Pierluigi Paganini March 03, 2025

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Cisco Small Business RV Series Routers, Hitachi Vantara Pentaho BA Server, Microsoft Windows Win32k, and Progress WhatsUp Gold flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

• CVE-2023-20118 Cisco Small Business RV Series Routers Command Injection Vulnerability
• CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
• CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
• CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability
• CVE-2024-4885 Progress WhatsUp Gold Path Traversal Vulnerability

Below are the descriptions for these flaws:

CVE-2023-20118 (CVSS score 6.5) – the vulnerability resides in Cisco Small Business Routers’ web interface and allows authenticated remote attackers to execute arbitrary commands due to improper input validation. Exploiting it requires admin credentials and grants root access. Cisco will not release a fix for this issue.

“Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow a remote attacker to bypass authentication or execute arbitrary commands on the underlying operating system of an affected device.” reads the advisory.

CVE-2018-8639 (CVSS score of 7.8) – an elevation of privilege vulnerability that impacts Windows when the Win32k component fails to properly handle objects in memory. An attacker could exploit the vulnerability to run arbitrary code in kernel mode, and then install programs; view, change, or delete data; or create new accounts with full user rights.

“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.” reads the advisory. “The update addresses this vulnerability by correcting how Win32k handles objects in memory.”

CVE-2024-4885 (CVSS score 9.8) – an unauthenticated Remote Code Execution vulnerability impacts Progress WhatsUpGold. The WhatsUp.ExportUtilities.Export.GetFileWithoutZip allows execution of commands with iisapppool\nmconsole privileges.

The US Agency also added two Hitachi Vantara Pentaho BA Server flaws, respectively tracked as CVE-2022-43939 and CVE-2022-43769, to the catalog.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by March 24, 2025.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)