The US Cybersecurity and Infrastructure Security Agency (CISA) has added 15 new security issues to its list of known exploited vulnerabilities, which are a common attack vector against government organizations. The most recent additions range in severity and timing of disclosure, with some categorized as medium hazards and others dating back to 2013.
The vulnerabilities constitute a severe security gap and an opportunity for adversaries when combined with additional factors such as a threat actor's presence on the network, outdated and unpatched devices, and/or device exposure on the public internet.
CISA prepared the updated list after finding evidence that the security flaws newly added to the Catalog of Known Exploited Vulnerabilities are being leveraged in active attacks. Only four of the 15 entries are newer – one from 2021 and another from 2020. The remaining are older than two years, with the oldest being CVE-2013-3900, a problem in the WinVerifyTrust function that affects Windows versions from XP SP2 to Server 2012.
Another vulnerability that has been around for a while is from 2015. It is an RCE vulnerability in IBM WebSphere Application Server and Server Hypervisor Edition, designated as CVE-2015-7450 and classed as critical (severity level 9.8 out of 10). CISA advises following the vendor's instructions for installing available updates.
The Binding Operational Directive (BOD) 22-01, which aims to reduce security risks and improve vulnerability management, includes CISA's inventory of known exploited flaws. Under this directive, federal civilian agencies must identify and remediate the security issues listed in the catalog on their systems. Although the catalog is primarily intended for federal civilian agencies, it is a valuable resource for enterprises of all sizes seeking to limit their cyber risk exposure.