The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation, while removing five bugs from the list due to lack of adequate evidence.

The vulnerabilities newly added are below –

  • CVE-2023-42793 (CVSS score: 9.8) – JetBrains TeamCity Authentication Bypass Vulnerability
  • CVE-2023-28229 (CVSS score: 7.0) – Microsoft Windows CNG Key Isolation Service Privilege Escalation Vulnerability

CVE-2023-42793 relates to a critical authentication bypass vulnerability that allows for remote code execution on TeamCity Server. Data gathered by GreyNoise has revealed exploitation attempts targeting the flaw from 74 unique IP addresses to date.

On the other hand, CVE-2023-28229 is a high-severity flaw in the Microsoft Windows Cryptographic Next Generation (CNG) Key Isolation Service that allows an attacker to gain specific limited SYSTEM privileges.

There are currently no public reports documenting in-the-wild exploitation of the bug, and CISA has not disclosed any further details about the attacks or exploitation scenarios. A proof-of-concept (PoC) was made available early last month.

Microsoft, for its part, tagged CVE-2023-28229 with an “Exploitation Less Likely” assessment. It was patched by the tech giant as part of Patch Tuesday updates released in April 2023.

The cybersecurity agency has also removed five flaws affecting Owl Labs Meeting Owl from the KEV catalog, citing “insufficient evidence.”

While CVE-2022-31460 was added in June 2022, four other vulnerabilities (CVE-2022-31459, CVE-2022-31461, CVE-2022-31462, and CVE-2022-31463) were added on September 18, 2023.

In light of the active exploitation of the two flaws, Federal Civilian Executive Branch (FCEB) agencies are required to apply the vendor-provided patches by October 25, 2023, to secure their networks against potential threats.