Pierluigi Paganini December 23, 2024

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Acclaim Systems USAHERDS flaw to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Acclaim Systems USAHERDS vulnerability, tracked as CVE-2021-44207 (CVSS score: 8.1) to its Known Exploited Vulnerabilities (KEV) catalog.

USAHERDS, developed by Acclaim Systems, is a web-based application designed to assist U.S. state governments in tracking and managing animal health and disease outbreaks. It is part of the AgraGuard suite of products, which includes USAHERDS, USALIMS, USAPlants, USAFoodSafety, and USAMeals, aimed at supporting agricultural and food safety operations.

The vulnerability was exploited by the Chinese cyber-espionage group APT41 to breach multiple U.S. state government networks.

The flaw stems from the use of hard-coded credentials vulnerability, it impacts Acclaim USAHERDS web application 7.4.0.1 and earlier. An attacker who knows static ValidationKey and DecryptionKey values can exploit them to execute arbitrary code on the system that runs the application.

Attackers can craft malicious ViewState data to bypass MAC checks, and trigger server-side code execution.

“The Acclaim USAHERDS web application 7.4.0.1 and Earlier, builds prior to November 2021, used static ValidationKey and DecryptionKey values.” reads the advisory. “High – Knowledge of the ValidationKey and DecryptionKey can be used to achieve Remote Code Execution on the system that runs the application.”

Security researchers Douglas Bienstock from Mandiant reported the issue to the company. Acclaim Systems addressed this issue by releasing a patch in November 2021 to remediate the vulnerability.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by January 13, 2025.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA Known Exploited Vulnerabilities catalog)