The Cybersecurity and Infrastructure Security Agency (CISA) has added 15 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below.
These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose a significant risk to the federal enterprise, CISA says.
CVE Number
CVE Title
Remediation Due Date
CVE-2021-36934
Microsoft Windows SAM Local Privilege Escalation Vulnerability
2/24/2022
CVE-2020-0796
Microsoft SMBv3 Remote Code Execution Vulnerability
8/10/2022
CVE-2018-1000861
Jenkins Stapler Web Framework Deserialization of Untrusted Data Vulnerability
Microsoft HTTP.sys Remote Code Execution Vulnerability
8/10/2022
CVE-2015-1130
Apple OS X Authentication Bypass Vulnerability
8/10/2022
CVE-2014-4404
Apple OS X Heap-Based Buffer Overflow Vulnerability
8/10/2022
More than half of the flaws are classified as remote code execution (RCE) vulnerabilities, one of the most dangerous types of vulnerabilities, as it gives the attacker the ability to run almost any code on the hacked site. “RCE, and other flaws such as XSS (Cross-Site Scripting), have long been included on the OWASP Top 10 list, so why aren’t companies better equipped to protect against these attacks?” says Pravin Madhani, CEO and Co-Founder of K2 Cyber Security.
In order to protect against known, as well as unknown vulnerabilities, security teams should put in place an active application security program that detects and remediates vulnerabilities in pre-production, and then secures applications at runtime, Madhani says. In addition, enterprises should look for vulnerability detection tools that pinpoint the problem and provide detailed telemetry for faster remediation. “During production, runtime application protection tools, which sit close to the application and confirm if it is executing correctly, can protect applications from any vulnerabilities missed during the build process.”
With many security teams being overworked and overwhelmed, the clarity from CISA on what deserves their priority and attention is of great value, says Bud Broomhead, CEO at Viakoo. But, with close to 170,000 known vulnerabilities, priority should be given to the ones causing real damage right now, not ones that, in theory, could cause damage, Broomhead adds.
In addition, cybercriminals are leveraging older vulnerabilities in exploits against new device targets, specifically the Internet of Things (IoT) devices, Broomhead explains. “A good example of this are vulnerabilities that enable man-in-the-middle attacks; virtually all IT systems are protected against this threat, but IoT systems often are not, leading threat actors to revisit these older vulnerabilities knowing that network-connected IoT devices can be exploited through them. This would lead to a vulnerability discovered years ago being added recently to the CISA catalog,” he says.
