Adrian Johnson
TLDR:
- CISA has added two security flaws to its Known Exploited Vulnerabilities list, including a use-after-free vulnerability in Internet Explorer and an information disclosure bug in Twilio Authy.
- Agencies must remediate these vulnerabilities by August 13, 2024.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently announced the addition of two security flaws to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation. The first vulnerability, CVE-2012-4792, is a use-after-free vulnerability in Internet Explorer that could allow remote attackers to execute arbitrary code. This flaw was previously exploited in watering hole attacks in 2012 but it’s unclear if there are renewed exploitation attempts. The second vulnerability, CVE-2024-39891, is an information disclosure bug in Twilio Authy that was recently resolved by Twilio after threat actors leveraged it to access information related to Authy accounts.
CISA emphasized the importance of remediating these vulnerabilities to protect federal enterprise networks from active threats. The Federal Civilian Executive Branch (FCEB) agencies are required to address these vulnerabilities by August 13, 2024. These types of vulnerabilities are commonly targeted by malicious cyber actors and pose significant risks, making prompt action essential for securing networks.
It is crucial for organizations to stay vigilant against emerging threats and promptly address known vulnerabilities to safeguard their networks and data. Following standard cybersecurity best practices, such as timely patching and updating of software, can help mitigate the risks posed by these and other vulnerabilities.
