Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws impacting software from Cisco, Hitachi Vantara, Microsoft Windows, and Progress WhatsUp Gold to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The list of vulnerabilities is as follows - CVE-2023-20118 (CVSS score: 6.5) - A command injection
Analysis Summary
# Vulnerability: Five Flaws Added to CISA KEV Catalog with Active Exploitation
## CVE Details
- CVE ID: CVE-2023-20118
  - CVSS Score: 6.5 (Medium)
  - CWE: Command Injection
- CVE ID: CVE-2022-43939
  - CVSS Score: 8.6 (High)
  - CWE: Authorization Bypass/Improper Access Control (inferred from the use of non-canonical URL paths in authorization decisions)
- CVE ID: CVE-2022-43769
  - CVSS Score: 8.8 (High)
  - CWE: Special Element Injection
- CVE ID: CVE-2018-8639
  - CVSS Score: 7.8 (High)
  - CWE: Improper Resource Shutdown or Release (Use-After-Free likely)
- CVE ID: CVE-2024-4885
  - CVSS Score: 9.8 (Critical)
  - CWE: Path Traversal
## Affected Systems
- **CVE-2023-20118:** Cisco Small Business RV Series routers (specific versions not provided; exploitation noted on unpatched end-of-life devices).
- **CVE-2022-43939 & CVE-2022-43769:** Hitachi Vantara Pentaho BA Server.
- **CVE-2018-8639:** Microsoft Windows Win32k.
- **CVE-2024-4885:** Progress WhatsUp Gold.
- **Versions:**
  - **CVE-2022-43939 & CVE-2022-43769:** Versions before 9.3.0.2 and 9.4.0.1.
  - **CVE-2018-8639:** Versions prior to the December 2018 patch release.
  - **CVE-2024-4885:** Versions before 2023.1.3.
- **Configurations:**
  - **CVE-2023-20118:** Requires an authenticated user with access to the web-based management interface. Devices remain unpatched because they have reached end-of-life status.
## Vulnerability Description
- **CVE-2023-20118 (Cisco):** A command injection vulnerability exists in the web-based management interface of Cisco Small Business RV Series routers. Successful exploitation allows an authenticated, remote attacker to gain root-level privileges and access unauthorized data.
- **CVE-2022-43939 (Hitachi Vantara):** An authorization bypass vulnerability in Pentaho BA Server stemming from incorrect handling of non-canonical URL paths during authorization decisions.
- **CVE-2022-43769 (Hitachi Vantara):** A special element injection vulnerability in Pentaho BA Server allowing an attacker to inject Spring templates into properties files, leading to arbitrary command execution.
- **CVE-2018-8639 (Microsoft):** An improper resource shutdown or release issue in Microsoft Windows Win32k, enabling a local, authenticated attacker to escalate privileges and run arbitrary code in kernel mode.
- **CVE-2024-4885 (Progress):** A path traversal vulnerability in Progress WhatsUp Gold that permits an unauthenticated attacker to achieve remote code execution (RCE).
## Exploitation
- **Status (General):** All five vulnerabilities have been added to CISA's KEV catalog, indicating evidence of active exploitation.
- **CVE-2023-20118:** Actively abused to rope susceptible routers into the PolarEdge botnet (reported last week).
- **CVE-2024-4885:** Exploitation attempts observed as of August 1, 2024.
- **Complexity:** Varies; CVE-2024-4885 presents the lowest barrier, since it is unauthenticated RCE.
- **Attack Vector:**
  - Remote (network) for CVE-2023-20118 (authenticated) and CVE-2024-4885 (unauthenticated RCE).
  - Local for CVE-2018-8639 (authenticated).
## Impact
- **CVE-2023-20118:** Confidentiality (Unauthorized Data Access), Integrity (Root-level privileges).
- **CVE-2022-43939:** Integrity/Availability (Authorization bypass).
- **CVE-2022-43769:** Integrity/Confidentiality (Arbitrary Command Execution).
- **CVE-2018-8639:** Integrity/Confidentiality (Kernel-mode code execution, privilege escalation).
- **CVE-2024-4885:** Confidentiality/Integrity/Availability (Remote Code Execution).
## Remediation
### Patches
- **CVE-2023-20118:** No patch available as the affected Cisco RV Series routers have reached end-of-life status. **(Requires replacement or isolation, see Workarounds)**.
- **CVE-2022-43939 & CVE-2022-43769:** Fixed in Hitachi Vantara Pentaho BA Server versions **9.3.0.2** and **9.4.0.1** (Fixed in August 2024).
- **CVE-2018-8639:** Patched by Microsoft in **December 2018**. Users should apply relevant Windows updates released since then.
- **CVE-2024-4885:** Fixed in Progress WhatsUp Gold version **2023.1.3** (Fixed in June 2024).
### Workarounds
- **CVE-2023-20118 (Cisco EoL):** Due to end-of-life status, organizations must secure or replace these routers. Isolation or enhanced monitoring is critical.
## Detection
- **Indicators of Compromise (IoCs):**
  - Exploitation attempts targeting CVE-2024-4885 were observed by the Shadowserver Foundation.
  - Threat actors are abusing CVE-2023-20118 to onboard routers into the PolarEdge botnet.
- **Detection Methods and Tools:**
  - Monitor network traffic to Progress WhatsUp Gold for unusual path traversal sequences (for CVE-2024-4885).
  - Monitor Cisco Small Business RV devices for evidence of unauthorized configuration changes or reverse shells indicative of root access (for CVE-2023-20118).
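Two of the findings above come down to the same operation on a request path: CVE-2022-43939 (authorization decided on a non-canonical URL path) and the detection advice for CVE-2024-4885 (spotting path traversal sequences). The Python below is an added illustration, not code from CISA, Hitachi Vantara or Progress; the log lines, the `/console` and `/admin` paths, and the function names are constructed for it. It canonicalizes a path once (repeated percent-decoding, `;` path parameters, backslashes, dot segments) and uses that both to flag traversal attempts in access logs and to contrast an authorization check on the raw path with one on the canonical path.

```python
import re
from urllib.parse import unquote
# Constructed access-log lines (hypothetical; not taken from the report or any vendor).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2024:10:01:02 +0000] "GET /console/reports/overview HTTP/1.1" 200 512
10.0.0.9 - - [01/Aug/2024:10:01:07 +0000] "GET /console/..%2f..%2fwindows/win.ini HTTP/1.1" 200 98
10.0.0.9 - - [01/Aug/2024:10:01:09 +0000] "GET /console/%252e%252e/%252e%252e/secret HTTP/1.1" 404 0
10.0.0.7 - - [01/Aug/2024:10:02:00 +0000] "GET /console/static/../index.html HTTP/1.1" 200 77
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3}')

def canonicalize(path):
    """Return (canonical path, '..' segments seen, '..' segments that escaped the root)."""
    decoded = path.split("?", 1)[0]
    for _ in range(3):                   # decode repeatedly to defeat double encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    stack, dotdot, escapes = [], 0, 0
    for seg in decoded.replace("\\", "/").split("/"):
        seg = seg.split(";", 1)[0]       # drop ';jsessionid=...'-style path parameters
        if seg in ("", "."):
            continue
        if seg == "..":
            dotdot += 1
            escapes += not stack         # '..' with nothing left to pop leaves the root
            stack = stack[:-1]
            continue
        stack.append(seg)
    return "/" + "/".join(stack), dotdot, escapes

def find_traversal_attempts(log_text):
    """Flag requests whose decoded path contains '..'; note whether they escaped the root."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            canon, dotdot, escapes = canonicalize(m["path"])
            if dotdot:
                hits.append((m["ip"], m["path"], canon, escapes > 0))
    return hits
PROTECTED = "/admin"   # hypothetical prefix that should require the admin role

def authorized_raw(raw_path, is_admin):        # weak: decides on the path as received
    return is_admin or not raw_path.startswith(PROTECTED)

def authorized_canonical(raw_path, is_admin):  # hardened: canonicalize, then decide
    canon, _, _ = canonicalize(raw_path)
    return is_admin or not (canon == PROTECTED or canon.startswith(PROTECTED + "/"))
```

With the sample log, the double-encoded and `%2f` requests are reported as root escapes while the in-tree `static/../index.html` request is flagged without an escape; `authorized_raw` lets `/public/../admin/users` through for a non-admin, `authorized_canonical` does not.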
## References
- CISA alert (KEV catalog update): hxxps://www.cisa.gov/news-events/alerts/2025/03/03/cisa-adds-five-known-exploited-vulnerabilities-catalog
- CVE-2023-20118 Advisory: hxxps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbr042-multi-vuln-ej76Pke5
- CVE-2022-43939/43769 Advisory: hxxps://support.pentaho.com/hc/en-us/articles/14455394120333--Resolved-Pentaho-BA-Server-Use-of-Non-Canonical-URL-Paths-for-Authorization-Decisions-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43939
- CVE-2018-8639 Advisory: hxxps://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2018-8639
- CVE-2024-4885 Advisory: hxxps://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024