Today, CISA and FBI are releasing their newest Secure by Design Alert in the series, Eliminating OS Command Injection Vulnerabilities, in response to recent well-publicized threat actor campaigns that exploited OS command injection defects in network edge devices (CVE-2024-20399, CVE-2024-3400, CVE-2024-21887) to target and compromise users. These vulnerabilities allowed unauthenticated malicious actors to remotely execute code on network edge devices.
OS command injection vulnerabilities have long been preventable by clearly separating user input from the contents of a command. Despite this finding, OS command injection vulnerabilities—many of which result from CWE-78—are still a prevalent class of vulnerability.
CISA and FBI urge CEOs and other business leaders at technology manufacturers to request their technical leaders analyze past occurrences of this class of defect and develop a plan to eliminate them in the future. For more on how to champion Secure by Design principles, visit our webpage. To join with the 150+ other companies who have signed our Secure by Design pledge, visit here.
Systems Affected Any system running Microsoft Windows (Windows 95 and newer) that are used…
Systems Affected Microsoft Windows systems running Internet Explorer 5.01 Internet Explorer 5.50 Internet Explorer…
Systems Affected Check Point Firewall-1 NG FCS Check Point Firewall-1 NG FP1 Check Point…
Systems Affected Systems running Microsoft Windows Overview Microsoft Windows contains multiple vulnerabilities,…
Systems Affected Systems running Microsoft Office XP and Outlook 2002 Overview There…
Systems Affected Applications and systems that use the OpenSSL SSL/TLS library Overview …
This website uses cookies.