October 3, 2023

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, the list it maintains of flaws with evidence of active exploitation.

VMware Aria Remote Command Execution

First on the list is CVE-2023-20887, a critical command injection vulnerability in VMware Aria Operations for Networks rated CVSS 9.8. An attacker with network access to the appliance can send a specially crafted request and have arbitrary commands executed on the underlying system, which is enough to take full control of the device.

Roundcube Webmail Vulnerabilities

Three of the six entries concern Roundcube, the popular open-source webmail client, which is a reminder of how exposed a webmail front end is: it renders attacker-supplied content, shells out to image tools, and sits in front of a database.


The first, CVE-2020-35730, is a cross-site scripting (XSS) vulnerability rated CVSS 6.1. It stems from inadequate validation of user-supplied input in the rcube_string_replacer.php script. A remote attacker can use it to run script in a victim's browser in the security context of the webmail site, for example to steal the cookie-based session credentials.
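
The flaw class above, as an added example that is not Roundcube's code and not from the original post: a minimal plain-text "linkifier" of the kind rcube_string_replacer.php implements, written first insecurely and then hardened. The function names and the sample message body are constructed for this illustration.

```php
<?php
// Added example, not Roundcube's code: a plain-text linkifier, first insecure,
// then hardened. Function names and the sample message are constructed.

// Vulnerable: the matched URL is copied verbatim into the href attribute and the
// link text, so a double quote inside the "URL" terminates the attribute and lets
// the sender inject new attributes (an event handler, here) or markup.
function linkify_vulnerable(string $text): string
{
    return preg_replace('~https?://[^\s<]+~i', '<a href="$0">$0</a>', $text);
}

// Hardened: split the text into URL and non-URL segments, HTML-escape every
// segment before it touches the output, and exclude quote characters from what
// counts as a URL. Only http(s) is ever linked, so javascript: and data: URLs
// never become anchors at all.
function linkify_hardened(string $text): string
{
    $parts = preg_split('~(https?://[^\s<>"\']+)~i', $text, -1, PREG_SPLIT_DELIM_CAPTURE);
    $html = '';
    foreach ($parts as $i => $part) {
        $safe = htmlspecialchars($part, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        // With PREG_SPLIT_DELIM_CAPTURE the captured URLs land at the odd indices.
        $html .= ($i % 2 === 1)
            ? '<a href="' . $safe . '" rel="noopener noreferrer">' . $safe . '</a>'
            : $safe;
    }
    return $html;
}

// Constructed message body: the "URL" carries a quote followed by an event handler.
$body = 'see http://example.com/"onmouseover="alert(document.cookie) for details';

// In the vulnerable output the handler ends up as a live attribute of the <a> tag;
// in the hardened output the anchor stops at the slash and the rest is inert text.
echo linkify_vulnerable($body), "\n";
echo linkify_hardened($body), "\n";
```

The important design choice is escaping every segment, URL and non-URL alike, rather than trying to sanitise the URL in isolation: the attacker's payload lives in the characters that are *not* part of the URL, and a regex that only validates the link would miss it.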

Next, CVE-2020-12641 allows remote code execution. The rcube_image.php script builds shell commands from the im_convert_path and im_identify_path configuration settings, so shell metacharacters in either value are interpreted by the shell and run as commands.
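
How a configured helper path turns into command execution, as an added example that is not Roundcube's code and not from the original post. The function names and sample values are constructed; the example only builds and prints command lines and never executes them.

```php
<?php
// Added example, not Roundcube's code: a configured program path such as the
// im_identify_path setting ending up in a shell command line, first insecurely
// and then hardened. Names and values are constructed; nothing is executed.

// Vulnerable: the configured program path and the file name are interpolated
// into one string that is then handed to the shell (exec/shell_exec), so shell
// metacharacters in either one are parsed as shell syntax.
function build_identify_cmd_vulnerable(string $identify_path, string $file): string
{
    return $identify_path . ' ' . $file;
}

// Hardened: insist that the configured path is an absolute path made of plain
// characters, then escape the program name with escapeshellcmd() and the file
// name with escapeshellarg() so each is a single token with no shell meaning.
function build_identify_cmd_hardened(string $identify_path, string $file): string
{
    if (!preg_match('~^/[A-Za-z0-9_./-]+$~', $identify_path)) {
        throw new InvalidArgumentException("refusing identify path: $identify_path");
    }
    return escapeshellcmd($identify_path) . ' ' . escapeshellarg($file);
}

// Constructed inputs: a tampered config value, and an upload name with metacharacters.
$tampered_path = '/usr/bin/identify; id > /tmp/pwned #';
$hostile_file  = '/tmp/upload.png; rm -rf /tmp/attachments';

// Both vulnerable lines would run the injected command if passed to a shell:
// the first because of the config value, the second because of the file name.
echo build_identify_cmd_vulnerable($tampered_path, '/tmp/upload.png'), "\n";
echo build_identify_cmd_vulnerable('/usr/bin/identify', $hostile_file), "\n";

// The hardened builder wraps the hostile file name in single quotes, so the
// `; rm -rf` stays part of the argument, and rejects the tampered path outright.
echo build_identify_cmd_hardened('/usr/bin/identify', $hostile_file), "\n";
try {
    build_identify_cmd_hardened($tampered_path, '/tmp/upload.png');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The allow-list check matters as much as the escaping: a configuration value is often treated as trusted because an administrator wrote it, but anything an attacker can write (through an exposed installer, a leaked credential, or a file write elsewhere) deserves the same validation as request input.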

The third, CVE-2021-44026, is an SQL injection vulnerability: crafted SQL supplied through the search or search_params session item reaches the database as part of the query text, letting an attacker view, modify, or delete information in the back-end database.
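
The same weakness in miniature, as an added example that is not Roundcube's code and not from the original post: a contact search whose pattern comes out of the session, built first by string concatenation and then as a prepared statement. It uses an in-memory SQLite database (assumes the pdo_sqlite extension) so it runs stand-alone; the table, rows, function names, and the poisoned session value are all constructed here.

```php
<?php
// Added example, not Roundcube's code: a search query built from a session
// item, vulnerable and hardened. Assumes PDO with the pdo_sqlite extension.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (user_id INTEGER, name TEXT, email TEXT)');
$db->exec("INSERT INTO contacts VALUES (1, 'Alice', 'alice@example.org'),
                                       (2, 'Bob',   'bob@example.org')");

// Vulnerable: the search pattern is pulled from the session and trusted because
// "we wrote it there", then concatenated into the SQL text. Whoever can influence
// the stored session value now controls the query.
function search_vulnerable(PDO $db, int $user_id, string $search): array
{
    $sql = "SELECT name, email FROM contacts"
         . " WHERE user_id = $user_id AND name LIKE '%$search%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the pattern is bound as a parameter, so it can only ever be data,
// no matter where it came from.
function search_hardened(PDO $db, int $user_id, string $search): array
{
    $stmt = $db->prepare('SELECT name, email FROM contacts'
                       . ' WHERE user_id = :uid AND name LIKE :pat');
    $stmt->execute([':uid' => $user_id, ':pat' => '%' . $search . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed poisoned session item: closes the LIKE literal, adds an
// always-true clause, and comments out the rest of the query.
$session_search = "x%' OR '1'='1' --";

// The concatenated query returns every contact of every user; the prepared
// statement treats the payload as a literal pattern and returns nothing.
print_r(search_vulnerable($db, 1, $session_search));
print_r(search_hardened($db, 1, $session_search));
```

Note that `user_id` is typed as `int` in both functions; that closes the other obvious hole, but it is not a substitute for binding the string, and a real code base should bind every value, integers included.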

Mozilla Firefox and Thunderbird Vulnerability

CVE-2016-9079 affects Mozilla's Firefox browser and Thunderbird email client and is rated CVSS 8.8. It is a use-after-free in the SVG Animation code: an attacker lures the victim to a specially crafted web page, and the resulting memory corruption leads to arbitrary code execution or, failing that, a crash of the application (denial of service).


Microsoft Privilege Escalation Vulnerability

Lastly, CVE-2016-0165 is an elevation-of-privilege vulnerability in the Win32k kernel-mode driver of Microsoft Windows, caused by improper handling of objects in memory. A local, authenticated attacker who runs a specially crafted program can exploit it to execute arbitrary code in kernel mode, which is the usual second stage after a user-level foothold such as the browser bug above.

Under Binding Operational Directive 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate these six vulnerabilities by the July 13, 2023 deadline.
