CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
- CVE-2023-38180 Microsoft .NET Core and Visual Studio Denial of Service Vulnerability. An unspecified vulnerability that allows for denial of service.
- CVE-2017-18368 Zyxel P660HN-T1A Routers Command Injection Vulnerability. Zyxel P660HN-T1A routers contain a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user and exploited via the remote_host parameter of the ViewLog.asp page.
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
The remediation timeline for these vulnerabilities is set as August 28 and 30, 2023, respectively.
BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats.