The Cybersecurity and Infrastructure Security Agency (CISA) has added three more security flaws to its list of bugs exploited in attacks, including a Bitbucket Server RCE and two Microsoft Exchange zero-days.
CISA’s Known Exploited Vulnerabilities (KEV) catalog now includes two Microsoft Exchange zero-days (CVE-2022-41040 and CVE-2022-41082) exploited in limited, targeted attacks, according to Microsoft.
While Microsoft hasn’t yet released security updates to address this pair of actively exploited bugs, it shared mitigation measures requiring customers to add an IIS server blocking rule that would block attack attempts.
“Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. [..] We are working on an accelerated timeline to release a fix,” Microsoft said earlier today.
The third security flaw CISA added to its KEV list today (tracked as CVE-2022-36804) is a critical severity command injection vulnerability in Atlassian’s Bitbucket Server and Data Center, with publicly available proof of concept exploit code.
Attackers can gain remote code execution by exploiting the flaw via malicious HTTP requests. Still, they must have access to a public repository or read permissions to a private one.
This RCE vulnerability impacts all Bitbucket Server and Data Center versions after 6.10.17, including 7.0.0 and up to 8.3.0.
BinaryEdge and GreyNoise confirmed that attackers have been scanning and attempting to exploit CVE-2022-36804 in the wild [1, 2] since at least September 20th.
We at @SolveCyberRisk @binaryedgeio have been observing active scanning and exploitation of the just announced CVE-2022-36804 – This CVE affects Atlassian Bitbucket, go patch: https://t.co/YYG1qY9uUg pic.twitter.com/Jy12W9ZB3E
— Tiago Henriques (@Balgan) September 23, 2022
Federal agencies ordered to mitigate
All Federal Civilian Executive Branch Agencies (FCEB) agencies apply patches or mitigation measures for these three actively exploited bugs after being added to CISA’s KEV catalog as required by a binding operational directive (BOD 22-01) from November.
The federal agencies were given three weeks, until October 21st, to ensure that exploitation attempts would be blocked.
The U.S. cybersecurity agency also strongly urged all private and public sector organizations worldwide to prioritize patching these vulnerabilities, although BOD 22-01 only applies to U.S. FCEB agencies.
Applying patches ASAP will help them decrease the attack surface potential attackers could target in breach attempts.
“These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise,” CISA explained on Thursday.
Since the BOD 22-01 binding directive was issued last year, CISA has added more than 800 security flaws to its catalog of bugs exploited in attacks while requiring federal agencies to address them on a tighter schedule.