CISA Known Exploited Vulnerabilities

This dashboard displays the latest entries added to the Known Exploited Vulnerabilities (KEV) catalog published by the Cybersecurity & Infrastructure Security Agency (CISA). Each entry records the date it was added and a due date by which the required action must be completed; the due date is binding on federal civilian executive branch agencies under Binding Operational Directive 22-01 and is a reasonable remediation deadline for everyone else.
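The way a practitioner actually uses this catalog is to pull the machine-readable feed, intersect it with an asset inventory and sort by due date. The script below is an added example, not code from CISA or from this page. Field names follow the public KEV JSON feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; the feed excerpt is constructed from the entries on this page, the inventory is made up, and nothing touches the network.

```python
"""Triage a CISA KEV feed excerpt against an asset inventory.

Added example, not part of the CISA page. Field names follow the public
KEV JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
the entries below are a constructed excerpt copied from this page, and the
inventory is made up. Nothing here touches the network.
"""
from dataclasses import dataclass
from datetime import date

# Constructed excerpt of the feed, limited to the fields used here.
KEV_EXCERPT = {
    "vulnerabilities": [
        {"cveID": "CVE-2024-8956", "vendorProject": "PTZOptics", "product": "PT30X-SDI/NDI Cameras",
         "dateAdded": "2024-11-04", "dueDate": "2024-11-25", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-47575", "vendorProject": "Fortinet", "product": "FortiManager",
         "dateAdded": "2024-10-23", "dueDate": "2024-11-13", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-38094", "vendorProject": "Microsoft", "product": "SharePoint",
         "dateAdded": "2024-10-22", "dueDate": "2024-11-12", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-40711", "vendorProject": "Veeam", "product": "Backup & Replication",
         "dateAdded": "2024-10-17", "dueDate": "2024-11-07", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-9380", "vendorProject": "Ivanti", "product": "Cloud Services Appliance (CSA)",
         "dateAdded": "2024-10-09", "dueDate": "2024-10-30", "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed inventory: normalised (vendor, product) pairs the organisation runs.
INVENTORY = {
    ("fortinet", "fortimanager"),
    ("veeam", "backup & replication"),
    ("microsoft", "sharepoint"),
}


@dataclass(frozen=True)
class Finding:
    cve: str
    vendor: str
    product: str
    due: date
    days_left: int      # negative once the KEV due date has passed
    ransomware: bool    # knownRansomwareCampaignUse == "Known"


def _norm(s: str) -> str:
    """Lower-case and collapse whitespace so feed and inventory names compare."""
    return " ".join(s.lower().split())


def triage(feed: dict, inventory: set, today: str) -> list:
    """Return Findings for KEV entries that match the inventory, most urgent first.

    today is an ISO date string, e.g. "2024-11-10".
    """
    now = date.fromisoformat(today)
    findings = []
    for v in feed["vulnerabilities"]:
        if (_norm(v["vendorProject"]), _norm(v["product"])) not in inventory:
            continue
        due = date.fromisoformat(v["dueDate"])
        findings.append(Finding(
            cve=v["cveID"], vendor=v["vendorProject"], product=v["product"],
            due=due, days_left=(due - now).days,
            ransomware=v.get("knownRansomwareCampaignUse") == "Known",
        ))
    # Ransomware-linked entries first, then earliest due date.
    findings.sort(key=lambda f: (not f.ransomware, f.due))
    return findings


def overdue(findings: list) -> list:
    """CVE IDs whose KEV due date has already passed."""
    return [f.cve for f in findings if f.days_left < 0]


if __name__ == "__main__":
    for f in triage(KEV_EXCERPT, INVENTORY, "2024-11-10"):
        flag = "RANSOMWARE " if f.ransomware else ""
        print(f"{flag}{f.cve} {f.vendor} {f.product}: due {f.due} ({f.days_left:+d} days)")
```

Matching on vendor and product strings is coarse: the KEV feed carries no CPE or version data, so key the match on the product names your CMDB uses and confirm affected versions against the vendor advisory before closing a finding. Run against the live feed by replacing KEV_EXCERPT with the parsed JSON document.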

CVE-2024-8956

PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability

Vendor: PTZOptics

Product: PT30X-SDI/NDI Cameras

Added: 2024-11-04

Due Date: 2024-11-25

Description:

PTZOptics PT30X-SDI/NDI cameras contain an insecure direct object reference (IDOR) vulnerability that allows a remote attacker to bypass authentication for the /cgi-bin/param.cgi CGI script. Chained with CVE-2024-8957, this can lead to remote code execution as root.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-287: Improper Authentication

CVE-2024-8957

PTZOptics PT30X-SDI/NDI Cameras OS Command Injection Vulnerability

Vendor: PTZOptics

Product: PT30X-SDI/NDI Cameras

Added: 2024-11-04

Due Date: 2024-11-25

Description:

PTZOptics PT30X-SDI/NDI cameras contain an OS command injection vulnerability that allows a remote, authenticated attacker to escalate privileges to root via a crafted payload in the ntp_addr parameter of the /cgi-bin/param.cgi CGI script. Because CVE-2024-8956 removes the authentication requirement for the same script, the two together give unauthenticated root.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)
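Both PTZOptics entries name the same script and parameter, which is enough to write a detection. The scanner below is an added example, not PTZOptics code. The log lines are constructed in the combined log format a reverse proxy or IDS in front of the camera would record; the camera's own log format is not on the page, so adapt LOG_RE to your source. The query name x in the first sample is made up; only ntp_addr comes from the advisory text.

```python
"""Flag web-server log lines that reach /cgi-bin/param.cgi on a PTZOptics camera.

Added example, not PTZOptics code. The log lines are constructed in the
common combined format a reverse proxy or IDS would record; the camera's own
log format is not on the page, so adapt LOG_RE to your source. Query names
other than ntp_addr in the samples are made up.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (combined log format).
SAMPLE_LOG = """\
10.0.0.5 - - [04/Nov/2024:10:01:02 +0000] "GET /cgi-bin/param.cgi?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Nov/2024:10:01:05 +0000] "GET /cgi-bin/param.cgi?ntp_addr=pool.ntp.org HTTP/1.1" 200 20 "-" "curl/8.4.0"
203.0.113.9 - - [04/Nov/2024:10:01:09 +0000] "GET /cgi-bin/param.cgi?ntp_addr=1.2.3.4%3Bid HTTP/1.1" 200 20 "-" "curl/8.4.0"
203.0.113.9 - - [04/Nov/2024:10:01:12 +0000] "POST /cgi-bin/param.cgi?ntp_addr=%24(id) HTTP/1.1" 200 20 "-" "python-requests/2.31"
10.0.0.7 - - [04/Nov/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/cgi-bin/param.cgi"
# Allowlist of what a legitimate NTP server value looks like (hostname or IPv4).
# An allowlist is used instead of a shell-metacharacter blocklist: parse_qs has
# already decoded %xx escapes, and anything that is not a plain host is suspect
# regardless of which metacharacter or encoding it carries.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def classify(line: str):
    """Return (severity, client_ip, ntp_addr) for param.cgi requests, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != TARGET_PATH:
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    for value in params.get("ntp_addr", []):
        if not HOST_RE.match(value):
            # ntp_addr carrying anything but a host name: the CVE-2024-8957 pattern.
            return ("high", m["ip"], value)
    # Any other hit on param.cgi is worth a look given the CVE-2024-8956 auth bypass.
    return ("info", m["ip"], None)


def scan(log_text: str) -> list:
    """Classify every line; drop lines that are not param.cgi requests."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


def high_by_source(hits: list) -> dict:
    """Count high-severity hits per client IP, for blocking or escalation."""
    counts = {}
    for severity, ip, _ in hits:
        if severity == "high":
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(high_by_source(hits))
```

Access logs carry the query string but not a POST body, so an ntp_addr value sent in the body would be invisible to this scan; for that you need request-body logging on the proxy or inspection on the wire. Independently of detection, the camera's web interface should not be reachable from anything but a management network.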

CVE-2024-37383

RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability

Vendor: Roundcube

Product: Webmail

Added: 2024-10-24

Due Date: 2024-11-14

Description:

RoundCube Webmail contains a cross-site scripting (XSS) vulnerability in the handling of SVG animate attributes that allows a remote attacker to run malicious JavaScript code.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
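Until a patched Roundcube is deployed, a compensating control is to refuse to render mail whose HTML body carries SVG animation markup. The auditor below is an added example, not Roundcube code. The page says only that the bug sits in the handling of SVG animate attributes, so the check is deliberately broad: it reports every SMIL animation element inside an svg element and any attribute whose value is a javascript: URL. The sample bodies are constructed and the second one is an illustrative vector, not the published exploit.

```python
"""Audit inbound HTML mail bodies for SVG animation elements before rendering.

Added example, not Roundcube code. The page states only that the XSS lies in
the handling of SVG animate attributes, so this check is deliberately broad:
it reports every SVG animation element and any attribute value that is a
javascript: URL, so a message can be quarantined or shown as plain text.
The sample bodies are constructed, not the real exploit.
"""
from html.parser import HTMLParser

# SMIL animation elements; html.parser lower-cases tag names, so animateTransform
# arrives here as "animatetransform".
SVG_ANIMATION = {"animate", "animatemotion", "animatetransform", "set"}


class SvgAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.svg_depth = 0
        self.findings = []  # (tag, {attr: value}) for each suspicious element

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth and tag in SVG_ANIMATION:
            self.findings.append((tag, dict(attrs)))
        for name, value in attrs:
            if value and value.strip().lower().startswith("javascript:"):
                self.findings.append((tag, {name: value}))

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1
    # html.parser routes self-closing tags (<animate ... />) through
    # handle_starttag and then handle_endtag, so nothing extra is needed.


def audit_html(body: str) -> list:
    """Return the list of suspicious (tag, attrs) pairs found in an HTML body."""
    parser = SvgAuditor()
    parser.feed(body)
    parser.close()
    return parser.findings


def is_safe_to_render(body: str) -> bool:
    return not audit_html(body)


# Constructed samples; the second is an illustrative vector, not the published exploit.
SAMPLES = {
    "plain": "<p>Hello</p><svg width='10' height='10'><circle r='4'/></svg>",
    "animate": "<svg><a><animate attributeName='href' values='javascript:alert(1)'/></a></svg>",
    "outside_svg": "<p>Set an animate reminder</p>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "safe" if is_safe_to_render(body) else audit_html(body))
```

Put the check in front of the webmail (a milter or an API gateway on the IMAP proxy) rather than inside it, and treat a hit as "render as plain text", not "drop": legitimate mail almost never carries SMIL animation, so the false-positive cost is small and the user still sees the message.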

CVE-2024-20481

Cisco ASA and FTD Denial-of-Service Vulnerability

Vendor: Cisco

Product: Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)

Added: 2024-10-24

Due Date: 2024-11-14

Description:

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain a missing release of resource after effective lifetime vulnerability that could allow an unauthenticated, remote attacker to cause a denial-of-service (DoS) of the remote access VPN (RAVPN) service.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-772: Missing Release of Resource after Effective Lifetime

CVE-2024-47575

Fortinet FortiManager Missing Authentication Vulnerability

Vendor: Fortinet

Product: FortiManager

Added: 2024-10-23

Due Date: 2024-11-13

Description:

Fortinet FortiManager contains a missing authentication vulnerability in the fgfmd daemon that allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-306: Missing Authentication for Critical Function

CVE-2024-38094

Known to be used in ransomware campaigns

Microsoft SharePoint Deserialization Vulnerability

Vendor: Microsoft

Product: SharePoint

Added: 2024-10-22

Due Date: 2024-11-12

Description:

Microsoft SharePoint contains a deserialization vulnerability that allows for remote code execution.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-502: Deserialization of Untrusted Data

CVE-2024-9537

ScienceLogic SL1 Unspecified Vulnerability

Vendor: ScienceLogic

Product: SL1

Added: 2024-10-21

Due Date: 2024-11-11

Description:

ScienceLogic SL1 (formerly EM7) is affected by an unspecified vulnerability involving an unspecified third-party component.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CVE-2024-40711

Known to be used in ransomware campaigns

Veeam Backup and Replication Deserialization Vulnerability

Vendor: Veeam

Product: Backup & Replication

Added: 2024-10-17

Due Date: 2024-11-07

Description:

Veeam Backup and Replication contains a deserialization vulnerability allowing an unauthenticated user to perform remote code execution.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-502: Deserialization of Untrusted Data

CVE-2024-28987

SolarWinds Web Help Desk Hardcoded Credential Vulnerability

Vendor: SolarWinds

Product: Web Help Desk

Added: 2024-10-15

Due Date: 2024-11-05

Description:

SolarWinds Web Help Desk contains a hardcoded credential vulnerability that could allow a remote, unauthenticated user to access internal functionality and modify data.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-798: Use of Hard-coded Credentials

CVE-2024-9680

Mozilla Firefox Use-After-Free Vulnerability

Vendor: Mozilla

Product: Firefox

Added: 2024-10-15

Due Date: 2024-11-05

Description:

Mozilla Firefox and Firefox ESR contain a use-after-free vulnerability in Animation timelines that allows for code execution in the content process.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-416: Use After Free

CVE-2024-30088

Microsoft Windows Kernel TOCTOU Race Condition Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2024-10-15

Due Date: 2024-11-05

Description:

Microsoft Windows Kernel contains a time-of-check to time-of-use (TOCTOU) race condition vulnerability that could allow for privilege escalation.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

CVE-2024-9380

Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability

Vendor: Ivanti

Product: Cloud Services Appliance (CSA)

Added: 2024-10-09

Due Date: 2024-10-30

Description:

Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with application admin privileges to pass commands to the underlying OS.

Required Action:

As Ivanti CSA 4.6.x has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to a supported release in the 5.0.x line or later.

CWEs:

CWE-77: Improper Neutralization of Special Elements used in a Command (Command Injection)

CVE-2024-9379

Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability

Vendor: Ivanti

Product: Cloud Services Appliance (CSA)

Added: 2024-10-09

Due Date: 2024-10-30

Description:

Ivanti Cloud Services Appliance (CSA) contains a SQL injection vulnerability in the admin web console in versions prior to 5.0.2, which can allow a remote attacker authenticated as administrator to run arbitrary SQL statements.

Required Action:

As Ivanti CSA 4.6.x has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to a supported release in the 5.0.x line or later.

CWEs:

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)

CVE-2024-23113

Fortinet Multiple Products Format String Vulnerability

Vendor: Fortinet

Product: Multiple Products

Added: 2024-10-09

Due Date: 2024-10-30

Description:

Fortinet FortiOS, FortiPAM, FortiProxy, and FortiWeb contain a format string vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-134: Use of Externally-Controlled Format String

CVE-2024-43573

Microsoft Windows MSHTML Platform Spoofing Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2024-10-08

Due Date: 2024-10-29

Description:

Microsoft Windows MSHTML Platform contains an unspecified spoofing vulnerability which can lead to a loss of confidentiality.

Required Action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)