CISA Adds Microsoft Windows Kernel-Mode Driver and Adobe ColdFusion Vulnerabilities to KEV Catalog

449/67 Thursday, December 19, 2024

The Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities, Microsoft Windows Kernel-Mode Driver Untrusted Pointer Dereference (CVE-2024-35250) and Adobe ColdFusion Improper Access Control (CVE-2024-20767), to its Known Exploited Vulnerabilities (KEV) catalog. Details of the vulnerabilities are as follows:

  • CVE-2024-35250: CVSS score 7.8. An Elevation of Privilege vulnerability in the Windows Kernel-Mode Driver: an attacker who already has local access to the system can use it to elevate privileges to SYSTEM. Attack complexity is low.
  • CVE-2024-20767: CVSS score 7.4. An Improper Access Control vulnerability in Adobe ColdFusion versions 2023.6, 2021.12, and earlier that lets an attacker read files they are not authorized to access. Exploitation requires the ColdFusion Admin Panel to be enabled and reachable from outside the network.

Agencies in the Federal Civilian Executive Branch (FCEB) are required to remediate both vulnerabilities by the deadline CISA has set, January 6, 2025, to reduce the risk of exploitation.

Source: https://securityaffairs.com/172059/security/u-s-cisa-adds-microsoft-windows-kernel-mode-driver-and-adobe-coldfusion-flaws-to-its-known-exploited-vulnerabilities-catalog.html