The US CISA has added nine new vulnerabilities to its Known Exploited Vulnerabilities Catalog.
Five of the issues added by CISA to its catalog are part of the exploits used by surveillance vendors to target mobile devices with their commercial spyware:
- CVE-2021-30900 – Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability
- CVE-2022-38181 – Arm Mali GPU Kernel Driver Use-After-Free Vulnerability
- CVE-2023-0266 – Linux Kernel Use-After-Free Vulnerability
- CVE-2022-3038 – Google Chrome Use-After-Free Vulnerability
- CVE-2022-22706 – Arm Mali GPU Kernel Driver Unspecified Vulnerability
These additions are based on the recent report published by Google’s Threat Analysis Group, which shared details about two distinct campaigns that used several zero-day exploits against Android, iOS, and Chrome. The experts pointed out that both campaigns were limited and highly targeted. The threat actors behind the attacks used both zero-day and n-day exploits.
The exploits were used to install commercial spyware and malicious apps on targets’ devices.
The remaining flaws added to the catalog are:
- CVE-2013-3163 – Microsoft Internet Explorer Memory Corruption Vulnerability
- CVE-2017-7494 – Samba Remote Code Execution Vulnerability
- CVE-2022-42948 – Fortra Cobalt Strike User Interface Remote Code Execution Vulnerability
- CVE-2022-39197 – Fortra Cobalt Strike Teamserver Cross-Site Scripting (XSS) Vulnerability
CISA orders federal agencies to fix these flaws by April 20, 2023.