CISA adds Vulnerabilities to Known Exploited Catalog Part II – February 2023
The US CISA has added flaws in Intel, TerraMaster and GoAnywhere MFT products, tracked respectively as CVE-2015-2291, CVE-2022-24990 and CVE-2023-0669, to its Known Exploited Vulnerabilities Catalog.
The first flaw, tracked as CVE-2015-2291 with a CVSS score of 7.8, resides in the Intel Ethernet diagnostics driver for Windows: IQVW32.sys and IQVW64.sys contain an unspecified vulnerability that allows for a denial of service.
The second flaw, tracked as CVE-2022-24990, is a remote command execution vulnerability in TerraMaster OS that allows an unauthenticated user to execute commands on the target endpoint. TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending “User-Agent: TNAS” to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
The third flaw, tracked as CVE-2023-0669, is a pre-authentication remote code execution vulnerability in GoAnywhere MFT: the License Response Servlet deserializes an attacker-controlled object. This issue was patched in version 7.1.2.
Organisations are advised to fix the vulnerabilities following the OEM advisories; the due date given is 3rd March 2023.
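For defenders reviewing TerraMaster exposure, the request described for CVE-2022-24990 leaves a recognisable trace in web access logs. The following is an added example, not code from CISA or any vendor: it assumes combined-format access logs from the NAS web server or a proxy in front of it, and the function names, severity labels and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed input: combined-format access log lines (nginx/Apache style).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Indicators quoted in the CVE-2022-24990 description, lowercased for matching.
ENDPOINT = "module/api.php?mobile/webnasips"
USER_AGENT = "tnas"

def classify(line):
    """Return a finding dict for a request to the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode percent-encoding so an encoded path still matches.
    target = unquote(m["target"]).lower()
    if ENDPOINT not in target:
        return None
    ua_hit = m["ua"].strip().lower() == USER_AGENT
    served = m["status"].startswith("2")
    if ua_hit and served:
        severity = "high"    # response served: treat admin password as exposed
    elif ua_hit:
        severity = "medium"  # indicator request seen but not served
    else:
        severity = "low"     # endpoint touched without the TNAS User-Agent
    return {"ip": m["ip"], "time": m["time"],
            "status": int(m["status"]), "severity": severity}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [10/Feb/2023:09:14:02 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 512 "-" "TNAS"',
    '198.51.100.7 - - [10/Feb/2023:09:14:05 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 403 0 "-" "TNAS"',
    '192.0.2.10 - - [10/Feb/2023:09:20:11 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Feb/2023:09:21:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A "high" finding on a device running 4.2.29 or earlier warrants rotating the administrative password in addition to applying the vendor update.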