
CISA Flags Four Actively Exploited Vulnerabilities in KEV Catalog Update

Source: CISA Cybersecurity Advisories

CISA adds four critical vulnerabilities to its Known Exploited Vulnerabilities Catalog, including flaws in Sangoma, D-Link, and Adobe products with active exploitation evidence.

CISA Updates KEV Catalog with Four Actively Exploited Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation in the wild. Federal agencies and organizations are urged to prioritize remediation of these flaws to mitigate ongoing cyber threats.

Vulnerabilities Added to KEV Catalog

The newly listed vulnerabilities include:

  1. CVE-2019-19006 – Sangoma FreePBX

    • Type: Remote Code Execution (RCE)
    • Affected Product: Sangoma FreePBX (a widely used open-source PBX system)
    • Impact: Allows unauthenticated attackers to execute arbitrary code via crafted HTTP requests.

  2. CVE-2019-2725 – Oracle WebLogic Server

    • Type: Deserialization RCE
    • Affected Product: Oracle WebLogic Server (versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0)
    • Impact: Exploitable without authentication, enabling attackers to take control of vulnerable servers.

  3. CVE-2019-17621 – D-Link DIR-859 Router

    • Type: Command Injection
    • Affected Product: D-Link DIR-859 (firmware versions prior to 1.06)
    • Impact: Remote attackers can execute arbitrary commands via a crafted HTTP request.

  4. CVE-2016-4117 – Adobe Flash Player

    • Type: Use-After-Free RCE
    • Affected Product: Adobe Flash Player (versions 21.0.0.226 and earlier)
    • Impact: Exploitable via malicious Flash content, leading to arbitrary code execution.

Technical Analysis and Exploitation Evidence

CISA’s inclusion of these vulnerabilities in the KEV Catalog indicates confirmed exploitation by threat actors. While specific attack details remain undisclosed, the following observations apply:

  • CVE-2019-19006 (Sangoma FreePBX): Exploits target exposed web interfaces, often found in misconfigured VoIP deployments.
  • CVE-2019-2725 (Oracle WebLogic): Historically targeted by ransomware groups (e.g., Sodinokibi/REvil) and cryptocurrency miners.
  • CVE-2019-17621 (D-Link DIR-859): Router vulnerabilities are frequently leveraged in botnet recruitment (e.g., Mirai variants).
  • CVE-2016-4117 (Adobe Flash): Legacy Flash vulnerabilities remain a persistent attack vector in unpatched environments.

Impact and Mitigation Recommendations

Organizations using affected products should take immediate action:

  • Patch Prioritization: Apply vendor-supplied updates without delay. Federal agencies must remediate by the CISA-mandated deadline (typically within 2–4 weeks).
  • Network Segmentation: Isolate vulnerable systems (e.g., VoIP servers, routers) from critical infrastructure.
  • Exposure Reduction: Disable unnecessary services (e.g., Flash Player) and restrict access to administrative interfaces.
  • Threat Monitoring: Deploy intrusion detection/prevention systems (IDS/IPS) to detect exploitation attempts.

Next Steps for Security Teams

  1. Inventory Check: Identify all instances of affected products in your environment.
  2. Vulnerability Scanning: Use tools like Nessus or OpenVAS to detect unpatched systems.
  3. Incident Response: Investigate potential compromise if exploitation is suspected.
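As an added example (not code from CISA or the advisory), the inventory check in step 1 as a script: it encodes the four entries with the affected version ranges stated above, compares versions numerically rather than as strings (a string compare would rank Flash 21.0.0.9 after 21.0.0.226 and miss it), and flags matching assets in a constructed sample inventory. The hostnames and the (host, vendor, product, version) inventory format are assumptions; FreePBX has no version bound in the advisory, so every instance is flagged for review.

```python
import re
from typing import Callable, Iterable

def vtuple(v: str) -> tuple:
    # Dotted version -> tuple of ints, so 21.0.0.9 < 21.0.0.226 (a string
    # compare gets that wrong). Letters after the digits ("1.05b03") are dropped.
    return tuple(int(m.group()) if (m := re.match(r"\d+", p)) else 0 for p in v.split("."))

# (cve, vendor, product, predicate over the version string) for the four entries,
# using the affected ranges stated in the advisory. FreePBX has no version bound
# there, so every instance is flagged for review.
KEV_ENTRIES: list[tuple[str, str, str, Callable[[str], bool]]] = [
    ("CVE-2019-19006", "sangoma", "freepbx", lambda v: True),
    ("CVE-2019-2725", "oracle", "weblogic",
     lambda v: vtuple(v) in {vtuple("10.3.6.0.0"), vtuple("12.1.3.0.0"), vtuple("12.2.1.3.0")}),
    ("CVE-2019-17621", "d-link", "dir-859", lambda v: vtuple(v) < vtuple("1.06")),
    ("CVE-2016-4117", "adobe", "flash_player", lambda v: vtuple(v) <= vtuple("21.0.0.226")),
]

# Constructed sample inventory: (host, vendor, product, version). Hypothetical hosts.
INVENTORY = [
    ("pbx-01", "Sangoma", "FreePBX", "15.0.16"),
    ("weblogic-02", "Oracle", "WebLogic", "12.1.3.0.0"),
    ("weblogic-03", "Oracle", "WebLogic", "12.2.1.4.0"),
    ("router-07", "D-Link", "DIR-859", "1.05b03"),
    ("router-08", "D-Link", "DIR-859", "1.06"),
    ("ws-11", "Adobe", "Flash_Player", "21.0.0.9"),
    ("ws-12", "Adobe", "Flash_Player", "22.0.0.192"),
]

def find_exposed(inventory: Iterable[tuple[str, str, str, str]]) -> list[tuple[str, str]]:
    # Return (host, cve) pairs for assets inside a KEV entry's affected range.
    # Vendor/product matching is case-insensitive.
    hits = []
    for host, vendor, product, version in inventory:
        for cve, kv, kp, affected in KEV_ENTRIES:
            if (vendor.lower(), product.lower()) == (kv, kp) and affected(version):
                hits.append((host, cve))
    return hits

if __name__ == "__main__":
    for host, cve in find_exposed(INVENTORY):
        print(f"{host}: {cve}")
```

Feed the output into the scanning and incident-response steps: each flagged host is a candidate for a credentialed scan and, if it is internet-exposed, for a compromise assessment before patching.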

For further guidance, refer to CISA’s KEV Catalog and vendor advisories.

Original advisory: CISA Alert AA26-033A
