The Cybersecurity and Infrastructure Security Agency added a Microsoft Exchange Server flaw linked to the Play ransomware attack on Rackspace to its catalog of known exploited vulnerabilities Tuesday.
The privilege escalation vulnerability, tracked as CVE-2022-41080, was linked to the Dec. 2 ransomware attack that disrupted email access for thousands of Hosted Exchange customers at Rackspace.
CrowdStrike disclosed an attack method, which it calls OWASSRF, that chains CVE-2022-41080 with CVE-2022-41082 (the remote code execution half of ProxyNotShell) to achieve remote code execution through Outlook Web Access. Because the chain enters through the OWA endpoint rather than Autodiscover, the URL rewrite mitigation Microsoft had recommended for ProxyNotShell does not block it; only Exchange servers that have installed the November 2022 security update are protected.
CrowdStrike researchers discovered the attack method while investigating prior Play ransomware intrusions; the group had previously been observed attacking targets in Latin America. CISA did not say whether these specific attacks are continuing, but vulnerabilities are added to the KEV catalog on the basis of evidence of active exploitation.
CISA also added CVE-2023-21674, a privilege escalation vulnerability in Windows Advanced Local Procedure Call (ALPC) that Microsoft patched in its January Patch Tuesday release, to its catalog. The flaw arises when Windows improperly handles ALPC calls, allowing an attacker to escalate from code running inside the Chromium sandbox to kernel-level execution, according to researchers at Automox.
Binding Operational Directive 22-01 requires federal civilian agencies to remediate the newly listed vulnerabilities by January 31.
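For teams that track KEV additions against their own asset inventory, the following script is an added example (not code from the article, CISA or CrowdStrike) that parses a feed in the JSON layout CISA publishes at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and reports, for each CVE you care about, whether it is listed, what the required action is, and how many days remain until the BOD 22-01 due date. The feed text embedded below is constructed to mirror that schema; its dates and descriptions are illustrative only, and the field names are an assumption to verify against the live feed before relying on them.

```python
"""Triage a CVE inventory against a CISA KEV-style JSON feed.

Added example, not the article's or CISA's own code. SAMPLE_KEV_JSON is a
constructed stand-in for the live feed; swap in the downloaded file for real use.
"""
import json
from datetime import date
from typing import Dict, List

# Constructed sample in the shape of the live KEV feed (field names assumed
# from the published JSON; dates here are illustrative, not authoritative).
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2022-41082", "vendorProject": "Microsoft",
         "product": "Exchange Server",
         "vulnerabilityName": "Microsoft Exchange Server Remote Code Execution Vulnerability",
         "dateAdded": "2022-09-30", "shortDescription": "constructed sample",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-10-21", "notes": ""},
        {"cveID": "CVE-2022-41080", "vendorProject": "Microsoft",
         "product": "Exchange Server",
         "vulnerabilityName": "Microsoft Exchange Server Privilege Escalation Vulnerability",
         "dateAdded": "2023-01-10", "shortDescription": "constructed sample",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2023-01-31", "notes": ""},
        {"cveID": "CVE-2023-21674", "vendorProject": "Microsoft",
         "product": "Windows",
         "vulnerabilityName": "Microsoft Windows ALPC Privilege Escalation Vulnerability",
         "dateAdded": "2023-01-10", "shortDescription": "constructed sample",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2023-01-31", "notes": ""},
    ],
})


def load_kev(feed_text: str) -> Dict[str, dict]:
    """Index a KEV feed by upper-cased CVE ID; fail loudly on a wrong layout."""
    feed = json.loads(feed_text)
    entries = feed.get("vulnerabilities")
    if not isinstance(entries, list):
        raise ValueError("feed has no 'vulnerabilities' list; schema changed?")
    return {entry["cveID"].upper(): entry for entry in entries}


def triage(inventory: List[str], kev: Dict[str, dict], today: date) -> List[dict]:
    """One row per inventory CVE, most urgent first.

    days_left is negative once the BOD 22-01 due date has passed; CVEs that are
    not in the catalog are kept (they may still need patching) but sorted last.
    """
    rows = []
    for cve in inventory:
        cve_id = cve.strip().upper()
        entry = kev.get(cve_id)
        if entry is None:
            rows.append({"cve": cve_id, "in_kev": False, "days_left": None,
                         "status": "not in KEV"})
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        rows.append({
            "cve": cve_id, "in_kev": True,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": entry["dueDate"], "days_left": days_left,
            "action": entry["requiredAction"],
            "status": "overdue" if days_left < 0 else f"due in {days_left} days",
        })
    # Listed CVEs first, then soonest due date, then CVE ID for a stable report.
    rows.sort(key=lambda r: (not r["in_kev"],
                             r["days_left"] if r["days_left"] is not None else 10**6,
                             r["cve"]))
    return rows


def format_report(rows: List[dict]) -> str:
    """Render triage rows as one line each for a ticket or chat message."""
    lines = []
    for r in rows:
        if r["in_kev"]:
            lines.append(f'{r["cve"]}  {r["product"]}  due {r["due"]}  '
                         f'{r["status"]}  action: {r["action"]}')
        else:
            lines.append(f'{r["cve"]}  {r["status"]}')
    return "\n".join(lines)


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    # CVE-0000-00000 is a deliberately invalid placeholder for "not listed".
    report = triage(["cve-2023-21674", "CVE-2022-41080", "CVE-2022-41082",
                     "CVE-0000-00000"], catalog, date(2023, 1, 20))
    print(format_report(report))
```

To run against the real catalog, download the feed file and pass its contents to load_kev; the schema check raises rather than silently reporting everything as "not in KEV" if CISA changes the layout.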