The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws impacting Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerabilities in question are listed below –
- CVE-2017-3066 (CVSS score: 9.8) – A deserialization vulnerability impacting Adobe ColdFusion in the Apache BlazeDS library that allows for arbitrary code execution. (Fixed in April 2017)
- CVE-2024-20953 (CVSS score: 8.8) – A deserialization vulnerability impacting Oracle Agile PLM that allows a low-privileged attacker with network access via HTTP to compromise the system. (Fixed in January 2024)
There are currently no public reports referencing the exploitation of the vulnerabilities, although another flaw impacting Oracle Agile PLM (CVE-2024-21287, CVSS score: 7.5) came under active abuse late last year.
To mitigate the risks posed by potential attacks weaponizing these flaws, it's recommended that users take steps to apply the necessary updates. Federal agencies have until March 17, 2025, to secure their networks against the threats.
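A KEV addition is only useful if it is matched against what you actually run. The following is an added example (not code from CISA, Adobe, Oracle, or the article) that indexes a KEV-style catalog excerpt and triages a scanner inventory against it, ranking findings by the remaining time to the CISA due date (the deadline federal civilian agencies must meet under BOD 22-01). It assumes the public KEV JSON field names (cveID, vendorProject, product, dueDate, and so on); the catalog excerpt and the inventory are constructed, and only the two CVE IDs, the affected products, and the 2025-03-17 due date are taken from the article.

```python
"""Triage CISA KEV additions against an asset inventory.

Added example, not CISA's or the article's own code. The catalog excerpt
below mirrors the public KEV JSON schema but is constructed for this
example: the CVE IDs, products and the 2025-03-17 due date come from the
article; dateAdded and the requiredAction wording are assumptions.
"""
import json
from datetime import date

# Constructed KEV excerpt (the real feed is far larger, so anything absent
# from this excerpt is simply treated as "not in KEV" here).
KEV_JSON = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2017-3066",
            "vendorProject": "Adobe",
            "product": "ColdFusion",
            "vulnerabilityName": "Adobe ColdFusion Deserialization Vulnerability",
            "dateAdded": "2025-02-24",  # assumed
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2025-03-17",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2024-20953",
            "vendorProject": "Oracle",
            "product": "Agile Product Lifecycle Management (PLM)",
            "vulnerabilityName": "Oracle Agile PLM Deserialization Vulnerability",
            "dateAdded": "2025-02-24",  # assumed
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2025-03-17",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ]
})

# Constructed inventory: hostname -> CVE IDs reported by a vulnerability scanner.
INVENTORY = {
    "cf-prod-01": {"CVE-2017-3066"},
    "plm-app-02": {"CVE-2024-20953"},
    "db-03": set(),
}


def load_kev(text: str) -> dict:
    """Index KEV entries by CVE ID, parsing dueDate into a date object."""
    catalog = {}
    for entry in json.loads(text)["vulnerabilities"]:
        catalog[entry["cveID"]] = {
            **entry,
            "dueDate": date.fromisoformat(entry["dueDate"]),
        }
    return catalog


def triage(catalog: dict, inventory: dict, today_iso: str) -> list:
    """Return (host, cve, days_left) for every finding that is in KEV,
    most urgent first. A negative days_left means the due date has passed."""
    today = date.fromisoformat(today_iso)
    hits = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = catalog.get(cve)
            if entry is None:
                continue  # not in KEV: falls under the normal patch cadence
            days_left = (entry["dueDate"] - today).days
            hits.append((host, cve, days_left))
    # Sort by time remaining, then hostname, so the report is deterministic.
    hits.sort(key=lambda h: (h[2], h[0]))
    return hits


def overdue(hits: list) -> list:
    """Subset of triage() output whose KEV due date has already passed."""
    return [h for h in hits if h[2] < 0]


if __name__ == "__main__":
    catalog = load_kev(KEV_JSON)
    for host, cve, days_left in triage(catalog, INVENTORY, "2025-03-01"):
        entry = catalog[cve]
        print(f"{host}: {cve} ({entry['vendorProject']} {entry['product']}) "
              f"due {entry['dueDate']}, {days_left} day(s) left")
```

In practice the catalog text comes from CISA's published KEV JSON feed and the inventory from your scanner's export; the sorting by days remaining is what turns a KEV bulletin into an ordered patch queue, and the overdue list is the one to escalate.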
The development comes as threat intelligence firm GreyNoise revealed active exploitation attempts targeting CVE-2023-20198, a now-patched security flaw affecting susceptible Cisco devices.
As many as 110 malicious IPs, primarily originating from Bulgaria, Brazil, and Singapore, have been linked to the malicious activity.
“Two malicious IPs exploited CVE-2018-0171 in December 2024 and January 2025, originating from Switzerland and the United States — the same period when Salt Typhoon, a Chinese state-sponsored threat group, reportedly breached telecom networks using CVE-2023-20198 and CVE-2023-20273,” the GreyNoise Research Team said.