CISA Known Exploited Vulnerabilities

This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).

CVE-2024-3273

D-Link Multiple NAS Devices Command Injection Vulnerability

Vendor: D-Link

Product: Multiple NAS Devices

Added: 2024-04-11

Due Date: 2024-05-02

Description:

D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L contain a command injection vulnerability. When combined with CVE-2024-3272, this can lead to remote, unauthorized code execution.

Required Action:

This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions.

CWEs:

CWE-77

CVE-2024-3272

D-Link Multiple NAS Devices Use of Hard-Coded Credentials Vulnerability

Vendor: D-Link

Product: Multiple NAS Devices

Added: 2024-04-11

Due Date: 2024-05-02

Description:

D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L contains a hard-coded credential that allows an attacker to conduct authenticated command injection, leading to remote, unauthorized code execution.

Required Action:

This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions.

CWEs:

CWE-798

CVE-2024-29748

Android Pixel Privilege Escalation Vulnerability

Vendor: Android

Product: Pixel

Added: 2024-04-04

Due Date: 2024-04-25

Description:

Android Pixel contains a privilege escalation vulnerability that allows an attacker to interrupt a factory reset triggered by a device admin app.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-280

CVE-2024-29745

Android Pixel Information Disclosure Vulnerability

Vendor: Android

Product: Pixel

Added: 2024-04-04

Due Date: 2024-04-25

Description:

Android Pixel contains an information disclosure vulnerability in the fastboot firmware used to support unlocking, flashing, and locking affected devices.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-908

CVE-2023-24955

Ransomware

Microsoft SharePoint Server Code Injection Vulnerability

Vendor: Microsoft

Product: SharePoint Server

Added: 2024-03-26

Due Date: 2024-04-16

Description:

Microsoft SharePoint Server contains a code injection vulnerability that allows an authenticated attacker with Site Owner privileges to execute code remotely.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-94

CVE-2019-7256

Nice Linear eMerge E3-Series OS Command Injection Vulnerability

Vendor: Nice

Product: Linear eMerge E3-Series

Added: 2024-03-25

Due Date: 2024-04-15

Description:

Nice Linear eMerge E3-Series contains an OS command injection vulnerability that allows an attacker to conduct remote code execution.

Required Action:

Contact the vendor for guidance on remediating firmware, per their advisory.

CWEs:

CWE-78

CVE-2021-44529

Ransomware

Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability

Vendor: Ivanti

Product: Endpoint Manager Cloud Service Appliance (EPM CSA)

Added: 2024-03-25

Due Date: 2024-04-15

Description:

Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) contains a code injection vulnerability that allows an unauthenticated user to execute malicious code with limited permissions (nobody).

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-94

CVE-2023-48788

Ransomware

Fortinet FortiClient EMS SQL Injection Vulnerability

Vendor: Fortinet

Product: FortiClient EMS

Added: 2024-03-25

Due Date: 2024-04-15

Description:

Fortinet FortiClient EMS contains a SQL injection vulnerability that allows an unauthenticated attacker to execute commands as SYSTEM via specifically crafted requests.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-89

CVE-2024-27198

Ransomware

JetBrains TeamCity Authentication Bypass Vulnerability

Vendor: JetBrains

Product: TeamCity

Added: 2024-03-07

Due Date: 2024-03-28

Description:

JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-288

CVE-2024-23225

Apple Multiple Products Memory Corruption Vulnerability

Vendor: Apple

Product: Multiple Products

Added: 2024-03-06

Due Date: 2024-03-27

Description:

Apple iOS, iPadOS, macOS, tvOS, watchOS, and visionOS kernel contain a memory corruption vulnerability that allows an attacker with arbitrary kernel read and write capability to bypass kernel memory protections.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-787

CVE-2024-23296

Apple Multiple Products Memory Corruption Vulnerability

Vendor: Apple

Product: Multiple Products

Added: 2024-03-06

Due Date: 2024-03-27

Description:

Apple iOS, iPadOS, macOS, tvOS, and watchOS RTKit contain a memory corruption vulnerability that allows an attacker with arbitrary kernel read and write capability to bypass kernel memory protections.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-787

CVE-2023-21237

Android Pixel Information Disclosure Vulnerability

Vendor: Android

Product: Pixel

Added: 2024-03-05

Due Date: 2024-03-26

Description:

Android Pixel contains a vulnerability in the Framework component, where the UI may be misleading or insufficient, providing a means to hide a foreground service notification. This could enable a local attacker to disclose sensitive information.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-200

CVE-2021-36380

Sunhillo SureLine OS Command Injection Vulnerablity

Vendor: Sunhillo

Product: SureLine

Added: 2024-03-05

Due Date: 2024-03-26

Description:

Sunhillo SureLine contains an OS command injection vulnerability that allows an attacker to cause a denial-of-service or utilize the device for persistence on the network via shell metacharacters in ipAddr or dnsAddr in /cgi/networkDiag.cgi.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-78

CVE-2024-21338

Ransomware

Microsoft Windows Kernel Exposed IOCTL with Insufficient Access Control Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2024-03-04

Due Date: 2024-03-25

Description:

Microsoft Windows Kernel contains an exposed IOCTL with insufficient access control vulnerability within the IOCTL (input and output control) dispatcher in appid.sys that allows a local attacker to achieve privilege escalation.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-822

CVE-2023-29360

Microsoft Streaming Service Untrusted Pointer Dereference Vulnerability

Vendor: Microsoft

Product: Streaming Service

Added: 2024-02-29

Due Date: 2024-03-21

Description:

Microsoft Streaming Service contains an untrusted pointer dereference vulnerability that allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-822