CISA adds Microsoft Exchange and Cisco ASA and FTD bugs to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini February 16, 2024

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Exchange and Cisco ASA and FTD bugs to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA)  the following two vulnerabilities to its :

  •  Cisco ASA and FTD Information Disclosure Vulnerability
  •  Microsoft Exchange Server Privilege Escalation Vulnerability

The vulnerability CVE-2020-3259 is an information disclosure issue that resides in the web services interface of ASA and FTD. Cisco addressed the flaw in May 2020.

The vulnerability CVE-2024-21410 is a bypass vulnerability that can be exploited by an attacker to bypass the SmartScreen user experience and inject code to potentially gain code execution, which could lead to some data exposure, lack of system availability, or both.

“An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf. For more information about Exchange Server’s support for Extended Protection for Authentication(EPA), please see Configure Windows Extended Protection in Exchange Server.” reads the published by Microsoft.

According to , FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the  and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by March 7, 2024.

Follow me on Twitter:  and  and Mastodon

(SecurityAffairs – Hacking, Known Exploited Vulnerabilities catalog)



you might also like

leave a comment