CISA Adds Cisco, Chrome, and Arista Flaws to KEV Catalog Amid Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on Tuesday, citing active exploitation. The first is CVE-2026-20245, a critical flaw in Cisco Catalyst SD-WAN Manager with a CVSS score of 7.8, which involves improper encoding or escaping of output. Also added was CVE-2024-4577, a critical vulnerability affecting the Apache HTTP Server, specifically its CGI script processing, which could allow remote code execution. The third vulnerability, CVE-2024-5274, impacts Google Chrome's V8 JavaScript engine, enabling arbitrary code execution. CISA requires federal civilian executive branch agencies to apply security patches for these vulnerabilities by May 21, 2024, to mitigate the risks of active exploitation. The inclusion of these flaws underscores the ongoing threat posed by unpatched software and the importance of timely security updates.
Original source: The Hacker News (read the full reporting at the publisher).