Certified Information Systems Auditor Includes Four Weaknesses in Repository for Federal Organization

AndyC 6 February 2025

The U.S. Cybersecurity and Infrastructure Security Agency has appended four weaknesses to its compilation of Recognized Exploited Vulnerabilities, urging federal entities to promptly act.

CISA Adds Four Vulnerabilities to Catalog for Federal Enterprise

The U.S. Cybersecurity and Infrastructure Security Agency has appended four weaknesses to its compilation of Recognized Exploited Vulnerabilities, urging federal entities to promptly act. While the directive focuses mainly on Federal Civilian Executive Branch organizations, the announcement acts as a stimulus for all establishments to evaluate their security stance and safeguard against emerging digital hazards.

What are the four vulnerabilities?

The four weaknesses are:

  • CVE-2024-45195: A direct request (or ‘Forced Browsing’) weakness found in the Apache OFBiz ERP system. This weakness, which was fixed in September 2024, allows a malicious actor to execute arbitrary code on the server using URLs, scripts, or files.
  • CVE-2024-29059: A .NET Framework Information Disclosure Weakness in the Microsoft .NET Framework versions 3.5 and 4.8. Specifically, it could generate an error message revealing sensitive details like passwords or the complete path of the installed application. The error could arise in various forms, automatically triggered by the source code or by a language interpreter or external component. The weakness was fixed in March 2024.
  • CVE-2018-9276: A flaw in PRTG Network Monitor that permits a malicious actor with administrative privileges on the PRTG System Administrator to exploit an OS command injection vulnerability. This was rectified in 2018.
  • CVE-2018-19410 represents another vulnerability in PRTG Network Monitor. By exploiting this, an attacker can deploy HTTP requests and carry out a Local File Inclusion assault to create users with read-write permissions (including administrator). This was addressed in 2018.

SEE: The U.K. has introduced a pioneering Cyber Code of Practice to assist developers, system operators, and organizations in securely managing AI.

“These kinds of weaknesses are common entry points for malicious digital offenders and pose substantial risks to the federal body,” stated CISA in its alert.

Monitoring recognized exploited vulnerabilities can fortify an entity’s overall security stance. In this instance, the software companies have rectified the vulnerabilities — sometimes years ago — and users are not required to take any action. Furthermore, these vulnerabilities underscore the significance of adhering to and reporting security in vital sectors.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , , , , ,

More Stories

Enhancing security awareness with cyber risk exposure management

Enhancing security awareness with cyber risk exposure management

AndyC 17 December 2025

4.3B LinkedIn-Style Records Found in One of the Largest Data Exposures Ever

AndyC 17 December 2025

Google to Kill Popular Dark Web Report Tool

AndyC 17 December 2025

Coupang CEO Quits After Breach Hits 33.7M South Koreans

AndyC 17 December 2025

Fake ‘Leonardo DiCaprio’ Torrent Spreads Agent Tesla Malware

AndyC 17 December 2025
Cyber Risk Management: Defenders Tell It Like It Is

Cyber Risk Management: Defenders Tell It Like It Is

AndyC 16 December 2025

You may have missed

SonicWall warns of actively exploited flaw in SMA 100 AMC

SonicWall warns of actively exploited flaw in SMA 100 AMC

AndyC 18 December 2025
Why Venture Capital Is Betting Against Traditional SIEMs

Why Venture Capital Is Betting Against Traditional SIEMs

AndyC 18 December 2025
CVE-2025-40602: SonicWall Secure Mobile Access (SMA) 1000 Zero-Day Exploited

CVE-2025-40602: SonicWall Secure Mobile Access (SMA) 1000 Zero-Day Exploited

AndyC 18 December 2025
Enterprise Spotlight: Setting the 2026 IT agenda

The Hidden Cost of “AI on Every Alert” (And How to Fix It)

AndyC 18 December 2025
SonicWall Fixes Actively Exploited CVE-2025-40602 in SMA 100 Appliances

SonicWall Fixes Actively Exploited CVE-2025-40602 in SMA 100 Appliances

AndyC 18 December 2025

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.