The United States Cybersecurity and Infrastructure Security Agency (CISA) has added ten new actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, the most notable of which affects industrial automation software from Delta Electronics.
The Delta Electronics issue, tracked as CVE-2021-38406 (CVSS score: 7.8), affects DOPSoft 2 versions 2.00.07 and prior and can lead to arbitrary code execution. The flaw was originally disclosed in September 2021.
In its advisory, CISA explains, "Delta Electronics DOPSoft 2 lacks proper validation of user-supplied data when parsing specific project files (improper input validation) resulting in an out-of-bounds write that allows for code execution."
CISA adds that the "impacted product is end-of-life and should be disconnected if still in use." Under Binding Operational Directive 22-01, which governs the KEV catalog, all US Federal Civilian Executive Branch (FCEB) agencies are required to remediate the flaw by September 15, 2022.
The additional vulnerabilities CISA has added to the catalog are:
CVE-2022-26352 - dotCMS Unrestricted Upload of File Vulnerability
CVE-2022-24706 - Apache CouchDB Insecure Default Initialization of Resource Vulnerability
CVE-2022-24112 - Apache APISIX Authentication Bypass Vulnerability
CVE-2022-22963 - VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability
CVE-2022-2294 - WebRTC Heap Buffer Overflow Vulnerability
CVE-2021-39226 - Grafana Authentication Bypass Vulnerability
CVE-2020-36193 - PEAR Archive_Tar Improper Link Resolution Vulnerability
CVE-2020-28949 - PEAR Archive_Tar Deserialization of Untrusted Data Vulnerability
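The practical follow-up to an announcement like this is to check whether anything in your own inventory carries a CVE that has just landed in the catalog, and how much time is left before its due date. The script below is an added example, not CISA's code or tooling. It parses a document in the shape of CISA's KEV JSON feed (the field names cveID, vendorProject, product, dateAdded, requiredAction and dueDate follow the public feed; treat that schema as an assumption and verify against the live feed) and cross-references a small asset list against it. The feed contents and the inventory are constructed for the example: the CVE IDs are the ones named in this article, the DOPSoft due date is the one the article reports, and every other value is made up.

```python
"""Cross-reference an asset inventory against a KEV-format feed (added example)."""
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names follow the
# public feed (assumed schema); CVE IDs are from the article; the DOPSoft due date
# is the one the article reports; all other values are invented for this example.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2022.09.08",
    "dateReleased": "2022-09-08T16:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {
            "cveID": "CVE-2021-38406",
            "vendorProject": "Delta Electronics",
            "product": "DOPSoft 2",
            "vulnerabilityName": "Delta Electronics DOPSoft 2 Out-of-Bounds Write Vulnerability",
            "dateAdded": "2022-09-08",
            "shortDescription": "Out-of-bounds write when parsing project files allows code execution.",
            "requiredAction": "The impacted product is end-of-life and should be disconnected if still in use.",
            "dueDate": "2022-09-15",
        },
        {
            "cveID": "CVE-2021-39226",
            "vendorProject": "Grafana Labs",
            "product": "Grafana",
            "vulnerabilityName": "Grafana Authentication Bypass Vulnerability",
            "dateAdded": "2022-09-08",
            "shortDescription": "Authentication bypass.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-09-29",
        },
        {
            "cveID": "CVE-2022-22963",
            "vendorProject": "VMware",
            "product": "Tanzu Spring Cloud Function",
            "vulnerabilityName": "VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability",
            "dateAdded": "2022-09-08",
            "shortDescription": "Remote code execution via SpEL expression injection.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-09-29",
        },
    ],
})

# Constructed inventory: (asset name, CVE known to affect it). The last entry is in
# the article's list but deliberately absent from the sample feed above.
SAMPLE_INVENTORY = [
    ("plant-hmi-01", "CVE-2021-38406"),
    ("grafana-prod", "CVE-2021-39226"),
    ("browser-fleet", "CVE-2022-2294"),
]


def load_kev(feed_text):
    """Parse a KEV-format JSON document into a dict keyed by CVE ID.

    Fails loudly if the feed's own 'count' disagrees with the entries actually
    present, which is the cheapest sanity check on a truncated download."""
    feed = json.loads(feed_text)
    entries = {v["cveID"]: v for v in feed["vulnerabilities"]}
    if "count" in feed and feed["count"] != len(entries):
        raise ValueError("KEV count field does not match number of entries")
    return entries


def triage(kev, inventory, today_iso):
    """Return one finding per inventory item that appears in KEV, most urgent first.

    days_left is negative once the due date has passed; end_of_life is set when
    CISA's required action says the product is end-of-life (disconnect, not patch)."""
    today = date.fromisoformat(today_iso)
    findings = []
    for asset, cve in inventory:
        entry = kev.get(cve)
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        findings.append({
            "asset": asset,
            "cve": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due_date": due.isoformat(),
            "days_left": (due - today).days,
            "end_of_life": "end-of-life" in entry["requiredAction"].lower(),
        })
    findings.sort(key=lambda f: f["days_left"])
    return findings


def not_in_kev(kev, inventory):
    """CVEs from the inventory that the feed does not (yet) list."""
    return sorted({cve for _, cve in inventory if cve not in kev})


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_FEED)
    for f in triage(catalog, SAMPLE_INVENTORY, "2022-09-20"):
        status = "OVERDUE" if f["days_left"] < 0 else f'{f["days_left"]} days left'
        action = "disconnect" if f["end_of_life"] else "patch"
        print(f'{f["asset"]}: {f["cve"]} ({f["product"]}) due {f["due_date"]} - {status}, {action}')
    print("not in KEV:", not_in_kev(catalog, SAMPLE_INVENTORY))
```

To run this against the real catalog, replace SAMPLE_KEV_FEED with the downloaded feed text and SAMPLE_INVENTORY with CVE output from your scanner; the sort by days_left puts overdue and end-of-life items at the top, which is the order a remediation queue should follow.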
iOS and macOS flaws added to the list