The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Catalog of Known Exploited Vulnerabilities (KEV) by adding two security vulnerabilities that are being actively exploited.
The vulnerabilities are listed below:
- CVE-2012-4792 (CVSS score: 9.3) – Microsoft Internet Explorer Use-After-Free Vulnerability
- CVE-2024-39891 (CVSS score: 5.3) – Twilio Authy Information Disclosure Vulnerability
CVE-2012-4792 is an old use-after-free flaw in Internet Explorer that can enable a remote attacker to execute unauthorized code via a specifically crafted website.

It is currently unclear whether this flaw has been used in recent exploitation attempts, although it was abused in watering hole attacks on the Council on Foreign Relations (CFR) and Capstone Turbine Corporation websites around December 2012.
By contrast, CVE-2024-39891 concerns an unauthenticated endpoint in Twilio Authy that could be abused to “accept a request containing a phone number and then respond with information about the registration status of the phone number with Authy.”
Recently, Twilio mentioned that the issue has been fixed in versions 25.1.0 (Android) and 26.1.0 (iOS) after unidentified threat actors exploited the weakness to access data associated with Authy accounts.
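To make the disclosure pattern behind CVE-2024-39891 concrete, here is an added Python example (not Twilio's or Authy's code; the handlers, phone numbers and caller identifiers are constructed): an unauthenticated lookup that reflects enrollment status beside a hardened version that returns a uniform response and budgets requests per caller, with a check a reviewer can run to flag the difference.

```python
"""Registration-status disclosure on an unauthenticated lookup, and a fix."""
from dataclasses import dataclass, field

# Constructed sample: phone numbers enrolled with a hypothetical MFA service.
REGISTERED = {"+15551230001", "+15551230002"}


def leaky_lookup(phone: str) -> dict:
    """Leaky handler: the response differs for enrolled and non-enrolled
    numbers, so anyone with a list of numbers can learn which are enrolled."""
    if phone in REGISTERED:
        return {"status": "registered"}
    return {"status": "not_registered"}


@dataclass
class HardenedLookup:
    """Same lookup with two mitigations: an identical response regardless of
    enrollment state, and a per-caller request budget (constructed policy)."""
    budget: int = 5
    _used: dict = field(default_factory=dict)

    def lookup(self, caller: str, phone: str) -> dict:
        used = self._used.get(caller, 0)
        if used >= self.budget:
            return {"status": "rate_limited"}
        self._used[caller] = used + 1
        # Any enrollment-dependent work (e.g. delivering a code only to an
        # enrolled number) happens internally; the result is never reflected.
        _enrolled = phone in REGISTERED
        return {"status": "accepted"}


def responses_distinguishable(handler, enrolled: str, not_enrolled: str) -> bool:
    """Review check: does the handler's response reveal enrollment state?
    True means the endpoint leaks, as the Authy endpoint did."""
    return handler(enrolled) != handler(not_enrolled)


if __name__ == "__main__":
    hardened = HardenedLookup(budget=3)
    print("leaky leaks:", responses_distinguishable(
        leaky_lookup, "+15551230001", "+15559990000"))
    print("hardened leaks:", responses_distinguishable(
        lambda p: hardened.lookup("client-A", p), "+15551230001", "+15559990000"))
```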
“These kinds of vulnerabilities are common entry points for malicious cyber attackers and pose substantial threats to the federal enterprise,” CISA said in an alert.
Federal Civilian Executive Branch (FCEB) agencies are obligated to address the identified weaknesses by August 13, 2024, to safeguard their networks against active cyber threats.
