9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.69 Medium
EPSS
Percentile
97.6%
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation, while removing five bugs from the list due to lack of adequate evidence.
The vulnerabilities newly added are below -
CVE-2023-42793 relates to a critical authentication bypass vulnerability that allows for remote code execution on TeamCity Server. Data gathered by GreyNoise has revealed exploitation attempts targeting the flaw from 74 unique IP addresses to date.
On the other hand, CVE-2023-28229 is a high-severity flaw in the Microsoft Windows Cryptographic Next Generation (CNG) Key Isolation Service that allows an attacker to gain specific limited SYSTEM privileges.
There are currently no public reports documenting in-the-wild exploitation of the bug, and CISA has not disclosed any further details about the attacks or exploitation scenarios. A proof-of-concept (PoC) was made available early last month.
Microsoft, for its part, tagged CVE-2023-28229 with an âExploitation Less Likelyâ assessment. It was patched by the tech giant as part of Patch Tuesday updates released in April 2023.
The cybersecurity agency has also removed five flaws affecting Owl Labs Meeting Owl from the KEV catalog, citing âinsufficient evidence.â
While CVE-2022-31460 was added in June 2022, four other vulnerabilities (CVE-2022-31459, CVE-2022-31461, CVE-2022-31462, and CVE-2022-31463) were added on September 18, 2023.
In light of the active exploitation of the two flaws, Federal Civilian Executive Branch (FCEB) agencies are required to apply the vendor-provided patches by October 25, 2023, to secure their networks against potential threats.
Found this article interesting? Follow us on Twitter ď and LinkedIn to read more exclusive content we post.
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.69 Medium
EPSS
Percentile
97.6%