Advertise with Us
CybersecurityUpdate

CISA Adds Acclaim USAHERDS Vulnerability to Vulnerabilities Catalog

CISA has added a vulnerability impacting the Acclaim USAHERDS web application to its list of Known Exploited Vulnerabilities Catalog....
CISA Adds Acclaim USAHERDS Vulnerability to Vulnerabilities Catalog
Written by Matt Milano
Saturday, December 28, 2024

CISA has added a vulnerability impacting the Acclaim USAHERDS web application to its list of Known Exploited Vulnerabilities Catalog.

According to a report from security Mandiant, the issue stems from the application using static key values.

The Acclaim USAHERDS web application 7.4.0.1 and Earlier, builds prior to November 2021, used static ValidationKey and DecryptionKey values.

Mandiant says the exploitability is low, given that the key “values would need to be obtained via a separate vulnerability or other channel.” Nonetheless, if the key values are discovered, a bad actor could use them to execute code on the compromised server.

These keys are used to provide security for the application ViewState. A threat actor with knowledge of these keys can trick the application server into deserializing maliciously crafted ViewState data. A threat actor with knowledge of the validationKey and decryptionKey for a web application can construct a malicious ViewState that passes the MAC check and will be deserialized by the server. This deserialization can result in the execution of code on the server.

Despite its low exploitability, CISA says the vulnerability is being actively exploited, leading to its inclusion in the Catalog.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Organizations should apply the necessary patches and mitigations as soon as possible.

Subscribe for Updates

CybersecurityUpdate Newsletter

News & updates related to cyber security software, alerts, strategies & businesses.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.
Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us
About Us

WebProNews is a leading publisher of business and technology email newsletters and websites.

Reach our audience
Publication Categories
WebProNews is an iEntry Publication
©2024 iEntry, Inc. All rights reserved. Privacy Policy | Legal | Contact Us |