The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.

The first, CVE-2023-20963, is an Android Framework privilege escalation vulnerability. It lets an attacker escalate privileges after an app is updated to a higher Target SDK, with no additional execution privileges needed. Google acknowledged the vulnerability in its monthly Android Security Bulletin for March 2023, and it is believed to be under limited, targeted exploitation.

The second, CVE-2023-29492, is an insecure deserialization vulnerability in Novi Survey software that allows remote attackers to execute code on the server. The provider addressed the vulnerability on April 10, 2023, and it is currently not known how the flaw is being exploited.

Federal Civilian Executive Branch (FCEB) agencies in the U.S. are advised to apply the necessary patches by May 4, 2023, to counter the risks posed by these vulnerabilities.
To mitigate these potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA (www.infrascan.net).
Source: The Hacker News