CISA KEV Update Part III – April 2023
The US CISA added the following five new issues to its Known Exploited Vulnerabilities Catalog:
- CVE-2023-20963 – Android Framework Privilege Escalation Vulnerability. Android Framework contains an unspecified vulnerability that allows for privilege escalation after updating an app to a higher Target SDK with no additional execution privileges needed;
- CVE-2023-29492 – Novi Survey Insecure Deserialization Vulnerability. Novi Survey contains an insecure deserialization vulnerability that allows remote attackers to execute code on the server in the context of the service account.
Google addressed CVE-2023-20963 with the release of the Android Security Bulletin—March 2023 security updates. The bulletin confirmed that “there are indications that CVE-2023-20963 may be under limited, targeted exploitation.”
The other vulnerabilities are the recently patched Microsoft CLFS zero-day and Apple zero-days.
CISA orders federal agencies to fix this flaw by May 4, 2023.