The US Cybersecurity & Infrastructure Security Agency (CISA) has added four vulnerabilities to its Known Exploited Vulnerabilities catalog, urging federal agencies and large organizations to apply the available security updates as soon as possible.
Among them are flaws impacting Microsoft .NET Framework and Apache OFBiz (Open For Business), two widely used software applications.
Though the agency has marked those flaws as actively exploited in attacks, it has not provided specific details about the malicious activity, who is conducting it, and against whom.
The first flaw, tracked under CVE-2024-29059, is a high severity (CVSS v3 score: 7.5) information disclosure bug in the .NET Framework discovered by CODE WHITE and disclosed to Microsoft in November 2023.
Microsoft closed the disclosure report in December 2023, stating, “after careful investigation, we determined this case does not meet our bar for immediate servicing.”
However, Microsoft ultimately fixed the flaw in the January 2024 security updates but mistakenly did not issue a CVE or acknowledge the researchers.
In February, CODE WHITE released technical details and a proof of concept exploit for leaking internal object URIs, which can be used to perform .NET Remoting attacks,
Microsoft finally released an advisory for this flaw under CVE-2024-29059 in March 2024 and attributed the discovery to the researchers.
The Apache OFBiz flaw is CVE-2024-45195, a critical severity (CVSS v3 score: 9.8) remote code execution vulnerability impacting OFBiz before 18.12.16.
The flaw is caused by a forced browsing weakness that exposes restricted paths to unauthenticated direct request attacks.
The flaw was originally discovered by Rapid7, who also presented a proof-of-concept (PoC) exploit, while the vendor fixed it in September 2024.
Users are recommended to upgrade to Apache OFBiz version 18.12.16 or later, which addresses the particular risk.
Now, CISA urges potentially impacted agencies and organizations to apply the available patches and mitigations by February 25, 2025, or stop using the products.
The other two flaws added to KEV this time are CVE-2018-9276 and CVE-2018-19410, both impacting the Paessler PRTG network monitoring software. The issues were fixed in version 18.2.41.1652, released in June 2018.
The first flaw is an OS command injection problem, and the second is a local file inclusion vulnerability. The patching deadline for those, too, was set to February 25, 2025.
Unfortunately, there is no information on how any of these flaws are being exploited in attacks.