The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws impacting Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerabilities in question are listed below –
- CVE-2017-3066 (CVSS score: 9.8) – A deserialization vulnerability impacting Adobe ColdFusion in the Apache BlazeDS library that allows for arbitrary code execution. (Fixed in April 2017)
- CVE-2024-20953 (CVSS score: 8.8) – A deserialization vulnerability impacting Oracle Agile PLM that allows a low-privileged attacker with network access via HTTP to compromise the system. (Fixed in January 2024)
There are currently no public reports referencing the exploitation of the vulnerabilities, although another flaw impacting Oracle Agile PLM (CVE-2024-21287, CVSS score: 7.5) came under active abuse late last year.
To mitigate the risks posed by potential attacks weaponizing these flaws, it’s recommended that users take steps to apply the necessary updates. Federal agencies have time until March 17, 2025, to secure their networks against the threats.
The development comes as threat intelligence firm GreyNoise revealed active exploitation attempts targeting CVE-2023-20198, a now-patched security flaw affecting vulnerable Cisco devices.
As many as 110 malicious IPs, mainly originating from Bulgaria, Brazil, and Singapore have been linked to the malicious activity.
“Two malicious IPs exploited CVE-2018-0171 in December 2024 and January 2025, originating from Switzerland and the United States — the same period when Salt Typhoon, a Chinese state-sponsored threat group, reportedly breached telecom networks using CVE-2023-20198 and CVE-2023-20273,” the GreyNoise Research Team said.
