The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added critical SonicWall and Microsoft vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming that both sets of flaws are under active exploitation and demanding immediate remediation.

The additions, reported by Security Affairs on 15 July, include multiple high-severity SonicWall SMA appliance flaws and a Microsoft Windows privilege escalation vulnerability that attackers are already leveraging in real-world campaigns.

What Was Added

According to Security Affairs reporting, the newly cataloged vulnerabilities encompass a cluster of issues affecting SonicWall's Secure Mobile Access (SMA) appliances. These include CVE-2024-21887, a command injection flaw; CVE-2024-21893, a server-side request forgery (SSRF) vulnerability; and a context-specific instance of the infamous Log4Shell flaw (CVE-2021-44228). The Log4Shell vulnerability, first disclosed in 2021, continues to surface in new attack scenarios.

On the Microsoft side, CVE-2024-30088, an elevation of privilege vulnerability in Windows systems, has been added. This flaw was originally addressed in Microsoft's June 2024 Patch Tuesday cycle.

Why This Matters

Listing a vulnerability in CISA's KEV catalog carries significant weight. For U.S. Federal Civilian Executive Branch (FCEB) agencies, it triggers a binding remediation mandate under Binding Operational Directive 22-01. The deadline for these specific flaws has already passed, meaning non-compliant agencies face potential enforcement actions.

For the private sector globally, the KEV catalog serves as a critical prioritization benchmark. It shifts focus from theoretical severity scores, like CVSS, to data-driven, real-world exploitation evidence. The continued use of Log4Shell in SonicWall attacks highlights the "long tail" of vulnerability risk—flaws can resurface and remain dangerous years after their initial disclosure, demanding persistent vigilance.

The SonicWall Context

SonicWall confirmed the active exploitation of two zero-day vulnerabilities in its products. The SMA platform is widely deployed as a remote access solution, making it a prime target for attackers seeking initial network access.

The combination of command injection and SSRF capabilities provides attackers a powerful toolkit. Command injection allows adversaries to execute arbitrary code on appliances, while SSRF can be used to pivot into internal network resources. When chained, these flaws can enable rapid lateral movement and data exfiltration.

What Organizations Should Do

For SonicWall SMA 100 or 1000 series appliances, applying all available vendor patches is the primary recommendation. Where immediate patching isn't possible, strict network segmentation and disabling non-essential management interfaces can serve as interim measures.

For Microsoft Windows environments, ensuring the full deployment of the June 2024 Patch Tuesday updates eliminates the CVE-2024-30088 risk.

The overarching lesson is that effective vulnerability management must be driven by active exploitation data. Flaws that appear dormant can reappear in campaigns, as the Log4Shell recurrence demonstrates.

Global Relevance

While CISA's directives apply only to U.S. federal agencies, the KEV catalog is increasingly treated as a global benchmark by security teams and managed service providers. Organizations worldwide that operate SonicWall or Microsoft Windows infrastructure should consider these cataloged vulnerabilities in their own risk assessments and patching priorities.


美國網絡安全和基礎設施安全局(CISA)已將多個關鍵的 SonicWall 及 Microsoft 漏洞納入其「已知被積極利用漏洞」(KEV)目錄,確認上述漏洞正遭積極利用,並要求立即進行補救。

據 Security Affairs 於 7 月 15 日報導,此次新增的漏洞包括多個高嚴重性的 SonicWall SMA 設備漏洞,以及攻擊者已於實際攻擊行動中利用的 Microsoft Windows 權限提升漏洞。

新增內容

根據 Security Affairs 報導,新納入目錄的漏洞涵蓋一系列影響 SonicWall 安全流動存取(SMA)設備的問題。其中包括命令注入漏洞 CVE-2024-21887、伺服器端請求偽造(SSRF)漏洞 CVE-2024-21893,以及臭名昭著的 Log4Shell 漏洞(CVE-2021-44228)的一個特定實例。Log4Shell 漏洞於 2021 年首次披露,至今仍持續出現在新的攻擊場景中。

在 Microsoft 方面,CVE-2024-30088——一個 Windows 系統的權限提升漏洞——已被納入目錄。該漏洞最初已於 Microsoft 2024 年 6 月的「修補程式星期二」更新週期中處理。

為何重要

漏洞被列入 CISA 的 KEV 目錄具有重大意義。對美國聯邦民事行政部門(FCEB)機構而言,這觸發了《強制性營運指令 22-01》下的強制補救要求。這些特定漏洞的補救期限已過,意味著不合規的機構可能面臨強制執法行動。

對全球私營部門而言,KEV 目錄是關鍵的優先級排序基準。它將焦點從理論性的嚴重性評分(如 CVSS)轉向以數據為基礎、基於實際被利用證據的評估。Log4Shell 在 SonicWall 攻擊中持續被利用,凸顯了漏洞風險的「長尾效應」——漏洞可能在初次披露多年後重新出現並持續構成威脅,需要持續保持警惕。

SonicWall 相關背景

SonicWall 證實其產品中有兩個零日漏洞正遭積極利用。SMA 平台作為遠端存取解決方案被廣泛部署,使其成為攻擊者尋求初步網絡存取的首要目標。

命令注入與 SSRF 能力的結合為攻擊者提供了強大的工具包。命令注入允許攻擊者在設備上執行任意代碼,而 SSRF 可用於轉向內部網絡資源。當這些漏洞被串連利用時,可能導致快速的橫向移動和數據外洩。

機構應採取的措施

對於 SonicWall SMA 100 或 1000 系列設備,首要建議是套用所有可用的供應商補丁。若無法立即修補,嚴格的網絡分段和禁用非必要的管理界面可作為臨時措施。

對於 Microsoft Windows 環境,確保完整部署 2024 年 6 月的「修補程式星期二」更新即可消除 CVE-2024-30088 的風險。

總體而言,有效的漏洞管理必須以積極利用的數據為驅動力。正如 Log4Shell 再次出現所示,看似休眠的漏洞可能在攻擊行動中重新浮現。

全球相關性

雖然 CISA 的指令僅適用於美國聯邦機構,但安全團隊和託管服務供應商日益將 KEV 目錄視為全球基準。全球所有運營 SonicWall 或 Microsoft Windows 基礎設施的機構,在自身的風險評估和修補優先級設定時,應考慮這些已列入目錄的漏洞。

新聞來源 / Original News Source