Cisco, Hitachi, Microsoft, and Progress Flaws Actively Exploited—CISA Sounds Alarm

Mar 04, 2025The Hacker NewsCyber Attack / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws impacting software from Cisco, Hitachi Vantara, Microsoft Windows, and Progress WhatsUp Gold to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The list of vulnerabilities is as follows –

• CVE-2023-20118 (CVSS score: 6.5) – A command injection vulnerability in the web-based management interface of Cisco Small Business RV Series routers that allows an authenticated, remote attacker to gain root-level privileges and access unauthorized data (Unpatched due to the routers reaching end-of-life status)
• CVE-2022-43939 (CVSS score: 8.6) – An authorization bypass vulnerability in Hitachi Vantara Pentaho BA Server that stems from the use of non-canonical URL paths for authorization decisions (Fixed in August 2024 with versions 9.3.0.2 and 9.4.0.1)
• CVE-2022-43769 (CVSS score: 8.8) – A special element injection vulnerability in Hitachi Vantara Pentaho BA Server that allows an attacker to inject Spring templates into properties files, allowing for arbitrary command execution (Fixed in August 2024 with versions 9.3.0.2 and 9.4.0.1)
• CVE-2018-8639 (CVSS score: 7.8) – An improper resource shutdown or release vulnerability in Microsoft Windows Win32k that allows for local, authenticated privilege escalation, and running arbitrary code in kernel mode (Fixed in December 2018)
• CVE-2024-4885 (CVSS score: 9.8) – A path traversal vulnerability in Progress WhatsUp Gold that allows an unauthenticated attacker to achieve remote code execution (Fixed in version 2023.1.3 in June 2024)

There are little-to-no reports about how some of the aforementioned flaws are weaponized in the wild, but French cybersecurity company Sekoia revealed last week that threat actors are abusing CVE-2023-20118 to rope susceptible routers into a botnet called PolarEdge.

As for CVE-2024-4885, the Shadowserver Foundation said it has observed exploitation attempts against the flaw as of August 1, 2024. Data from GreyNoise shows that as many as eight unique IP addresses from Hong Kong, Russia, Brazil, South Korea, and the United Kingdom are linked to the malicious exploitation of the vulnerability.

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are urged to apply the necessary mitigations by March 24, 2025, to secure their networks.