The US cybersecurity agency CISA on Tuesday added several flaws to its Known Exploited Vulnerabilities (KEV) catalog, including a .NET vulnerability patched last year.
The .NET vulnerability added to the agency’s KEV list is CVE-2024-29059, an information disclosure issue that can lead to unauthenticated remote code execution.
Microsoft patched the vulnerability in January 2024, and details and a proof-of-concept (PoC) exploit were made public a few weeks later.
At least one cybersecurity firm added detections for CVE-2024-29059 exploitation attempts to its products last year, but there do not appear to be any public reports describing attacks that involve this vulnerability.
Microsoft has yet to update its advisory to indicate that the vulnerability has been publicly disclosed and exploited, but the tech giant’s initial advisory does assign an exploitation assessment of ‘exploitation more likely’.
CISA also added two old Paessler PRTG Network Monitor vulnerabilities to the KEV catalog: CVE-2018-9276, an OS command injection issue, and CVE-2018-19410, a local file inclusion flaw.
These vulnerabilities were patched in 2018, and exploiting them for arbitrary code or command execution requires administrator privileges on the PRTG system administrator console. There do not appear to be any public reports describing exploitation of these security holes.
CISA has also added CVE-2024-45195, a remote code execution bug affecting Apache OFBiz, to its KEV catalog. This is not surprising, considering that CVE-2024-45195 is a variant of a flaw that has been known to be exploited since the summer of 2024.
However, there still do not appear to be any public reports describing the attacks involving exploitation of CVE-2024-45195.