We have been made aware of active exploitation of severe security vulnerabilities in TP-Link, Apache, and Oracle systems. Immediate action is needed to safeguard your systems from these threats.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified three major security vulnerabilities that are currently being actively exploited. These vulnerabilities have been added to the Known Exploited Vulnerabilities (KEV) catalog.

CVE-2023-1389 (CVSS score: 8.8) is a TP-Link Archer AX-21 Command Injection Vulnerability which, if exploited, could allow for remote code execution. According to Trend Micro’s Zero Day Initiative, this flaw has been used by the Mirai botnet since April 11, 2023.

CVE-2021-45046 (CVSS score: 9.0) is an Apache Log4j2 Deserialization of Untrusted Data Vulnerability, while CVE-2023-21839 (CVSS score: 7.5) is an Oracle WebLogic Server Unspecified Vulnerability.

CISA is urging all users to update their systems to mitigate the risk of exploitation.

Also added to the KEV catalog is CVE-2021-45046, a remote code execution vulnerability in the Apache Log4j2 logging library that was discovered in December 2021. Data gathered by GreyNoise shows evidence of exploitation attempts from as many as 74 unique IP addresses in the past 30 days, although it is not clear how this vulnerability is being abused.

Rounding out the list is a high-severity bug in Oracle WebLogic Server versions 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0 that could allow unauthorized access to sensitive data. Oracle released updates to address this vulnerability in January 2023. As CISA warned, “Oracle WebLogic Server contains an unspecified vulnerability that allows an unauthenticated attacker with network access via T3, IIOP, to compromise Oracle WebLogic Server”.

Although proof-of-concept (PoC) exploits for the flaw are already available, malicious exploitation of the vulnerability has yet to be reported. However, US Federal Civilian Executive Branch (FCEB) agencies are encouraged to take action and apply vendor-provided fixes by May 22, 2023, to protect their networks. This advisory follows the recent VulnCheck report, which revealed that nearly four dozen security flaws that were likely weaponized in the wild in 2022 are missing from the KEV catalog. Of the 42 vulnerabilities, 27 are related to exploitation by Mirai-like botnets, 6 by ransomware gangs, and 9 by other threat actors.
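As an added example (not code from the article or from CISA), this is the triage a defender does with KEV additions like these: match the catalog entries against an asset inventory and flag unpatched items that are past the remediation due date. The feed sample is constructed in the shape of CISA's KEV JSON (the field names `cveID`, `vendorProject`, `product` and `dueDate` are assumed from that feed) using the three CVEs and the May 22, 2023 due date from the advisory; the asset inventory is hypothetical.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (only the fields used here).
# CVE IDs and the 2023-05-22 due date come from the advisory above.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-1389", "vendorProject": "TP-Link", "product": "Archer AX-21",
     "vulnerabilityName": "TP-Link Archer AX-21 Command Injection Vulnerability",
     "dueDate": "2023-05-22"},
    {"cveID": "CVE-2021-45046", "vendorProject": "Apache", "product": "Log4j2",
     "vulnerabilityName": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability",
     "dueDate": "2023-05-22"},
    {"cveID": "CVE-2023-21839", "vendorProject": "Oracle", "product": "WebLogic Server",
     "vulnerabilityName": "Oracle WebLogic Server Unspecified Vulnerability",
     "dueDate": "2023-05-22"},
]})

# Hypothetical asset inventory: vendor/product per asset plus the CVEs already remediated.
INVENTORY = [
    {"asset": "edge-router-01", "vendor": "TP-Link", "product": "Archer AX-21", "patched": set()},
    {"asset": "app-01", "vendor": "Oracle", "product": "WebLogic Server",
     "patched": {"CVE-2023-21839"}},
    {"asset": "log-svc", "vendor": "Apache", "product": "Log4j2", "patched": set()},
]


def load_kev(feed_json: str) -> dict:
    """Index a KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def kev_findings(kev: dict, inventory: list, today: str) -> list:
    """List unpatched KEV entries matching each asset's vendor/product (case-insensitive)
    and flag those whose CISA due date has already passed as of `today` (ISO date)."""
    now = date.fromisoformat(today)
    findings = []
    for asset in inventory:
        key = (asset["vendor"].lower(), asset["product"].lower())
        for entry in kev.values():
            if (entry["vendorProject"].lower(), entry["product"].lower()) != key:
                continue
            if entry["cveID"] in asset["patched"]:
                continue  # already remediated on this asset
            overdue = now > date.fromisoformat(entry["dueDate"])
            findings.append({"asset": asset["asset"], "cve": entry["cveID"],
                             "due": entry["dueDate"], "overdue": overdue})
    return findings


if __name__ == "__main__":
    for f in kev_findings(load_kev(KEV_FEED), INVENTORY, "2023-05-23"):
        print(f"{f['asset']}: {f['cve']} due {f['due']} {'OVERDUE' if f['overdue'] else 'open'}")
```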
