The Cybersecurity and Infrastructure Security Agency (CISA) has announced the addition of five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of their active exploitation. These vulnerabilities, spanning across widely used software products, pose notable risks to organizational cybersecurity. CISA’s ongoing updates to the KEV Catalog emphasize the agency’s commitment to tracking and remediating high-risk vulnerabilities within the federal enterprise and beyond.
New Additions to the Known Exploited Vulnerabilities Catalog
The newly added vulnerabilities include:
- CVE-2021-26086 – Atlassian Jira Server and Data Center Path Traversal Vulnerability
This vulnerability in Atlassian Jira Server and Data Center allows attackers to read restricted files within the system. Exploiting this flaw involves a path traversal attack, which could enable unauthorized file access, leading to information disclosure and possible lateral movement within the compromised network. - CVE-2014-2120 – Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability
Found in Cisco’s ASA, this cross-site scripting vulnerability allows attackers to inject malicious scripts into the WebVPN login page, potentially compromising user sessions and manipulating sensitive data. The vulnerability affects specific WebVPN configurations, highlighting a need for close attention to firewall settings and configurations on Cisco ASA devices. - CVE-2021-41277 – Metabase GeoJSON API Local File Inclusion Vulnerability
Metabase’s GeoJSON API includes a local file inclusion vulnerability in the custom map support API for GeoJSON data handling. Attackers exploiting this vulnerability may gain access to sensitive files and data within the host environment. Organizations using Metabase should prioritize applying patches to prevent potential unauthorized access through this API. - CVE-2024-43451 – Microsoft Windows NTLMv2 Hash Disclosure Spoofing Vulnerability
This vulnerability in Microsoft Windows discloses the NTLMv2 hash, which could be exploited by an attacker to impersonate the compromised user. This hash disclosure can occur during a file open operation, creating a potential entry point for adversaries to access privileged information or systems. - CVE-2024-49039 – Microsoft Windows Task Scheduler Privilege Escalation Vulnerability
In Microsoft Windows, a privilege escalation vulnerability in the Task Scheduler could enable attackers to access functions outside of an AppContainer’s restrictions, allowing elevated privileges and access to sensitive system areas. Privilege escalation vulnerabilities such as this are often used in complex attack chains, underscoring the need for immediate patching.
Understanding the Risks and the Role of the KEV Catalog
These newly listed vulnerabilities demonstrate the wide range of attack methods—path traversal, cross-site scripting, local file inclusion, hash disclosure, and privilege escalation—favored by cyber attackers to breach defenses. When exploited, these vulnerabilities could lead to unauthorized access, data exfiltration, and potentially complete control over compromised systems.
The Known Exploited Vulnerabilities (KEV) Catalog was established by CISA as a central resource through Binding Operational Directive (BOD) 22-01, which aims to reduce the risks posed by actively exploited vulnerabilities. BOD 22-01 requires that all Federal Civilian Executive Branch (FCEB) agencies remediate vulnerabilities listed in the KEV Catalog by their specified due dates. By enforcing these timely remediations, the directive strengthens defenses against active threats targeting federal networks.
Key Requirements and Actions for Organizations
While BOD 22-01 applies specifically to FCEB agencies, CISA strongly encourages all organizations to incorporate the KEV Catalog into their cybersecurity management frameworks. By aligning remediation priorities with the KEV Catalog, organizations can improve their resilience against known vulnerabilities that attackers are actively exploiting. Below is a summary of each new vulnerability’s recommended actions and the associated remediation deadlines:
- CVE-2021-26086 (Atlassian Jira Server and Data Center): Mitigation efforts should follow Atlassian’s guidelines, or usage should be discontinued if patches are unavailable.
- CVE-2014-2120 (Cisco ASA): Organizations are urged to apply Cisco-provided patches or to disable the WebVPN feature if patches cannot be implemented.
- CVE-2021-41277 (Metabase GeoJSON API): Follow Metabase’s official instructions for patching or disabling vulnerable services if no fixes are available.
- CVE-2024-43451 (Microsoft Windows NTLMv2 Hash Disclosure): Microsoft’s guidance should be applied to prevent hash spoofing attacks, and usage should cease in environments where patches are impractical.
- CVE-2024-49039 (Microsoft Windows Task Scheduler Privilege Escalation): Organizations should immediately implement vendor-specific patches or discontinue use until mitigation is possible.
Each vulnerability added to the KEV Catalog is assigned a due date for remediation. For these five vulnerabilities, CISA has set a due date of December 3, 2024.
Practical Steps for Effective Vulnerability Management
To maximize protection, CISA advises that organizations use the KEV Catalog as part of a broader vulnerability management program. This can involve:
- Regularly Check the KEV Catalog: The KEV Catalog is continuously updated to reflect newly identified vulnerabilities. Integrating these updates into organizational cybersecurity protocols ensures that high-risk vulnerabilities are prioritized.
- Adopting a Risk-Based Approach: Prioritizing vulnerabilities based on risk to the organization can improve resource allocation and ensure timely responses to critical threats. The KEV Catalog provides a risk-based framework by highlighting actively exploited vulnerabilities, enabling security teams to focus on what matters most.
- Implementing Timely Patching and Mitigation: Applying patches is often the most straightforward method for neutralizing a vulnerability. However, if a patch is unavailable, alternative mitigations, such as disabling certain features or services, should be implemented to limit exposure.
- Engaging with Vendors for Guidance: In cases where mitigation instructions are complex or when a patch might affect system functionality, collaboration with software vendors is essential for secure deployment and risk reduction.
Conclusion
CISA’s KEV Catalog remains an essential tool for federal agencies and private sector organizations alike. With the addition of these five vulnerabilities, the catalog reinforces its role as an authoritative source for vulnerabilities that have been exploited in real-world cyberattacks.
Organizations are encouraged to act swiftly by remediating these vulnerabilities according to CISA’s recommendations. For organizations across sectors, leveraging resources like the KEV Catalog is critical to staying ahead of attackers and ensuring a strong security posture.
