The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws affecting Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerabilities in question are listed below –
- CVE-2017-3066 (CVSS score: 9.8) – A deserialization vulnerability affecting Adobe ColdFusion in the Apache BlazeDS library that allows for arbitrary code execution. (Fixed in April 2017)
- CVE-2024-20953 (CVSS score: 8.8) – A deserialization vulnerability affecting Oracle Agile PLM that allows a low-privileged attacker with network access via HTTP to compromise the system. (Fixed in January 2024)
There are currently no public reports referencing the exploitation of the vulnerabilities, although another flaw affecting Oracle Agile PLM (CVE-2024-21287, CVSS score: 7.5) came under active abuse late last year.
To mitigate the risks posed by potential attacks weaponizing these flaws, it is recommended that users take steps to apply the necessary updates. Federal agencies have until March 17, 2025, to secure their networks against the threats.
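For defenders who track KEV additions against their own estate, the following is an added example (not code from the article, CISA, Adobe or Oracle) that matches a KEV-style feed excerpt against an asset inventory and reports how many days remain before each CISA due date. The CVE identifiers and the March 17, 2025 deadline come from the article; the feed field names (`cveID`, `vendorProject`, `product`, `dueDate`) mirror my understanding of CISA's public KEV JSON feed and should be treated as an assumption, and the vendor/product strings and hostnames are constructed sample data.

```python
"""Match a KEV-style feed against an asset inventory and flag remediation deadlines.

Added example, not code from the article or from CISA. Field names follow
CISA's public KEV JSON feed as I understand it (assumption: verify against the
live feed before relying on them).
"""
import json
from datetime import date

# Constructed feed excerpt: CVE ids and due date are from the article; the
# vendorProject/product strings are an assumption about how the feed labels them.
KEV_FEED_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-2017-3066", "vendorProject": "Adobe",
     "product": "ColdFusion", "dueDate": "2025-03-17"},
    {"cveID": "CVE-2024-20953", "vendorProject": "Oracle",
     "product": "Agile Product Lifecycle Management (PLM)", "dueDate": "2025-03-17"}
  ]
}
"""

# Constructed asset inventory as a defender might export it: (hostname, vendor, product).
INVENTORY = [
    ("cf-prod-01", "Adobe", "ColdFusion"),
    ("plm-app-02", "Oracle", "Agile Product Lifecycle Management (PLM)"),
    ("web-edge-03", "nginx", "nginx"),
]


def load_feed(raw: str) -> list:
    """Parse the feed document and return its list of vulnerability entries."""
    return json.loads(raw)["vulnerabilities"]


def kev_hits(feed: list, inventory: list, as_of: date) -> list:
    """Return one record per (asset, KEV entry) pair whose vendor and product
    match, with days left before the due date (negative means overdue).
    Records are sorted so the most urgent items come first."""
    hits = []
    for host, vendor, product in inventory:
        for entry in feed:
            same_vendor = entry["vendorProject"].casefold() == vendor.casefold()
            same_product = entry["product"].casefold() == product.casefold()
            if same_vendor and same_product:
                due = date.fromisoformat(entry["dueDate"])
                hits.append({"host": host, "cve": entry["cveID"],
                             "days_left": (due - as_of).days})
    return sorted(hits, key=lambda h: h["days_left"])


def overdue(feed: list, inventory: list, as_of: date) -> list:
    """Subset of kev_hits whose due date has already passed on the given day."""
    return [h for h in kev_hits(feed, inventory, as_of) if h["days_left"] < 0]


if __name__ == "__main__":
    feed = load_feed(KEV_FEED_JSON)
    for hit in kev_hits(feed, INVENTORY, date.today()):
        print(f"{hit['host']}: {hit['cve']} due in {hit['days_left']} days")
```

The match is on exact vendor and product names only; the KEV feed carries no version ranges, so every hit still needs a version check against the vendor advisory before it is closed, and any renamed or rebranded product in your inventory will silently miss.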
The development comes as threat intelligence firm GreyNoise revealed active exploitation attempts targeting CVE-2023-20198, a now-patched security flaw affecting vulnerable Cisco devices.
As many as 110 malicious IPs, primarily originating from Bulgaria, Brazil, and Singapore, have been linked to the malicious activity.
“Two malicious IPs exploited CVE-2018-0171 in December 2024 and January 2025, originating from Switzerland and the US — the same period when Salt Typhoon, a Chinese state-sponsored threat group, reportedly breached telecom networks using CVE-2023-20198 and CVE-2023-20273,” the GreyNoise Research Team said.