The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog, adding four critical vulnerabilities affecting Apache OFBiz, Microsoft .NET Framework, and Paessler PRTG Network Monitor.
These vulnerabilities, actively exploited in the wild, pose significant risks, including unauthorized access, remote code execution, and privilege escalation.
Organizations are urged to implement mitigations or discontinue affected products by February 25, 2025.
Forced Browsing Vulnerability (CVE-2024-45195)
Apache OFBiz, an open-source enterprise resource planning (ERP) platform, is impacted by CVE-2024-45195.
This forced browsing vulnerability allows unauthenticated attackers to bypass authorization checks and gain access to sensitive resources.
Exploitation can lead to unauthorized remote code execution on both Linux and Windows servers. The vulnerability stems from insufficient validation of view authorization controls.
Although a patch was released in September 2024 (version 18.12.16), organizations still using older versions are at risk.
Information Disclosure Vulnerability (CVE-2024-29059)
CVE-2024-29059 affects Microsoft’s .NET Framework and involves an information disclosure flaw that exposes the ObjRef URI.
This vulnerability could enable attackers to perform remote code execution by leveraging sensitive information obtained through improperly handled error messages.
Classified under CWE-209, this issue has a CVSS score of 7.5.
While Microsoft released fixes in March 2024, organizations must ensure timely application of patches to mitigate potential exploitation.
Two vulnerabilities in Paessler’s PRTG Network Monitor software have also been added to the KEV catalog:
- CVE-2018-9276: This OS command injection vulnerability allows attackers with administrative access to execute arbitrary commands through the PRTG System Administrator web console. Exploitation could lead to full control over the network monitoring system and associated devices.
- CVE-2018-19410: A local file inclusion vulnerability enables unauthenticated attackers to create users with administrative privileges by exploiting improperly handled HTTP requests. This flaw significantly increases the risk of unauthorized system access.
Both vulnerabilities were patched in 2018; however, systems running outdated versions remain vulnerable.
CISA’s inclusion of these vulnerabilities highlights their active exploitation and the urgency of remediation.
Federal Civilian Executive Branch (FCEB) agencies are required to address these flaws by February 25, 2025, under Binding Operational Directive (BOD) 22-01.
CISA strongly encourages all organizations to prioritize these vulnerabilities as part of their security management practices.
Failure to mitigate these issues could leave systems exposed to significant risks, including data breaches and operational disruptions.
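For teams that need to turn a KEV update like this one into an actionable list, the following is an added example (not code from CISA or any of the affected vendors) that triages a KEV-style catalog against a host inventory. The catalog records are constructed here with the public KEV feed's field names (`cveID`, `vendorProject`, `product`, `dueDate`) and the CVE IDs, products and February 25, 2025 due date from the article; the inventory hosts, their versions, and the `triage` and `is_affected` helpers are hypothetical. The only fixed version the article states is Apache OFBiz 18.12.16, so that is the only product the script can decide automatically; PRTG assets are flagged for manual verification rather than assigned an invented fix version.

```python
"""Triage KEV catalog entries against an asset inventory (added example)."""
from datetime import date

# Constructed sample of KEV catalog records for the four CVEs in the article.
# Field names follow the public KEV JSON feed; descriptions are omitted.
KEV_ENTRIES = [
    {"cveID": "CVE-2024-45195", "vendorProject": "Apache",
     "product": "OFBiz", "dueDate": "2025-02-25"},
    {"cveID": "CVE-2024-29059", "vendorProject": "Microsoft",
     "product": ".NET Framework", "dueDate": "2025-02-25"},
    {"cveID": "CVE-2018-9276", "vendorProject": "Paessler",
     "product": "PRTG Network Monitor", "dueDate": "2025-02-25"},
    {"cveID": "CVE-2018-19410", "vendorProject": "Paessler",
     "product": "PRTG Network Monitor", "dueDate": "2025-02-25"},
]

# Constructed, hypothetical asset inventory.
INVENTORY = [
    {"host": "erp-01", "product": "OFBiz", "version": "18.12.14"},
    {"host": "erp-02", "product": "OFBiz", "version": "18.12.16"},
    {"host": "mon-01", "product": "PRTG Network Monitor", "version": "18.2.41"},
]

# First fixed version per product where the article states one.
# OFBiz 18.12.16 is from the text; no PRTG or .NET fix version is given,
# so those products fall back to a "verify" status below.
FIXED_VERSIONS = {"OFBiz": "18.12.16"}


def parse_version(text):
    """Turn '18.12.16' into (18, 12, 16) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_affected(product, version):
    """True if version is below the known fix, False if at or above it,
    None when the catalog gives no fix version to compare against."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


def triage(kev_entries, inventory, today):
    """Return findings (host, CVE, status, days until the KEV due date),
    sorted so the most urgent items come first. Hosts already at the fixed
    version are dropped; hosts with no known fix version are marked 'verify'."""
    by_product = {}
    for entry in kev_entries:
        by_product.setdefault(entry["product"], []).append(entry)

    findings = []
    for asset in inventory:
        for entry in by_product.get(asset["product"], []):
            status = is_affected(asset["product"], asset["version"])
            if status is False:
                continue  # patched according to the stated fix version
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "status": "affected" if status else "verify",
                "days_left": (due - today).days,  # negative means overdue
            })
    return sorted(findings, key=lambda f: (f["days_left"], f["host"], f["cveID"]))


if __name__ == "__main__":
    for finding in triage(KEV_ENTRIES, INVENTORY, date(2025, 2, 1)):
        print(finding)
```

Run against the constructed inventory on 2025-02-01, `erp-01` is reported as affected by CVE-2024-45195 with 24 days left, `erp-02` is dropped because it is already on 18.12.16, and `mon-01` is listed twice with status `verify` so an operator confirms its PRTG version against the vendor's 2018 fixes. The same function works on the real KEV JSON feed once its `vulnerabilities` array is passed in place of `KEV_ENTRIES`.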