The Cybersecurity and Infrastructure Security Agency has updated its Known Exploited Vulnerabilities catalog to include an old critical use-after-free flaw impacting Internet Explorer, tracked as CVE-2012-4792, and a medium-severity information disclosure bug affecting Twilio Authy, tracked as CVE-2024-39891. Federal agencies are urged to remediate both security issues by August 13, The Hacker News reports.
Even though there has been no clear evidence indicating ongoing active exploitation of CVE-2012-4792, the vulnerability, which could enable remote execution of arbitrary code, was leveraged in watering hole attacks deployed against Capstone Turbine Corporation and the Council on Foreign Relations almost 12 years ago. Meanwhile, threat actors looking to identify Authy account-related data deployed attacks leveraging CVE-2024-39891 before Twilio addressed the flaw earlier this month. "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," said CISA.