Ostorlab KEV update for 02 April 2024

New vulnerabilities added to Ostorlab known exploited vulnerabilities catalog

Tue 02 April 2024

Over the past few days, several critical vulnerabilities have been caught being exploited by threat actors in the wild. These vulnerabilities were added to CISA's KEV catalog and other vulnerability catalogs. We have analyzed the ones that are remotely exploitable and added detection for them in Ostorlab KEV.

  • CVE-2023-48788

CVE-2023-48788 is a SQL injection in Fortinet FortiClientEMS versions 7.2.0 through 7.2.2 and 7.0.1 through 7.0.10 that allows an attacker to execute unauthorized commands via specially crafted packets. The vulnerability was given a 9.8 CVSS score as it can be exploited without authentication.

Threat actors have been observed leveraging this vulnerability to gain a foothold into corporate networks.

  • CVE-2021-44529

CVE-2021-44529 is an unauthenticated OS command injection affecting the Ivanti EPM Cloud Services Appliance (CSA). The vulnerability was given a 9.8 CVSS score.

Some researchers considered this CVE more of a backdoor than a vulnerability given that it was carefully buried within one of the PHP files.

  • CVE-2023-24955

CVE-2023-24955 and CVE-2023-29357 respectively are an authentication bypass vulnerability and remote code execution in Microsoft SharePoint reported during Pwn2Own Vancouver.

The vulnerability was patched last summer but was only recently added to CISA KEV. The reason is that it took attackers some time to weaponize the released PoC: it does not achieve RCE right away, but requires knowing a valid username that is not part of the built-in administrators group.

  • CVE-2019-7256

CVE-2019-7256 is an unauthenticated OS command injection in the Linear eMerge E3-Series devices. The vulnerability was given a 10.0 CVSS score as it can be easily exploited without authentication.
