The U.S. Cyber and Infrastructure Security Agency (CISA) has updated its list of known exploited vulnerabilities with 15 new security issues that are a common attack vector against federal businesses.
The latest additions vary in severity and date of disclosure, with some rated as medium risk while others date back to 2013.
In combination with other factors such as the presence of a threat actor on the network, old and unpatched devices, and / or device exposure on the public Internet, the vulnerabilities constitute a serious security breach. and an opportunity for the adversaries.
Old bugs on the list
CISA compiled the new list after finding evidence that security issues newly added to the catalog of known exploited vulnerabilities are being used in ongoing attacks.
Of the 15 entries, only four are newer, from 2021 and another from 2020. The rest are over two years old, the oldest of which is from 2013 – a bug in the WinVerifyTrust function followed as CVE-2013-3900, which affects versions of Windows from XP SP2 through Server 2012.
Another old vulnerability dates from 2015, remote code execution in IBM WebSphere Application Server and Server Hy Server Hypervisor Edition, identified as CVE-2015-7450 and classified as critical (severity level 9.8 out of 10).
The table below shows all of the vulnerabilities the CISA wants federal agencies to address this month to strengthen defenses against active threats. CISA recommends apply available updates according to the vendor’s instructions.
|CVE ID||The description||
Correction due date
|NVD Severity Rating|
|CVE-2021-22017||VMware vCenter Server incorrect access control vulnerability||01/24/2022||5.3 (medium)|
|CVE-2021-36260||Incorrect entry validation vulnerability at Hikvision||01/24/2022||9.8 (critical)|
|CVE-2021-27860||FatPipe WARP, IPVPN and MPVPN Privilege Escalation vulnerability||01/24/2022||8.8 (high)|
|CVE-2020-6572||Google Chrome before 81.0.4044.92 Vulnerability after free use||07/10/2022||8.8 (high)|
|CVE-2019-1458||Microsoft Win32K elevation of privilege vulnerability||07/10/2022||7.8 (high)|
|CVE-2019-7609||Elastic Kibana remote code execution vulnerability||07/10/2022||10.0 (critical)|
|CVE-2019-2725||Oracle WebLogic Server Injection Vulnerability||07/10/2022||9.8 (critical)|
|CVE-2019-9670||Synacor Zimbra Collaboration Suite Inappropriate restriction of XML External Entity Reference Vulnerability||07/10/2022||9.8 (critical)|
|CVE-2019-10149||Exim Mail Transfer Agent (MTA) Bad Entry Validation Vulnerability||07/10/2022||9.8 (critical)|
|CVE-2019-1579||Palo Alto Networks PAN-OS Remote Code Execution Vulnerability||07/10/2022||8.1 (high)|
|CVE-2018-13383||Fortinet FortiOS and FortiProxy incorrect authorization vulnerability||07/10/2022||6.5 (medium)|
|Fortinet FortiOS and FortiProxy incorrect authorization vulnerability||07/10/2022||7.5 (high)|
|CVE-2017-100486||Primetek Primefaces application remote code execution vulnerability||07/10/2022||9.8 (critical)|
|CVE-2015-7450||Remote code execution vulnerability in IBM WebSphere Application Server and Server Hy Server Hypervisor Edition||07/10/2022||9.8 (critical)|
|Elastic Kibana remote code execution vulnerability||07/10/2022||N / A|
The CISA catalog of known exploited vulnerabilities is part of the Binding Operational Directive (BOD) 22-01 to reduce security risks and for better vulnerability management.
Under this directive, federal civilian agencies must identify and remedy the security issues listed in the catalog in their systems.
Although the catalog is primarily aimed at federal civilian agencies, it is a good reference for organizations of all types to reduce their exposure to cyber risks.
- Microsoft September 2021 Patch Tuesday fixes 2 zero-days, 60 flaws
- Microsoft October 2021 Patch Tuesday fixes 4 zero-days, 71 flaws
- Microsoft November 2021 Patch Tuesday fixes 6 zero-days, 55 flaws
- CISA Orders Federal Agencies To Fix Hundreds Of Exploited Security Flaws
- CISA tells federal agencies to patch actively exploited Chrome, Magento bugs