The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.
The vulnerabilities are:
- CVE-2012-4792 (CVSS score: 9.3) – Microsoft Internet Explorer Use-After-Free Vulnerability
- CVE-2024-39891 (CVSS score: 5.3) – Twilio Authy Information Disclosure Vulnerability
CVE-2012-4792 is a more than decade-old use-after-free vulnerability in Internet Explorer that could allow a remote attacker to execute arbitrary code, with the privileges of the logged-on user, when the victim visits a specially crafted website. Microsoft patched it out-of-band in January 2013 (MS13-008) for Internet Explorer 6 through 8, so any host still exposed today is running an unsupported browser.
It is not currently known whether there are new attempts to exploit this vulnerability, but it was previously used as a zero-day in a watering hole attack that compromised the websites of the Council on Foreign Relations (CFR) and Capstone Turbine Corporation in December 2012.
Meanwhile, CVE-2024-39891 is an information disclosure bug in an unauthenticated Authy endpoint that, in Twilio's words, could “accept requests containing phone numbers and respond with information about whether the phone number is registered with Authy.” In practice this is an account enumeration oracle: anyone holding a list of phone numbers can learn, without credentials, which of them belong to Authy users, and then target those users with SMS phishing or SIM-swap attempts.
Earlier this month, Twilio said it had fixed the issue in Authy versions 25.1.0 (Android) and 26.1.0 (iOS), after an unidentified threat actor used the flaw to identify data associated with Authy accounts.
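To make the enumeration problem concrete, the following is an added illustration (not Twilio or Authy code; the handler names, the tiny phone registry and the attacker loop are constructed for this example). It shows the leaky pattern described above, where the response reveals whether a number is enrolled, beside a hardened handler that answers identically in both cases and throttles each client.

```python
"""Phone-number enumeration oracle: a leaky lookup handler beside a hardened one.

Added illustration, not Twilio/Authy code. REGISTERED, the handler names and
the attacker loop are constructed for this example.
"""
import time
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample registry; these are reserved test-range numbers, not real users.
REGISTERED = {"+15550100001", "+15550100002"}


def leaky_lookup(phone: str) -> dict:
    """Vulnerable pattern: an unauthenticated endpoint whose status code and body
    differ depending on whether the number is enrolled. That difference is the
    oracle; it does not matter that no account data beyond 'exists' is returned."""
    if phone in REGISTERED:
        return {"status": 200, "body": {"registered": True}}
    return {"status": 404, "body": {"error": "not found"}}


def enumerate_numbers(lookup: Callable[[str], dict], candidates: Iterable[str]) -> List[str]:
    """What an attacker does with such an oracle: sweep a candidate list and
    keep every number the endpoint confirms."""
    return [p for p in candidates if lookup(p)["status"] == 200]


class HardenedLookup:
    """Hardened pattern: same status and same body regardless of enrolment, and
    a per-client sliding-window rate limit so bulk sweeps are cut off."""

    def __init__(self, limit: int = 5, window_s: float = 60.0):
        self.limit = limit
        self.window_s = window_s
        self._hits: Dict[str, List[float]] = defaultdict(list)
        self.sent_codes: List[str] = []  # stands in for real SMS delivery

    def _rate_limited(self, client: str, now: float) -> bool:
        recent = [t for t in self._hits[client] if now - t < self.window_s]
        if len(recent) >= self.limit:
            self._hits[client] = recent
            return True
        recent.append(now)
        self._hits[client] = recent
        return False

    def lookup(self, phone: str, client: str, now: Optional[float] = None) -> dict:
        now = time.monotonic() if now is None else now
        if self._rate_limited(client, now):
            return {"status": 429, "body": {"error": "too many requests"}}
        # Enrolment only decides whether a code goes out of band; the HTTP
        # response must not depend on it.
        if phone in REGISTERED:
            self.sent_codes.append(phone)
        return {
            "status": 202,
            "body": {"message": "If this number is enrolled, a code has been sent."},
        }
```

Run `enumerate_numbers(leaky_lookup, candidates)` against the leaky handler and the enrolled numbers fall out immediately; against `HardenedLookup` the same sweep yields nothing, because every answer is a 202 with the same body, and repeated calls from one client are throttled with a 429. In a real service the rate limit would live in a shared store rather than process memory, and response timing should also be kept independent of enrolment.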
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to federal agencies,” CISA said in its advisory.
Federal Civilian Executive Branch (FCEB) agencies have until August 13, 2024 to remediate the two vulnerabilities, which for CVE-2012-4792 means retiring any remaining Internet Explorer 6, 7 or 8 installations and for CVE-2024-39891 means updating the Authy app to the fixed versions, in order to protect their networks against active threats. Organizations outside the federal government are not bound by the deadline but are advised to treat KEV entries with the same urgency.
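A practical way to act on KEV additions is to cross-check an asset inventory against the catalog and surface the due dates. The following is an added example (not CISA tooling): the feed excerpt is constructed to match the shape of CISA's public KEV JSON (fields such as `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`), with the due date taken from the article and the `dateAdded` value assumed; the inventory mapping and asset names are likewise constructed. In real use the live feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json would be fetched and passed to `load_kev` instead.

```python
"""Cross-check an asset inventory against the CISA KEV catalog and flag due dates.

Added example, not CISA tooling. KEV_SAMPLE is a constructed excerpt in the
public feed's shape; INVENTORY and its asset names are constructed too.
"""
import json
from datetime import date
from typing import Dict, List, Tuple

# Constructed excerpt mirroring the KEV JSON schema. dueDate matches the
# article; dateAdded is assumed (KEV due dates are typically three weeks out).
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2012-4792", "vendorProject": "Microsoft",
         "product": "Internet Explorer",
         "vulnerabilityName": "Microsoft Internet Explorer Use-After-Free Vulnerability",
         "dateAdded": "2024-07-23", "dueDate": "2024-08-13",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-39891", "vendorProject": "Twilio",
         "product": "Authy",
         "vulnerabilityName": "Twilio Authy Information Disclosure Vulnerability",
         "dateAdded": "2024-07-23", "dueDate": "2024-08-13",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: asset name -> CVE ids a scanner reported on it.
# "CVE-0000-0000" is a placeholder for a finding that is not in KEV.
INVENTORY: Dict[str, List[str]] = {
    "legacy-kiosk-01": ["CVE-2012-4792"],
    "mobile-fleet": ["cve-2024-39891", "CVE-0000-0000"],
}


def load_kev(feed_json: str) -> Dict[str, dict]:
    """Parse a KEV feed document and index its entries by upper-cased CVE id."""
    data = json.loads(feed_json)
    return {v["cveID"].upper(): v for v in data["vulnerabilities"]}


def kev_exposure(kev: Dict[str, dict], inventory: Dict[str, List[str]],
                 today: date) -> List[Tuple[str, str, date, int]]:
    """Return (asset, cveID, due_date, days_left) for every inventory CVE that
    appears in KEV, soonest due first. Negative days_left means overdue."""
    rows = []
    for asset, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve.upper())
            if entry is None:
                continue  # not a KEV item; handle under normal patch cadence
            due = date.fromisoformat(entry["dueDate"])
            rows.append((asset, entry["cveID"], due, (due - today).days))
    rows.sort(key=lambda r: (r[2], r[0]))
    return rows


if __name__ == "__main__":
    for asset, cve, due, left in kev_exposure(load_kev(KEV_SAMPLE), INVENTORY, date.today()):
        state = "OVERDUE" if left < 0 else f"{left} days left"
        print(f"{asset:16} {cve:15} due {due}  {state}")
```

Case-insensitive matching on the CVE id matters in practice, since scanner exports and ticketing systems do not agree on capitalization; everything else is a straightforward join on the feed's `cveID` field.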