2024-10-24
CISA Adds Five Flaws to KEV Catalog, Including Three-Month-Old Microsoft SharePoint Deserialization Vulnerability
The US Cybersecurity and Infrastructure Security Agency (CISA) has added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including a Microsoft SharePoint deserialization flaw (CVE-2024-38094) that was initially disclosed in July. The other flaws added to KEV are an unspecified vulnerability in ScienceLogic SL1; a missing authentication vulnerability in Fortinet FortiManager (see story below); a cross-site scripting (XSS) vulnerability in RoundCube Webmail; and a denial-of-service vulnerability in Cisco ASA and FTD (see story below).
Editor's Note
The fix for SharePoint has been out for three months; it should already be in place. The KEV due date is November 12. Ask why you're still running SharePoint on premises, and, if viable, insist on a plan to move to the hosted version.
Lee Neely
With these additions, CISA is up to 150 KEV entries for 2024. In comparison, VulnCheck had over 390 in the first 6 months. Why the disparity in numbers? Bottom line: defenders are best served by updating their software as patches become available; don't wait for it to be catalogued in a known exploited vulnerability database.
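The KEV catalog is published as a JSON feed, so the triage the editors describe (is a product we run in the catalog, and what is the due date?) can be automated. The script below is an added example, not part of the NewsBites item or any CISA tooling. It uses the field names of the real feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, but the feed contents are a constructed sample: only CVE-2024-38094 and its November 12 due date come from the item; the second entry, the inventory, and the function names (`load_kev`, `triage`, `match_inventory`) are this example's own.

```python
"""Triage a CISA KEV-format feed against a local product inventory.

Added example; not from the NewsBites item or from CISA. The field names
match the public KEV JSON feed. Everything in SAMPLE_FEED is constructed
except the SharePoint CVE ID and its 2024-11-12 due date, which the item
states. Point load_kev() at the downloaded feed to run it for real.
"""
import json
from datetime import date, timedelta

# Constructed sample in the real feed's layout (two entries). The
# CVE-0000-EXAMPLE entry is an obvious placeholder, not a real CVE.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "dateReleased": "2024-10-24T00:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-38094",
            "vendorProject": "Microsoft",
            "product": "SharePoint",
            "vulnerabilityName": "Microsoft SharePoint Deserialization Vulnerability",
            "dateAdded": "2024-10-22",          # constructed, not from the item
            "shortDescription": "Deserialization of untrusted data.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2024-11-12",            # stated in the item
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
        {
            "cveID": "CVE-0000-EXAMPLE",        # placeholder entry
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Example Vulnerability",
            "dateAdded": "2024-09-30",
            "shortDescription": "Placeholder for an already-overdue entry.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2024-10-20",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
    ],
})


def load_kev(feed_text):
    """Parse KEV JSON and index its entries by CVE ID."""
    data = json.loads(feed_text)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def triage(entries, today, horizon_days=14):
    """Split catalog entries into (overdue, due_soon) lists of CVE IDs.

    An entry is overdue when its dueDate is before `today`, and due soon
    when it falls within the next `horizon_days` days (inclusive).
    """
    overdue, due_soon = [], []
    window_end = today + timedelta(days=horizon_days)
    for cve_id, entry in sorted(entries.items()):
        due = date.fromisoformat(entry["dueDate"])
        if due < today:
            overdue.append(cve_id)
        elif due <= window_end:
            due_soon.append(cve_id)
    return overdue, due_soon


def match_inventory(entries, inventory):
    """Return CVE IDs whose vendor/product pair appears in `inventory`.

    `inventory` is an iterable of (vendor, product) strings from your own
    asset list; matching is case-insensitive on both fields.
    """
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    return sorted(
        cve_id
        for cve_id, entry in entries.items()
        if (entry["vendorProject"].lower(), entry["product"].lower()) in wanted
    )


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_FEED)
    # Constructed inventory: an on-premises SharePoint estate.
    hits = match_inventory(catalog, [("Microsoft", "SharePoint")])
    overdue, soon = triage(catalog, date(2024, 10, 24), horizon_days=30)
    print("In catalog for our inventory:", hits)
    print("Overdue:", overdue)
    print("Due within 30 days:", soon)
```

Run against the real feed, `match_inventory` is the quick answer to "are we exposed to anything CISA just added", and `triage` turns the due dates into a work queue. Note the second editor's point: an absence from the catalog says nothing about whether a flaw is being exploited, so this check complements, rather than replaces, patching on the vendor's schedule.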