US CISA added actively exploited flaws in IBM Aspera Faspex and Mitel MiVoice to its Known Exploited Vulnerabilities Catalog.
US CISA added the following actively exploited flaws to its Known Exploited Vulnerabilities Catalog:
CVE-2022-47986 (CVSS score: 9.8) – IBM Aspera Faspex Code Execution Vulnerability – A remote attacker can trigger the vulnerability to execute arbitrary code on the system. The issue is caused by a YAML deserialization issue. Researchers from the Shadowserver Foundation confirmed the active exploitation of the vulnerability in the wild. Researchers from security firm Assetnote published a proof-of-concept (PoC) exploit code earlier this month.
CVE-2022-41223 (CVSS score: 6.8) – Mitel MiVoice Connect Code Injection Vulnerability – An authenticated attacker with internal network access can trigger the flaw to execute code within the context of the application.
CVE-2022-40765 (CVSS score: 6.8) – The Mitel Edge Gateway component of MiVoice Connect allows an authenticated attacker with internal network access to execute commands within the context of the system.
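The root cause named for the first entry, a YAML deserialization issue, is a bug class in which a loader that honours type tags constructs whatever object the document names. The following is an added illustration of the defensive pattern, not code from the advisory, IBM or Mitel; Ruby and its standard Psych library are assumed here as the implementation language, and the package metadata shape is constructed for the example:

```ruby
require "yaml"

# Constructed benign document of the shape a file-transfer service
# might accept as package metadata (not an Aspera Faspex format).
BENIGN_YAML = <<~YAML
  package:
    title: quarterly-report
    recipients: [alice, bob]
    size_bytes: 1048576
YAML

# Constructed document carrying a Ruby object tag. A tag-honouring
# loader would instantiate the class named in the tag; safe_load
# refuses any class that is not explicitly permitted.
TAGGED_YAML = <<~YAML
  package: !ruby/object:Object {}
YAML

# Parse untrusted YAML into plain data only (hashes, arrays, strings,
# numbers, booleans, nil). Symbols are allowlisted because Rails-style
# code often relies on them; no other class may be constructed, and
# aliases are disabled to block alias-expansion denial of service.
def parse_untrusted_yaml(text)
  YAML.safe_load(text, permitted_classes: [Symbol], aliases: false)
end

# Wrapper returning a status tuple instead of raising, for callers
# that log and reject bad input rather than crash the request.
def load_package_metadata(text)
  data = parse_untrusted_yaml(text)
  return [:error, "top-level document must be a mapping"] unless data.is_a?(Hash)
  [:ok, data]
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  [:error, "#{e.class}: #{e.message}"]
end

if __FILE__ == $PROGRAM_NAME
  p load_package_metadata(BENIGN_YAML)   # [:ok, {...}]
  p load_package_metadata(TAGGED_YAML)   # [:error, "Psych::DisallowedClass: ..."]
end
```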
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix these flaws by March 14, 2023.