U.S. CISA adds Microsoft Windows MSHTML Platform and Progress WhatsUp Gold bugs to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini September 17, 2024

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Windows MSHTML Platform and Progress WhatsUp Gold bugs to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA)  SonicWall SonicOS, ImageMagick and Linux Kernel vulnerabilities to its .

Below are the descriptions for these vulnerabilities:

  •  Microsoft Windows MSHTML Platform Spoofing Vulnerability
  •  Progress WhatsUp Gold SQL Injection Vulnerability

CVE-2024-43461 – Microsoft this week warned that attackers actively exploited the Windows vulnerability CVE-2024-43461 as a zero-day before July 2024.

The vulnerability  is a Windows MSHTML platform spoofing issue. MSHTML is a platform used by Internet Explorer. Although the browser has been retired, MSHTML remains in Windows and is still used by certain applications.

The ZDI Threat Hunting team discovered a new exploit similar to a previously patched July vulnerability tracked as .

“This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.” reads the  published by ZDI. “The specific flaw exists within the way Internet Explorer prompts the user after a file is downloaded. A crafted file name can cause the true file extension to be hidden, misleading the user into believing that the file type is harmless. An attacker can leverage this vulnerability to execute code in the context of the current user.”

Despite reporting it to Microsoft in June, threat actors quickly devised a method to bypass the patch. Though actively used, Microsoft hasn’t labeled it as under attack. The flaw impacts all supported Windows versions.

“Yes. CVE-2024-43461 was exploited as a part of an attack chain relating to CVE-2024-38112, prior to July 2024.” reads the  published by Microsoft. “We released a fix for CVE-2024-38112 in our July 2024 security updates which broke this attack chain. See [CVE-2024-38112 – Security Update Guide – Microsoft – Windows MSHTML Platform Spoofing Vulnerability[(https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38112). Customers should both the July 2024 and September 2024 security update to fully protect themselves.”

Patch Tuesday security updates for September 2024 addressed the CVE-2024-43461 vulnerability.

The vulnerability in WhatsUp Gold is an SQL Injection authentication bypass issue.

An unauthenticated attacker could trigger this vulnerability to retrieve the users encrypted password. The flaw impacts WhatsUp Gold versions released before 2024.0.0.

According to , FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the  and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by October 7, 2024.

Follow me on Twitter:  and  and Mastodon

(SecurityAffairs – hacking, CISA)



you might also like

leave a comment