The US CISA has added another set of actively exploited flaws to its Known Exploited Vulnerabilities Catalog.
CVE-2022-47986 (CVSS score: 9.8) – IBM Aspera Faspex Code Execution Vulnerability:
A remote attacker can trigger the vulnerability to execute arbitrary code on the system. The flaw is caused by a YAML deserialization issue. Researchers from the Shadowserver Foundation confirmed active exploitation of the vulnerability in the wild.
CVE-2022-41223 (CVSS score: 6.8) – Mitel MiVoice Connect Code Injection Vulnerability:
An authenticated attacker with internal network access can trigger the flaw to execute code within the context of the application.
CVE-2022-40765 (CVSS score: 6.8) – The Mitel Edge Gateway component of MiVoice Connect:
An authenticated attacker with internal network access can execute commands within the context of the system.
CISA orders federal agencies to fix these flaws by March 14, 2023.