendor instructions.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41033; https://nvd.nist.gov/vuln/detail/CVE-2022-41033
8.0
CVE-2022-41082 - Microsoft Exchange Server Remote Code Execution Vulnerability -
Action Due Oct 21, 2022 Target Vendor : Microsoft
Description : Microsoft Exchange Server contains an unspecified vulnerability that allows for authenticated remote code execution. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41040, which allows for remote code execution.
Action : Apply updates per vendor instructions.
Known To Be Used in Ransomware Campaigns? : Known
Notes : https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/; https://nvd.nist.gov/vuln/detail/CVE-2022-41082
8.8
CVE-2022-41040 - Microsoft Exchange Server Server-Side Request Forgery Vulnerability -
Action Due Oct 21, 2022 Target Vendor : Microsoft
Description : Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082, which allows for remote code execution.
Action : Apply updates per vendor instructions.
Known To Be Used in Ransomware Campaigns? : Known
Notes : https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/; https://nvd.nist.gov/vuln/detail/CVE-2022-41040
8.8
CVE-2022-36804 - Atlassian Bitbucket Server and Data Center Command Injection Vulnerability -
Action Due Oct 21, 2022 Target Vendor : Atlassian
Description : Multiple API endpoints of Atlassian Bitbucket Server and Data Center contain a command injection vulnerability where an attacker with access to a public Bitbucket repository, or with read permissions to a private one, can execute code by sending a malicious HTTP request.
Action : Apply updates per vendor instructions.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://jira.atlassian.com/browse/BSERV-13438; https://nvd.nist.gov/vuln/detail/CVE-2022-36804
9.8
CVE-2022-3236 - Sophos Firewall Code Injection Vulnerability -
Action Due Oct 14, 2022 Target Vendor : Sophos
Description : A code injection vulnerability in the User Portal and Webadmin of Sophos Firewall allows for remote code execution.
Action : Apply updates per vendor instructions.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce; https://nvd.nist.gov/vuln/detail/CVE-2022-3236
9.8
CVE-2022-35405 - Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability -
Action Due Oct 13, 2022 Target Vendor : Zoho
Description : Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus contain an unspecified vulnerability that allows for remote code execution.
Action : Apply updates per vendor instructions.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html; https://nvd.nist.gov/vuln/detail/CVE-2022-35405
8.4
CVE-2013-2597 - Code Aurora ACDB Audio Driver Stack-based Buffer Overflow Vulnerability -
Action Due Oct 06, 2022 Target Vendor : Code Aurora
Description : The Code Aurora audio calibration database (acdb) audio driver contains a stack-based buffer overflow vulnerability that allows for privilege escalation. Code Aurora is used in third-party products such as Qualcomm and Android.
Action : Apply updates per vendor instructions.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://web.archive.org/web/20161226013354/https:/www.codeaurora.org/news/security-advisories/stack-based-buffer-overflow-acdb-audio-driver-cve-2013-2597; https://nvd.nist.gov/vuln/detail/CVE-2013-2597
7.8
CVE-2013-2596 - Linux Kernel Integer Overflow Vulnerability -
Action Due Oct 06, 2022 Target Vendor : Linux
Description : Linux kernel fb_mmap function in drivers/video/fbmem.c contains an integer overflow vulnerability that allows for privilege escalation.
Action : Apply updates per vendor instructions.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fc9bbca8f650e5f738af8806317c0a041a48ae4a; https://nvd.nist.gov/vuln/detail/CVE-2013-2596
8.4
CVE-2013-2094 - Linux Kernel Privilege Escalation Vulnerability -
Action Due Oct 06, 2022 Target Vendor : Linux
Description : Linux kernel fails to check all 64 bits of attr.config passed by user space, resulting in out-of-bounds access of the perf_swevent_enabled array in sw_perf_event_destroy(). Exploitation allows for privilege escalation.
Action : Apply updates per vendor instructions.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8176cced706b5e5d15887584150764894e94e02f; https://nvd.nist.gov/vuln/detail/CVE-2013-2094
9.3
CVE-2010-2568 - Microsoft Windows Remote Code Execution Vulnerability -
Action Due Oct 06, 2022 Target Vendor : Microsoft
Description : Microsoft Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the operating system displays the icon of a malicious shortcut file. An attacker who successfully exploited this vulnerability could execute code as the logged-on user.
Action : Apply updates per vendor instructions.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-046; https://nvd.nist.gov/vuln/detail/CVE-2010-2568
7.2
CVE-2022-40139 - Trend Micro Apex One and Apex One as a Service Improper Validation Vulnerability -
Action Due Oct 06, 2022 Target Vendor : Trend Micro
Description : Trend Micro Apex One and Apex One as a Service contain an improper validation of rollback mechanism components that could lead to remote code execution.
