The US cybersecurity agency CISA on Wednesday warned that a recent critical AMI BMC vulnerability and a FortiOS bug patched more than five years ago have been exploited in the wild.
Tracked as CVE-2024-54085 (CVSS score of 10/10), the AMI BMC flaw is an authentication bypass issue confirmed to impact HPE, Asus, Asrock, and Lenovo products.
Impacting the Redfish management interface, the security defect could allow attackers to take control of the target device, deploy malware, modify its firmware, and even damage the motherboard.
AMI released patches for the CVE in March, when several OEMs published advisories confirming impact. On Wednesday, CISA added it to its Known Exploited Vulnerabilities (KEV) catalog, warning of its in-the-wild exploitation.
Per Binding Operational Directive (BOD) 22-01, federal agencies have until July 17 to identify vulnerable products within their environments and apply the available patches.
There do not appear to be any public reports describing attacks involving the exploitation of CVE-2024-54085. A Shodan search conducted at the time of its disclosure showed that more than 1,000 internet-exposed systems may have been vulnerable to attacks.
Tracked as CVE-2019-6693 (CVSS score of 6.5), the FortiOS security defect exists because a cryptographic key used to encrypt sensitive data is hardcoded in the software.
An attacker with knowledge of the key and access to backup files could decrypt the sensitive information, including passwords, passphrases for private keys, and the High Availability password.
The flaw was publicly disclosed in June 2020, along with two similar issues in FortiManager and FortiAnalyzer.
Fortinet addressed the issue in FortiOS versions 5.6.11 and above, 6.0.7 and above, and 6.2.1 and above, which allow administrators to choose to be prompted for a password to be used for the encryption of data in configuration files.
It is worth noting that there were no other reports of these vulnerabilities being exploited before CISA added them to its KEV list, although technical details on how the FortiOS flaw could be abused to decrypt data were published last year.
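The following is an added illustration of the weakness class behind CVE-2019-6693 and of the shape of the fix described above; it is not Fortinet's code, and neither the key nor the cipher here is the one used in FortiOS. The "vulnerable" path seals a secret from a configuration backup under a key baked into the program (the hypothetical HARDCODED_KEY), so anyone who extracts that key can open every backup ever produced. The "fixed" path derives the key from an administrator-supplied password with PBKDF2 and a per-backup salt, so the backup file alone is no longer enough. The cipher is a toy HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen so the example runs with only the standard library; the point is the source of the key, not the cipher.

```python
"""Added example: hardcoded-key config encryption vs. password-derived key.

Not FortiOS code. HARDCODED_KEY, the HMAC-based toy cipher and the PBKDF2
parameters are assumptions made for this illustration only.
"""
import hashlib
import hmac
import secrets

# Hypothetical key shipped inside the software (the vulnerable design).
# Anyone who pulls it out of the binary, or reads it in a public write-up,
# can decrypt every backup produced with it.
HARDCODED_KEY = b"example-key-baked-into-the-firmware"

NONCE_LEN, SALT_LEN, TAG_LEN = 16, 16, 32
PBKDF2_ROUNDS = 200_000  # assumed work factor for the example


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: block i = HMAC-SHA256(key, "enc" || nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = b"enc" + nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on wrong key or tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered backup")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# --- Vulnerable design: one key for every device and every backup ---------
def backup_with_hardcoded_key(secret: bytes) -> bytes:
    return seal(HARDCODED_KEY, secret)


def attacker_with_extracted_key_can_read(blob: bytes) -> bool:
    """Model the attacker in the advisory: holds the key and a stolen backup file."""
    try:
        unseal(HARDCODED_KEY, blob)
        return True
    except ValueError:
        return False


# --- Fixed design: key derived from an admin-chosen password --------------
def _derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def backup_with_password(secret: bytes, password: str) -> bytes:
    """Layout: salt(16) || seal(...) so each backup gets its own key."""
    salt = secrets.token_bytes(SALT_LEN)
    return salt + seal(_derive_key(password, salt), secret)


def restore_with_password(blob: bytes, password: str) -> bytes:
    salt, rest = blob[:SALT_LEN], blob[SALT_LEN:]
    return unseal(_derive_key(password, salt), rest)


if __name__ == "__main__":
    # Constructed sample: one line of secrets as they might sit in a backup.
    secret = b'set password ENC "hunter2"; set ha-password "cluster-secret"'
    old = backup_with_hardcoded_key(secret)
    print("hardcoded key, attacker can read:", attacker_with_extracted_key_can_read(old))
    new = backup_with_password(secret, "admin-chosen-passphrase")
    print("password-derived key, attacker can read:", attacker_with_extracted_key_can_read(new))
    print("legitimate restore:", restore_with_password(new, "admin-chosen-passphrase") == secret)
```

The check worth taking away: if a product encrypts exported configuration with a key that is the same on every unit, treat any backup that has left the device as plaintext and rotate the credentials it contains; prompting for a backup password only helps for backups taken after the option is enabled.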
The cybersecurity agency also added a security defect in discontinued D-Link DIR-859 routers to KEV. Tracked as CVE-2024-0769 (CVSS score of 9.8) and described as a path traversal issue, the bug has been exploited in the wild for roughly a year.
Related: Organizations Warned of Vulnerability Exploited Against Discontinued TP-Link Routers
Related: Exploitation Long Known for Most of CISA's Latest KEV Additions
Related: CISA Warns of Ivanti EPM Vulnerability Exploitation