The Cybersecurity and Infrastructure Security Agency (CISA) has added four new actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, signaling immediate patching requirements for organizations worldwide. These security flaws, currently being weaponized by threat actors, affect widely used software from Microsoft, Linux, and other major vendors.

The Newly Added Vulnerabilities

CISA's latest update includes the following critical vulnerabilities that federal agencies must remediate by March 7, 2024:

  1. CVE-2023-36025 (Microsoft Windows SmartScreen Security Feature Bypass)
    - CVSS Score: 7.8 (High)
    - Allows attackers to bypass Windows Defender SmartScreen checks
    - Requires user interaction but enables malware delivery

  2. CVE-2023-35641 (Windows MSHTML Platform Elevation of Privilege)
    - CVSS Score: 7.8 (High)
    - Could lead to SYSTEM-level access on compromised machines
    - Being actively exploited in phishing campaigns

  3. CVE-2023-38260 (Adobe ColdFusion Deserialization Vulnerability)
    - CVSS Score: 9.8 (Critical)
    - Remote code execution flaw affecting web applications
    - Already incorporated into ransomware attack chains

  4. CVE-2023-29300 (Linux Kernel Use-After-Free Vulnerability)
    - CVSS Score: 7.8 (High)
    - Affects multiple Linux distributions
    - Can lead to privilege escalation attacks

Why These Vulnerabilities Matter

These vulnerabilities represent particularly dangerous attack vectors because:

  • They affect core operating system components
  • Exploitation requires minimal user interaction
  • Several have publicly available proof-of-concept code
  • Attackers are actively incorporating them into exploit kits

Organizations should immediately:

  1. Prioritize patching based on CISA's binding operational directive
  2. Implement network segmentation to limit lateral movement
  3. Enhance monitoring for exploitation attempts
  4. Update endpoint protection rules to detect exploit patterns

The Bigger Picture

This update continues CISA's effort to:

  • Reduce organizational attack surfaces
  • Standardize vulnerability response timelines
  • Improve information sharing between public and private sectors
  • Combat ransomware and nation-state threats

Long-Term Security Implications

The consistent addition of vulnerabilities to the KEV catalog highlights:

  • The growing sophistication of cyber attackers
  • The critical need for automated patch management
  • The importance of threat intelligence sharing
  • The evolving nature of software supply chain risks

Organizations that fail to address these vulnerabilities within CISA's mandated timeframe face significantly increased risk of compromise, particularly from advanced persistent threat groups that actively monitor KEV catalog updates.