The US Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.
The vulnerabilities are listed below –
- CVE-2012-4792 (CVSS Score: 9.3) – Microsoft Internet Explorer Use-After-Free Vulnerability
- CVE-2024-39891 (CVSS Score: 5.3) – Twilio Authy Information Disclosure Vulnerability
CVE-2012-4792 is a decade-old vulnerability in Internet Explorer that could allow a remote attacker to execute arbitrary code via a specially crafted website.
It is currently unclear whether this flaw has been subject to renewed exploitation attempts, although it was exploited as part of watering hole attacks targeting the websites of the Council on Foreign Relations (CFR) and Capstone Turbine Corporation back in December 2012.
On the other hand, CVE-2024-39891 refers to an information disclosure flaw in an unauthenticated endpoint that could be used to “take a request containing a phone number and respond with information about whether the phone number was registered with Authy.”
Earlier this month, Twilio said it had fixed the issue in versions 25.1.0 (Android) and 26.1.0 (iOS) after unknown threat actors exploited the flaw to identify data associated with Authy accounts.
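The Authy flaw described above is an account-enumeration oracle: an unauthenticated endpoint whose answer differs depending on whether a phone number is registered. The following added example (not Twilio's or Authy's code; the user store, endpoint path and log lines are constructed) contrasts a leaky lookup with one that answers uniformly, and shows a simple detection rule over access logs that flags a source probing many distinct numbers.

```python
# Added illustration, not Twilio/Authy code. An unauthenticated
# "is this phone number registered?" endpoint lets anyone enumerate
# accounts. The hardened form answers identically for every input,
# and a detector flags sources that query many distinct numbers.
from collections import defaultdict
import re

# Constructed sample user store; placeholder numbers, not real data.
REGISTERED = {"+15550000001", "+15550000002"}

def vulnerable_lookup(phone: str) -> dict:
    """Leaks registration status to any unauthenticated caller."""
    return {"registered": phone in REGISTERED}

def hardened_lookup(phone: str) -> dict:
    """Uniform response: the caller learns nothing about registration.
    Any confirmation is delivered out of band (e.g. to the number
    itself), never in the HTTP reply."""
    _ = phone in REGISTERED  # do the same work either way, discard it
    return {"status": "accepted"}

# Constructed access-log lines: "<src_ip> <path>?phone=<number> <status>"
LOG_LINES = """
203.0.113.5 /lookup?phone=%2B15550000001 200
203.0.113.5 /lookup?phone=%2B15550000002 200
203.0.113.5 /lookup?phone=%2B15550000003 200
203.0.113.5 /lookup?phone=%2B15550000004 200
198.51.100.9 /lookup?phone=%2B15550000001 200
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) /lookup\?phone=(\S+) \d+$")

def enumeration_sources(lines, threshold=3):
    """Return source IPs that queried at least `threshold` distinct
    phone numbers: a hint that the endpoint is being enumerated."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return sorted(ip for ip, nums in seen.items() if len(nums) >= threshold)

if __name__ == "__main__":
    print(vulnerable_lookup("+15550000001"), hardened_lookup("+15550000001"))
    print("enumeration suspects:", enumeration_sources(LOG_LINES))
```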
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said in an advisory.
Federal Civilian Executive Branch (FCEB) agencies have until August 13, 2024, to patch the identified vulnerabilities to protect their networks against active threats.