July 24, 2024 at 03:04AM
The U.S. CISA has added two security flaws to its Known Exploited Vulnerabilities catalog, including a decade-old use-after-free vulnerability in Internet Explorer and an information disclosure bug in Twilio Authy. CISA advised FCEB agencies to remediate the vulnerabilities by August 13, 2024, to protect against active threats.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. The vulnerabilities are:
1. CVE-2012-4792 (CVSS score: 9.3) – Microsoft Internet Explorer Use-After-Free Vulnerability
– This is an old vulnerability in Internet Explorer that could allow a remote attacker to execute arbitrary code via a specially crafted site. It had been exploited in the past as part of watering hole attacks targeting specific websites.
2. CVE-2024-39891 (CVSS score: 5.3) – Twilio Authy Information Disclosure Vulnerability
– This is an information disclosure bug in an unauthenticated endpoint that could allow an attacker to learn whether a given phone number was registered with Authy. Threat actors had taken advantage of this vulnerability, but Twilio has since resolved the issue in specific versions of its software.
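The registration-status oracle described for CVE-2024-39891, as an added example (constructed code, not Twilio's): the leaky unauthenticated handler beside a hardened one that answers identically for every number, and a check over constructed log lines that flags enumeration bursts. The function names, token value and log format are assumptions.

```python
"""Phone-number enumeration oracle: vulnerable vs hardened, plus detection.
Constructed example, not Twilio's code."""
from collections import defaultdict
from typing import Optional, Iterable

# Constructed sample data: numbers "registered" with the service.
REGISTERED = {"+15550000001", "+15550000002"}
VALID_TOKEN = "constructed-valid-token"  # placeholder credential


def vulnerable_lookup(phone: str) -> dict:
    """Unauthenticated endpoint whose status code and body differ by
    registration state, so it is a yes/no oracle for any phone number."""
    if phone in REGISTERED:
        return {"status": 200, "body": {"registered": True}}
    return {"status": 404, "body": {"error": "number not found"}}


def hardened_lookup(phone: str, auth_token: Optional[str]) -> dict:
    """Hardened variant: the caller must authenticate, and the response is
    byte-for-byte identical whether or not the number is registered. The
    real outcome is delivered out of band (to the number itself)."""
    if auth_token != VALID_TOKEN:
        return {"status": 401, "body": {"error": "unauthorized"}}
    # Deliberately ignore REGISTERED when shaping the response.
    return {"status": 202, "body": {"message": "if eligible, a code was sent"}}


def enumeration_suspects(log_lines: Iterable[str], threshold: int = 3) -> set:
    """Return source IPs that probed at least `threshold` distinct phone
    numbers. Log lines are constructed '<ip> <status> <phone>' records."""
    numbers_by_ip = defaultdict(set)
    for line in log_lines:
        ip, _status, phone = line.split()
        numbers_by_ip[ip].add(phone)
    return {ip for ip, nums in numbers_by_ip.items() if len(nums) >= threshold}


if __name__ == "__main__":
    # Constructed access log: one client sweeps a number range, another does not.
    sample_log = [
        "203.0.113.5 404 +15550000090",
        "203.0.113.5 404 +15550000091",
        "203.0.113.5 200 +15550000001",
        "198.51.100.7 200 +15550000002",
    ]
    print(enumeration_suspects(sample_log))
```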
CISA has advised Federal Civilian Executive Branch (FCEB) agencies to remediate these vulnerabilities by August 13, 2024, in order to protect their networks against active threats.