www.securitymagazine.com/articles/101758-4-critical-known-exploited-vulnerabilities-added-to-kev-catalog

4 Critical, Known Exploited Vulnerabilities Added to KEV Catalog

July 14, 2025

The Cybersecurity & Infrastructure Security Agency (CISA) has added four new vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation.

The vulnerabilities are as follows:

  • Multi-Router Looking Glass (MRLG) Buffer Overflow Vulnerability (CVE-2014-3931) 
  • PHPMailer Command Injection Vulnerability (CVE-2016-10033) 
  • Rails Ruby on Rails Path Traversal Vulnerability (CVE-2019-5418) 
  • Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability (CVE-2019-9621) 

Below, security leaders elaborate on these vulnerabilities and discuss the risks. 

Security Leaders Weigh In 

Jason Soroko, Senior Fellow at Sectigo:

The four flaws recently flagged by CISA illustrate how forgotten code can outlive its news cycle. Security teams should not let the publication date lull them into complacency.  

  • CVE-2014-3931 still lurks in aging Multi Router Looking Glass instances where the fastping buffer overflow lets a remote user corrupt memory.  
  • CVE-2016-10033 haunts legacy web apps that never replaced or updated PHPMailer, allowing hostile input to hijack the mail routine and run arbitrary commands.  
  • CVE-2019-5418 keeps exposing Ruby on Rails servers when crafted Accept headers trick render calls into disclosing local files, with proof-of-concept chains that reach code execution in some setups.  
  • Only CVE-2019-9621 has a known campaign: Trend Micro tied the Earth Lusca group to widespread Zimbra breaches in 2023 that planted web shells and Cobalt Strike beacons via the SSRF bug.

James Maude, Field CTO at BeyondTrust:

Just like fashion trends, the lifecycle of a vulnerability can be cyclical. If you get it wrong, it can really come back to bite you. With huge volumes of vulnerabilities reported every year, the challenge many organizations face is that if they don’t patch it within the first 90 days, they might never patch it. In some cases, risks of not patching will be accepted as they may be mitigated by access controls. However, once an attacker is within the network or able to access the system, those historic mitigations fail.

As an industry, this should be a bit of a wake-up call that prevention isn’t dead. Software patching, implementing least privilege, and controlling execution are hugely effective defenses that shouldn’t be dismissed in favor of the latest detection trends. One of the challenges many organizations face is holistic visibility of their attack surface, which could be through unpatched software vulnerabilities or, increasingly, their identity attack surface, both of which have likely grown significantly over the years.

While many might be surprised at the age of these vulnerabilities, when it comes to threat actors “it ain’t stupid if it works,” and in many cases compromising the right identity will provide access to a VPN and a network full of vulnerable systems. When it comes to any exploit, be that one from a decade ago or a brand new zero day, the more you can control the privilege and access of identities, the less risk you are exposed to. Now is the time to patch and proactively reduce the attack surface.

Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit:

The inclusion of these older, but actively exploited, vulnerabilities in the CISA KEV catalog cements the fact that threat actors are adept at finding and abusing unpatched software regardless of their age. This shows that threat actors often select vulnerabilities based on their ability to maximize access, persistence and impact within a target environment rather than their age.

Organizations should not assume that only new vulnerabilities are being targeted. What's more, all affected products are commonly accessible from the internet or serve as critical infrastructure — such as email servers, web application frameworks, and network diagnostic tools — making them prime targets for automated scanning and exploitation. To address these vulnerabilities, organizations should:

  1. Conduct a thorough inventory to locate all systems running vulnerable software, including legacy and shadow IT assets. 
  2. Identify dependencies as well, since PHPMailer can be embedded in web applications and Rails in other SaaS platforms.
  3. Limit access to diagnostic tools (like MRLG) and collaboration platforms (like Zimbra) to only trusted networks or users.
  4. Use network segmentation via firewalls and access control lists to minimize unnecessary exposure of services to the internet.
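Steps 1 and 2 above are the ones most often skipped because nobody knows where the old components live. The script below is an added example (not from the article or from Qualys) of how to cross-reference an asset and dependency inventory against a KEV-style list: it reads a constructed excerpt that mirrors the KEV JSON field names (`cveID`, `vendorProject`, `product`) populated with the four CVEs named in the article, pulls resolved packages out of sample `Gemfile.lock` and `composer.lock` snippets, and flags every host or dependency whose product name hits a KEV entry. The hostnames, versions and lockfile contents are constructed; the script reports versions but does not judge them, because the fixed-in versions come from each vendor's advisory, not from this page.

```python
import json
import re

# Constructed excerpt using the KEV JSON field names (cveID, vendorProject, product);
# the four entries are the ones the article lists. Not a download of the live catalogue.
KEV_EXCERPT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2014-3931", "vendorProject": "Multi-Router Looking Glass", "product": "MRLG"},
    {"cveID": "CVE-2016-10033", "vendorProject": "PHPMailer", "product": "PHPMailer"},
    {"cveID": "CVE-2019-5418", "vendorProject": "Rails", "product": "Ruby on Rails"},
    {"cveID": "CVE-2019-9621", "vendorProject": "Synacor", "product": "Zimbra Collaboration Suite (ZCS)"},
]})

# Constructed host inventory (hypothetical hostnames and versions), e.g. a CMDB export.
HOST_INVENTORY = [
    {"host": "lg.example.internal", "product": "MRLG", "version": "unknown"},
    {"host": "mail.example.internal", "product": "Zimbra Collaboration", "version": "8.8.x"},
    {"host": "wiki.example.internal", "product": "MediaWiki", "version": "1.39"},
]

# Constructed lockfile snippets standing in for files pulled from application repos.
GEMFILE_LOCK = """GEM
  remote: https://rubygems.org/
  specs:
    actionpack (5.2.2)
    nokogiri (1.10.1)
    rails (5.2.2)

DEPENDENCIES
  rails (~> 5.2)
"""
COMPOSER_LOCK = json.dumps({"packages": [
    {"name": "phpmailer/phpmailer", "version": "v5.2.16"},
    {"name": "monolog/monolog", "version": "1.24.0"},
]})


def kev_aliases(kev_json):
    """Map each KEV entry to lowercase name aliases: vendor, product and any
    parenthesised acronym such as (ZCS)."""
    out = []
    for v in json.loads(kev_json)["vulnerabilities"]:
        names = {v["vendorProject"].lower(), v["product"].lower()}
        names.update(a.lower() for a in re.findall(r"\(([A-Za-z]+)\)", v["product"]))
        out.append((v["cveID"], names))
    return out


def deps_from_gemfile_lock(text):
    """Resolved gems from the 'specs:' block of a Gemfile.lock (4-space indent, 'name (version)')."""
    return [(m.group(1), m.group(2))
            for m in re.finditer(r"^ {4}(\S+) \(([^)]+)\)$", text, re.MULTILINE)]


def deps_from_composer_lock(text):
    """Installed packages from composer.lock; the vendor/ prefix and leading 'v' are dropped."""
    return [(p["name"].split("/")[-1], p["version"].lstrip("v"))
            for p in json.loads(text)["packages"]]


def name_matches(asset_name, alias):
    """Either string contained in the other, with a length floor so tokens like 'on' never match."""
    a, b = asset_name.lower(), alias
    return len(a) >= 4 and len(b) >= 4 and (a in b or b in a)


def cves_for(asset_name, aliases):
    """All KEV CVE IDs whose aliases match the given product name."""
    return sorted(cve for cve, names in aliases if any(name_matches(asset_name, n) for n in names))


def find_exposures(kev_json, hosts, gemfile_lock, composer_lock):
    """Steps 1 and 2: flag hosts and dependencies whose product names hit a KEV entry.
    Versions are reported, not judged: compare them with the vendor advisory for each CVE."""
    aliases = kev_aliases(kev_json)
    candidates = [(h["host"], h["product"], h["version"]) for h in hosts]
    candidates += [("Gemfile.lock", n, v) for n, v in deps_from_gemfile_lock(gemfile_lock)]
    candidates += [("composer.lock", n, v) for n, v in deps_from_composer_lock(composer_lock)]
    findings = []
    for source, name, version in candidates:
        cves = cves_for(name, aliases)
        if cves:
            findings.append({"source": source, "product": name, "version": version, "cves": cves})
    return findings


if __name__ == "__main__":
    for f in find_exposures(KEV_EXCERPT, HOST_INVENTORY, GEMFILE_LOCK, COMPOSER_LOCK):
        print(f"{f['source']:22} {f['product']:22} {f['version']:8} {', '.join(f['cves'])}")
```

On the constructed data this flags the MRLG host, the Zimbra host, `rails` from the Gemfile.lock and `phpmailer` from the composer.lock, and ignores MediaWiki, `nokogiri` and `monolog`. Name matching is deliberately loose (substring in either direction) so that a CMDB entry such as "Zimbra Collaboration" still hits the catalogue's "Zimbra Collaboration Suite (ZCS)"; the cost is occasional false positives, which is the right trade-off for an inventory pass whose output a human then checks against the advisory.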

Frankie Sclafani, Director of Cybersecurity Enablement at Deepwatch:

The recent addition of four older, yet actively exploited vulnerabilities (CVE-2014-3931, CVE-2016-10033, CVE-2019-5418, CVE-2019-9621) to the United States Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog highlights a critical, often underestimated aspect of modern cybersecurity: the persistent danger of long-standing, unpatched flaws. Organizations cannot afford to dismiss a vulnerability listed on the KEV solely based on its discovery date. The KEV catalog provides a crucial indication that even deeply embedded, older flaws are being actively weaponized. Despite being between five and 10 years old, these four vulnerabilities represent opportunities for a variety of threat actors, ranging from financially motivated cybercriminals to sophisticated state-sponsored groups such as Earth Lusca, identified by Trend Micro.

The age of a vulnerability can actually amplify the threat, due to the increased likelihood of unpatched instances across various systems. Older vulnerabilities, even those dating back years, can still pose a significant threat to organizations for several reasons. Most notably, once a vulnerability is disclosed and a CVE ID is assigned, detailed information, particularly exploitation proof-of-concept (PoC) code, often becomes readily available shortly thereafter. This means that even less-skilled attackers can easily find vulnerable systems and use these exploits. Cybercriminals also often create and share toolkits, automated scanning tools that specifically look for these well-known, unpatched vulnerabilities, making it easy to identify vulnerable organizations. There have been many examples over the years including the Equifax data breach in 2017, which was attributed to a failure to patch a known vulnerability (CVE-2017-5638) in the Apache Struts framework, which had a fix available months prior.