National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

The National Computer Security Incident Response Team aims to increase cybersecurity by strengthening the protection of the cyberspace of the National Critical Information Infrastructures, the banks and the communication providers of the Republic of Cyprus.

CISA orders agencies to patch Exchange bug abused by ransomware gang

11 January 2023

The Cybersecurity and Infrastructure Security Agency (CISA) has added two more security vulnerabilities to its catalog of exploited bugs today.

The first is a Microsoft Exchange elevation of privileges bug tracked as CVE-2022-41080 that can be chained with the CVE-2022-41082 ProxyNotShell bug to gain remote code execution.

Texas-based cloud computing provider Rackspace confirmed one week ago that the Play ransomware gang exploited it as a zero-day to bypass Microsoft's ProxyNotShell URL rewrite mitigations and escalate permissions on compromised Exchange servers.

The exploit used in the attack, dubbed OWASSRF by CrowdStrike security researchers who spotted it, was also shared online with some of Play ransomware's other malicious tools.

This will likely make it easier for other cybercriminals to create their own custom exploits or adapt Play ransomware's tool for their own purposes, adding to the urgency of patching the vulnerability as soon as possible.

Organizations with on-premises Microsoft Exchange servers are advised to deploy the latest Exchange security updates immediately (with November 2022 being the minimum patch level) or disable Outlook Web Access (OWA) until they can apply CVE-2022-41080 patches.

The second vulnerability CISA added to its Known Exploited Vulnerabilities (KEV) catalog is a privilege escalation zero-day (CVE-2023-21674) in the Windows Advanced Local Procedure Call (ALPC), tagged as being exploited in attacks and patched by Microsoft during this month's Patch Tuesday.

Federal agencies have to patch by the end of January

The BOD 22-01 binding operational directive, issued by CISA in November 2021, requires all Federal Civilian Executive Branch (FCEB) agencies to secure their networks against bugs added to the KEV catalog.

Today, CISA gave FCEB agencies three weeks, until January 31st, to address the two security flaws and block potential attacks targeting their systems.

While this directive only applies to U.S. federal agencies, CISA also strongly urged all organizations to fix these vulnerabilities to thwart exploitation attempts.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned today.

The information contained in this website is for general information purposes only. The information is gathered from BleepingComputer. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.
