Vulnerability Management, Patch/Configuration Management

CISA Adds Critical Microsoft, Synacor Zero-Days to KEV List

The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to include critical zero-day flaws impacting the Microsoft Partner Center website and Synacor Zimbra Collaboration Suite, according to SC Media.

Attacks leveraging the Microsoft Partner Center site's improper access control flaw, tracked as CVE-2024-49035, could facilitate escalated privileges without authentication, noted Microsoft, which initially reported its active exploitation in November.

On the other hand, the Synacor ZCS cross-site scripting (XSS) issue, tracked as CVE-2023-37580, was reported to have been used in attacks involving a malicious script since November 2023.

CISA urged organizations to remediate the newly added security bugs and to assess Palo Alto Networks' recent alert detailing attacks that exploit the PAN-OS vulnerabilities CVE-2024-0012 and CVE-2024-9474 as part of the Operation Lunar Peek campaign, which has been under way since November, when both flaws were also added to the KEV catalog.
