U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Draytek VigorConnect and Kingsoft WPS Office bugs to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) [added](https://www.cisa.gov/news-events/alerts/2024/09/03/cisa-adds-three-known-exploited-vulnerabilities-catalog) Draytek VigorConnect and Kingsoft WPS Office vulnerabilities to its [Known Exploited Vulnerabilities (KEV) catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog).

Below are the descriptions for these vulnerabilities:

* [CVE-2021-20123](https://www.cve.org/CVERecord?id=CVE-2021-20123) Draytek VigorConnect Path Traversal Vulnerability: A local file inclusion issue in Draytek VigorConnect 1.6.0-B3 allows unauthenticated attackers to exploit the file download functionality of the DownloadFileServlet endpoint. This flaw enables attackers to download arbitrary files from the underlying operating system with root privileges, posing a significant security risk.
* [CVE-2021-20124](https://www.cve.org/CVERecord?id=CVE-2021-20124) Draytek VigorConnect Path Traversal Vulnerability: A local file inclusion vulnerability in Draytek VigorConnect 1.6.0-B3 affects the WebServlet endpoint's file download functionality. This flaw allows unauthenticated attackers to download arbitrary files from the underlying operating system with root privileges, posing a serious security threat.
* [CVE-2024-7262](https://www.cve.org/CVERecord?id=CVE-2024-7262) Kingsoft WPS Office Path Traversal Vulnerability: An improper path validation vulnerability in Kingsoft WPS Office (versions 12.2.0.13110 to 12.2.0.16412) allows attackers to load arbitrary Windows libraries via promecefpluginhost.exe. This flaw has been weaponized in a single-click exploit, delivered through a deceptive spreadsheet document.

At the end of August, ESET researchers [**reported**](https://securityaffairs.com/167825/hacking/apt-c-60-wps-office-zero-day.html) that the South Korea-linked group APT-C-60 exploited a zero-day, tracked as CVE-2024-7262, in the Windows version of WPS Office to deploy the SpyGlace backdoor on the systems of targets in East Asia.

WPS Office is a comprehensive office productivity suite developed by the Chinese software company Kingsoft and is widely used in Asia. It provides users with a range of tools for creating, editing, and managing documents, spreadsheets, presentations, and PDFs. According to the [WPS website](https://www.wps.com/office/windows/), WPS Office has over 500 million active users worldwide.

According to [Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](https://cyber.dhs.gov/bod/22-01/), FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog. Experts also recommend that private organizations review the [Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by September 24, 2024.

[**Pierluigi Paganini**](http://www.linkedin.com/pub/pierluigi-paganini/b/742/559)
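As an added illustration, not part of the original article, of how a defender would act on this KEV entry: the script below matches a KEV-shaped record for the three CVEs against an asset inventory and reports how many days remain before the September 24, 2024 due date. The KEV field names (`cveID`, `product`, `dueDate`) are an assumption about the catalog's JSON feed, the inventory is hypothetical, and the affected-version rules are taken from the advisory text above.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (field names are an
# assumption about the feed format; dates and CVEs come from the advisory text).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-20123", "vendorProject": "Draytek", "product": "VigorConnect",
     "dateAdded": "2024-09-03", "dueDate": "2024-09-24"},
    {"cveID": "CVE-2021-20124", "vendorProject": "Draytek", "product": "VigorConnect",
     "dateAdded": "2024-09-03", "dueDate": "2024-09-24"},
    {"cveID": "CVE-2024-7262", "vendorProject": "Kingsoft", "product": "WPS Office",
     "dateAdded": "2024-09-03", "dueDate": "2024-09-24"},
]})

# Hypothetical asset inventory: product -> list of (host, installed version).
INVENTORY = {
    "WPS Office": [("ws-01", "12.2.0.13110"), ("ws-02", "12.2.0.16412"), ("ws-03", "12.2.0.17000")],
    "VigorConnect": [("mgmt-01", "1.6.0-B3"), ("mgmt-02", "1.7.0")],
}

def _ver(v):
    """Turn a dotted numeric version like 12.2.0.13110 into a comparable tuple."""
    return tuple(int(x) for x in v.split("."))

# Affected-version predicates per CVE, as stated in the advisory:
# VigorConnect 1.6.0-B3 only; WPS Office 12.2.0.13110 through 12.2.0.16412 inclusive.
AFFECTED = {
    "CVE-2021-20123": lambda v: v == "1.6.0-B3",
    "CVE-2021-20124": lambda v: v == "1.6.0-B3",
    "CVE-2024-7262": lambda v: _ver("12.2.0.13110") <= _ver(v) <= _ver("12.2.0.16412"),
}

def triage(kev_json, inventory, today):
    """Return [(cve, host, version, days_left)] for every exposed asset.
    days_left < 0 means the BOD 22-01 due date has already passed."""
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        cve, product = entry["cveID"], entry["product"]
        due = date.fromisoformat(entry["dueDate"])
        is_affected = AFFECTED.get(cve)
        if is_affected is None:
            continue  # no version rule for this CVE; skip rather than guess
        for host, version in inventory.get(product, []):
            if is_affected(version):
                findings.append((cve, host, version, (due - today).days))
    return findings

if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, date(2024, 9, 10)):
        print("%s on %s (%s): %d days until due" % f)
```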