CISA added the critical flaw, CVE-2024-12356, to its catalog of Known Exploited Vulnerabilities (KEV) on December 19, an action that indicated the agency had knowledge of an exploit in the wild. This has led some to believe that it may have been a bug that was used in the attack that resulted in the damage to the US Treasury Department’s facilities.
The second error is also exploited in the field
However, on Monday, CISA added a second medium vulnerability, CVE-2024-12686, to KEV as well. It is not clear whether this was used as part of the same attack or a new one after the BeyondTrust disclosure. As per the CISA mandate, federal agencies have until February 3rd to determine if they have any at-risk referrals and ensure that the patches are implemented.
Last week, in a review of its investigation into the Ministry of Finance breach, CISA said it had no indications that other government agencies were involved in the attack.
Source link