CISA Adds Critical Vulnerabilities to the Known Exploited Vulnerabilities Catalog

In the ever-evolving world of cybersecurity, timely updates and security patches are crucial in mitigating the risks posed by vulnerabilities. Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added several significant vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing their active exploitation in widely used platforms and tools. These vulnerabilities, affecting Sitecore CMS and a GitHub Action, highlight the importance of proactive cybersecurity measures to protect critical infrastructure from malicious attacks.

The Vulnerabilities:

1. CVE-2019-9875 (Sitecore CMS)

   • Severity: CVSS score of 8.8
   • Description: This vulnerability in the anti-CSRF module of Sitecore CMS versions up to 9.1 allows an authenticated attacker to execute arbitrary code. The flaw arises from deserialization of untrusted data: the attacker sends a serialized .NET object through an HTTP POST parameter.

2. CVE-2019-9874 (Sitecore CMS)

   • Severity: CVSS score of 9.8
   • Description: A more severe deserialization vulnerability in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 that allows unauthenticated attackers to execute arbitrary code via a malicious __CSRFTOKEN parameter in HTTP POST requests.

3. CVE-2025-30154 (GitHub Action)

   • Severity: CVSS score of 8.6
   • Description: A compromise of the GitHub Action reviewdog/action-setup@v1 on March 11, 2025, exposed sensitive data in workflow logs. The compromise was part of a wider supply chain attack that also affected other reviewdog actions and repositories, and it was linked to the tj-actions/changed-files GitHub Action, which led to repositories leaking secrets over the weekend.

What Undercode Says:

The inclusion of these vulnerabilities in the KEV catalog by CISA is a crucial step in urging both government agencies and private organizations to take immediate action to patch these flaws. As organizations increasingly rely on web-based platforms like Sitecore CMS for content management and GitHub for development workflows, the security risks associated with these platforms become more prominent. Vulnerabilities like those identified in Sitecore CMS versions 7.0-9.1 could allow malicious actors to take complete control of affected systems, posing a significant threat to organizations relying on these systems for day-to-day operations.

Sitecore’s deserialization vulnerabilities are particularly dangerous due to their ability to bypass standard security mechanisms, making them an attractive target for attackers. Similarly, the GitHub action vulnerability underscores the growing importance of securing the software supply chain. The fact that this vulnerability led to the leak of sensitive data highlights the need for stricter security measures in CI/CD pipelines, where sensitive secrets are often stored and processed.

The rapid identification of the GitHub Action compromise by Wiz Research and the subsequent addition of these vulnerabilities to the CISA catalog speak volumes about the increasing sophistication of cybersecurity threats. Organizations are advised to adhere to CISA’s deadlines to patch these vulnerabilities: April 14, 2025, for the GitHub Action vulnerability and April 16, 2025, for the Sitecore CMS flaws. By failing to do so, agencies and private companies risk leaving their systems exposed to serious attacks.

Additionally, the focus on these two major vulnerabilities brings attention to the broader issue of secure software development practices. Whether it’s deserialization flaws in a content management system or compromised CI/CD pipelines, the risks are real and demand urgent attention. The security of software development, particularly in open-source and third-party integrations, must be prioritized as part of a comprehensive cybersecurity strategy.

Fact Checker Results:

  • Sitecore CMS Vulnerabilities: Confirmed and consistent with previous reports from multiple security sources, emphasizing the high risk of deserialization flaws.
  • GitHub Action Compromise: Verified by Wiz Research and corroborated by multiple independent cybersecurity firms.
  • CISA’s Deadline for Patches: Accurate, as per CISA’s Binding Operational Directive (BOD) 22-01.

References:

Reported By: https://securityaffairs.com/175915/security/u-s-cisa-adds-sitecore-cms-and-xp-and-github-action-flaws-to-its-known-exploited-vulnerabilities-catalog.html