The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added a total of 75 security vulnerabilities, all known to be actively exploited, to its ‘significant risk’ listing in just three days this week. The risk of attack exposure from these exploited vulnerabilities, some of which reach back many years, is serious enough that CISA warns federal civilian executive branch (FCEB) agencies must ensure they are patched by the middle of June.
The mass vulnerability additions to the ‘Known Exploited Vulnerabilities Catalog’ started on May 23 when 21 such actively exploited security flaws went into the listing. These were joined on May 24 by the addition of another 20 new vulnerabilities, with the remaining 34 added to the catalog on May 25.
“A frequent attack vector for malicious cyber actors”
Although the vulnerabilities cover a wide range of both initial disclosure dates and impacted products, they are connected by the fact that CISA has evidence of active exploitation. They are all, CISA stated, “a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.” ‘Binding Operational Directive 22-01’, published in November 2021, requires those FCEB agencies by law to patch the vulnerabilities in the time frame given. This doesn’t mean that an ordinary, non-federal agency, organization or business can happily ignore the warning: CISA “strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.”
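The “prioritizing timely remediation of Catalog vulnerabilities” practice CISA describes comes down to a routine check: which open CVEs on your assets appear in the Known Exploited Vulnerabilities Catalog, and how close (or past) their CISA due dates are. The script below is an added illustration of that check, not code from the article or from CISA. It reads a catalog in the JSON shape of CISA's public KEV feed (the field names cveID, vendorProject, product, dateAdded, dueDate and requiredAction are the feed's own; the live file is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), but every catalog entry and inventory row embedded here is constructed sample data with placeholder CVE identifiers, so it runs offline. The inventory format (host plus list of open CVE IDs) is an assumption for the example.

```python
"""Triage an asset inventory against a KEV-style catalog by CISA due date.

Added example, not code from the article or from CISA. The catalog JSON
mirrors the field names of CISA's KEV feed; the entries themselves, the
inventory, and the CVE identifiers are constructed placeholders.
"""
import json
from datetime import datetime

# Constructed sample catalog in the shape of the KEV feed. The CVE IDs
# (CVE-0000-000xx) are placeholders, not real identifiers.
SAMPLE_KEV_JSON = json.dumps({
    "title": "Constructed sample catalog",
    "catalogVersion": "sample",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
         "product": "ExampleOS", "dateAdded": "2022-05-23",
         "dueDate": "2022-06-13",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor",
         "product": "ExampleRouter", "dateAdded": "2022-05-25",
         "dueDate": "2022-06-15",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor",
         "product": "LegacyApp", "dateAdded": "2022-03-01",
         "dueDate": "2022-03-22",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed sample inventory (assumed format): one row per host with the
# CVE IDs a scanner reports as still open on it.
INVENTORY = [
    {"host": "web-01", "open_cves": ["CVE-0000-00001", "CVE-0000-00099"]},
    {"host": "edge-fw", "open_cves": ["CVE-0000-00002", "CVE-0000-00003"]},
    {"host": "build-07", "open_cves": ["CVE-0000-00099"]},
]


def load_catalog(raw_json):
    """Index a KEV-shaped JSON document by cveID for O(1) lookups."""
    data = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def parse_day(text):
    """KEV dates are ISO calendar dates (YYYY-MM-DD)."""
    return datetime.strptime(text, "%Y-%m-%d").date()


def triage(inventory, catalog, today_iso):
    """Return one finding per (host, CVE) pair that is in the catalog.

    CVEs not in the catalog are skipped: they may still need patching, but
    they are not the ones CISA has evidence of active exploitation for.
    Findings are sorted most-urgent first (overdue, then soonest due date).
    """
    today = parse_day(today_iso)
    findings = []
    for asset in inventory:
        for cve in asset["open_cves"]:
            entry = catalog.get(cve)
            if entry is None:
                continue
            days_left = (parse_day(entry["dueDate"]) - today).days
            findings.append({
                "host": asset["host"],
                "cveID": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "dueDate": entry["dueDate"],
                "days_left": days_left,
                "status": "OVERDUE" if days_left < 0 else "DUE",
                "requiredAction": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (f["days_left"], f["host"]))
    return findings


def summarize(findings):
    """Count findings by status for a one-line report header."""
    return {
        "overdue": sum(1 for f in findings if f["status"] == "OVERDUE"),
        "due": sum(1 for f in findings if f["status"] == "DUE"),
    }


if __name__ == "__main__":
    catalog = load_catalog(SAMPLE_KEV_JSON)
    results = triage(INVENTORY, catalog, "2022-06-01")
    print(summarize(results))
    for f in results:
        print(f'{f["status"]:7} {f["host"]:9} {f["cveID"]:15} '
              f'due {f["dueDate"]} ({f["days_left"]:+d} days) {f["product"]}')
```

Pointing load_catalog at a downloaded copy of the real feed instead of SAMPLE_KEV_JSON turns this into a daily check; the catalog's dueDate is what BOD 22-01 binds FCEB agencies to, and a useful internal target for everyone else.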
Not just a warning for federal agencies but all organizations
I would hope that many of the vulnerabilities would already have been patched within your organization, especially given the oldest dates back to 2010. The most recent, however, are from this year and impact Microsoft Windows, VMware, Cisco, and F5.
Satya Gupta, founder and Chief Technology Officer of Virsec, adds another layer of urgency to the update warning. “One thing that is common in all the referenced vulnerabilities, as well as the ones in CISA’s ongoing advisories, is that these vulnerabilities are all exploitable remotely,” Gupta said. “Vulnerabilities that are exploitable remotely give bad actors an obscenely serious operating advantage over their victims, which are enterprises that didn’t patch fast enough.”