The US Cybersecurity & Infrastructure Security Agency (CISA) has added 2 security flaws impacting Adobe ColdFusion & Oracle Agile Product Lifecycle Management (PLM) to its Known Exploited Vulnerabilities (KEV) catalogue, based on evidence of active exploitation.
The vulnerabilities in question are listed below:
- CVE-2017-3066 (CVSS score: 9.8) – A deserialization vulnerability impacting Adobe ColdFusion in the Apache BlazeDS library that allows for arbitrary code execution. (Fixed in April 2017)
- CVE-2024-20953 (CVSS score: 8.8) – A deserialization vulnerability impacting Oracle Agile PLM that allows a low-privileged attacker with network access via HTTP to compromise the system. (Fixed in Jan. 2024)
There are currently no public reports referencing exploitation of these two vulnerabilities, although another flaw impacting Oracle Agile PLM (CVE-2024-21287, CVSS score: 7.5) came under active abuse in late 2024.
To lessen the risk posed by attacks weaponizing these flaws, users are recommended to apply the necessary updates. US Federal agencies have until March 17, 2025, to secure their networks against the threats.
Active Exploitation
The development comes as threat intelligence firm GreyNoise revealed active exploitation attempts targeting CVE-2023-20198, a now-patched security flaw affecting vulnerable Cisco devices.
As many as 110 malicious IPs, mainly originating from Bulgaria, Brazil, & Singapore, have been linked to the malicious activity.
“Two malicious IPs exploited CVE-2018-0171 in Dec. 2024 and Jan. 2025, originating from Switzerland & the US — the same period when Salt Typhoon, a Chinese state-sponsored threat group, reportedly breached telecom networks using CVE-2023-20198 and CVE-2023-20273,” the GreyNoise Research Team said.