"CISA: Hackers Exploit Critical Bitbucket Server Flaw in Attacks"

The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) has added three new security flaws to its list of vulnerabilities used in attacks, including a Bitbucket Server Remote Code Execution (RCE) flaw and two Microsoft Exchange zero-days.

CISA's Known Exploited Vulnerabilities (KEV) catalog now includes the two Microsoft Exchange zero-days, tracked as CVE-2022-41040 and CVE-2022-41082, which, according to Microsoft, have been exploited in limited, targeted attacks. Microsoft has not yet released security updates for these two actively exploited bugs, but it has shared mitigation measures that require customers to add an IIS server blocking rule to prevent attack attempts.

The third flaw added to the KEV catalog is a critical-severity command injection vulnerability in Atlassian's Bitbucket Server and Data Center. An attacker who has access to a public repository, or read access to a private one, can exploit it through malicious HTTP requests to gain RCE. The flaw affects all Bitbucket Server and Data Center versions after 6.10.17, including 7.0.0 and up to 8.3.0. BinaryEdge and GreyNoise have confirmed that attackers have been scanning for and attempting to exploit this flaw in the wild since at least September 20th.

This article continues to discuss the Bitbucket Server RCE vulnerability and the two Microsoft Exchange zero-days added to CISA's KEV catalog.

Bleeping Computer reports "CISA: Hackers Exploit Critical Bitbucket Server Flaw in Attacks"