Pierluigi Paganini February 05, 2025

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft .NET Framework, Apache OFBiz, and Paessler PRTG Network Monitor flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

• CVE-2024-45195 (CVSS score of 9.8) Apache OFBiz Forced Browsing Vulnerability
• CVE-2024-29059 (CVSS score of 7.5) Microsoft .NET Framework Information Disclosure Vulnerability
• CVE-2018-9276 (CVSS score of 7.2) Paessler PRTG Network Monitor OS Command Injection Vulnerability
• CVE-2018-19410 (CVSS score of 9.8) Paessler PRTG Network Monitor Local File Inclusion Vulnerability

In September 2024, Apache fixed a high-severity vulnerability, tracked as CVE-2024-45195 (CVSS score: 7.5) affecting the Apache OFBiz open-source enterprise resource planning (ERP) system.

Apache OFBiz® is an open source product for the automation of enterprise processes that includes framework components and business applications.

The vulnerability is a Direct Request (‘Forced Browsing’) issue in Apache OFBiz. This flaw affects all versions of the software before 18.12.16.

The vulnerability allowed authenticated threat actors to execute code or SQL queries, leading to remote code execution. The latest patch addresses this by ensuring that anonymous access is only permitted if the user is unauthenticated, rather than relying solely on authorization checks based on the target controller.

The second flaw, tracked as CVE-2024-29059, is .NET Framework information disclosure vulnerability.

The third issue, tracked as CVE-2018-9276, is an OS command injection flaw that impacts PRTG Network Monitor before 18.2.39. An attacker with admin access could exploit the flaw by sending malformed parameters in sensor or notification management scenarios.

The last issue, tracked as CVE-2018-19410, impacts PRTG Network Monitor before 18.2.40.1683. It allows remote unauthenticated attackers to create admin users via a Local File Inclusion attack on /public/login.htm.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by February 25, 2025.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA Known Exploited Vulnerabilities catalog)