The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three flaws to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The security vulnerabilities are as follows –

  • CVE-2023-1389 (CVSS score: 8.8) – TP-Link Archer AX-21 Command Injection Vulnerability
  • CVE-2021-45046 (CVSS score: 9.0) – Apache Log4j2 Deserialization of Untrusted Data Vulnerability
  • CVE-2023-21839 (CVSS score: 7.5) – Oracle WebLogic Server Unspecified Vulnerability

CVE-2023-1389 concerns a case of command injection affecting TP-Link Archer AX-21 routers that could be exploited to achieve remote code execution. According to Trend Micro’s Zero Day Initiative, the flaw has been put to use by threat actors associated with the Mirai botnet since April 11, 2023.

The second flaw to be added to the KEV catalog is CVE-2021-45046, a remote code execution affecting the Apache Log4j2 logging library that came to light in December 2021.

It’s currently not clear how this specific vulnerability is being abused in the wild, although data gathered by GreyNoise shows evidence of exploitation attempts from as many as 74 unique IP addresses over the past 30 days. This, however, also includes CVE-2021-44228 (aka Log4Shell).

Completing the list is a high-severity bug in Oracle WebLogic Server versions 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0 that could allow unauthorized access to sensitive data. It was patched by the company as part of updates released in January 2023.

“Oracle WebLogic Server contains an unspecified vulnerability that allows an unauthenticated attacker with network access via T3, IIOP, to compromise Oracle WebLogic Server,” CISA said.

While there exists proof-of-concept (PoC) exploits for the flaw, there do not appear to be any public reports of malicious exploitation.

Federal Civilian Executive Branch (FCEB) agencies are required to apply vendor-provided fixes by May 22, 2023, to secure their networks against these active threats.

The advisory also comes a little over a month after VulnCheck revealed that nearly four dozen security flaws that have likely been weaponized in the wild in 2022 are missing from the KEV catalog.

Of the 42 vulnerabilities, an overwhelming majority are related to exploitation by Mirai-like botnets (27), followed by ransomware gangs (6) and other threat actors (9).