The US cyber defence agency CISA has added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue: two in ServiceNow, a cloud-based workflow management platform, and one in Acronis Cyber Infrastructure, a hyperconverged storage and virtualisation platform aimed at service providers and enterprises.
These vulnerabilities are CVE-2024-4879, CVE-2024-5217 and CVE-2023-45249.
The first, CVE-2024-4879, has a CVSS score of 9.3 and is an input validation vulnerability in two release families of the ServiceNow Now Platform (Vancouver and Washington DC).
The vulnerability could allow an unauthenticated attacker to remotely execute code within the context of the Now Platform. Once made aware of the issue, ServiceNow patched the affected releases in an update.
The second ServiceNow vulnerability, CVE-2024-5217 (CVSS 9.2), is a similar input validation vulnerability, exploitable because of an incomplete list of disallowed inputs. It also allows unauthenticated remote code execution within the platform and has since been patched.
Both vulnerabilities have been exploited in the wild, and The Stack has previously reported on how these two flaws (along with a third, less severe one) left more than 42,000 ServiceNow instances exposed.
A spokesperson told us: "On May 14, 2024, ServiceNow learned of a vulnerability on the Now Platform impacting instances running on the Vancouver and Washington, D.C. family releases. That day, we deployed an update and have since issued a series of patches designed to address the issue.
"We have encouraged our self-hosted and ServiceNow-hosted customers to apply relevant patches if they have not already done so. We will also continue to work directly with customers who need assistance in applying those patches."
The third vulnerability CISA added to its catalogue, CVE-2023-45249, is an insecure default password vulnerability in several releases of Acronis Cyber Infrastructure (ACI), with a CVSS score of 9.8.
The affected releases are ACI before build 5.0.1-61, ACI before build 5.1.1-71, ACI before build 5.2.1-69, ACI before build 5.3.1-53, and ACI before build 5.4.4-132.
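For an operator with several ACI clusters, the practical question is which of the installed builds fall below the fixed build for their release line. The following is an added example, not code from the article or from Acronis: it parses an ACI build string of the form `5.3.1-53` and compares it against the fixed builds quoted above. It assumes (my interpretation of "before build X") that "before" covers every build in the same major.minor release line with a lower patch number or, within the same patch, a lower build number; a release line the advisory does not list (for example a hypothetical 5.5.x) is reported as undecidable rather than safe. The sample builds in the usage function are constructed for illustration.

```python
# Added example: triage Acronis Cyber Infrastructure build strings against the
# fixed builds listed for CVE-2023-45249. Not Acronis's own code.
import re
from typing import Optional

# Fixed builds quoted in the advisory, keyed by major.minor release line and
# stored as (patch, build). Anything lower in the same line is "before" the fix.
FIXED_BUILDS = {
    "5.0": (1, 61),    # before build 5.0.1-61
    "5.1": (1, 71),    # before build 5.1.1-71
    "5.2": (1, 69),    # before build 5.2.1-69
    "5.3": (1, 53),    # before build 5.3.1-53
    "5.4": (4, 132),   # before build 5.4.4-132
}

# ACI build strings look like "5.4.4-132": major.minor.patch-build
_BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_build(build: str) -> tuple[int, int, int, int]:
    """Split an ACI build string into (major, minor, patch, build) integers.

    Raises ValueError for anything that does not match the expected format,
    so a malformed or truncated version string is never silently treated as
    patched or unpatched.
    """
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised ACI build string: {build!r}")
    major, minor, patch, number = (int(g) for g in m.groups())
    return major, minor, patch, number


def is_vulnerable(build: str) -> Optional[bool]:
    """Return True if the build predates the fix for its release line,
    False if it is at or above the fixed build, and None if the advisory
    lists no fixed build for that release line (the check cannot decide).
    """
    major, minor, patch, number = parse_build(build)
    fixed = FIXED_BUILDS.get(f"{major}.{minor}")
    if fixed is None:
        return None
    # Compare (patch, build) lexicographically: 5.4.3-200 is older than 5.4.4-132
    # even though its build counter is higher.
    return (patch, number) < fixed


def triage(builds: list[str]) -> dict[str, str]:
    """Map each build string to 'vulnerable', 'patched' or 'unknown'."""
    labels = {True: "vulnerable", False: "patched", None: "unknown"}
    return {b: labels[is_vulnerable(b)] for b in builds}


if __name__ == "__main__":
    # Constructed sample inventory, not real cluster data.
    sample = ["5.4.4-131", "5.4.4-132", "5.4.3-200", "5.0.1-61", "5.5.0-7"]
    for build, verdict in triage(sample).items():
        print(f"{build:>10}  {verdict}")
```

The lexicographic comparison on `(patch, build)` is the part worth getting right: a naive comparison of the trailing build counter alone would mark `5.4.3-200` as newer than the fixed `5.4.4-132`. Treating unlisted release lines as `unknown` rather than `patched` keeps the check from giving false reassurance about builds the advisory never mentioned.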
Because affected builds ship with a default password, the vulnerability allows remote attackers to execute arbitrary code. Acronis's advisory acknowledged that the vulnerability was being exploited in the wild but gave no further details.
The company has made patches for the vulnerability available and advised customers to apply them immediately.
An Acronis spokesperson told The Stack: "CISA added CVE-2023-45249 to the list of known exploited vulnerabilities. Acronis identified the vulnerability nine months ago, and a security patch was released immediately.
"Customers running the older version of Acronis Cyber Infrastructure impacted by the vulnerability were promptly informed, provided a patch and recommended upgrading to the new version. Acronis Cyber Protect Cloud, Acronis Cyber Protect and Acronis True Image customers were not affected by the vulnerability."