Action : Apply updates per vendor instructions.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://success.trendmicro.com/dcx/s/solution/000291528?language=en_US; https://nvd.nist.gov/vuln/detail/CVE-2022-40139
8.8
CVE-2013-6282 - Linux Kernel Improper Input Validation Vulnerability -
Action Due Oct 06, 2022 Target Vendor : Linux
Description : The get_user and put_user API functions of the Linux kernel fail to validate the target address when being used on ARM v6k/v7 platforms. This allows an application to read and write kernel memory which could lead to privilege escalation.
Action : Apply updates per vendor instructions.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8404663f81d212918ff85f493649a7991209fa04; https://nvd.nist.gov/vuln/detail/CVE-2013-6282
7.8
CVE-2022-37969 - Microsoft Windows Common Log File System (CLFS) Driver Privilege Escalation Vulnerability -
Action Due Oct 05, 2022 Target Vendor : Microsoft
Description : Microsoft Windows Common Log File System (CLFS) driver contains an unspecified vulnerability that allows for privilege escalation.
Action : Apply updates per vendor instructions.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37969; https://nvd.nist.gov/vuln/detail/CVE-2022-37969
7.8
CVE-2022-32917 - Apple iOS, iPadOS, and macOS Remote Code Execution Vulnerability -
Action Due Oct 05, 2022 Target Vendor : Apple
Description : Apple kernel, which is included in iOS, iPadOS, and macOS, contains an unspecified vulnerability where an application may be able to execute code with kernel privileges.
Action : Apply updates per vendor instructions.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://support.apple.com/en-us/HT213445, https://support.apple.com/en-us/HT213444; https://nvd.nist.gov/vuln/detail/CVE-2022-32917
10.0
CVE-2022-27593 - QNAP Photo Station Externally Controlled Reference Vulnerability -
Action Due Sep 29, 2022 Target Vendor : QNAP
Description : Certain QNAP NAS running Photo Station with internet exposure contain an externally controlled reference to a resource vulnerability which can allow an attacker to modify system files. This vulnerability was observed being utilized in a Deadbolt ransomware campaign.
Action : Apply updates per vendor instructions.
Known To Be Used in Ransomware Campaigns? : Known
Notes : https://www.qnap.com/en/security-advisory/qsa-22-24; https://nvd.nist.gov/vuln/detail/CVE-2022-27593
9.8
CVE-2022-26258 - D-Link DIR-820L Remote Code Execution Vulnerability -
Action Due Sep 29, 2022 Target Vendor : D-Link
Description : D-Link DIR-820L contains an unspecified vulnerability in the Device Name parameter in /lan.asp which allows for remote code execution.
Action : The impacted product is end-of-life and should be disconnected if still in use.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10295; https://nvd.nist.gov/vuln/detail/CVE-2022-26258
5.5
CVE-2020-9934 - Apple iOS, iPadOS, and macOS Input Validation Vulnerability -
Action Due Sep 29, 2022 Target Vendor : Apple
Description : Apple iOS, iPadOS, and macOS contain an unspecified vulnerability involving input validation which can allow a local attacker to view sensitive user information.
Action : Apply updates per vendor instructions.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://support.apple.com/en-us/HT211288, https://support.apple.com/en-us/HT211289; https://nvd.nist.gov/vuln/detail/CVE-2020-9934
10.0
CVE-2018-7445 - MikroTik RouterOS Stack-Based Buffer Overflow Vulnerability -
Action Due Sep 29, 2022 Target Vendor : MikroTik
Description : In MikroTik RouterOS, a stack-based buffer overflow occurs when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and gain code execution on the system.
Action : Apply updates per vendor instructions.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://www.coresecurity.com/core-labs/advisories/mikrotik-routeros-smb-buffer-overflow#vendor_update, https://mikrotik.com/download; https://nvd.nist.gov/vuln/detail/CVE-2018-7445
9.8
CVE-2018-2628 - Oracle WebLogic Server Unspecified Vulnerability -
Action Due Sep 29, 2022 Target Vendor : Oracle
Description : Oracle WebLogic Server contains an unspecified vulnerability which can allow an unauthenticated attacker with T3 network access to compromise the server.
Action : Apply updates per vendor instructions.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://www.oracle.com/security-alerts/cpuapr2018.html; https://nvd.nist.gov/vuln/detail/CVE-2018-2628
4.3
CVE-2018-13374 - Fortinet FortiOS and FortiADC Improper Access Control Vulnerability -
Action Due Sep 29, 2022 Target Vendor : Fortinet
Description : Fortinet FortiOS and FortiADC contain an improper access control vulnerability that allows attackers to obtain the LDAP server login credentials configured in FortiGate by pointing an LDAP server connectivity test request to a rogue LDAP server.
Action : Apply updates per vendor instructions.
Known To Be Used in Ransomware Campaigns? : Known
Notes : https://www.fortiguard.com/psirt/FG-IR-18-157; https://nvd.nist.gov/vuln/detail/CVE-2018-13374