Hacker Alert: CISA Flags Trio of Actively Exploited Security Gaps!

Beware, digital world! CISA’s latest ‘Most Wanted’ list features three cyber culprits: Fortinet’s leaky SQL, Ivanti’s code-injecting chaos, and Nice’s command-conjuring crack. Patch up or face the hack-up! #CybersecurityAlert #PatchOrPerish

Hot Take:

Another day, another set of exploits! CISA’s adding vulnerabilities to their KEV catalog like they’re trading cards, and the cyber baddies are collecting them all. It’s like a twisted game of Pokémon where everyone loses, except for the hackers. And let’s talk about that “intentional backdoor” situation – it’s like leaving your keys under the mat and being shocked when someone waltzes into your house!

Key Points:

  • Three new vulnerabilities hit the cybersecurity scene’s Most Wanted list, courtesy of CISA’s KEV catalog.
  • Fortinet’s FortiClient EMS has a SQL injection vulnerability so fresh, it’s still got that new bug smell.
  • Ivanti’s Endpoint Manager might as well have rolled out the red carpet for hackers with its code injection vulnerability.
  • Nice Linear eMerge E3-Series is serving up remote code execution like it’s happy hour – and the threat actors are definitely happy.
  • Software manufacturers are still baking SQL injection vulnerabilities into their products like they’re a secret ingredient. Spoiler: They’re not.
Cve id: CVE-2023-48788
Cve state: PUBLISHED
Cve assigner short name: fortinet
Cve date updated: 03/12/2024
Cve description: An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, FortiClientEMS 7.0.1 through 7.0.10 allows an attacker to execute unauthorized code or commands via specially crafted packets.

Cve id: CVE-2023-34362
Cve state: PUBLISHED
Cve assigner short name: mitre
Cve date updated: 06/23/2023
Cve description: In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.

Cve id: CVE-2019-7256
Cve state: PUBLISHED
Cve assigner short name: mitre
Cve date updated: 01/05/2023
Cve description: Linear eMerge E3-Series devices allow Command Injections.

Cve id: CVE-2021-44529
Cve state: PUBLISHED
Cve assigner short name: hackerone
Cve date updated: 01/18/2023
Cve description: A code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) allows an unauthenticated user to execute arbitrary code with limited permissions (nobody).

Need to know more?

Fortinet's "Not-So-Fortified" Client

Fortinet's FortiClient EMS just can't catch a break – or maybe it catches too many. CVE-2023-48788 is an SQL injection in the EMS server, reachable with specially crafted packets and serious enough to earn a critical CVSS rating, affecting 7.2.0 through 7.2.2 and 7.0.1 through 7.0.10. But Fortinet's being coy, confirming exploitation in the wild while keeping the details under wraps. It's like knowing there's a monster under the bed, but you're not sure if it's the boogeyman or just a dust bunny.

Ivanti's Oopsie Daisy Backdoor

CVE-2021-44529 is a code injection vulnerability in the Ivanti EPM Cloud Services Appliance so convenient, it might as well be a drive-thru for hackers: an unauthenticated user gets arbitrary code execution, albeit as the low-privileged "nobody" account. And guess what? Researchers have suggested it might've been an "intentional backdoor," which is like saying, "Oops, did I accidentally install a revolving door for cybercriminals?" It's the cybersecurity equivalent of "it's not a bug, it's a feature!"

Nice Linear's Not-So-Nice Welcome

The Nice Linear eMerge E3-Series is the gift that keeps on giving – if you're a hacker. CVE-2019-7256 is a command injection flaw in these access-control devices, giving remote code execution and a perfect 10.0 CVSS score, which is like winning the cyber lottery for threat actors. And the best part? It's been public since 2019, just waiting to be exploited. It's like leaving your Christmas lights up all year round and being surprised when Santa shows up in July.

Federal Deadline Fun

Federal agencies now have the delightful task of patching these vulnerabilities by April 15, 2024. It's a race against the clock, with the prize being not getting hacked into oblivion. It's like reality TV for cybersecurity, except everyone's on the edge of their seat, and nobody's getting voted off the island.
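The deadline only matters if you know which of your assets it applies to. The following is an added example, not code from the article or from CISA, of how a small triage script can cross-check an asset inventory against KEV entries and the affected-version ranges from the CVE description above. The KEV excerpt and the inventory are constructed for illustration; the field names follow the KEV JSON schema, the CVE IDs, vendors, products and due date come from the article, and the host names and installed versions are assumed.

```python
import json
from datetime import date
from typing import List, Optional, Tuple

# Constructed excerpt in the shape of CISA's KEV JSON feed (field names follow the
# published schema). cveID, vendor/product and dueDate are taken from the article;
# nothing else from the real feed is reproduced here.
KEV_EXCERPT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-48788", "vendorProject": "Fortinet",
     "product": "FortiClient EMS", "dueDate": "2024-04-15"},
    {"cveID": "CVE-2021-44529", "vendorProject": "Ivanti",
     "product": "Endpoint Manager Cloud Service Appliance (EPM CSA)",
     "dueDate": "2024-04-15"},
    {"cveID": "CVE-2019-7256", "vendorProject": "Nice",
     "product": "Linear eMerge E3-Series", "dueDate": "2024-04-15"},
]})

# Inclusive affected ranges transcribed from the CVE-2023-48788 description.
# The article gives no version data for the other two CVEs, so any inventory
# match for those is treated as affected until verified by hand.
AFFECTED_VERSIONS = {
    "CVE-2023-48788": [("7.2.0", "7.2.2"), ("7.0.1", "7.0.10")],
}

# Constructed inventory (hypothetical hosts and versions).
INVENTORY = [
    {"host": "ems-01", "product": "Fortinet FortiClient EMS", "version": "7.2.1"},
    {"host": "ems-02", "product": "Fortinet FortiClient EMS", "version": "7.2.3"},
    {"host": "csa-01",
     "product": "Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA)",
     "version": None},
    {"host": "door-ctl-01", "product": "Nice Linear eMerge E3-Series",
     "version": None},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '7.2' or '7.0.10' into a zero-padded 3-tuple so ranges compare sanely."""
    parts = [int(p) for p in v.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def is_affected(cve_id: str, version: Optional[str]) -> bool:
    """True when the installed version falls inside a listed affected range.

    Unknown versions, or CVEs with no range data, are reported as affected:
    a false positive costs a look, a false negative costs an incident.
    """
    ranges = AFFECTED_VERSIONS.get(cve_id)
    if ranges is None or version is None:
        return True
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)


def triage(kev_json: str, inventory: List[dict], today: date) -> List[Tuple[str, str, int]]:
    """Return (host, cveID, days_past_due) for affected assets, most overdue first."""
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            # Crude product matching: KEV product string contained in the inventory name.
            if entry["product"].lower() not in asset["product"].lower():
                continue
            if not is_affected(entry["cveID"], asset.get("version")):
                continue
            findings.append((asset["host"], entry["cveID"], (today - due).days))
    return sorted(findings, key=lambda f: -f[2])


if __name__ == "__main__":
    for host, cve, overdue in triage(KEV_EXCERPT, INVENTORY, date(2024, 4, 20)):
        status = f"{overdue} days past due" if overdue > 0 else f"due in {-overdue} days"
        print(f"{host:12} {cve:16} {status}")
```

Note that ems-02 on 7.2.3 drops out because it sits outside the ranges in the CVE description, while the two assets with no recorded version are kept in the list on purpose: a triage script should never silently clear a host it cannot classify.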

The SQL Injection Saga Continues

Finally, CISA and the FBI are wagging their fingers at software manufacturers for keeping SQL injection flaws in vogue. It's 2024, and SQLi is still as fashionable as ever in the cyber world. It's like acid-washed jeans – they were cool in the '90s, but now they're just a sign you're stuck in the past. And just when you thought it couldn't get worse, here comes the Cl0p ransomware gang skipping down SQLi lane via the MOVEit Transfer flaw (CVE-2023-34362, listed above), breaching thousands of organizations. It's a mess, and not the kind you can clean up with a mop and bucket.
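The fix CISA and the FBI keep asking for is not exotic: stop splicing user input into the SQL text. The following is an added example, not code from the article or from any of the vendors named on this page, that shows a login check built by string formatting next to the same check with parameterized queries, run against a constructed in-memory SQLite table. The table, users and payloads are made up for illustration.

```python
import sqlite3
from typing import Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample table; the credentials are placeholders, not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret!", "admin"), ("alice", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> Optional[Tuple[str, str]]:
    """The anti-pattern: input is pasted into the statement, so it becomes SQL grammar."""
    sql = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username: str, password: str) -> Optional[Tuple[str, str]]:
    """The fix: placeholders keep the statement fixed; values are bound, never parsed."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Classic payloads (constructed): comment out the password check, or make the
# WHERE clause unconditionally true.
COMMENT_PAYLOAD = ("admin' --", "whatever")
TAUTOLOGY_PAYLOAD = ("' OR '1'='1", "' OR '1'='1")


def demo() -> dict:
    """Run both implementations against a valid login and the two payloads."""
    conn = make_db()
    results = {}
    for name, user, pw in [
        ("valid", "alice", "hunter2"),
        ("comment", *COMMENT_PAYLOAD),
        ("tautology", *TAUTOLOGY_PAYLOAD),
    ]:
        results[name] = {
            "vulnerable": login_vulnerable(conn, user, pw),
            "parameterized": login_parameterized(conn, user, pw),
        }
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:10} vulnerable={outcome['vulnerable']}  "
              f"parameterized={outcome['parameterized']}")
```

The comment payload turns the statement into `... WHERE username = 'admin' --' AND password = 'whatever'`, so the password check is never evaluated and the vulnerable version hands back the admin row; the tautology payload returns the first row for the same reason. The parameterized version returns no row for either, because the quote characters arrive as data inside the bound value rather than as part of the statement. Nothing about SQLite is special here: the same contrast holds for MySQL, SQL Server and Azure SQL, the engines named in the MOVEit description above.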

So what's the moral of the story? Patch your systems, folks. And maybe, just maybe, stop installing backdoors – intentional or not.

Tags: code injection vulnerability, Critical Security Flaws, CVE-2019-7256, CVE-2021-44529, CVE-2023-48788, SQL Injection Vulnerability, Vulnerability Exploitation