CISA Adds Adobe ColdFusion and Oracle Agile PLM Vulnerabilities to Known Exploited Vulnerabilities (KEV) Catalog

Thursday, February 27, 2025

The Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities—CVE-2017-3066 in Adobe ColdFusion and CVE-2024-20953 in Oracle Agile Product Lifecycle Management (PLM)—to its Known Exploited Vulnerabilities (KEV) catalog. The details of these vulnerabilities are as follows:

  • CVE-2017-3066 (CVSS 9.8) is a Java deserialization vulnerability in the Apache BlazeDS library bundled with Adobe ColdFusion, affecting ColdFusion 2016 Update 3 and earlier. Untrusted serialized data sent to the server is deserialized, which allows an attacker to achieve remote code execution (RCE) on the ColdFusion host.
  • CVE-2024-20953 (CVSS 8.8) is a deserialization of untrusted data vulnerability in the Export component of Oracle Agile Product Lifecycle Management (PLM) 9.3.6. A low-privileged attacker with network access via HTTP can exploit it to take over the Agile PLM instance.

Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate both vulnerabilities by March 24, 2025; the directive requires agencies to fix every catalogued vulnerability by its KEV due date in order to reduce exposure to flaws that are being exploited in the wild. The directive binds only federal agencies, but CISA strongly recommends that private organizations also review the KEV catalog and prioritize remediation of the listed vulnerabilities in their own environments.
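One practical way to act on that recommendation is to cross-reference vulnerability-scanner output against the machine-readable KEV feed so that catalogued CVEs are triaged first and tracked against their due dates. The following script is an added example, not code from the article or from CISA. The KEV field names it reads (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) are an assumption based on the structure of CISA's public JSON feed; the feed excerpt and the scanner findings are constructed for this example, with due dates taken from the deadline quoted above.

```python
"""Cross-reference vulnerability-scanner findings against the CISA KEV feed.

Added example, not from the article or from CISA. The KEV field names used
below are an assumption based on the public JSON feed; the feed excerpt and
scanner findings are constructed for this example.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the KEV feed (assumed field names).
KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2017-3066",
            "vendorProject": "Adobe",
            "product": "ColdFusion",
            "dateAdded": "2025-02-24",
            "dueDate": "2025-03-24",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2024-20953",
            "vendorProject": "Oracle",
            "product": "Agile Product Lifecycle Management (PLM)",
            "dateAdded": "2025-02-24",
            "dueDate": "2025-03-24",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed scanner export: (hostname, CVE) pairs, including a CVE that is
# not in the KEV excerpt and a duplicate finding with different letter case.
SCAN_FINDINGS = [
    ("cf-app-01.corp.example", "CVE-2017-3066"),
    ("cf-app-01.corp.example", "CVE-2023-29300"),
    ("plm-01.corp.example", "CVE-2024-20953"),
    ("plm-01.corp.example", "cve-2024-20953"),
]


def load_kev(feed_text):
    """Index KEV entries by upper-cased CVE ID so lookups are case-insensitive."""
    feed = json.loads(feed_text)
    return {v["cveID"].upper(): v for v in feed["vulnerabilities"]}


def prioritise(findings, kev_index, today_iso):
    """Return the scanner findings that appear in KEV, one row per (host, CVE),
    ordered by KEV due date then host. days_left is negative once overdue."""
    today = date.fromisoformat(today_iso)
    seen = set()
    rows = []
    for host, cve in findings:
        key = (host, cve.upper())
        if key in seen or key[1] not in kev_index:
            continue  # skip duplicates and CVEs that are not catalogued
        seen.add(key)
        entry = kev_index[key[1]]
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "host": host,
            "cve": key[1],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": entry["dueDate"],
            "days_left": (due - today).days,
            "ransomware": entry["knownRansomwareCampaignUse"],
        })
    rows.sort(key=lambda r: (r["due"], r["host"]))
    return rows


if __name__ == "__main__":
    for row in prioritise(SCAN_FINDINGS, load_kev(KEV_FEED), "2025-02-27"):
        status = "OVERDUE" if row["days_left"] < 0 else f'{row["days_left"]} days left'
        print(f'{row["host"]:24} {row["cve"]:15} {row["product"]:45} '
              f'due {row["due"]} ({status}) ransomware use: {row["ransomware"]}')
```

In practice the feed text would come from a scheduled download of the KEV JSON rather than the embedded excerpt, and the findings from whatever scanner or asset inventory the organization already runs; the matching is done on CVE ID only, so it does not depend on vendor or product naming conventions agreeing between the two sources.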

Source https://securityaffairs.com/174613/security/u-s-cisa-adds-adobe-coldfusion-and-oracle-agile-plm-flaws-to-its-known-exploited-vulnerabilities-catalog.html