Four vulnerabilities in SAP, D-Link, DrayTek and Motion Spell products were added to the Known Exploited Vulnerabilities (KEV) catalog Monday by the Cybersecurity & Infrastructure Security Agency (CISA)
The vulnerabilities, most of which are several years old, pose risks including privilege escalation and remote command execution. Due to targeting of these flaws by threat actors, federal civilian executive branch agencies are required to remediate these vulnerabilities by Oct. 21, 2024.
The oldest vulnerability, affecting SAP Commerce Cloud (formerly SAP Hybris Service Cloud) and tracked as CVE-2019-0344, has a critical CVSS score of 9.8 and could enable a remote attacker to execute arbitrary code with the same rights as a “Hybris” user account on the target machine.
CVE-2019-0344 is caused by unsafe deserialization used by the extension “virtualjdbc” in the vulnerable versions, which include versions 6.4, 6.5, 6.6, 6.7, 1808, 1811 and 1905. Customers can use the SAP Support Portal for guidance on upgrading to a patched version of the software.
Another critical vulnerability, tracked as CVE-2020-15415, affects DrayTek Vigor3900, Vigor2960, and Vigor300B routers prior to firmware version 1.5.1. This vulnerability enables remote command execution via shell metacharacters in a filename when the text/x-python-script content type is used. In this case, filenames are not properly sanitized for special characters when communicating with cgi-bin/mainfunction.cgi/cvmcfgupload.
Downloads for the fixed firmware version 1.5.1.1 for each device are available from the Draytek website.
The newest vulnerability among the latest KEV entries is tracked as CVE-2023-25280 and also has a critical CVSS score of 9.8. It is present in D-Link DIR820LA1_FW105B03 (router model DIR-820L, hardware version A1, firmware version 105B03) and can enable an attacker to escalate to root privileges by sending a crafted payload with the ping_addr parameter to ping.ccp.
A proof-of-concept (PoC) exploit has been available for CVE-2023-25280 since February 2023 and Palo Alto Networks’ Unit 42 detected exploitation of the vulnerability in the wild in April 2023. As the D-Link DIR-820L router is an end-of-life model, users are advised to discontinue use of the product to prevent exploitation.
The final vulnerability added to the KEV, tracked as CVE-2021-4043, has a medium severity CVSS score of 5.8 and is a null pointer dereference flaw in GPAC open-source multimedia framework that could lead to denial-of-service. This vulnerability has a PoC exploit and affects versions of GPAC prior to 1.1.0. The KEV entry specifically references Motion Spell’s implementation of GPAC as being exploited in the wild.
