@screaminggoat@infosec.exchange

CISA: CISA Adds Five Known Exploited Vulnerabilities to Catalog
Hot off the press!

  • CVE-2024-49039 (8.8 high) Windows Task Scheduler Elevation of Privilege Vulnerability
  • CVE-2024-43451 (6.5 medium) NTLM Hash Disclosure Spoofing Vulnerability
  • CVE-2021-41277 (perfect 10.0 🥳) Metabase GeoJSON API Local File Inclusion Vulnerability
  • CVE-2014-2120 (CVSSv2: 4.3 medium) Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability
  • CVE-2021-26086 (5.3 medium) Atlassian Jira Server and Data Center Path Traversal Vulnerability

#cisa #kev #knownexploitedvulnerabilitiescatalog #cisakev #vulnerability #cve #eitw #activeexploitation #infosec #cybersecurity

@screaminggoat@infosec.exchange

Cisco updated a security advisory from 2014: Cisco Adaptive Security Appliance WebVPN Login Page Cross-Site Scripting Vulnerability

In November 2024, the Cisco Product Security Incident Response Team (PSIRT) became aware of additional attempted exploitation of this vulnerability in the wild. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability.

CVE-2014-2120 (CVSSv2: 4.3 medium) Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability was already added to CISA's KEV Catalog on 12 November 2024, with the vendor likely the source of the exploitation evidence.

#cisco #CiscoASA #CVE_2024_2120 #cybersecurity #infosec #vulnerability #eitw #cve #activeexploitation

@cR0w@infosec.exchange

@screaminggoat I love that Cisco knows their customers well enough that they need to continue to recommend patching a 10-year-old vuln.

@screaminggoat@infosec.exchange

@cR0w yet I also see sentences like this:

Cisco has not released and will not release software updates to address the vulnerability described in this advisory. Cisco {product} have entered the end-of-life process.

@miri@infosec.exchange

@screaminggoat @cR0w Typical translation: “the team that wrote the code ain’t here anymore.”

(former Cisco PSIRT)
