The Cybersecurity and Infrastructure Security Agency (CISA) in the United States has added new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. These vulnerabilities affect devices running Android, Windows, and Progress Telerik Report Server, and have been actively targeted by cybercriminals.
Newly Listed Vulnerabilities
The fresh entries include CVE-2024-32896, CVE-2024-26169, and CVE-2024-4358. The CVE-2024-32896 flaw impacts Pixel Firmware, providing a route for attackers to elevate privileges using a zero-day exploit. CVE-2024-26169 compromises the Microsoft Windows Error Reporting Service, allowing adversaries to obtain SYSTEM privileges. CVE-2024-4358 involves an authentication bypass in Telerik Report Server, which permits unauthorized access to restricted features.
Federal Civilian Executive Branch (FCEB) agencies must address these new flaws by July 4, 2024, in line with Binding Operational Directive (BOD) 22-01. The goal is to shield federal networks from potential threats exploiting these vulnerabilities. CISA underscores the need for rapid action to mitigate risks.
CISA urges private organizations to review the KEV catalog and resolve the listed vulnerabilities within their systems. Taking proactive steps to enhance network security is crucial. The agency highlights the necessity of updating systems and applying relevant patches to maintain strong defenses against potential cyber exploits.
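One way to turn that review into a repeatable check, added here as an illustration and not code from the article or from CISA: a small Python script that matches entries shaped like the KEV JSON feed against a hypothetical asset inventory and reports how many days remain before each due date. The feed field names (cveID, vendorProject, product, vulnerabilityName, dueDate) and every sample value below are assumptions constructed for this example.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names are assumed
# to match the real feed; the entries are built from this article, not copied from
# the catalog, and the last one is a deliberate placeholder that matches no asset.
SAMPLE_KEV_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-2024-32896", "vendorProject": "Google", "product": "Pixel",
     "vulnerabilityName": "Pixel firmware privilege escalation", "dueDate": "2024-07-04"},
    {"cveID": "CVE-2024-26169", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Windows Error Reporting Service privilege escalation", "dueDate": "2024-07-04"},
    {"cveID": "CVE-2024-4358", "vendorProject": "Progress", "product": "Telerik Report Server",
     "vulnerabilityName": "Telerik Report Server authentication bypass", "dueDate": "2024-07-04"},
    {"cveID": "CVE-0000-0000", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "vulnerabilityName": "Placeholder entry not deployed in this fleet", "dueDate": "2024-01-01"}
  ]
}"""

# Hypothetical asset inventory: hostname -> (vendor, product) as deployed.
INVENTORY = {
    "rpt-srv-01": ("Progress", "Telerik Report Server"),
    "ws-0042": ("Microsoft", "Windows"),
    "db-srv-03": ("Oracle", "Database"),
}

def kev_exposure(kev_json, inventory, today_iso):
    """Return KEV entries that match inventoried products, each with the number of
    days until its due date (negative means the deadline has already passed)."""
    today = date.fromisoformat(today_iso)
    entries = json.loads(kev_json)["vulnerabilities"]
    findings = []
    for host, (vendor, product) in inventory.items():
        for e in entries:
            # Exact, case-insensitive match on vendor and product; a real feed
            # would usually need a normalisation table between the two naming schemes.
            if e["vendorProject"].lower() == vendor.lower() and e["product"].lower() == product.lower():
                due = date.fromisoformat(e["dueDate"])
                findings.append({"host": host, "cveID": e["cveID"], "name": e["vulnerabilityName"],
                                 "due": e["dueDate"], "days_left": (due - today).days})
    # Most urgent first, so overdue items surface at the top of the report.
    findings.sort(key=lambda f: f["days_left"])
    return findings

if __name__ == "__main__":
    for f in kev_exposure(SAMPLE_KEV_JSON, INVENTORY, "2024-06-20"):
        status = "OVERDUE" if f["days_left"] < 0 else f"{f['days_left']} days left"
        print(f"{f['host']}: {f['cveID']} ({f['name']}) due {f['due']} - {status}")
```

Swapping the constructed sample for the downloaded catalog and the dictionary for an export from a CMDB gives a daily report of which listed flaws are still open on assets that actually run the affected product.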
The Binding Operational Directive (BOD) 22-01, named “Reducing the Significant Risk of Known Exploited Vulnerabilities,” created the Known Exploited Vulnerabilities Catalog. This directive mandates that FCEB agencies must remediate listed vulnerabilities by specific deadlines to secure their networks from ongoing threats.