URL: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-317a

Cybersecurity Advisory


2023 TOP ROUTINELY EXPLOITED VULNERABILITIES

Release Date
November 12, 2024
Alert Code
AA24-317A



SUMMARY

The following cybersecurity agencies coauthored this joint Cybersecurity
Advisory (hereafter collectively referred to as the authoring agencies):

 * United States: The Cybersecurity and Infrastructure Security Agency (CISA),
   the Federal Bureau of Investigation (FBI), and the National Security Agency
   (NSA)
 * Australia: Australian Signals Directorate’s Australian Cyber Security Centre
   (ACSC)
 * Canada: Canadian Centre for Cyber Security (CCCS)
 * New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and
   Computer Emergency Response Team New Zealand (CERT NZ)
 * United Kingdom: National Cyber Security Centre (NCSC-UK)

This advisory provides details, collected and compiled by the authoring
agencies, on the Common Vulnerabilities and Exposures (CVEs) routinely and
frequently exploited by malicious cyber actors in 2023 and their associated
Common Weakness Enumerations (CWEs). Malicious cyber actors exploited more
zero-day vulnerabilities to compromise enterprise networks in 2023 compared to
2022, allowing them to conduct operations against high priority targets.

The authoring agencies strongly encourage vendors, designers, developers, and
end-user organizations to implement the following recommendations, and those
found within the Mitigations section of this advisory, to reduce the risk of
compromise by malicious cyber actors.

 * Vendors, designers, and developers. Implement secure by design and default
   principles and tactics to reduce the prevalence of vulnerabilities in your
   software.
   * Follow the SP 800-218 Secure Software Development Framework (SSDF) and
     implement secure by design practices into each stage of the software
     development life cycle (SDLC). Establish a coordinated vulnerability
     disclosure program that includes processes to determine root causes of
     discovered vulnerabilities.
   * Prioritize secure by default configurations, such as eliminating default
     passwords and not requiring additional configuration changes to enhance
     product security.
   * Ensure that published CVEs include the proper CWE field, identifying the
     root cause of the vulnerability.
 * End-user organizations:
   * Apply timely patches to systems.
     Note: If CVEs identified in this advisory have not been patched, check for
     signs of compromise before patching.
   * Implement a centralized patch management system.
   * Use security tools such as endpoint detection and response (EDR), web
     application firewalls, and network protocol analyzers.
   * Ask your software providers to discuss their secure by design program,
     provide links to information about how they are working to remove classes
     of vulnerabilities, and to set secure default settings.


PURPOSE

The authoring agencies developed this document in furtherance of their
respective cybersecurity missions, including their responsibilities to develop
and issue cybersecurity specifications and mitigations.

Download the PDF version of this report:

AA24-317A 2023 Top Routinely Exploited Vulnerabilities (PDF, 907.24 KB)


TECHNICAL DETAILS


KEY FINDINGS

In 2023, malicious cyber actors exploited more zero-day vulnerabilities to
compromise enterprise networks compared to 2022, allowing them to conduct cyber
operations against higher-priority targets. In 2023, the majority of the most
frequently exploited vulnerabilities were initially exploited as a zero-day,
which is an increase from 2022, when less than half of the top exploited
vulnerabilities were exploited as a zero-day.

Malicious cyber actors continue to have the most success exploiting
vulnerabilities within two years after public disclosure of the vulnerability.
The utility of these vulnerabilities declines over time as more systems are
patched or replaced. Malicious cyber actors find less utility from zero-day
exploits when international cybersecurity efforts reduce the lifespan of
zero-day vulnerabilities.

CYBERSECURITY EFFORTS TO INCLUDE

Implementing security-centered product development lifecycles. Software
developers deploying patches to fix software vulnerabilities is often a lengthy
and expensive process, particularly for zero-days. The use of more robust
testing environments and implementing threat modeling throughout the product
development lifecycle will likely reduce overall product vulnerabilities.

Increasing incentives for responsible vulnerability disclosure. Global efforts
to reduce barriers to responsible vulnerability disclosure could restrict the
utility of zero-day exploits used by malicious cyber actors. For example,
instituting vulnerability reporting bug bounty programs that allow researchers
to receive compensation and recognition for their contributions to vulnerability
research may boost disclosures.

Using sophisticated endpoint detection and response (EDR) tools. End
users leveraging EDR solutions may improve the detection rate of zero-day
exploits. Most zero-day exploits, including at least three of the top 15
vulnerabilities from last year, have been discovered when an end user or EDR
system reports suspicious activity or unusual device malfunctions.

Top Routinely Exploited Vulnerabilities

Listed in Table 1 are the top 15 vulnerabilities the authoring agencies observed
malicious cyber actors routinely exploiting in 2023 with details also discussed
below.

 * CVE-2023-3519: This vulnerability affects Citrix NetScaler ADC and NetScaler
   Gateway.
   * Allows an unauthenticated user to cause a stack buffer overflow in the
     NSPPE process by using an HTTP GET request.
 * CVE-2023-4966: This vulnerability affects Citrix NetScaler ADC and NetScaler
   Gateway.
   * Allows session token leakage; a proof-of-concept for this exploit was
     revealed in October 2023.
 * CVE-2023-20198: This vulnerability affects Cisco IOS XE Web UI.
   * Allows unauthorized users to gain initial access and issue a command to
     create a local user and password combination, resulting in the ability to
     log in with normal user access.
 * CVE-2023-20273: This vulnerability affects Cisco IOS XE, following activity
   from CVE-2023-20198.
   * Allows privilege escalation to root privileges once a local user has been
     created.
 * CVE-2023-27997: This vulnerability affects Fortinet FortiOS and FortiProxy
   SSL-VPN.
   * Allows a remote user to craft specific requests to execute arbitrary code
     or commands.
 * CVE-2023-34362: This vulnerability affects Progress MOVEit Transfer.
   * Allows abuse of an SQL injection vulnerability to obtain a sysadmin API
     access token.
   * Allows a malicious cyber actor to obtain remote code execution via this
     access by abusing a deserialization call.
 * CVE-2023-22515: This vulnerability affects Atlassian Confluence Data Center
   and Server.
   * Allows exploit of an improper input validation issue.
     * Arbitrary HTTP parameters can be translated into getter/setter sequences
       via the XWorks2 middleware and, in turn, allow Java objects to be
       modified at run time.
     * The exploit creates a new administrator user and uploads a malicious
       plugin to get arbitrary code execution.
 * CVE-2021-44228: This vulnerability, known as Log4Shell, affects Apache’s
   Log4j library, an open source logging framework incorporated into thousands
   of products worldwide.
   * Allows the execution of arbitrary code.
     * An actor can exploit this vulnerability by submitting a specially crafted
       request to a vulnerable system, causing the execution of arbitrary code.
     * The request allows a cyber actor to take full control of a system.
     * The actor can then steal information, launch ransomware, or conduct other
       malicious activity.
     * Malicious cyber actors began exploiting the vulnerability after it was
       publicly disclosed in December 2021.
 * CVE-2023-2868: This is a remote command injection vulnerability that affects
   the Barracuda Networks Email Security Gateway (ESG) Appliance.
   * Allows an individual to obtain unauthorized access and remotely execute
     system commands via the ESG appliance.
 * CVE-2022-47966: This is an unauthenticated remote code execution
   vulnerability that affects multiple products using Zoho ManageEngine.
   * Allows an unauthenticated user to execute arbitrary code by providing a
     crafted samlResponse XML to the ServiceDesk Plus SAML endpoint.
 * CVE-2023-27350: This vulnerability affects PaperCut MF/NG.
   * Allows a malicious cyber actor to chain an authentication bypass
     vulnerability with the abuse of built-in scripting functionality to execute
     code.
 * CVE-2020-1472: This vulnerability affects Microsoft Netlogon.
   * Allows privilege escalation.
     * An unauthorized user may use non-default configurations to establish a
       vulnerable Netlogon secure channel connection to a domain controller by
       using the Netlogon Remote Protocol.
       Note: This CVE has been included in top routinely exploited
       vulnerabilities lists since 2021.
 * CVE-2023-42793: This vulnerability can affect JetBrains TeamCity servers.
   * Allows authentication bypass that allows remote code execution against
     vulnerable JetBrains TeamCity servers.
 * CVE-2023-23397: This vulnerability affects Microsoft Office Outlook.
   * Allows elevation of privilege.
     * A threat actor can send a specially crafted email that the Outlook client
       will automatically trigger when Outlook processes it.
     * This exploit occurs even without user interaction.
 * CVE-2023-49103: This vulnerability affects ownCloud graphapi.
   * Allows unauthenticated information disclosure.
     * An unauthenticated user can access sensitive data such as admin
       passwords, mail server credentials, and license keys.
Table 1: Top 15 Routinely Exploited Vulnerabilities in 2023

| CVE | Vendor | Product(s) | Vulnerability Type | CWE |
|---|---|---|---|---|
| CVE-2023-3519 | Citrix | NetScaler ADC; NetScaler Gateway | Code Injection | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| CVE-2023-4966 | Citrix | NetScaler ADC; NetScaler Gateway | Buffer Overflow | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer |
| CVE-2023-20198 | Cisco | IOS XE Web UI | Privilege Escalation | CWE-420: Unprotected Alternate Channel |
| CVE-2023-20273 | Cisco | IOS XE | Web UI Command Injection | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| CVE-2023-27997 | Fortinet | FortiOS; FortiProxy SSL-VPN | Heap-Based Buffer Overflow | CWE-787: Out-of-bounds Write; CWE-122: Heap-based Buffer Overflow |
| CVE-2023-34362 | Progress | MOVEit Transfer | SQL Injection | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| CVE-2023-22515 | Atlassian | Confluence Data Center and Server | Broken Access Control | CWE-20: Improper Input Validation |
| CVE-2021-44228 (Log4Shell) | Apache | Log4j2 | Remote Code Execution (RCE) | CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection'); CWE-502: Deserialization of Untrusted Data; CWE-20: Improper Input Validation; CWE-400: Uncontrolled Resource Consumption |
| CVE-2023-2868 | Barracuda Networks | ESG Appliance | Improper Input Validation | CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'); CWE-20: Improper Input Validation |
| CVE-2022-47966 | Zoho | ManageEngine Multiple Products | Remote Code Execution | CWE-20: Improper Input Validation |
| CVE-2023-27350 | PaperCut | MF/NG | Improper Access Control | CWE-284: Improper Access Control |
| CVE-2020-1472 | Microsoft | Netlogon | Privilege Escalation | CWE-330: Use of Insufficiently Random Values |
| CVE-2023-42793 | JetBrains | TeamCity | Authentication Bypass | CWE-288: Authentication Bypass Using an Alternate Path or Channel |
| CVE-2023-23397 | Microsoft | Office Outlook | Privilege Escalation | CWE-294: Authentication Bypass by Capture-replay; CWE-20: Improper Input Validation |
| CVE-2023-49103 | ownCloud | graphapi | Information Disclosure | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |


ADDITIONAL ROUTINELY EXPLOITED VULNERABILITIES

The authoring agencies identified other vulnerabilities, listed in Table 2, that
malicious cyber actors also routinely exploited in 2023—in addition to the 15
vulnerabilities listed in Table 1.

Table 2: Additional Routinely Exploited Vulnerabilities in 2023

| CVE | Vendor | Product | Vulnerability Type | CWE |
|---|---|---|---|---|
| CVE-2023-22518 | Atlassian | Confluence Data Center and Server | Improper Authorization | CWE-863: Incorrect Authorization |
| CVE-2023-29492 | Novi | Novi Survey | Insecure Deserialization | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| CVE-2021-27860 | FatPipe | WARP, IPVPN, and MPVPN | Configuration Upload Exploit | CWE-434: Unrestricted Upload of File with Dangerous Type |
| CVE-2021-40539 | Zoho | ManageEngine ADSelfService Plus | Authentication Bypass | CWE-706: Use of Incorrectly-Resolved Name or Reference |
| CVE-2023-0669 | Fortra | GoAnywhere MFT | RCE | CWE-502: Deserialization of Untrusted Data |
| CVE-2021-22986 | F5 | BIG-IP and BIG-IQ Centralized Management iControl REST | RCE | CWE-918: Server-Side Request Forgery (SSRF) |
| CVE-2019-0708 | Microsoft | Remote Desktop Services | RCE | CWE-416: Use After Free |
| CVE-2018-13379 | Fortinet | FortiOS SSL VPN | Path Traversal | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CVE-2022-31199 | Netwrix | Auditor | Insecure Object Deserialization | CWE-502: Deserialization of Untrusted Data |
| CVE-2023-35078 | Ivanti | Endpoint Manager Mobile | Authentication Bypass | CWE-287: Improper Authentication |
| CVE-2023-35081 | Ivanti | Endpoint Manager Mobile (EPMM) | Path Traversal | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CVE-2023-44487 | N/A | HTTP/2 | Rapid Reset Attack | CWE-400: Uncontrolled Resource Consumption |
| CVE-2023-36844 | Juniper | Junos OS EX Series PHP | External Variable Modification | CWE-473: PHP External Variable Modification |
| CVE-2023-36845 | Juniper | Junos OS EX Series and SRX Series PHP | External Variable Modification | CWE-473: PHP External Variable Modification |
| CVE-2023-36846 | Juniper | Junos OS SRX Series | Missing Authentication for Critical Function | CWE-306: Missing Authentication for Critical Function |
| CVE-2023-36847 | Juniper | Junos OS EX Series | Missing Authentication for Critical Function | CWE-306: Missing Authentication for Critical Function |
| CVE-2023-41064 | Apple | iOS, iPadOS, and macOS ImageIO | Buffer Overflow | CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| CVE-2023-41061 | Apple | Apple iOS, iPadOS, and watchOS Wallet | Code Execution | CWE-20: Improper Input Validation |
| CVE-2021-22205 | GitLab | Community and Enterprise Editions | RCE | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| CVE-2019-11510 | Ivanti | Pulse Connect Secure | Arbitrary File Read | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CVE-2023-6448 | Unitronics | Vision PLC and HMI | Insecure Default Password | CWE-798: Use of Hard-coded Credentials; CWE-1188: Initialization of a Resource with an Insecure Default |
| CVE-2017-6742 | Cisco | IOS and IOS XE Software SNMP | RCE | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer |
| CVE-2021-4034 | Red Hat | Polkit | Out-of-Bounds Read and Write | CWE-125: Out-of-bounds Read; CWE-787: Out-of-bounds Write |
| CVE-2021-26084 | Atlassian | Confluence Server and Data Center | Object-Graph Navigation Language (OGNL) Injection | CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') |
| CVE-2021-33044 | Dahua | Various products | Authentication Bypass | CWE-287: Improper Authentication |
| CVE-2021-33045 | Dahua | Various products | Authentication Bypass | CWE-287: Improper Authentication |
| CVE-2022-3236 | Sophos | Firewall | Code Injection | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| CVE-2022-26134 | Atlassian | Confluence Server and Data Center | RCE | CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') |
| CVE-2022-41040 | Microsoft | Exchange Server | Server-Side Request Forgery | CWE-918: Server-Side Request Forgery (SSRF) |
| CVE-2023-38831 | RARLAB | WinRAR | Code Execution | CWE-345: Insufficient Verification of Data Authenticity; CWE-351: Insufficient Type Distinction |
| CVE-2019-18935 | Progress Telerik | Progress Telerik UI for ASP.NET AJAX | Deserialization of Untrusted Data | CWE-502: Deserialization of Untrusted Data |
| CVE-2021-34473 | Microsoft | Microsoft Exchange Server | RCE | CWE-918: Server-Side Request Forgery (SSRF) |


MITIGATIONS


VENDORS AND DEVELOPERS

The authoring agencies recommend vendors and developers take the following steps
to help ensure their products are secure by design and default:

 * Identify repeatedly exploited classes of vulnerability.
   * Perform an analysis of both CVEs and known exploited vulnerabilities (KEVs)
     to understand which classes of vulnerability are identified more than
     others.
   * Implement appropriate mitigations to eliminate those classes of
     vulnerability.
   * If a product has several instances of SQL injection vulnerabilities, ensure
     all database queries in the product use parameterized queries and prohibit
     other forms of queries.
 * Ensure business leaders are responsible for security.
   * Business leaders should ensure their teams take proactive steps to
     eliminate entire classes of security vulnerabilities, rather than only
     making one-off patches when new vulnerabilities are discovered.
 * Follow SP 800-218 SSDF and implement secure by design practices into each
   stage of the SDLC; in particular, aim to perform the following SSDF
   recommendations:
   * Prioritize the use of memory safe languages wherever possible [SSDF
     PW.6.1].
   * Exercise due diligence when selecting software components (e.g., software
     libraries, modules, middleware, frameworks) to ensure robust security in
     consumer software products [SSDF PW.4.1].
   * Set up secure software development team practices—this includes conducting
     peer code reviews, working to a common organization secure coding standard,
     and maintaining awareness of language-specific security concerns [SSDF
     PW.5.1, PW.7.1, PW.7.2].
   * Establish a vulnerability disclosure program to verify and resolve security
     vulnerabilities disclosed by people who may be internal or external to the
     organization [SSDF RV.1.3] and establish processes to determine root causes
     of discovered vulnerabilities.
   * Use static and dynamic application security testing (SAST/DAST) tools to
     analyze product source code and application behavior to detect error-prone
     practices [SSDF PW.7.2, PW.8.2].
 * Configure production-ready products to have the most secure settings by
   default and provide guidance on the risks of changing each setting [SSDF
   PW.9.1, PW.9.2].
   * Prioritize secure by default configurations such as eliminating default
     passwords, implementing single sign on (SSO) technology via modern open
     standards, and providing high-quality audit logs to customers with no
     additional configuration necessary and at no extra charge.
 * Ensure published CVEs include the proper CWE field identifying the root cause
   of the vulnerability to enable industry-wide analysis of software security
   and design flaws.
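Two of the recommendations above, identifying repeatedly exploited classes of vulnerability from CVE data and making parameterized queries the only permitted form of database query, are worked through in the following Python example. It is an added illustration and not code from the advisory or the authoring agencies. The CVE-to-CWE mapping is transcribed from Table 1; the grouping of CWEs into classes, the in-memory users table, and the input string are constructed for the example.

```python
import sqlite3
from collections import Counter

# Root-cause CWEs per CVE, transcribed from Table 1 of this advisory (the 15
# top routinely exploited vulnerabilities of 2023).
TABLE1_CWES = {
    "CVE-2023-3519": ["CWE-94"],
    "CVE-2023-4966": ["CWE-119"],
    "CVE-2023-20198": ["CWE-420"],
    "CVE-2023-20273": ["CWE-78"],
    "CVE-2023-27997": ["CWE-787", "CWE-122"],
    "CVE-2023-34362": ["CWE-89"],
    "CVE-2023-22515": ["CWE-20"],
    "CVE-2021-44228": ["CWE-917", "CWE-502", "CWE-20", "CWE-400"],
    "CVE-2023-2868": ["CWE-77", "CWE-20"],
    "CVE-2022-47966": ["CWE-20"],
    "CVE-2023-27350": ["CWE-284"],
    "CVE-2020-1472": ["CWE-330"],
    "CVE-2023-42793": ["CWE-288"],
    "CVE-2023-23397": ["CWE-294", "CWE-20"],
    "CVE-2023-49103": ["CWE-200"],
}

# Coarse grouping of those CWEs into vulnerability classes. This grouping is an
# assumption made for the example; the advisory does not define it.
CWE_CLASS = {
    "CWE-94": "injection", "CWE-78": "injection", "CWE-77": "injection",
    "CWE-89": "injection", "CWE-917": "injection",
    "CWE-119": "memory safety", "CWE-787": "memory safety",
    "CWE-122": "memory safety",
    "CWE-420": "auth/access control", "CWE-284": "auth/access control",
    "CWE-288": "auth/access control", "CWE-294": "auth/access control",
    "CWE-330": "auth/access control",
    "CWE-502": "deserialization", "CWE-20": "input validation",
    "CWE-400": "resource exhaustion", "CWE-200": "information disclosure",
}


def recurring_classes(cve_cwes, min_count=2):
    """Count the CVEs that fall into each class (a CVE with several CWEs in one
    class is counted once) and return the classes seen at least min_count
    times, most frequent first."""
    counts = Counter()
    for cwes in cve_cwes.values():
        counts.update({CWE_CLASS.get(c, "other") for c in cwes})
    return [(cls, n) for cls, n in counts.most_common() if n >= min_count]


def checked_execute(conn, sql, params=()):
    """House rule that leaves parameterization as the only option: SQL text
    may not carry quoted literals, so every value has to arrive via params."""
    if "'" in sql or '"' in sql:
        raise ValueError("quoted literal in SQL text; pass values as parameters")
    return conn.execute(sql, params)


def lookup_user_unsafe(conn, username):
    """The CWE-89 anti-pattern: the value is spliced into the SQL text."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Parameterized form: the value is bound as data and never parsed as SQL."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return checked_execute(conn, sql, (username,)).fetchall()


def build_demo_db():
    """Constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    return conn


def demo_sql_handling():
    """Run both lookups with a constructed input that is not a username and
    report (rows returned by the unsafe query, rows returned by the
    parameterized query, whether the house rule rejected literal-bearing SQL)."""
    conn = build_demo_db()
    not_a_username = "x' OR 'a'='a"
    unsafe_rows = lookup_user_unsafe(conn, not_a_username)  # every row
    safe_rows = lookup_user_safe(conn, not_a_username)      # no row
    try:
        checked_execute(conn, "SELECT id FROM users WHERE username = 'x'")
        rejected = False
    except ValueError:
        rejected = True
    return len(unsafe_rows), len(safe_rows), rejected


if __name__ == "__main__":
    print(recurring_classes(TABLE1_CWES))
    print(demo_sql_handling())
```

Run over Table 1, the tally shows injection, input validation, and authentication/access control each behind five of the fifteen entries, which is the kind of class-level signal the recommendation asks vendors to act on rather than patching one CVE at a time. The `checked_execute` gate is one simple way to "prohibit other forms of queries" at a single chokepoint; a SAST rule that flags string-built SQL serves the same purpose at review time.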

For more information on designing secure by design and default products,
including additional recommended secure by default configurations, see CISA’s
joint guide Shifting the Balance of Cybersecurity Risk: Principles and
Approaches for Security by Design and Default.


END-USER ORGANIZATIONS

The authoring agencies recommend end-user organizations implement the
mitigations below to improve their cybersecurity posture based on threat actors’
activity. These mitigations align with the cross-sector Cybersecurity
Performance Goals (CPGs) developed by CISA and the National Institute of
Standards and Technology (NIST). The CPGs provide a minimum set of practices and
protections that CISA and NIST recommend all organizations implement. CISA and
NIST based the CPGs on existing cybersecurity frameworks and guidance to protect
against the most common and impactful threats, tactics, techniques, and
procedures. Visit CISA’s CPGs webpage for more information on CPGs, including
additional recommended baseline protections.

VULNERABILITY AND CONFIGURATION MANAGEMENT

 * Update software, operating systems, applications, and firmware on IT network
   assets in a timely manner [CPG 1.E].
   * Prioritize patching KEVs, especially those CVEs identified in this
     advisory, then critical and high vulnerabilities that allow for remote code
     execution or denial-of-service on internet-facing equipment.
   * For patch information on CVEs identified in this advisory, refer to the
     Appendix: Patch Information and Additional Resources for Top Exploited
     Vulnerabilities.
     * If a patch for a KEV or critical vulnerability cannot be quickly applied,
       implement vendor-approved workarounds.
     * Replace end-of-life software (i.e., software no longer supported by the
       vendor).
 * Routinely perform automated asset discovery across the entire estate to
   identify and catalogue all the systems, services, hardware, and software.
 * Implement a robust patch management process and centralized patch management
   system that establishes prioritization of patch applications [CPG 1.A].
   * Organizations that are unable to perform rapid scanning and patching of
     internet-facing systems should consider moving these services to mature,
     reputable cloud service providers (CSPs) or other managed service providers
     (MSPs).
   * Reputable MSPs can patch applications (such as webmail, file storage, file
     sharing, chat, and other employee collaboration tools) for their customers.
     Note: MSPs and CSPs can expand their customer’s attack surface and may
     introduce unanticipated risks, so organizations should proactively
     collaborate with their MSPs and CSPs to jointly reduce risk [CPG 1.F]. For
     more information and guidance, see the following resources:
     * CISA Insights’ Risk Considerations for MSP Customers.
     * CISA Insights’ Mitigations and Hardening Guidance for MSPs and Small- and
       Mid-sized Businesses.
     * ACSC’s How to Manage Your Security When Engaging an MSP.
 * Document secure baseline configurations for all IT/OT components, including
   cloud infrastructure.
   * Monitor, examine, and document any deviations from the initial secure
     baseline [CPG 2.O].
 * Perform regular secure system backups and create known good copies of all
   device configurations for repairs and/or restoration.
   * Store copies off-network in physically secure locations and test regularly
     [CPG 2.R].
 * Maintain an updated cybersecurity incident response plan that is tested at
   least annually and updated within a risk informed time frame to ensure its
   effectiveness [CPG 2.S].
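
The patch-ordering rule in the list above (KEVs first, then critical and high
findings that allow remote code execution or denial of service on
internet-facing equipment, then the rest) can be applied mechanically to
scanner output. The following is an added example, not code from the advisory
or from CISA: the KEV snapshot is a constructed set whose IDs are taken from
this advisory's appendix (a real run would load CISA's published KEV feed), the
findings are constructed scanner records, and the `CVE-0000-*` identifiers are
placeholders, not real CVEs.

```python
from dataclasses import dataclass

# Constructed KEV catalog snapshot. The IDs are taken from this advisory's
# appendix; a real run would load CISA's published KEV feed instead.
KEV_SNAPSHOT = {"CVE-2023-3519", "CVE-2023-4966", "CVE-2023-20198", "CVE-2021-44228"}


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float            # CVSS v3 base score as reported by the scanner
    internet_facing: bool  # from the asset inventory, not the scanner
    impact: str            # scanner-derived label: "rce", "dos" or "other"


# Constructed scanner output, not from the advisory. Placeholder CVE ids use
# the non-existent year 0000 so they cannot be mistaken for real entries.
FINDINGS = [
    Finding("vpn-gw-01", "CVE-2023-4966", 9.4, True, "other"),
    Finding("build-01", "CVE-2021-44228", 10.0, False, "rce"),
    Finding("web-03", "CVE-0000-0001", 9.8, True, "rce"),
    Finding("file-01", "CVE-0000-0002", 7.5, False, "dos"),
    Finding("web-03", "CVE-0000-0003", 5.3, True, "other"),
]

TIER_NAMES = {
    0: "known exploited (KEV): patch first",
    1: "critical/high RCE or DoS on internet-facing asset",
    2: "other critical/high",
    3: "remaining findings",
}


def priority_tier(finding: Finding, kev: set) -> int:
    """Map one finding to a tier; a lower tier is patched first.

    Mirrors the advisory's order: KEVs first, then critical/high findings
    (CVSS >= 7.0) that allow RCE or DoS on internet-facing equipment, then
    other critical/high findings, then everything else.
    """
    if finding.cve in kev:
        return 0
    high = finding.cvss >= 7.0
    if high and finding.internet_facing and finding.impact in ("rce", "dos"):
        return 1
    if high:
        return 2
    return 3


def prioritize(findings, kev):
    """Return findings in patch order: by tier, then descending CVSS, then host."""
    return sorted(findings, key=lambda f: (priority_tier(f, kev), -f.cvss, f.host))


if __name__ == "__main__":
    for f in prioritize(FINDINGS, KEV_SNAPSHOT):
        tier = priority_tier(f, KEV_SNAPSHOT)
        print(f"tier {tier}  {f.host:10} {f.cve:15} {TIER_NAMES[tier]}")
```

Note that a KEV entry outranks a higher CVSS score: the 9.4 Citrix finding and
the 10.0 Log4j finding both land in tier 0 ahead of the 9.8 placeholder, which
is the point of the advisory's ordering. The `internet_facing` flag has to come
from the asset inventory; scanners rarely know it.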

IDENTITY AND ACCESS MANAGEMENT

 * Enforce phishing-resistant multifactor authentication (MFA) for all users
   without exception [CPG 2.H].
 * Enforce MFA on all VPN connections.
   * If MFA is unavailable, require employees engaging in remote work to use
     strong passwords [CPG 2.A, 2.B, 2.C, 2.D, 2.G].
 * Regularly review, validate, or remove unprivileged accounts (annually at a
   minimum) [CPG 2.D, 2.E].
 * Configure access control under the principle of least privilege [CPG 2.O].
   * Ensure software service accounts only provide necessary permissions (least
     privilege) to perform intended functions (using non-administrative
     privileges where feasible).
     Note: See CISA’s Capacity Enhancement Guide – Implementing Strong
     Authentication and ACSC’s guidance on Implementing MFA for more
     information on authentication system hardening.

PROTECTIVE CONTROLS AND ARCHITECTURE

 * Properly configure and secure internet-facing network devices, disable unused
   or unnecessary network ports and protocols, encrypt network traffic, and
   disable unused network services and devices [CPG 2.V, 2.W, 2.X].
 * Harden commonly exploited enterprise network services, including Link-Local
   Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP),
   Common Internet File System (CIFS), Active Directory, and OpenLDAP.
 * Manage Windows Key Distribution Center (KDC) accounts (e.g., KRBTGT) to
   minimize Golden Ticket attacks and Kerberoasting.
 * Strictly control the use of native scripting applications, such as
   command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI),
   and Distributed Component Object Model (DCOM).
 * Implement Zero Trust Network Architecture (ZTNA) to limit or block lateral
   movement by controlling access to applications, devices, and databases. Use
   private virtual local area networks [CPG 2.F, 2.X].
   Note: See CISA’s Zero Trust Maturity Model and the Department of Defense’s
   Zero Trust Reference Architecture for additional information on Zero Trust.
 * Continuously monitor the attack surface and investigate abnormal activity
   that may indicate cyber actor or malware lateral movement [CPG 2.T].
 * Use security tools, such as endpoint detection and response (EDR) and
   security information and event management (SIEM) tools.
 * Consider using an information technology asset management (ITAM) solution to
   ensure EDR, SIEM, vulnerability scanners, and other similar tools are
   reporting the same number of assets [CPG 2.T, 2.V].
 * Use web application firewalls to monitor and filter web traffic.
   * These tools are commercially available via hardware, software, and
     cloud-based solutions, and may detect and mitigate exploitation attempts
     where a cyber actor sends a malicious web request to an unpatched device
     [CPG 2.B, 2.F].
 * Implement an administrative policy and/or automated process configured to
   monitor unwanted hardware, software, or programs against an allowlist with
   specified, approved versions [CPG 2.Q].
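
Two of the items above (checking that EDR, SIEM and vulnerability scanners
report the same asset population, and checking installed software against an
allowlist of approved versions) reduce to set comparisons once each tool's
inventory has been exported. The following is an added example, not code from
the advisory or from any ITAM product; the hostnames, package names, versions
and the allowlist are constructed sample data.

```python
# Constructed per-tool asset inventories (hostnames), not from the advisory.
# In practice these come from each tool's export or API.
EDR_ASSETS = {"web-01", "web-02", "db-01", "jump-01"}
SIEM_ASSETS = {"web-01", "web-02", "db-01", "jump-01", "fw-01"}
SCANNER_ASSETS = {"web-01", "db-01", "jump-01", "fw-01", "legacy-01"}

INVENTORIES = {"edr": EDR_ASSETS, "siem": SIEM_ASSETS, "scanner": SCANNER_ASSETS}

# Constructed allowlist: package name -> approved versions.
ALLOWLIST = {
    "openssh-server": {"9.6p1", "9.7p1"},
    "nginx": {"1.26.0"},
}

# Constructed installed-software inventory as a software-inventory agent
# might report it: host -> {package: version}.
INSTALLED = {
    "web-01": {"nginx": "1.26.0", "openssh-server": "9.6p1"},
    "web-02": {"nginx": "1.24.0", "openssh-server": "9.6p1", "ncat": "7.94"},
}


def reconcile_assets(inventories):
    """Compare asset sets across tools.

    Returns {asset: [tools that do NOT report it]} for every asset that at
    least one tool knows about but another does not. An empty result means
    every tool sees the same asset population, which is what CPG 2.T/2.V ask
    an ITAM process to confirm. Assets that legitimately cannot run one tool
    (a firewall without an EDR agent, say) show up here too and should be
    recorded as documented exceptions rather than silently ignored.
    """
    union = set().union(*inventories.values())
    gaps = {}
    for asset in sorted(union):
        missing = sorted(tool for tool, seen in inventories.items() if asset not in seen)
        if missing:
            gaps[asset] = missing
    return gaps


def allowlist_violations(installed, allowlist):
    """Flag software that is not on the allowlist or not at an approved version.

    Returns a sorted list of (host, package, version, reason) tuples.
    """
    violations = []
    for host, packages in sorted(installed.items()):
        for name, version in sorted(packages.items()):
            if name not in allowlist:
                violations.append((host, name, version, "not on allowlist"))
            elif version not in allowlist[name]:
                violations.append((host, name, version, "unapproved version"))
    return violations


if __name__ == "__main__":
    for asset, missing in reconcile_assets(INVENTORIES).items():
        print(f"{asset}: not reported by {', '.join(missing)}")
    for host, name, version, reason in allowlist_violations(INSTALLED, ALLOWLIST):
        print(f"{host}: {name} {version} ({reason})")
```

With the sample data the reconciliation reports `legacy-01` as unknown to both
EDR and SIEM, which is the kind of unmanaged host the advisory's asset-discovery
item is meant to surface; the allowlist check flags an unapproved `nginx` build
and a tool (`ncat`) that is not approved at all.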

SUPPLY CHAIN SECURITY

 * Reduce third-party applications and unique system/application builds—provide
   exceptions only if required to support business critical functions [CPG 2.Q].
 * Ensure contracts require vendors and/or third-party service providers to:
   * Provide notification of security incidents and vulnerabilities within a
     risk informed time frame [CPG 1.G, 1.H, 1.I].
   * Supply a Software Bill of Materials (SBOM) with all products to enhance
     vulnerability monitoring and to help reduce time to respond to identified
     vulnerabilities [CPG 4.B].
 * Ask your software providers to discuss their secure by design program,
   provide links to information about how they are working to remove classes of
   vulnerabilities, and to set secure default settings.
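
An SBOM only shortens response time if it is actually matched against
vulnerability data, so the following added example (not code from the advisory
or from any SBOM tool) shows that matching step: it reads a minimal
CycloneDX-style SBOM, identifies each component by its package URL, and tests
the component version against an advisory's affected range. The SBOM fragment
and the advisory feed are constructed for the example; the one advisory entry
reuses the Log4Shell range given in this advisory's appendix (Log4j 2.0-beta9
to 2.14.1), and the `fixed` boundary of 2.15.0 is this example's assumption
derived from that range.

```python
import json
import re

# Constructed CycloneDX-style SBOM fragment (sample components, not a real
# product's SBOM). Only the fields this script reads are included.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "library", "name": "jackson-databind", "version": "2.15.2",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"}
  ]
}"""

# Constructed advisory feed with one entry. The affected range is the one the
# appendix gives for Log4Shell (2.0-beta9 to 2.14.1); the "fixed" boundary of
# 2.15.0 follows from that range and is an assumption of this example.
ADVISORIES = [
    {"cve": "CVE-2021-44228",
     "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0-beta9", "fixed": "2.15.0"},
]


def parse_version(text):
    """Turn '2.0-beta9' or '2.14.1' into a comparable tuple.

    Handles dotted numeric versions with an optional -prerelease suffix.
    Numeric parts are padded to three fields so 2.0 == 2.0.0, and a
    pre-release suffix sorts before the final release of the same number:
    2.0-beta9 < 2.0 < 2.14.1 < 2.15.0.
    """
    main, _, pre = text.partition("-")
    nums = tuple(int(p) for p in main.split("."))
    nums = nums + (0,) * (3 - len(nums))
    if pre:
        m = re.match(r"([a-z]*)(\d*)", pre.lower())
        return nums + (0, m.group(1), int(m.group(2) or 0))
    return nums + (1,)


def find_vulnerable_components(sbom_json, advisories):
    """Match SBOM components (by purl without the version) against advisories.

    Returns [(component name, version, CVE)] for each component whose version
    lies in the half-open range [introduced, fixed).
    """
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        base, sep, version = comp.get("purl", "").rpartition("@")
        if not sep:
            continue  # no purl or no version: nothing to compare against
        pv = parse_version(version)
        for adv in advisories:
            if adv["package"] != base:
                continue
            if parse_version(adv["introduced"]) <= pv < parse_version(adv["fixed"]):
                hits.append((comp["name"], version, adv["cve"]))
    return hits


if __name__ == "__main__":
    for name, version, cve in find_vulnerable_components(SBOM_JSON, ADVISORIES):
        print(f"{name} {version}: affected by {cve}")
```

Matching on the version-less purl rather than on the bare component name
avoids false matches between unrelated packages that share a name, and it is
the identifier most SBOM generators and vulnerability feeds agree on.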


RESOURCES

 * For information on the top vulnerabilities routinely exploited in 2016–2019,
   2020, 2021, and 2022:
   * Joint CSA Top 10 Routinely Exploited Vulnerabilities.
   * Joint CSA Top Routinely Exploited Vulnerabilities.
   * Joint CSA 2021 Top Routinely Exploited Vulnerabilities.
   * Joint CSA 2022 Top Routinely Exploited Vulnerabilities.
 * See the Appendix for additional partner resources on the vulnerabilities
   mentioned in this advisory.
 * See ACSC’s Essential Eight Maturity Model for additional mitigations.
 * See ACSC’s Cyber Supply Chain Risk Management for additional considerations
   and advice.


REFERENCES

 * Apache Log4j Vulnerability Guidance


REPORTING

U.S. organizations: All organizations should report incidents and anomalous
activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870
and/or to the FBI via your local FBI field office or the FBI’s CyWatch at (855)
292-3937 or CyWatch@fbi.gov. When available, please include the following
information regarding the incident: date, time, and location of the incident;
type of activity; number of people affected; type of equipment used for the
activity; the name of the submitting company or organization; and a designated
point of contact. For NSA client requirements or general cybersecurity
inquiries, contact Cybersecurity_Requests@nsa.gov.

Australian organizations: Visit cyber.gov.au or call 1300 292 371 (1300 CYBER
1) to report cybersecurity incidents and access alerts and advisories.

Canadian organizations: Report incidents by emailing CCCS at
contact@cyber.gc.ca.

New Zealand organizations: Report cyber security incidents to
incidents@ncsc.govt.nz or call 04 498 7654.

United Kingdom organizations: Report a significant cyber security incident at
gov.uk/report-cyber (monitored 24 hours).


DISCLAIMER

The information in this report is being provided “as is” for informational
purposes only. CISA, FBI, NSA, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK do not
endorse any commercial product or service, including any subjects of analysis.
Any reference to specific commercial products, processes, or services by service
mark, trademark, manufacturer, or otherwise, does not constitute or imply
endorsement, recommendation, or favoring.


VERSION HISTORY

November 12, 2024: Initial version.

Appendix: Patch Information and Additional Resources for Top Exploited
Vulnerabilities

 * CVE-2023-3519
   * Vendor: Citrix
   * Affected Products and Versions: NetScaler ADC and NetScaler Gateway:
     13.1 before 13.1-49.13; 13.0 before 13.0-91.13. NetScaler ADC: 13.1-FIPS
     before 13.1-37.159; 12.1-FIPS before 12.1-55.297; 12.1-NDcPP before
     12.1-55.297.
   * Patch Information: Citrix ADC and Citrix Gateway Security Bulletin for
     CVE-2023-3519, CVE-2023-3466, CVE-2023-3467.
   * Resources: Threat Actors Exploiting Citrix CVE-2023-3519 to Implant
     Webshells; Critical Security Update for NetScaler ADC and NetScaler
     Gateway.
 * CVE-2023-4966
   * Vendor: Citrix
   * Affected Products and Versions: NetScaler ADC and NetScaler Gateway:
     14.1 before 14.1-8.50; 13.1 before 13.1-49.15; 13.0 before 13.0-92.19.
     NetScaler ADC: 13.1-FIPS before 13.1-37.164; 12.1-FIPS before
     12.1-55.300; 12.1-NDcPP before 12.1-55.300.
   * Patch Information: NetScaler ADC and NetScaler Gateway Security Bulletin
     for CVE-2023-4966 and CVE-2023-4967.
   * Resources: #StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit
     CVE 2023-4966 Citrix Bleed Vulnerability; Critical Security Update for
     NetScaler ADC and NetScaler Gateway.
 * CVE-2023-20198
   * Vendor: Cisco
   * Affected Products and Versions: Any Cisco IOS XE Software with web UI
     feature enabled.
   * Patch Information: Multiple Vulnerabilities in Cisco IOS XE Software Web
     UI Feature.
   * Resources: Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities.
 * CVE-2023-27997
   * Vendor: Fortinet
   * Affected Products and Versions: FortiOS-6K7K versions: 7.0.10, 7.0.5,
     6.4.12; 6.4.10, 6.4.8, 6.4.6, 6.4.2; 6.2.9 through 6.2.13; 6.2.6 through
     6.2.7; 6.2.4; 6.0.12 through 6.0.16; 6.0.10.
   * Patch Information: Heap buffer overflow in sslvpn pre-authentication.
 * CVE-2023-34362
   * Vendor: Progress
   * Affected Products and Versions: MOVEit Transfer: 2023.0.0 (15.0);
     2022.1.x (14.1); 2022.0.x (14.0); 2021.1.x (13.1); 2021.0.x (13.0);
     2020.1.x (12.1); 2020.0.x (12.0) or older; MOVEit Cloud.
   * Patch Information: MOVEit Transfer Critical Vulnerability.
   * Resources: #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362
     MOVEit Vulnerability.
 * CVE-2023-22515
   * Vendor: Atlassian
   * Affected Products and Versions: 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4;
     8.1.0, 8.1.1, 8.1.3, 8.1.4; 8.2.0, 8.2.1, 8.2.2, 8.2.3; 8.3.0, 8.3.1,
     8.3.2; 8.4.0, 8.4.1, 8.4.2; 8.5.0, 8.5.1.
   * Patch Information: Broken Access Control Vulnerability in Confluence Data
     Center and Server.
   * Resources: Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for
     Initial Access to Networks.
 * CVE-2021-44228 (Log4Shell)
   * Vendor: Apache
   * Affected Products and Versions: Log4j, all versions from 2.0-beta9 to
     2.14.1. For other affected vendors and products, see CISA's GitHub
     repository.
   * Patch Information: Apache Log4j Security Vulnerabilities. For additional
     information, see joint advisory: Mitigating Log4Shell and Other
     Log4j-Related Vulnerabilities.
   * Resources: Malicious Cyber Actors Continue to Exploit Log4Shell in VMware
     Horizon Systems.
 * CVE-2023-2868
   * Vendor: Barracuda Networks
   * Affected Products and Versions: 5.1.3.001 through 9.2.0.006.
   * Patch Information: Barracuda Email Security Gateway Appliance (ESG)
     Vulnerability.
 * CVE-2022-47966
   * Vendor: Zoho
   * Affected Products and Versions: Multiple products, multiple versions.
     (For more details, see Security advisory for remote code execution
     vulnerability in multiple ManageEngine products.)
   * Patch Information: Security advisory for remote code execution
     vulnerability in multiple ManageEngine products.
 * CVE-2023-27350
   * Vendor: PaperCut
   * Affected Products and Versions: PaperCut MF or NG version 8.0 or later
     (excluding patched versions) on all OS platforms. This includes: version
     8.0.0 to 19.2.7 (inclusive); version 20.0.0 to 20.1.6 (inclusive);
     version 21.0.0 to 21.2.10 (inclusive); version 22.0.0 to 22.0.8
     (inclusive).
   * Patch Information: URGENT MF/NG vulnerability bulletin (March 2023).
   * Resources: Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG.
 * CVE-2020-1472
   * Vendor: Microsoft
   * Affected Products and Versions: Netlogon.
   * Patch Information: Netlogon Elevation of Privilege Vulnerability.
   * Resources: Russian Military Cyber Actors Target U.S. and Global Critical
     Infrastructure.
 * CVE-2023-23397
   * Vendor: Microsoft
   * Affected Products and Versions: Outlook.
   * Patch Information: Microsoft Outlook Elevation of Privilege
     Vulnerability.
   * Resources: Russian Cyber Actors Use Compromised Routers to Facilitate
     Cyber Operations.
 * CVE-2023-49103
   * Vendor: ownCloud
   * Affected Products and Versions: graphapi.
   * Patch Information: Disclosure of Sensitive Credentials and Configuration
     in Containerized Deployments.
 * CVE-2023-20273
   * Vendor: Cisco
   * Affected Products and Versions: Cisco IOS XE Software with web UI feature
     enabled.
   * Patch Information: Multiple Vulnerabilities in Cisco IOS XE Software Web
     UI Feature.
   * Resources: Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities.
 * CVE-2023-42793
   * Vendor: JetBrains
   * Affected Products and Versions: In JetBrains TeamCity before 2023.05.4.
   * Patch Information: CVE-2023-42793 Vulnerability in TeamCity: Post-Mortem.
   * Resources: Russian Foreign Intelligence Service (SVR) Exploiting
     JetBrains TeamCity CVE Globally.
 * CVE-2023-22518
   * Vendor: Atlassian
   * Affected Products and Versions: All versions of Confluence Data Center
     and Confluence Server.
   * Patch Information: Improper Authorization in Confluence Data Center and
     Server.
 * CVE-2023-29492
   * Vendor: —
   * Affected Products and Versions: —
   * Patch Information: —
 * CVE-2021-27860
   * Vendor: FatPipe
   * Affected Products and Versions: WARP, MPVPN, IPVPN 10.1.2 and 10.2.2.
   * Patch Information: FatPipe CVE List.
 * CVE-2021-40539
   * Vendor: Zoho
   * Affected Products and Versions: ManageEngine ADSelfService Plus builds up
     to 6113.
   * Patch Information: Security advisory - ADSelfService Plus authentication
     bypass vulnerability.
   * Resources: ACSC Alert: Critical vulnerability in ManageEngine
     ADSelfService Plus exploited by cyber actors.
 * CVE-2023-0669
   * Vendor: Fortra
   * Affected Products and Versions: GoAnywhere versions 2.3 through 7.1.2.
   * Patch Information: Fortra deserialization RCE.
   * Resources: #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362
     MOVEit Vulnerability.
 * CVE-2021-22986
   * Vendor: F5
   * Affected Products and Versions: BIG-IP versions: 16.0.x before 16.0.1.1,
     15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6,
     and 12.1.x before 12.1.5.3 and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x
     before 7.0.0.2.
   * Patch Information: K03009991: iControl REST unauthenticated remote
     command execution vulnerability CVE-2021-22986.
 * CVE-2019-0708
   * Vendor: Microsoft
   * Affected Products and Versions: Remote Desktop Services.
   * Patch Information: Remote Desktop Services Remote Code Execution
     Vulnerability.
 * CVE-2018-13379
   * Vendor: Fortinet
   * Affected Products and Versions: FortiOS and FortiProxy 2.0.2, 2.0.1,
     2.0.0, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0,
     1.1.6.
   * Patch Information: FortiProxy - system file leak through SSL VPN special
     crafted HTTP resource requests.
 * CVE-2023-35078
   * Vendor: Ivanti
   * Affected Products and Versions: All supported versions of Endpoint
     Manager Mobile (EPMM), including: Version 11.4 releases 11.10, 11.9 and
     11.8.
   * Patch Information: CVE-2023-35078 - New Ivanti EPMM Vulnerability.
   * Resources: Threat Actors Exploiting Ivanti EPMM Vulnerabilities.
 * CVE-2023-35081
   * Vendor: Ivanti
   * Affected Products and Versions: All supported versions of Endpoint
     Manager Mobile (EPMM), including 11.10, 11.9 and 11.8.
   * Patch Information: CVE-2023-35081 - Remote Arbitrary File Write.
   * Resources: Threat Actors Exploiting Ivanti EPMM Vulnerabilities.
 * CVE-2023-36844
   * Vendor: Juniper
   * Affected Products and Versions: Juniper Networks Junos OS on SRX Series
     and EX Series: all versions prior to 20.4R3-S9; 21.1 version 21.1R1 and
     later versions; 21.2 versions prior to 21.2R3-S7; 21.3 versions prior to
     21.3R3-S5; 21.4 versions prior to 21.4R3-S5; 22.1 versions prior to
     22.1R3-S4; 22.2 versions prior to 22.2R3-S2; 22.3 versions prior to
     22.3R2-S2, 22.3R3-S1; 22.4 versions prior to 22.4R2-S1, 22.4R3; 23.2
     versions prior to 23.2R1-S1, 23.2R2.
   * Patch Information: 2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX
     Series and EX Series: Multiple vulnerabilities in J-Web can be combined
     to allow a preAuth Remote Code Execution.
 * CVE-2023-36845
   * Vendor: Juniper
   * Affected Products and Versions: Juniper Networks Junos OS on SRX Series
     and EX Series: all versions prior to 20.4R3-S9; 21.1 version 21.1R1 and
     later versions; 21.2 versions prior to 21.2R3-S7; 21.3 versions prior to
     21.3R3-S5; 21.4 versions prior to 21.4R3-S5; 22.1 versions prior to
     22.1R3-S4; 22.2 versions prior to 22.2R3-S2; 22.3 versions prior to
     22.3R2-S2, 22.3R3-S1; 22.4 versions prior to 22.4R2-S1, 22.4R3; 23.2
     versions prior to 23.2R1-S1, 23.2R2.
   * Patch Information: 2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX
     Series and EX Series: Multiple vulnerabilities in J-Web can be combined
     to allow a preAuth Remote Code Execution.
 * CVE-2023-36846
   * Vendor: Juniper
   * Affected Products and Versions: Juniper Networks Junos OS on SRX Series
     and EX Series: all versions prior to 20.4R3-S9; 21.1 version 21.1R1 and
     later versions; 21.2 versions prior to 21.2R3-S7; 21.3 versions prior to
     21.3R3-S5; 21.4 versions prior to 21.4R3-S5; 22.1 versions prior to
     22.1R3-S4; 22.2 versions prior to 22.2R3-S2; 22.3 versions prior to
     22.3R2-S2, 22.3R3-S1; 22.4 versions prior to 22.4R2-S1, 22.4R3; 23.2
     versions prior to 23.2R1-S1, 23.2R2.
   * Patch Information: 2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX
     Series and EX Series: Multiple vulnerabilities in J-Web can be combined
     to allow a preAuth Remote Code Execution.
 * CVE-2023-36847
   * Vendor: Juniper
   * Affected Products and Versions: Juniper Networks Junos OS on SRX Series
     and EX Series: all versions prior to 20.4R3-S9; 21.1 version 21.1R1 and
     later versions; 21.2 versions prior to 21.2R3-S7; 21.3 versions prior to
     21.3R3-S5; 21.4 versions prior to 21.4R3-S5; 22.1 versions prior to
     22.1R3-S4; 22.2 versions prior to 22.2R3-S2; 22.3 versions prior to
     22.3R2-S2, 22.3R3-S1; 22.4 versions prior to 22.4R2-S1, 22.4R3; 23.2
     versions prior to 23.2R1-S1, 23.2R2.
   * Patch Information: 2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX
     Series and EX Series: Multiple vulnerabilities in J-Web can be combined
     to allow a preAuth Remote Code Execution.
 * CVE-2023-41064
   * Vendor: Apple
   * Affected Products and Versions: Versions prior to: iOS 16.6.1 and iPadOS
     16.6.1, macOS Monterey 12.6.9, macOS Ventura 13.5.2, iOS 15.7.9 and
     iPadOS 15.7.9, macOS Big Sur 11.7.10.
   * Patch Information: About the security content of iOS 16.6.1 and iPadOS
     16.6.1; About the security content of macOS Ventura 13.5.2; About the
     security content of iOS 15.7.9 and iPadOS 15.7.9; About the security
     content of macOS Monterey 12.6.9; About the security content of macOS
     Big Sur 11.7.10.
 * CVE-2023-41061
   * Vendor: Apple
   * Affected Products and Versions: Versions prior to: watchOS 9.6.2, iOS
     16.6.1 and iPadOS 16.6.1.
   * Patch Information: About the security content of watchOS 9.6.2; About
     the security content of iOS 16.6.1 and iPadOS 16.6.1.
 * CVE-2021-22205
   * Vendor: GitLab
   * Affected Products and Versions: All versions starting from 11.9.
   * Patch Information: RCE when removing metadata with ExifTool.
 * CVE-2019-11510
   * Vendor: Ivanti
   * Affected Products and Versions: Pulse Secure Pulse Connect Secure
     versions, 9.0R1 to 9.0R3.3, 8.3R1 to 8.3R7, and 8.2R1 to 8.2R12.
   * Patch Information: SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple
     vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure
     9.0RX.
 * CVE-2023-6448
   * Vendor: Unitronics
   * Affected Products and Versions: VisiLogic versions before 9.9.00.
   * Patch Information: Unitronics Cybersecurity Advisory 2023-001: Default
     administrative password.
 * CVE-2017-6742
   * Vendor: Cisco
   * Affected Products and Versions: Simple Network Management Protocol
     subsystem of Cisco IOS 12.0 through 12.4 and 15.0 through 15.6 and IOS
     XE 2.2 through 3.17.
   * Patch Information: SNMP Remote Code Execution Vulnerabilities in Cisco
     IOS and IOS XE Software.
 * CVE-2021-4034
   * Vendor: Red Hat
   * Affected Products and Versions: Red Hat Enterprise Linux 6; Red Hat
     Enterprise Linux 7; Red Hat Enterprise Linux 8; Red Hat Virtualization
     4. Any Red Hat product supported on Red Hat Enterprise Linux (including
     RHEL CoreOS) is also potentially impacted.
   * Patch Information: RHSB-2022-001 Polkit Privilege Escalation -
     (CVE-2021-4034).
   * Resources: Joint CSA: Russian Military Cyber Actors Target U.S. and
     Global Critical Infrastructure.
 * CVE-2021-26084
   * Vendor: Atlassian
   * Affected Products and Versions: Confluence Server and Data Center,
     versions 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0
     before 7.11.6, and from version 7.12.0 before 7.12.5.
   * Patch Information: Jira Atlassian: Confluence Server Webwork OGNL
     injection - CVE-2021-26084.
   * Resources: Joint CSA: Russian Military Cyber Actors Target U.S. and
     Global Critical Infrastructure.
 * CVE-2021-33044
   * Vendor: Dahua
   * Affected Products and Versions: Various products.
   * Patch Information: —
   * Resources: Joint CSA: Russian Military Cyber Actors Target U.S. and
     Global Critical Infrastructure.
 * CVE-2021-33045
   * Vendor: Dahua
   * Affected Products and Versions: Various products.
   * Patch Information: —
   * Resources: Joint CSA: Russian Military Cyber Actors Target U.S. and
     Global Critical Infrastructure.
 * CVE-2022-3236
   * Vendor: Sophos
   * Affected Products and Versions: Sophos Firewall v19.0 MR1 (19.0.1) and
     older.
   * Patch Information: Resolved RCE in Sophos Firewall (CVE-2022-3236).
   * Resources: Joint CSA: Russian Military Cyber Actors Target U.S. and
     Global Critical Infrastructure.
 * CVE-2022-26134
   * Vendor: Atlassian
   * Affected Products and Versions: Confluence Server and Data Center,
     versions: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1.
   * Patch Information: Confluence Security Advisory 2022-06-02.
   * Resources: Joint CSA: Russian Military Cyber Actors Target U.S. and
     Global Critical Infrastructure.
 * CVE-2022-41040
   * Vendor: Microsoft
   * Affected Products and Versions: Microsoft Exchange servers.
   * Patch Information: Microsoft Exchange Server Elevation of Privilege
     Vulnerability.
 * CVE-2023-38831
   * Vendor: RARLAB
   * Affected Products and Versions: WinRAR versions prior to 6.23 Beta 1.
   * Patch Information: WinRAR 6.23 Beta 1 Released.
 * CVE-2019-18935
   * Vendor: Progress Telerik
   * Affected Products and Versions: Telerik.Web.UI.dll versions: Q1 2011
     (2011.1.315) to R2 2017 SP1 (2017.2.621); R2 2017 SP2 (2017.2.711) to
     R3 2019 (2019.3.917); R3 2019 SP1 (2019.3.1023); R1 2020 (2020.1.114)
     and later.
   * Patch Information: Allows JavaScriptSerializer Deserialization.
   * Resources: Threat Actors Exploit Progress Telerik Vulnerabilities in
     Multiple U.S. Government IIS Servers.
 * CVE-2021-34473
   * Vendor: Microsoft
   * Affected Products and Versions: Exchange Server, multiple versions.
   * Patch Information: Microsoft Exchange Server Remote Code Execution
     Vulnerability, CVE-2021-34473.
   * Resources: Iranian Government-Sponsored APT Cyber Actors Exploiting
     Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of
     Malicious Activities.

 



TAGS

Co-Sealers and Partners: Federal Bureau of Investigation, Five Eyes, National
Security Agency

