VMware, Adobe bugs exploited in active attacks as Cisco warns of critical ‘10.0’ flaw
VMware, SolarWinds and Adobe users are being warned that vulnerabilities found in each of the products are under active attack. On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
Impacted products include Adobe Commerce (CVE-2024-34102), SolarWinds Serv-U (CVE-2024-28995) and VMware vCenter Server (CVE-2022-22948).
CISA’s warning dovetails with another dire vulnerability alert from Cisco for a critical bug with a CVSS rating of 10.0. The vulnerability resides in the authentication system of the networking giant’s Cisco Smart Software Manager On-Prem (SSM On-Prem). According to Cisco, the flaw could let an unauthenticated, remote attacker change the password of any user, including administrative users.
In an advisory, Cisco said the vulnerability was caused by an improper implementation of the password change process. Cisco said an attacker could exploit this bug by sending crafted HTTP requests to an affected device. A successful exploit could let an attacker access the web UI or API with the privileges of the compromised user.
Cisco has released software updates for the vulnerability — CVE-2024-20419 — and there are no workarounds.
The bugs added to the KEV catalog by CISA are as follows:
- CVE-2024-34102, CVSS 9.8: NIST said a critical bug was found in Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier. Those versions are affected by an improper restriction of XML external entity reference (XXE) vulnerability that could result in arbitrary code execution. NIST said an attacker could exploit this vulnerability by sending a crafted XML document that references external entities, and that exploitation does not require user interaction.
- CVE-2024-28995, CVSS 7.5: According to NIST, SolarWinds Serv-U was susceptible to a directory traversal vulnerability that allows an attacker to read sensitive files on the host machine.
- CVE-2022-22948, CVSS 6.5: vCenter Server contains a medium-severity information disclosure vulnerability caused by improper file permissions. NIST said a malicious actor with non-administrative access to the vCenter Server could exploit this issue to gain access to sensitive information.
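The XXE bug class behind CVE-2024-34102 comes down to a parser that resolves a SYSTEM entity declared in attacker-supplied XML. The following is an added example, not Adobe's code and not a reproduction of the Adobe Commerce exploit: it uses Python's standard-library expat parser to show a parser configured to resolve external entities leaking a local file, next to a hardened configuration that refuses any DOCTYPE and never resolves external entities. The secret file, the payload and the `parse_text`/`demo` helpers are all constructed for this illustration.

```python
"""Added example (not Adobe's code): an XML external entity (XXE)
reference leaking a local file when a parser resolves SYSTEM entities,
and a hardened parser rejecting the same input.  Standard library only.
"""
import os
import tempfile
import xml.parsers.expat as expat


def parse_text(xml_bytes, resolve_external_entities):
    """Parse XML and return its concatenated character data.

    resolve_external_entities=True reproduces the vulnerable behaviour:
    every SYSTEM entity is resolved by reading the referenced path and
    splicing the file contents into the document.  False is the hardened
    mode: any DOCTYPE is rejected and external entities are never resolved.
    """
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    if resolve_external_entities:
        def resolve(context, base, system_id, public_id):
            # VULNERABLE: system_id comes straight from attacker-controlled
            # XML, so any readable file can be pulled into the document.
            with open(system_id, "rb") as fh:
                body = fh.read()
            # The child parser inherits this parser's handlers, so the file
            # contents are reported through CharacterDataHandler.
            child = parser.ExternalEntityParserCreate(context)
            child.Parse(body, True)
            return 1
        parser.ExternalEntityRefHandler = resolve
    else:
        def reject_doctype(name, system_id, public_id, has_internal_subset):
            # Untrusted documents have no business declaring a DTD at all.
            raise ValueError("DOCTYPE not allowed in untrusted XML")
        parser.StartDoctypeDeclHandler = reject_doctype
        # No ExternalEntityRefHandler is installed, so even if a DOCTYPE were
        # accepted, expat would skip external entity references.

    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def xxe_payload(path):
    """Constructed attacker input: a DOCTYPE declaring an external entity
    that points at a local file, then a reference to it in element content."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE order [<!ENTITY leak SYSTEM "%s">]>\n'
        '<order><note>&leak;</note></order>\n' % path
    ).encode()


def demo():
    """Plant a constructed secret file and run the payload through both
    configurations; returns what each one produced."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as fh:
            fh.write("TOPSECRET")  # constructed sensitive file
        payload = xxe_payload(secret_path)

        leaked = parse_text(payload, resolve_external_entities=True)
        try:
            parse_text(payload, resolve_external_entities=False)
            blocked = False
        except ValueError:
            blocked = True

    # Ordinary XML without a DOCTYPE still parses in hardened mode.
    benign = parse_text(b"<order><note>hello</note></order>", False)
    return {"leaked": leaked, "blocked": blocked, "benign": benign}


if __name__ == "__main__":
    print(demo())
```

The important design point is that the hardened path does not try to be clever about which entities are safe: it fails closed on the DOCTYPE itself, which also shuts down parameter-entity and entity-expansion tricks that a denylist of `SYSTEM` would miss. The same rule applies to libxml2-based parsers such as PHP's DOMDocument, where the equivalent is parsing with entity loading disabled and rejecting documents that carry a DTD.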
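The directory traversal class behind CVE-2024-28995 is a file server that joins a client-supplied path onto its document root without checking where the result lands. The following added example, not SolarWinds code and not a reproduction of the Serv-U flaw, shows the generic check that such a bug bypasses: the request is percent-decoded, backslashes are treated as separators, and the resolved real path (with `..` and symlinks collapsed) must still lie under the root. The directory layout, the file names and the `resolve_under_root`/`demo` helpers are constructed for the illustration.

```python
"""Added example (not SolarWinds code): resolving a client-supplied path
under a document root so that "..", percent-encoding, backslashes,
absolute paths and symlinks cannot escape it.  Standard library only.
"""
import os
import tempfile
from urllib.parse import unquote


def resolve_under_root(root, requested):
    """Return the real filesystem path for `requested` inside `root`,
    or raise PermissionError if the result would lie outside `root`."""
    root_real = os.path.realpath(root)

    # Decode percent-encoding repeatedly (bounded) so that "%2e%2e%2f" and
    # double-encoded "%252e%252e" are both seen as "../" before any check.
    decoded = requested
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once

    # Treat backslashes as separators; servers on Windows accept both forms.
    decoded = decoded.replace("\\", "/")
    # Strip leading separators so an absolute path is still joined under root.
    relative = decoded.lstrip("/")

    # realpath() collapses ".", ".." and symlinks; the result must be the
    # root itself or something strictly beneath it.
    candidate = os.path.realpath(os.path.join(root_real, relative))
    if candidate != root_real and not candidate.startswith(root_real + os.sep):
        raise PermissionError("path escapes document root: %r" % requested)
    return candidate


def demo():
    """Constructed layout: a document root with one public file, a secret
    file outside the root, and a symlink inside the root pointing at it."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "pub")
        os.mkdir(root)
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("public")
        with open(os.path.join(tmp, "secret.txt"), "w") as fh:
            fh.write("private")
        os.symlink(os.path.join(tmp, "secret.txt"), os.path.join(root, "link"))

        # Constructed request paths a client might send.
        attempts = [
            "readme.txt",             # legitimate
            "../secret.txt",          # plain traversal
            "..%2fsecret.txt",        # encoded separator
            "%252e%252e/secret.txt",  # double-encoded dots
            "..\\secret.txt",         # backslash traversal
            "link",                   # symlink escaping the root
        ]
        for req in attempts:
            try:
                resolve_under_root(root, req)
                results[req] = "allowed"
            except PermissionError:
                results[req] = "blocked"
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print("%-24s %s" % (req, outcome))
```

Two points worth noting: the check is done on the fully resolved path rather than on the raw string, so it does not depend on spotting every spelling of `..`; and a request such as `/etc/passwd` is not rejected but remapped under the root, which is the usual behaviour for a file server that treats every request as root-relative.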