Oracle, SugarCRM vulnerabilities added to CISA catalog

Ongoing, active exploitation of two security vulnerabilities, CVE-2022-21587 in Oracle's E-Business Suite and CVE-2023-22952 in SugarCRM products, has prompted their addition to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities Catalog, reports The Record, the news site of cybersecurity firm Recorded Future. Federal civilian agencies are required to address both flaws by Feb. 23.

Oracle already released a patch for the critical E-Business Suite flaw in October, leaving any still-unpatched instances in urgent need of updating. The SugarCRM vulnerability, meanwhile, has already been exploited to deploy cryptomining malware, according to a security expert. SugarCRM did note, however, that none of its Sugar Sell, Enterprise, Serve, Professional and Ultimate offerings have been impacted by the attacks.

The two flaws come from widely different market segments and illustrate the ever-expanding reach of cybercriminals and nation-state actors, said Netenrich Principal Threat Hunter John Bambenek. "This highlights that all market segments attract APT and nation-state risks that should enforce the need to make sure updates are applied as quickly as they come out," Bambenek added.
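As an added example (not code from the article, from CISA, Oracle or SugarCRM): a short Python triage script that parses records in the shape of CISA's public KEV JSON feed, matches them against a local asset inventory, skips CVEs the asset owner has already recorded as patched, and reports days remaining to each remediation due date. The feed records and the inventory are constructed for the example and are not a download of the real feed; the dateAdded value, the descriptive fields and all vendor/product strings other than the two CVE IDs and the Feb. 23, 2023 due date are assumptions.

```python
"""Triage a local asset inventory against CISA KEV catalog entries.

Added example; this is not code from the SC Media article, from CISA,
Oracle or SugarCRM. It assumes the published KEV feed JSON schema
(cveID, vendorProject, product, dateAdded, dueDate, ...). The records
and the inventory below are constructed for the example, not downloaded.
"""
import json
from datetime import date

# Constructed sample in the shape of the KEV feed. Only the CVE IDs, the
# vendors/products and the Feb. 23, 2023 due date come from the article;
# dateAdded and the descriptive fields are placeholders.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
  "count": 2,
  "vulnerabilities": [
    {
      "cveID": "CVE-2022-21587",
      "vendorProject": "Oracle",
      "product": "E-Business Suite",
      "vulnerabilityName": "placeholder",
      "dateAdded": "2023-02-02",
      "shortDescription": "placeholder",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2023-02-23"
    },
    {
      "cveID": "CVE-2023-22952",
      "vendorProject": "SugarCRM",
      "product": "SugarCRM",
      "vulnerabilityName": "placeholder",
      "dateAdded": "2023-02-02",
      "shortDescription": "placeholder",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2023-02-23"
    }
  ]
}
"""

# Constructed inventory. patched_cves is whatever the asset owner has
# recorded as already remediated on that host.
SAMPLE_INVENTORY = [
    {"host": "erp01", "vendor": "Oracle", "product": "Oracle E-Business Suite 12.2",
     "patched_cves": []},
    {"host": "crm02", "vendor": "SugarCRM", "product": "SugarCRM Enterprise",
     "patched_cves": ["CVE-2023-22952"]},
    {"host": "crm03", "vendor": "sugarcrm", "product": "SugarCRM Professional",
     "patched_cves": []},
    {"host": "web01", "vendor": "nginx", "product": "nginx", "patched_cves": []},
]


def parse_kev(feed_text):
    """Return the list of vulnerability records from a KEV feed document."""
    return json.loads(feed_text)["vulnerabilities"]


def _norm(text):
    # Case-insensitive, whitespace-collapsed comparison key.
    return " ".join(text.lower().split())


def _product_matches(entry, asset):
    """Loose vendor/product match: vendors must agree (case-insensitive) and
    the KEV product string must appear inside the inventory product string."""
    if _norm(entry["vendorProject"]) != _norm(asset["vendor"]):
        return False
    return _norm(entry["product"]) in _norm(asset["product"])


def triage(feed_text, inventory, today_iso):
    """One finding per (host, CVE) where a KEV entry matches an inventory
    asset and the CVE is not recorded as patched. Sorted most urgent first."""
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        for entry in parse_kev(feed_text):
            if not _product_matches(entry, asset):
                continue
            if entry["cveID"] in asset["patched_cves"]:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "due": entry["dueDate"],
                "days_left": (due - today).days,   # negative once overdue
                "overdue": today > due,
            })
    findings.sort(key=lambda f: (f["days_left"], f["host"], f["cve"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, "2023-02-10"):
        status = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['host']:8} {f['cve']:16} due {f['due']} ({status})")
```

The substring product match is deliberately loose so that a KEV entry listing only "SugarCRM" still hits an inventory row recorded as "SugarCRM Professional"; an inventory keyed on CPE strings would allow an exact match instead. Against the live feed, replace SAMPLE_KEV_JSON with the document fetched from CISA's known_exploited_vulnerabilities.json; the schema used here is the one that feed publishes. The due dates bind federal civilian agencies, but the catalog is a useful prioritization signal for any organisation.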
