The Cybersecurity and Infrastructure Security Agency has updated its Known Exploited Vulnerabilities catalog to include three Microsoft security flaws and one iOS vulnerability amid ongoing active exploitation, BleepingComputer
Threat actors could leverage CVE-2023-21823 and CVE-2023-23376 to achieve remote code execution and privilege escalation on vulnerable Windows systems, respectively, while Microsoft Office macro policies could be evaded with the exploitation of CVE-2023-21715. All of the newly added Microsoft zero-day flaws in CISA's KEV catalog have been addressed as part of this month's Patch Tuesday.
CISA has also added an Apple WebKit type confusion flaw, tracked as CVE-2023-23529, which could be leveraged to enable arbitrary code execution. Apple similarly issued fixes earlier this week for the flaw, which affects Macs running macOS Ventura, iPhone 8 and later, and all iPad Pro models.
Inclusion of the vulnerabilities should prompt all federal agencies to implement patches by March 7. All organizations across the U.S. have also been strongly urged to apply the fixes.