CISA Known Exploited Vulnerabilities

This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).

CVE-2021-37415

Zoho ManageEngine ServiceDesk Authentication Bypass Vulnerability

Vendor: Zoho

Product: ManageEngine ServiceDesk Plus (SDP)

Added: 2021-12-01

Due Date: 2021-12-15

Description:

Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-306

CVE-2021-40438

Apache HTTP Server-Side Request Forgery (SSRF)

Vendor: Apache

Product: Apache

Added: 2021-12-01

Due Date: 2021-12-15

Description:

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-918

CVE-2021-44077

Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability

Vendor: Zoho

Product: ManageEngine ServiceDesk Plus (SDP) / SupportCenter Plus

Added: 2021-12-01

Due Date: 2021-12-15

Description:

Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-306

CVE-2021-22204

ExifTool Remote Code Execution Vulnerability

Vendor: Perl

Product: Exiftool

Added: 2021-11-17

Due Date: 2021-12-01

Description:

Improper neutralization of user data in the DjVu file format in Exiftool versions 7.44 and up allows arbitrary code execution when parsing the malicious image

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-95

CVE-2021-40449

Ransomware

Microsoft Windows Win32k Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2021-11-17

Due Date: 2021-12-01

Description:

Unspecified vulnerability allows for an authenticated user to escalate privileges.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-416

CVE-2021-42321

Ransomware

Microsoft Exchange Server Remote Code Execution Vulnerability

Vendor: Microsoft

Product: Exchange

Added: 2021-11-17

Due Date: 2021-12-01

Description:

An authenticated attacker could leverage improper validation in cmdlet arguments within Microsoft Exchange and perform remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-184 CWE-502

CVE-2021-42292

Microsoft Excel Security Feature Bypass

Vendor: Microsoft

Product: Office

Added: 2021-11-17

Due Date: 2021-12-01

Description:

A security feature bypass vulnerability in Microsoft Excel would allow a local user to perform arbitrary code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-357

CVE-2021-27104

Ransomware

Accellion FTA OS Command Injection Vulnerability

Vendor: Accellion

Product: FTA

Added: 2021-11-03

Due Date: 2021-11-17

Description:

Accellion FTA contains an OS command injection vulnerability exploited via a crafted POST request to various admin endpoints.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20 CWE-78

CVE-2021-27102

Ransomware

Accellion FTA OS Command Injection Vulnerability

Vendor: Accellion

Product: FTA

Added: 2021-11-03

Due Date: 2021-11-17

Description:

Accellion FTA contains an OS command injection vulnerability exploited via a local web service call.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20 CWE-78

CVE-2021-27101

Ransomware

Accellion FTA SQL Injection Vulnerability

Vendor: Accellion

Product: FTA

Added: 2021-11-03

Due Date: 2021-11-17

Description:

Accellion FTA contains a SQL injection vulnerability exploited via a crafted host header in a request to document_root.html.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-89 CWE-138

CVE-2021-27103

Ransomware

Accellion FTA Server-Side Request Forgery (SSRF) Vulnerability

Vendor: Accellion

Product: FTA

Added: 2021-11-03

Due Date: 2021-11-17

Description:

Accellion FTA contains a server-side request forgery (SSRF) vulnerability exploited via a crafted POST request to wmProgressstat.html.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-918

CVE-2021-21017

Adobe Acrobat and Reader Heap-based Buffer Overflow Vulnerability

Vendor: Adobe

Product: Acrobat and Reader

Added: 2021-11-03

Due Date: 2021-11-17

Description:

Acrobat Acrobat and Reader contain a heap-based buffer overflow vulnerability that could allow an unauthenticated attacker to achieve code execution in the context of the current user.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-122

CVE-2021-28550

Adobe Acrobat and Reader Use-After-Free Vulnerability

Vendor: Adobe

Product: Acrobat and Reader

Added: 2021-11-03

Due Date: 2021-11-17

Description:

Adobe Acrobat and Reader contains a use-after-free vulnerability that could allow an unauthenticated attacker to achieve code execution in the context of the current user.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-416

CVE-2018-4939

Adobe ColdFusion Deserialization of Untrusted Data Vulnerability

Vendor: Adobe

Product: ColdFusion

Added: 2021-11-03

Due Date: 2022-05-03

Description:

Adobe ColdFusion contains a deserialization of untrusted data vulnerability that could allow for code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-502

CVE-2018-15961

Adobe ColdFusion Unrestricted File Upload Vulnerability

Vendor: Adobe

Product: ColdFusion

Added: 2021-11-03

Due Date: 2022-05-03

Description:

Adobe ColdFusion contains an unrestricted file upload vulnerability that could allow for code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-434