CISA adds 3 vulnerabilities to KEV Catalog. Urgent patching advised.

Today, the Cybersecurity and Infrastructure Security Agency (CISA) added three actively exploited security flaws to its Known Exploited Vulnerabilities (KEV) Catalog. The new entries affect a file-sharing product, an open-source file-sharing application and a line of firewall appliances, exactly the kind of internet-facing software that attackers routinely target. A KEV listing means CISA has evidence of exploitation in the wild; under Binding Operational Directive 22-01, federal civilian executive branch agencies must remediate listed vulnerabilities by the due date CISA assigns, and CISA urges all organizations, especially those operating critical infrastructure, to prioritize them as well.

Details of Newly Added Vulnerabilities

CVE-2023-45727: North Grid’s Proself Series
This vulnerability affects multiple editions of North Grid's Proself file-sharing products, including the Enterprise, Standard, Gateway and Mail Sanitize Editions. The issue is insufficient restriction of XML External Entity (XXE) processing: the application's XML parser resolves external entities declared in attacker-supplied input, so a remote, unauthenticated attacker can submit a crafted XML document whose entity references point at files on the server and have their contents returned. The practical outcome is disclosure of configuration files, credentials and any other data the application account can read, which in turn can open the door to further compromise.
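To make the mechanism concrete, here is an added example (not Proself code, and it makes no assumption about how Proself itself parses XML) using the expat parser that underlies most Python XML libraries: once configured to resolve external general entities, which is the insufficient restriction an XXE flaw comes down to, and once with the restrictions the vulnerable configuration lacks. The secret file, the `upload`/`name` element names and the `hunter2` value are constructed for the demo.

```python
import os
import tempfile
from xml.parsers import expat

# Constructed sample data for the demo: a file standing in for whatever the
# server process can read (in real XXE attacks the target is typically
# /etc/passwd or an application configuration file holding credentials).
SECRET_CONTENT = "db_password=hunter2\n"


def write_secret_file():
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as f:
        f.write(SECRET_CONTENT)
    return path


def xxe_payload(target_path):
    """The kind of crafted XML an attacker submits: the DTD declares an
    external entity whose SYSTEM identifier points at a local file, and the
    body references that entity where the application expects a value."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE upload [\n'
        f'  <!ENTITY xxe SYSTEM "{target_path}">\n'
        ']>\n'
        '<upload><name>&xxe;</name></upload>'
    )


def parse_with_external_entities(xml_text):
    """A parser that resolves external general entities: the insufficient
    restriction behind an XXE flaw. The referenced file is fetched and its
    contents spliced into the document as ordinary character data, so they
    end up wherever the application puts the parsed value (often the response)."""
    text = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append

    def resolve_external(context, base, system_id, public_id):
        # The child parser inherits the parent's handlers, so the file body
        # arrives in CharacterDataHandler like any other element text.
        child = parser.ExternalEntityParserCreate(context)
        with open(system_id, "rb") as f:
            child.ParseFile(f)
        return 1

    parser.ExternalEntityRefHandler = resolve_external
    parser.Parse(xml_text, True)
    return "".join(text)


def parse_hardened(xml_text):
    """The same parser with the restrictions the vulnerable one lacks: any
    DOCTYPE is rejected before its internal subset is read (which also stops
    entity-expansion DoS), and external entity references are refused as a
    second line of defence."""
    text = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise ValueError("DOCTYPE declarations are not accepted in untrusted XML")

    parser.StartDoctypeDeclHandler = reject_doctype
    # Returning 0 makes expat fail the parse instead of silently skipping.
    parser.ExternalEntityRefHandler = lambda context, base, system_id, public_id: 0
    parser.Parse(xml_text, True)
    return "".join(text)


def demo():
    """Returns (what the vulnerable parser leaked, whether the hardened parser
    refused the payload, what the hardened parser returns for benign input)."""
    secret_path = write_secret_file()
    try:
        payload = xxe_payload(secret_path)
        leaked = parse_with_external_entities(payload).strip()
        try:
            parse_hardened(payload)
            blocked = False
        except (ValueError, expat.ExpatError):
            blocked = True
        benign = parse_hardened('<upload><name>report.pdf</name></upload>')
        return leaked, blocked, benign
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    print(demo())
```

Rejecting the DOCTYPE outright, rather than only switching off external entity resolution, is the usual recommendation for parsers fed by untrusted clients: a document that legitimately needs a DTD is rare in an upload or API context, and the blanket rule also removes internal-entity expansion attacks from the table.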

CVE-2024-11680: ProjectSend (pre-r1720)
A critical vulnerability exists in ProjectSend, an open-source, PHP-based file-sharing application. Versions prior to r1720 perform improper authentication on certain requests, allowing a remote, unauthenticated attacker to bypass access controls and change the application's configuration. From there an attacker can create accounts, enable uploads and place web shells or malicious JavaScript on the server. The flaw carries a CVSS score of 9.8 (critical), and full compromise of the host is a realistic outcome. Because the fixed revision has been available for a long time, any exposed ProjectSend instance still running an older build should be treated as a likely target and checked for unexpected accounts and uploaded files, not just patched.

CVE-2024-11667: Zyxel Firewall Products
The third addition is a directory traversal vulnerability in the web management interface of Zyxel firewalls: ATP series and USG FLEX series firmware V5.00 through V5.38, and USG FLEX 50(W) and USG20(W)-VPN firmware V5.10 through V5.38, fixed in V5.39. A crafted URL lets an attacker download or upload files on the device, which on a perimeter firewall means access to its configuration, including stored credentials, and a foothold for further intrusion. Upgrading closes the hole, but because a traversal that reads configuration files exposes whatever was in them, administrators should also rotate administrator and VPN account credentials after patching and check for unexpected admin accounts or configuration changes.
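Directory traversal as a bug class, shown with an added example that is not Zyxel's code and makes no claim about where the flaw sits in the Zyxel firmware: the traversal-prone join a web handler often ends up with, beside a containment check that resolves the path and verifies it stays below the intended directory. The probe inputs are constructed.

```python
import os
import tempfile
from urllib.parse import unquote

# Constructed probe inputs: two legitimate requests and the usual ways a
# traversal payload is written.
PROBES = [
    "reports/q3.pdf",            # legitimate
    "reports/../q3.pdf",         # legitimate after normalisation
    "../../etc/passwd",          # classic dot-dot traversal
    "..%2f..%2fetc%2fpasswd",    # same, URL-encoded
    "/etc/passwd",               # absolute path; os.path.join drops the base
]


def unsafe_join(base_dir, user_path):
    """The traversal-prone pattern: a request parameter appended to a base
    directory with no check on where the result lands. Note that os.path.join
    discards base_dir altogether when user_path is absolute."""
    return os.path.normpath(os.path.join(base_dir, user_path))


def safe_join(base_dir, user_path):
    """Resolve the candidate path (symlinks included) and accept it only if
    it still lies strictly below base_dir; anything else returns None."""
    base = os.path.realpath(base_dir)
    # Decode exactly once, before the check, so percent-encoded dots and
    # slashes cannot slip past it; never decode again afterwards.
    candidate = os.path.realpath(os.path.join(base, unquote(user_path)))
    try:
        if os.path.commonpath([base, candidate]) != base or candidate == base:
            return None
    except ValueError:  # paths on different drives (Windows)
        return None
    return candidate


def demo():
    """Returns ({probe: accepted_by_safe_join}, naive_join_escaped_base_dir)."""
    base = tempfile.mkdtemp()
    try:
        accepted = {p: safe_join(base, p) is not None for p in PROBES}
        # The naive version happily produces a path outside the directory.
        escaped = not unsafe_join(base, "../../etc/passwd").startswith(
            os.path.realpath(base))
        return accepted, escaped
    finally:
        os.rmdir(base)


if __name__ == "__main__":
    print(demo())
```

The check works on the fully resolved path rather than on the input string, which is why a blocklist of `..` sequences is the wrong tool: encoding variants, absolute paths and symlinks all bypass string matching but not a comparison of where the path actually ends up.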
