CISA Known Exploited Vulnerabilities

This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).

CVE-2020-9054

Zyxel Multiple NAS Devices OS Command Injection Vulnerability

Vendor: Zyxel

Product: Multiple Network-Attached Storage (NAS) Devices

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Multiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-78

CVE-2020-7247

OpenSMTPD Remote Code Execution Vulnerability

Vendor: OpenBSD

Product: OpenSMTPD

Added: 2022-03-25

Due Date: 2022-04-15

Description:

smtp_mailaddr in smtp_session.c in OpenSMTPD, as used in OpenBSD and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-755, CWE-78

CVE-2020-5410

VMware Tanzu Spring Cloud Config Directory Traversal Vulnerability

Vendor: VMware Tanzu

Product: Spring Cloud Configuration (Config) Server

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Spring Cloud Config, by VMware Tanzu, contains a path traversal vulnerability that allows applications to serve arbitrary configuration files.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-23

CVE-2020-25223

Sophos SG UTM Remote Code Execution Vulnerability

Vendor: Sophos

Product: SG UTM

Added: 2022-03-25

Due Date: 2022-04-15

Description:

A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-78

CVE-2020-2506

QNAP Helpdesk Improper Access Control Vulnerability

Vendor: QNAP Systems

Product: Helpdesk

Added: 2022-03-25

Due Date: 2022-04-15

Description:

QNAP Helpdesk contains an improper access control vulnerability which could allow an attacker to gain privileges or to read sensitive information.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-284

CVE-2020-2021

Ransomware

Palo Alto Networks PAN-OS Authentication Bypass Vulnerability

Vendor: Palo Alto Networks

Product: PAN-OS

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Palo Alto Networks PAN-OS contains a vulnerability in SAML which allows an attacker to bypass authentication.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-347

CVE-2020-1956

Apache Kylin OS Command Injection Vulnerability

Vendor: Apache

Product: Kylin

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Apache Kylin contains an OS command injection vulnerability which could permit an attacker to perform remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-78

CVE-2020-1631

Juniper Junos OS Path Traversal Vulnerability

Vendor: Juniper

Product: Junos OS

Added: 2022-03-25

Due Date: 2022-04-15

Description:

A path traversal vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP) allows an unauthenticated attacker to perform remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-22, CWE-73

CVE-2019-6340

Drupal Core Remote Code Execution Vulnerability

Vendor: Drupal

Product: Core

Added: 2022-03-25

Due Date: 2022-04-15

Description:

In Drupal Core, some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-502

CVE-2019-2616

Oracle BI Publisher Unauthorized Access Vulnerability

Vendor: Oracle

Product: BI Publisher (Formerly XML Publisher)

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Oracle BI Publisher, formerly XML Publisher, contains an unspecified vulnerability that allows for various unauthorized actions. Open-source reporting indicates this vulnerability allows for authentication bypass.

Required Action:

Apply updates per vendor instructions.

CVE-2019-16920

D-Link Multiple Routers Command Injection Vulnerability

Vendor: D-Link

Product: Multiple Routers

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Multiple D-Link routers contain a command injection vulnerability which can allow attackers to achieve full system compromise.

Required Action:

The impacted product is end-of-life and should be disconnected if still in use.

CWEs:

CWE-78

CVE-2019-15107

Webmin Command Injection Vulnerability

Vendor: Webmin

Product: Webmin

Added: 2022-03-25

Due Date: 2022-04-15

Description:

An issue was discovered in Webmin. The parameter old in password_change.cgi contains a command injection vulnerability.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-78

CVE-2019-12991

Citrix SD-WAN and NetScaler Command Injection Vulnerability

Vendor: Citrix

Product: SD-WAN and NetScaler

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Citrix SD-WAN Appliance and NetScaler SD-WAN Appliance contain an authenticated command injection vulnerability.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-78

CVE-2019-12989

Citrix SD-WAN and NetScaler SQL Injection Vulnerability

Vendor: Citrix

Product: SD-WAN and NetScaler

Added: 2022-03-25

Due Date: 2022-04-15

Description:

Citrix SD-WAN and NetScaler SD-WAN allow SQL Injection.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-89

CVE-2019-11043

Ransomware

PHP FastCGI Process Manager (FPM) Buffer Overflow Vulnerability

Vendor: PHP

Product: FastCGI Process Manager (FPM)

Added: 2022-03-25

Due Date: 2022-04-15

Description:

In some versions of PHP, in certain FPM configurations, it is possible to cause the FPM module to write past allocated buffers, allowing the possibility of remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-120