US CISA added the following actively exploited flaws to its Known Exploited Vulnerabilities Catalog:
The CVE-2022-35914 flaw is a PHP code injection vulnerability that resides in the /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2.
A remote, unauthenticated attacker can exploit this flaw, via a specially crafted message, to execute arbitrary code.
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. A proof of concept (PoC) exploit code for this vulnerability was published on GitHub since December 2022.
Most of the attacks observed by cybersecurity firm GreyNoise originated from the U.S. and the Netherlands.
The CVE-2022-33891 flaw is a command injection vulnerability in the Apache Spark. In December 2022, Microsoft Threat Intelligence Center (MSTIC) researchers discovered a new variant of the Zerobot botnet (aka ZeroStresser) that was improved with the capabilities to target more Internet of Things (IoT) devices.
The variant spotted by Microsoft spreads by exploiting vulnerabilities in Apache and Apache Spark (CVE-2021-42013 and CVE-2022-33891 respectively) and also supports new DDoS attack capabilities.
The third vulnerability added to the catalog, tracked as CVE-2022-28810, is a remote code execution issue in Zoho ManageEngine ADSelfService Plus.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this flaw by March 28, 2023.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Known Exploited Vulnerabilities Catalog)