[TIMESTAMP: 2026-04-21 12:33 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

CISA KEV Expansion: Exploit Guidance for Cisco, Kentico, and Zimbra

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Immediate impact: Attackers are actively exploiting vulnerabilities in Cisco, Zimbra, and Kentico to gain unauthorized access and cause service disruptions.
  • [02] Affected systems: Impacted platforms include Cisco ASA and FTD, Zimbra Collaboration, Kentico CMS, and Ivanti Endpoint Manager.
  • [03] Remediation: Organizations must prioritize patching the eight newly added KEV vulnerabilities by the November deadlines specified by CISA.

Overview of the CISA KEV Catalog Expansion

The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog, adding eight distinct flaws that have been observed in active exploitation. According to SecurityWeek, this expansion highlights an ongoing trend in which threat actors leverage both legacy vulnerabilities and recently disclosed zero-day bugs to compromise enterprise environments. The newly added vulnerabilities affect a wide range of technologies, including Cisco networking equipment, Zimbra collaboration suites, and Kentico content management systems.

When a CVE is added to the KEV catalog, it signifies that there is clear evidence of active exploitation, and Federal Civilian Executive Branch (FCEB) agencies are mandated to apply patches within a specific timeframe. Although that mandate applies only to FCEB agencies, private-sector organizations and SOC teams worldwide should also treat these additions as high-priority intelligence for their vulnerability management programs.

Technical Analysis: Cisco ASA CVE-2024-20481

One of the most notable additions is CVE-2024-20481, which impacts the Remote Access VPN (RAVPN) service of Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The vulnerability allows an unauthenticated, remote attacker to cause a denial-of-service (DoS) condition by exhausting available resources on the target device.

This specific TTP involves sending a high volume of malicious VPN connection requests. Because the exhaustion occurs before authentication is completed, even hardened environments are at risk if the VPN service is exposed to the public internet. While the CVSS score is only 5.8, its inclusion in the KEV catalog demonstrates that attackers are successfully using this flaw to disrupt operations. For security administrators, mitigation of CVE-2024-20481 on Cisco ASA and FTD involves upgrading to the latest software releases and implementing rate-limiting on VPN connection attempts to prevent resource depletion.
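The rate-limiting mitigation above, shown as an added illustration of the decision logic rather than any Cisco configuration or code from the original article: a per-source sliding-window limiter that rejects excess pre-authentication attempts before session state is allocated. The attempt feed, limits and IP addresses are constructed assumptions.

```python
from collections import deque, defaultdict


class ConnectionRateLimiter:
    """Sliding-window limiter: at most `limit` attempts per source within `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.history = defaultdict(deque)  # src -> timestamps of recently allowed attempts

    def allow(self, src, now):
        q = self.history[src]
        while q and now - q[0] >= self.window:  # forget attempts that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # reject early, before any per-session resources are consumed
        q.append(now)
        return True


def replay(attempts, limit=5, window=10.0):
    """Replay (timestamp, src) attempts in order; return {src: (allowed, rejected)}."""
    limiter = ConnectionRateLimiter(limit, window)
    stats = defaultdict(lambda: [0, 0])
    for ts, src in attempts:
        stats[src][0 if limiter.allow(src, ts) else 1] += 1
    return {src: tuple(counts) for src, counts in stats.items()}


# Constructed sample: one client retrying at a normal pace, one source flooding
# the pre-auth handshake (40 attempts in under four seconds).
SAMPLE_ATTEMPTS = sorted(
    [(t, "203.0.113.10") for t in (0.0, 3.0, 7.0, 12.0)]
    + [(0.5 + 0.1 * i, "198.51.100.77") for i in range(40)]
)

if __name__ == "__main__":
    for src, (allowed, rejected) in replay(SAMPLE_ATTEMPTS).items():
        print(f"{src}: allowed={allowed} rejected={rejected}")
```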

Remote Code Execution in Zimbra and Kentico

Critical RCE vulnerabilities have also been targeted. CVE-2024-45519 affects Zimbra Collaboration software. The flaw resides in the postjournal service, where improper sanitization of user input allows attackers to execute arbitrary commands on the host system without authentication. This vulnerability is particularly dangerous because it can be leveraged for lateral movement or the deployment of ransomware.

How to Detect CVE-2024-45519 Exploitation

Defenders can identify potential exploitation attempts by monitoring logs for unusual activity within the postjournal process. Analysts should look for unauthorized shell executions or network connections originating from the Zimbra mail server to known C2 infrastructure. Integrating these IoCs into a SIEM can provide real-time alerts when exploitation is attempted.
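The detection logic described above, as an added example that is not part of the original article: it flags postjournal spawning a shell and raises the severity when a shell opens an outbound connection shortly afterwards. The process-audit line format, hostnames and addresses are constructed assumptions, not real Zimbra output; the same check applies to any daemon that should never spawn a shell.

```python
import re
from datetime import datetime, timedelta

WATCHED_PARENTS = {"postjournal"}          # daemons that should never spawn a shell
SHELLS = {"sh", "bash", "dash", "zsh"}
CORRELATION_WINDOW = timedelta(seconds=60)  # shell spawn -> outbound connect

# Constructed sample process-audit lines (format is an assumption, not Zimbra's own).
SAMPLE_LINES = """\
2026-04-21T12:01:03Z host=zimbra01 type=exec parent=postjournal child=postjournal
2026-04-21T12:01:09Z host=zimbra01 type=exec parent=zmconfigd child=java
2026-04-21T12:02:41Z host=zimbra01 type=exec parent=postjournal child=sh
2026-04-21T12:02:42Z host=zimbra01 type=connect proc=sh dst=198.51.100.23:4444
2026-04-21T12:03:00Z host=zimbra01 type=exec parent=postfix child=cleanup
2026-04-21T12:09:00Z host=zimbra01 type=connect proc=java dst=203.0.113.7:443
""".splitlines()

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(KV.findall(rest))
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(lines):
    """Return (severity, timestamp, message) tuples for suspicious postjournal behaviour."""
    alerts, shell_spawns = [], []
    for ev in map(parse, lines):
        if ev.get("type") == "exec" and ev.get("parent") in WATCHED_PARENTS and ev.get("child") in SHELLS:
            shell_spawns.append(ev["ts"])
            alerts.append(("medium", ev["ts"], f"{ev['parent']} spawned shell {ev['child']}"))
        elif ev.get("type") == "connect" and ev.get("proc") in SHELLS:
            # A shell calling out within the window of a watched-parent spawn is the strong signal.
            recent = any(timedelta(0) <= ev["ts"] - t <= CORRELATION_WINDOW for t in shell_spawns)
            alerts.append(("high" if recent else "low", ev["ts"],
                           f"shell {ev['proc']} connected to {ev['dst']}"))
    return alerts


if __name__ == "__main__":
    for severity, ts, msg in detect(SAMPLE_LINES):
        print(f"[{severity.upper()}] {ts.isoformat()} {msg}")
```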

Additionally, CVE-2019-10068 in Kentico CMS, despite being discovered years ago, remains a viable vector for attackers. This insecure deserialization flaw allows unauthenticated RCE. Organizations still running legacy versions of the platform must follow Kentico's patch guidance for this RCE immediately to prevent full system compromise.

Other Noteworthy Additions

The update also includes CVE-2024-29847 in Ivanti Endpoint Manager (EPM). This deserialization vulnerability allows an unauthenticated attacker to achieve remote code execution with system-level privileges. Such flaws are often prized by APT groups because they provide a foothold into the internal management network, enabling broad supply-chain attack scenarios if the management server is used to push malicious updates to endpoints.

Other vulnerabilities added include CVE-2022-44877 in Control Web Panel, CVE-2017-10924 in Garmin Forge, and flaws in Dahua cameras (CVE-2021-33044 and CVE-2021-33045).

Recommendations and Mitigation Strategies

To defend against these active threats, organizations should adopt a Zero Trust approach to network architecture, ensuring that even internal management services like Ivanti EPM or Zimbra are not implicitly trusted.

  1. Immediate Patching: Prioritize the updates for Cisco ASA, Zimbra, and Ivanti EPM.
  2. Enhanced Monitoring: Deploy EDR solutions to detect suspicious child processes spawned by web services or VPN appliances.
  3. Exposure Management: Audit all internet-facing assets to ensure that management interfaces and legacy CMS installations are behind a VPN or protected by multi-factor authentication.

By using the MITRE ATT&CK framework to map these vulnerabilities to known adversary behaviors, SOC teams can better anticipate and block exploitation attempts before they result in a significant data breach.
