The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog.
The most critical of the three is CVE-2022-35914, a remote code execution vulnerability in the third-party library htmlawed present in Teclib GLPI.
The Shadowserver Foundation noted exploitation attempts against its honeypots in October 2022, and data gathered by GreyNoise has revealed 40 malicious IP addresses attempting to abuse the shortcoming.
The second flaw is an unauthenticated command injection vulnerability in Apache Spark that has been exploited by the Zerobot botnet to co-opt susceptible devices with the goal of carrying out distributed denial-of-service (DDoS) attacks.
Lastly, a remote code execution flaw in Zoho ManageEngine ADSelfService Plus, patched in April 2022, allowed arbitrary code to be executed when a user performed a password change or reset.
Cybersecurity company Rapid7 detected active exploitation attempts by threat actors to execute arbitrary OS commands in order to gain persistence on the underlying system and attempt to pivot further into the environment.
This development comes as API security firm Wallarm found ongoing exploit attempts of two VMware NSX Manager flaws since December 2022 that could be leveraged to execute malicious code and siphon sensitive data.
The specifics surrounding the nature of attacks are unknown, but a cURL-based one-line proof of concept (PoC) has been made available on GitHub and a “mass” scanner has been advertised for sale.