The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws affecting Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerabilities in question are listed below:
- CVE-2017-3066 (CVSS score: 9.8) – A deserialization vulnerability in the Apache BlazeDS library bundled with Adobe ColdFusion that allows for arbitrary code execution. (Fixed in April 2017)
- CVE-2024-20953 (CVSS score: 8.8) – A deserialization vulnerability in Oracle Agile PLM that allows a low-privileged attacker with network access via HTTP to compromise the system. (Fixed in January 2024)
There are currently no public reports describing exploitation of these two vulnerabilities, although another flaw affecting Oracle Agile PLM (CVE-2024-21287, CVSS score: 7.5) came under active abuse late last year.
To mitigate the risk of attacks weaponizing these flaws, users are advised to apply the necessary updates. Federal Civilian Executive Branch (FCEB) agencies have until March 17, 2025, to secure their networks against the threats.
The development comes as threat intelligence firm GreyNoise revealed active exploitation attempts targeting CVE-2023-20198, a now-patched security flaw in the web UI of Cisco IOS XE devices.
As many as 110 malicious IPs, primarily originating from Bulgaria, Brazil, and Singapore, have been linked to the activity.
"Two malicious IPs exploited CVE-2018-0171 in December 2024 and January 2025, originating from Switzerland and the US — the same period when Salt Typhoon, a Chinese state-sponsored threat group, reportedly breached telecom networks using CVE-2023-20198 and CVE-2023-20273," the GreyNoise Research Team said.