
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a now-patched high-severity security flaw impacting Acclaim Systems USAHERDS to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The vulnerability in question is CVE-2021-44207 (CVSS score: 8.1), a case of hard-coded, static credentials in Acclaim USAHERDS that could allow an attacker to ultimately execute arbitrary code on susceptible servers.
Specifically, it concerns the use of static ValidationKey and DecryptionKey values in version 7.4.0.1 and prior, which could be weaponized to achieve remote code execution on the server that runs the application. That said, an attacker would have to use some other method to obtain the keys in the first place.
“These keys are used to provide security for the application ViewState,” Google-owned Mandiant said in an advisory for the flaw back in December 2021. “A threat actor with knowledge of these keys can trick the application server into deserializing maliciously crafted ViewState data.”

“A threat actor with knowledge of the validationKey and decryptionKey for a web application can construct a malicious ViewState that passes the MAC check and will be deserialized by the server. This deserialization can result in the execution of code on the server.”
While there are no new reports of CVE-2021-44207 being weaponized in real-world attacks, the vulnerability was identified as being abused by the China-linked APT41 threat actor back in 2021 as a zero-day as part of attacks targeting six U.S. state government networks.
Federal Civilian Executive Branch (FCEB) agencies are recommended to apply vendor-provided mitigations by January 13, 2025, to safeguard their networks against active threats.
The development comes as Adobe warned of a critical security flaw in ColdFusion (CVE-2024-53961, CVSS score: 7.8), which it said already has a known proof-of-concept (PoC) exploit that could cause an arbitrary file system read.
The vulnerability has been addressed in ColdFusion 2021 Update 18 and ColdFusion 2023 Update 12. Users are advised to apply the patches as soon as possible to mitigate potential risks.
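As an added example that is not from the article, Acclaim, or Mandiant: a small audit script that parses an ASP.NET web.config and flags hard-coded machineKey values of the kind this flaw describes, run over a constructed weak configuration beside a corrected one. The placeholder key values and the "known shipped keys" list are invented for the demonstration; the real USAHERDS keys are not published here.

```python
"""Audit an ASP.NET web.config for static machineKey values (defender-side check)."""
import xml.etree.ElementTree as ET

# Constructed sample configs. The hex values are made-up placeholders, not the
# actual USAHERDS keys, which the advisory does not publish.
WEAK_CONFIG = """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF01234567"
              decryptionKey="FEDCBA9876543210FEDCBA9876543210"
              validation="SHA1" decryption="AES" />
</system.web></configuration>"""

# Corrected form: let ASP.NET generate per-machine, per-application keys.
FIXED_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""

# Constructed placeholder list of keys known to ship in a vendor's default
# web.config; a real deployment would populate this from the vendor advisory.
KNOWN_SHIPPED_KEYS = {"0123456789ABCDEF0123456789ABCDEF01234567"}


def audit_machine_key(config_xml: str, known_keys=KNOWN_SHIPPED_KEYS) -> list[str]:
    """Return one finding per static key attribute; an empty list is a pass."""
    findings = []
    for mk in ET.fromstring(config_xml).iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr)
            # Absent or AutoGenerate: the framework derives the key itself,
            # so it is not shared across installations of the product.
            if value is None or value.startswith("AutoGenerate"):
                continue
            if value.upper() in known_keys:
                findings.append(f"{attr}: matches a known vendor-shipped key; rotate immediately")
            else:
                findings.append(f"{attr}: static value; confirm it is unique to this deployment")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_machine_key(cfg) or ["no static machineKey values"])
```

A static key is legitimate in a web farm where every node must validate the same ViewState, so the second finding asks for confirmation rather than declaring a vulnerability; a key that matches a vendor's shipped default is the case the advisory describes.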