CISA, the US Cybersecurity and Infrastructure Security Agency, has expanded its list of known exploited Vulnerabilities (KEV) to include various Linux-related flaws.

The agency added seven new vulnerabilities to the KEV catalog. These vulnerabilities include Ruckus AP Remote Code Execution (CVE-2023-25717), Red Hat Polkit privilege escalation (CVE-2021-3560), Linux kernel privilege escalations (CVE-2014-0196 and CVE-2010-3904), Jenkins UI information disclosure (CVE-2015-5317), Apache Tomcat remote code execution (CVE-2016-8735), and an Oracle Java SE and JRockit issue (CVE-2016-3427).

Recently, a DDoS botnet named AndoryuBot has taken advantage of a product vulnerability in Ruckus, but no other reports of exploitation have surfaced for the newly added vulnerabilities in CISA’s catalog.

These vulnerabilities have been known for up to a decade, and technical details and PoC exploits are widely available. What ties these vulnerabilities together is their association with Linux, suggesting that attackers may have targeted Linux-based systems using these flaws.

NIST’s advisories for each vulnerability reference Linux distribution advisories that outline the impact and availability of patches to mitigate the risks associated with these vulnerabilities.

It’s possible that some of these vulnerabilities may have been targeted in attacks aimed at Android devices since it is not uncommon for attackers to exploit Linux kernel vulnerabilities in such attacks.

CISA also identified a link between two of the vulnerabilities: the Apache Tomcat vulnerability arose because a component was not updated to incorporate Oracle’s fix for the CVE-2016-3427 vulnerability.

Nevertheless, it remains unclear whether the same threat actor exploited these weaknesses or if multiple issues were combined or utilized as part of the same attack.