Weekly Vulnerabilities Review (June 7 – June 14)
Weekly Vulnerabilities Review (June 7 – June 14)

Let’s take a look at a brief overview of new cybersecurity solutions from last week. In the spotlight: VMware, SAP, Microsoft, Adobe, Fortinet, Progress Software, FortiGate, Honda.

On Wednesday, VMware, a leader in virtualization technology, urgently issued patches to address security weaknesses in its Aria Operations for Networks product. These vulnerabilities could potentially allow businesses to fall victim to remote code execution attacks. The company published an advisory acknowledging three critical vulnerabilities in the network and application monitoring tool, highlighting a command injection issue (CVE-2023-20887) that holds a CVSSv3 base score of 9.8/10.

On its June 2023 Security Patch Day, SAP unveiled eight new security notes on Tuesday, with two of these addressing high-severity vulnerabilities. In addition, five existing notes were updated. A significant XSS issue in UI5 Variant Management was fixed by one of SAP’s most critical new security notes.

Microsoft’s security team introduced a comprehensive set of software patches on Tuesday to close significant security vulnerabilities in its Windows operating system and software components. The tech giant’s monthly Patch Tuesday updates rectify at least 70 known vulnerabilities across the Windows platform, among which six are deemed critical and could subject users to severe code execution attacks.

On the same day, Adobe, a significant player in software from Silicon Valley, rolled out patches for serious flaws across various products. These included twelve vulnerabilities that could put Adobe Commerce users at risk of code execution attacks. Through its regular Patch Tuesday updates, Adobe addressed at least 12 security vulnerabilities in the widely used Adobe Commerce (formerly Magento) product, warning that successful exploitation may result in arbitrary code execution, security feature bypass, and arbitrary file system read.

On Monday, Fortinet issued a warning to its customers that the vulnerability recently patched, known as CVE-2023-27997, might be a zero-day flaw already used in limited attacks. Over the weekend, it was revealed that Fortinet had released updates for its FortiOS operating system to patch CVE-2023-27997, a severe vulnerability that could be exploited by a remote, unauthenticated attacker to execute arbitrary code.

Progress Software announced another series of patches for its MOVEit products following the discovery of new vulnerabilities during the analysis of a recent zero-day exploit. The announcement coincided with additional organizations revealing they were impacted by the zero-day attack.

A critical FortiGate vulnerability that could potentially be exploited by an unauthenticated attacker for remote code execution was patched by Fortinet, as per the researchers who disclosed the flaw to the company. The vulnerability, known as CVE-2023-27997, was identified by researchers at the French IT security firm Lexfo.

Lastly, a researcher revealed details of severe vulnerabilities found in a Honda ecommerce platform used for equipment sales. If exploited, these flaws could allow an attacker to access both customer and dealer information. The security issues and data exposure were discovered earlier this year by US-based researcher Eaton Zveare, who informed Honda of his findings in mid-March.