CISA KEV Update: Five Actively Exploited CVEs in Apple, Hikvision, Rockwell
- Active exploitation of five vulnerabilities poses significant risk to federal networks and all organizations.
- Affected systems include multiple Hikvision products, multiple Rockwell Automation products, and Apple products including iOS and iPadOS.
- Prioritize immediate patching of every vulnerability listed in CISA's Known Exploited Vulnerabilities Catalog.
CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog, adding five new CVEs that are under active exploitation. This advisory, initially released by CISA, underscores the immediate threat these vulnerabilities pose to federal agencies and private sector organizations alike. The inclusion in the KEV Catalog signifies that these flaws are not merely theoretical but are actively being leveraged by malicious cyber actors as frequent attack vectors.
CISA’s Binding Operational Directive (BOD) 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate KEVs by specified due dates. While this directive specifically targets federal entities, CISA consistently urges all organizations globally to prioritize the remediation of these identified vulnerabilities. Neglecting known exploited flaws dramatically increases an organization’s attack surface and overall risk profile.
Technical Analysis of Actively Exploited CVEs
The five vulnerabilities recently added to the CISA KEV Catalog span a range of product types and vulnerability classes, indicating a diverse set of targets and exploitation methods. Understanding the specifics of each is crucial for effective defense.
Hikvision Improper Authentication: CVE-2017-7921
This vulnerability, affecting multiple Hikvision products, involves improper authentication. Such flaws can allow unauthenticated attackers to bypass security mechanisms, potentially gaining unauthorized access to devices or sensitive data. Organizations using Hikvision surveillance or IoT devices should be particularly vigilant. This vulnerability highlights the ongoing risk associated with IoT device security and the necessity of robust authentication processes. Mitigation of CVE-2017-7921 centers on updating device firmware and reviewing the access controls in front of affected devices.
Rockwell Insufficiently Protected Credentials: CVE-2021-22681
Multiple Rockwell Automation products are affected by an insufficiently protected credentials vulnerability. This type of flaw typically means that credentials (such as passwords or API keys) are stored or transmitted in a way that leaves them open to compromise, potentially leading to unauthorized access or privilege escalation within industrial control system (ICS) or operational technology (OT) environments. For CVE-2021-22681, applying vendor patches and implementing strong credential management policies are paramount.
Apple Integer Overflow or Wraparound: CVE-2021-30952
Affecting multiple Apple products, this integer overflow or wraparound vulnerability could lead to arbitrary code execution, often categorized as RCE, or unexpected application behavior. These vulnerabilities frequently arise from improper handling of large numerical values in memory operations.
Apple iOS and iPadOS Use-After-Free: CVE-2023-41974
A use-after-free vulnerability in Apple iOS and iPadOS could allow attackers to execute arbitrary code with kernel privileges. This class of vulnerability is particularly dangerous because it can lead to complete device compromise and is often used in sophisticated targeted attacks. Organizations should mitigate CVE-2023-41974 by immediately applying the available security updates to all affected mobile devices.
Apple Use-After-Free in Multiple Products: CVE-2023-43000
Similar to CVE-2023-41974, this is another use-after-free vulnerability impacting multiple Apple products. The repeated appearance of use-after-free flaws in Apple’s ecosystem suggests a persistent attack surface that threat actors are actively exploiting. These vulnerabilities underscore the need for continuous vigilance and prompt patching across all Apple devices.
Actionable Recommendations for Defenders
Given the active exploitation of these vulnerabilities, immediate and decisive action is required to secure enterprise environments.
- Prioritize Patching: The most critical step is to apply vendor-released patches for all identified vulnerabilities immediately. This includes firmware updates for Hikvision devices, security updates for Rockwell products, and the latest iOS/iPadOS versions for Apple devices.
- Vulnerability Management:
  - Integrate the CISA KEV Catalog into your organization’s daily vulnerability management practices.
  - Regularly scan your networks and endpoints for the presence of these and other known exploited vulnerabilities.
  - Establish clear metrics and deadlines for remediation, mirroring the urgency applied to federal agencies.
- Enhance Monitoring and Detection:
  - Deploy and configure EDR solutions and SIEM systems to detect suspicious activity potentially indicative of exploitation attempts.
  - Monitor for unusual network traffic, unauthorized access attempts, or deviations from baseline behavior on affected systems.
  - Implement robust logging mechanisms on all critical infrastructure components.
- Implement Zero Trust Principles: Adopt a Zero Trust architecture to limit the impact of successful exploitation. This includes micro-segmentation, least privilege access, and continuous verification of users and devices.
- Educate and Train: Ensure IT and security teams are aware of these threats and prepared to respond swiftly to any indicators of compromise. Regular security awareness training for all employees can also help mitigate risks associated with social engineering vectors that might precede exploitation.
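As an added illustration of the vulnerability-management items above (integrating the KEV Catalog and tracking remediation deadlines), the script below cross-checks scanner findings against a KEV catalog export and reports days remaining until each BOD 22-01 due date. This is example code, not CISA's or any vendor's tooling; it assumes the field layout of the KEV JSON feed, and the catalog excerpt, inventory and dates are constructed sample data rather than the real catalog entries.

```python
import json
from datetime import date

# Added example, not the advisory's code. Assumes the layout of the KEV JSON
# feed (a top-level "vulnerabilities" list with cveID, vendorProject, product,
# dateAdded and dueDate). The catalog excerpt and inventory below are constructed
# sample data; the dates are placeholders, not the real KEV dates.
KEV_JSON = """
{"title": "CISA Catalog of Known Exploited Vulnerabilities",
 "vulnerabilities": [
  {"cveID": "CVE-2017-7921", "vendorProject": "Hikvision",
   "product": "Multiple Products", "dateAdded": "2025-01-01", "dueDate": "2025-01-22"},
  {"cveID": "CVE-2021-22681", "vendorProject": "Rockwell Automation",
   "product": "Multiple Products", "dateAdded": "2025-01-01", "dueDate": "2025-01-22"},
  {"cveID": "CVE-2023-41974", "vendorProject": "Apple",
   "product": "iOS and iPadOS", "dateAdded": "2025-01-01", "dueDate": "2025-01-29"}
 ]}
"""

# Constructed scanner output: asset name -> CVE ids found on it.
INVENTORY = {
    "cam-lobby-01": ["CVE-2017-7921"],
    "plc-line-3": ["CVE-2021-22681", "CVE-0000-0000"],  # placeholder id, not in KEV
    "ipad-exec-07": ["CVE-2023-41974"],
}
TODAY = date(2025, 1, 25)  # constructed "as of" date for the sample run

def load_kev(raw):
    """Index a KEV catalog export by CVE id."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def kev_exposure(inventory, kev, today):
    """KEV-listed CVEs per asset with days until the BOD 22-01 due date (negative = overdue), most urgent first."""
    findings = []
    for asset, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: leave to routine risk-based prioritisation
            due = date.fromisoformat(entry["dueDate"])
            findings.append({"asset": asset, "cve": cve,
                             "vendor": entry["vendorProject"],
                             "days_left": (due - today).days})
    return sorted(findings, key=lambda f: f["days_left"])

if __name__ == "__main__":
    for f in kev_exposure(INVENTORY, load_kev(KEV_JSON), TODAY):
        status = "OVERDUE" if f["days_left"] < 0 else f"{f['days_left']}d left"
        print(f"{f['asset']:14} {f['cve']:15} {f['vendor']:20} {status}")
```

In practice the catalog would be pulled from CISA's published JSON feed on a schedule and the inventory from your scanner's export; the overdue rows are the ones that map directly onto the remediation deadlines the list above asks you to establish.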