CISA Adds Microsoft and Rejetto Flaws to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three significant vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. These include a critical template injection flaw in the Rejetto HTTP File Server (CVE-2024-23692), a privilege escalation issue in Windows Hyper-V (CVE-2024-38080), and a spoofing vulnerability in the Windows MSHTML platform (CVE-2024-38112). The Rejetto flaw, with a CVSS score of 9.8, allows remote, unauthenticated attackers to execute arbitrary commands, posing a severe threat to affected systems.

Federal agencies are required to remediate these vulnerabilities by July 30, 2024, under Binding Operational Directive (BOD) 22-01. CISA also urges private organizations to review and mitigate them to protect their infrastructure from exploitation. Last week, CISA added a Cisco NX-OS command injection vulnerability (CVE-2024-20399) to the KEV catalog, highlighting the ongoing need for vigilance in patch management.