The US Cybersecurity and Infrastructure Security Agency (CISA) has added three flaws to the catalog of known exploited vulnerabilities (KEV), based on evidence of active exploitation.
The security vulnerabilities are as follows:
- CVE-2023-1389 (CVSS score: 8.8) – TP-Link Archer AX-21 Command Injection Vulnerability
- CVE-2021-45046 (CVSS score: 9.0) – Apache Log4j2 Deserialization of Untrusted Data Vulnerability
- CVE-2023-21839 (CVSS score: 7.5) – Oracle WebLogic Server Unspecified Vulnerability
CVE-2023-1389 concerns a command injection case affecting TP-Link Archer AX-21 routers that could be exploited to achieve remote code execution. According to Trend Micro’s Zero Day Initiative, threat actors associated with the Mirai botnet have used the flaw since April 11, 2023.
The second flaw added to the KEV catalog is CVE-2021-45046, a remote code execution vulnerability in the Apache Log4j2 logging library that came to light in December 2021.
It is currently unclear how this specific vulnerability is being abused in the wild, although data collected by GreyNoise shows evidence of exploitation attempts on up to 74 unique IP addresses over the past 30 days. This, however, also includes CVE-2021-44228 (aka Log4Shell).
Rounding out the list is a high-severity bug in Oracle WebLogic Server versions 18.104.22.168.0, 22.214.171.124.0, and 126.96.36.199.0 that could allow unauthorized access to sensitive data. It was patched by the company as part of the updates released in January 2023.
“Oracle WebLogic Server contains an unspecified vulnerability that allows an unauthenticated attacker with network access via T3, IIOP, to compromise Oracle WebLogic Server,” CISA said.
While proof-of-concept (PoC) exploits exist for the flaw, there appear to be no public reports of a malicious exploit.
Federal Civilian Executive Branch (FCEB) agencies must implement solutions provided by the vendor by May 22, 2023 to protect their networks against these active threats.
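As an added illustration of how a defender reconciles a KEV listing like this one against an asset inventory (example code written for this page, not part of the article or of CISA's tooling), the script below parses a constructed feed excerpt that mirrors the KEV JSON field names (cveID, vendorProject, product, dueDate) and flags every inventory asset whose product is in the catalog, marking it overdue once the remediation date has passed; the inventory and the hostnames are constructed sample data.

```python
import json
from datetime import date

# Constructed excerpt shaped like the CISA KEV feed: a "vulnerabilities" list whose
# records carry cveID / vendorProject / product / dueDate. Values are from the article.
KEV_EXCERPT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-1389", "vendorProject": "TP-Link", "product": "Archer AX-21",
     "dueDate": "2023-05-22"},
    {"cveID": "CVE-2021-45046", "vendorProject": "Apache", "product": "Log4j2",
     "dueDate": "2023-05-22"},
    {"cveID": "CVE-2023-21839", "vendorProject": "Oracle", "product": "WebLogic Server",
     "dueDate": "2023-05-22"},
]})

# Constructed asset inventory: (hostname, vendor, product) as tracked by the defender.
INVENTORY = [
    ("edge-rtr-01", "TP-Link", "Archer AX-21"),
    ("app-01", "Oracle", "WebLogic Server"),
    ("build-01", "Atlassian", "Confluence"),   # not in the excerpt, so never reported
]


def load_kev(feed_json):
    """Index KEV records by case-normalised (vendor, product) for exact inventory lookups."""
    index = {}
    for rec in json.loads(feed_json)["vulnerabilities"]:
        key = (rec["vendorProject"].lower(), rec["product"].lower())
        index.setdefault(key, []).append(rec)
    return index


def kev_exposure(feed_json, inventory, today_iso):
    """Return sorted (host, cveID, dueDate, overdue) tuples for every catalogued asset."""
    index = load_kev(feed_json)
    today = date.fromisoformat(today_iso)
    findings = []
    for host, vendor, product in inventory:
        for rec in index.get((vendor.lower(), product.lower()), []):
            overdue = today > date.fromisoformat(rec["dueDate"])
            findings.append((host, rec["cveID"], rec["dueDate"], overdue))
    return sorted(findings)


if __name__ == "__main__":
    # Run the day after the FCEB deadline to show the overdue flag.
    for host, cve, due, overdue in kev_exposure(KEV_EXCERPT, INVENTORY, "2023-05-23"):
        print(f"{host}: {cve} due {due}{' OVERDUE' if overdue else ''}")
```

Pointing `load_kev` at the live CISA feed instead of the excerpt gives the same report for the full catalog, provided the inventory uses the same vendor and product spellings the feed does.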
The warning also comes a little more than a month after VulnCheck revealed that nearly four dozen security flaws likely to have been weaponized in the wild by 2022 are missing from the KEV catalog.
Of the 42 vulnerabilities, an overwhelming majority are related to exploitation by Mirai-like botnets (27), followed by ransomware gangs (6) and other threat actors (9).
Ikaroa, a full stack tech company, recently detected active exploitation of TP-Link, Apache, and Oracle vulnerabilities. Exploiting these vulnerabilities could potentially provide malicious actors with unauthorized access to corporate networks and applications, as well as cause data leaks and service disruptions.
Immediate action is recommended to prevent these vulnerabilities from being exploited. Companies should review their system logs for signs of exploitation of known vulnerabilities and apply the latest security patches and updates. VPNs and other protective measures must also be implemented, and suspicious traffic monitored and blocked.
Ikaroa’s sophisticated cyber security solution helps companies to continuously monitor for open vulnerabilities in their networks and applications. This provides businesses with early detection and comprehensive protection against cyber-attacks. Our robust and aggressive solutions detect malicious movement, block infiltrations, and contain cyber-attacks in real time.
By leveraging dedicated network visibility, AI analytics and threat detection, our solution helps to protect your company from future vulnerabilities and attacks. Contact Ikaroa to find out more about our security solutions.