The Cybersecurity and Infrastructure Security Agency (CISA) on July 7 added four bugs to its Known Exploited Vulnerabilities (KEV) catalog, pointing out that the vulnerabilities date back to at least 2014.CISA said civilian federal agencies have until July 28 to patch the flaws, and recommended that private sector companies follow suit.What made these four bugs of special note were that two date back to 2019, one to 2016, and the fourth was first identified in 2014, underscoring that security teams have to keep tabs on all bugs and continually monitor and stay up-to-date with patching. Two of the four were rated critical.“Organizations cannot afford to dismiss a vulnerability listed on the KEV solely based on its discovery date,” said Frankie Sclafani, director of cybersecurity enablement at Deepwatch. “The KEV catalog provides a crucial indication that even deeply embedded, older flaws are being actively weaponized. Despite being between five and 10 years old, these four vulnerabilities represent opportunities for a variety of threat actors.”The four vulnerabilities that made the KEV list include the following:
- CVE-2014-3931: MRLG Buffer Overflow (9.8), a buffer overflow in fastping.c in MRLG versions before 5.5.0, potentially leading to arbitrary code execution or system crashes.
- CVE-2016-10033: PHPMailer Command Injection (9.8), this issue lies in unsanitized user input in the mail() function of class.phpmailer.php in versions prior to 5.2.18, which can result in remote code execution.
- CVE-2019-5418: Ruby on Rails Path Traversal (7.5), a file content disclosure vulnerability in Action View, where specially crafted accept headers can expose arbitrary file contents.
- CVE-2019-9621: Zimbra SSRF (7.5), a Server-Side Request Forgery (SSRF) vulnerability in the ProxyServlet component of Zimbra Collaboration Suite, allowing unauthorized access to internal resources and remote code execution.
Hackers looking for old flaws to exploit
As of July 8, there were no known public reports on the first three bugs recently listed being exploited. However, Trend Micro in September 2023 attributed an exploit of CVE-2019-9621 by Earth Lusca, a China-linked threat actor known to drop web shells and Cobalt Strike.Kevin Surace, chair at Token, speculated that CISA likely has some indication that North Korea or Russia is considering exploiting these again based on intelligence gathering. “Intelligence suggests a known hacker group is preparing to broadly exploit these flaws,” said Surace. “I would listen and patch now. As always, many organizations pay serious attention to patching and others don’t, often due to overload and other priorities. Any known flaw is urgent since they can still be exploited years later. Look at SQl injections, still exploited 25 years after knowing they exist.”Mayuresh Dani, security research manager at the Qualys Threat Research Unit, said the inclusion of these older, but actively exploited, vulnerabilities in the CISA KEV catalog cements the fact that threat actors are adept at finding and abusing unpatched software regardless of their age. Dani said threat actors often select vulnerabilities based on their ability to maximize access, persistence, and impact within a target environment rather than their age.“Organizations should not assume that only new vulnerabilities are being targeted,” said Dani. “What's more, is that all affected products are commonly accessible from the internet or serve as critical infrastructure — such as email servers, web application frameworks, and network diagnostic tools, making them prime targets for automated scanning and exploitation.Dani offered these tips to security teams:- Conduct a thorough inventory to locate all systems running vulnerable software, including legacy and shadow IT assets.
- Dependencies should also be identified as attackers can use PHPMailer in web applications and Rails in other SaaS platforms.
- Limit access to diagnostic tools (like MRLG) and collaboration platforms (like Zimbra) to only trusted networks or users.
- Use network segmentation via firewalls and access control lists to minimize unnecessary exposure of services to the internet.
