Customize Consent Preferences

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.

The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site. ... 

Always Active

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

No cookies to display.

Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.

No cookies to display.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

No cookies to display.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

No cookies to display.

Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.

No cookies to display.

2 Actively Exploited Security Flaws in Adobe & Oracle Products Noted by CISA!

2 Actively Exploited Security Flaws in Adobe & Oracle Products Noted by CISA!

The US Cybersecurity & Infrastructure Security Agency (CISA) has added 2 security flaws impacting Adobe ColdFusion & Oracle Agile Product Lifecycle Management (PLM) to its Known Exploited Vulnerabilities (KEV) catalogue, based on evidence of active exploitation.

The vulnerabilities in question are listed below –

  • CVE-2017-3066 (CVSS score: 9.8) – A deserialization vulnerability impacting Adobe ColdFusion in the Apache BlazeDS library that allows for arbitrary code execution. (Fixed in April 2017)
  • CVE-2024-20953 (CVSS score: 8.8) – A deserialization vulnerability impacting Oracle Agile PLM that allows a low-privileged attacker with network access via HTTP to compromise the system. (Fixed in Jan. 2024)

Oracle Agile PLM

There are currently no public reports referencing the exploitation of the vulnerabilities, although another flaw impacting Oracle Agile PLM (CVE-2024-21287, CVSS score: 7.5) came under active abuse late 2024.

To lessen the risks posed by potential attacks weaponizing these flaws, it is recommended that users take steps to apply the necessary updates. US Federal agencies have time until March 17, 2025, to secure their networks against the threats.

Active Exploitation

The development comes as threat intelligence firm GreyNoise revealed active exploitation attempts targeting CVE-2023-20198, a now-patched security flaw affecting vulnerable Cisco devices.

As many as 110 malicious IPs, mainly originating from Bulgaria, Brazil, & Singapore have been linked to the malicious activity.

“Two malicious IPs exploited CVE-2018-0171 in Dec. 2024 and Jan. 2025, originating from Switzerland & the US — the same period when Salt Typhoon, a Chinese state-sponsored threat group, reportedly breached telecom networks using CVE-2023-20198 and CVE-2023-20273,” the GreyNoise Research Team said.

 

SHARE ARTICLE