The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three significant vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. These include a critical template injection flaw in the Rejetto HTTP File Server (CVE-2024-23692), a privilege escalation issue in Windows Hyper-V (CVE-2024-38080), and a spoofing vulnerability in the Windows MSHTML platform (CVE-2024-38112). The Rejetto flaw, with a CVSS score of 9.8, allows remote, unauthenticated attackers to execute arbitrary commands, posing a severe threat to affected systems.
Federal agencies are required to address these vulnerabilities by July 30, 2024, under Binding Operational Directive (BOD) 22-01. CISA also urges private organizations to review and mitigate these vulnerabilities to protect their infrastructure from potential exploits. Last week, CISA added a Cisco NX-OS Command Injection Vulnerability (CVE-2024-20399) to the KEV catalog, highlighting the ongoing need for vigilance in cybersecurity practices.