The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog with two new security flaws that are currently being exploited. The first vulnerability, CVE-2012-4792, is a use-after-free issue in Microsoft Internet Explorer. This flaw, which has been known for over a decade, could allow attackers to execute arbitrary code through a specially crafted website. Although it was previously exploited in targeted attacks against specific organizations, it is unclear if it has seen renewed exploitation recently.
The second vulnerability listed, CVE-2024-39891, affects Twilio’s Authy service. This flaw, with a CVSS score of 5.3, involves an information disclosure issue that occurs through an unauthenticated endpoint. Attackers could exploit this vulnerability to obtain information about whether a phone number is registered with Authy. Twilio has addressed this issue in recent updates to its mobile applications, but it was previously exploited to gather data on Authy accounts.
CISA’s advisory highlights the critical nature of these vulnerabilities, stressing that they are frequent targets for malicious actors and pose serious risks to cybersecurity. Federal Civilian Executive Branch (FCEB) agencies are mandated to address these vulnerabilities by August 13, 2024, to protect their networks from potential threats.
The inclusion of these vulnerabilities in the KEV catalog underscores the ongoing challenge of securing systems against both longstanding and emerging threats. Agencies and organizations are encouraged to implement necessary patches and safeguards promptly to mitigate the risks associated with these vulnerabilities.