The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has been extremely active in helping both the public sector and private sector respond to cybersecurity threats, and is often one of the leading voices when new threats emerge.
The agency, part of DHS, has released guides, advisories and other resources on current and historical threats, and its activity has increased significantly over the last few years. That includes regularly updating its catalog of known exploited vulnerabilities; the most recent update came late last week.
CISA added 15 security bugs that are being actively exploited, including in Microsoft, Apache, Oracle, Apple, D-Link and Jenkins products. The majority of the newly disclosed bugs being actively exploited are several years old, which highlights the importance of quickly patching software vulnerabilities as patches become available.
Federal agencies are instructed to patch the most recent vulnerability, a local privilege escalation bug in the Windows Security Account Manager (SAM), by Feb. 24. The flaw, tracked as CVE-2021-36934, could allow a local attacker to run arbitrary code with SYSTEM privileges. Microsoft issued a patch for this vulnerability in August 2021.
For the other 14 known exploited vulnerabilities added to CISA’s list, federal agencies have until Aug. 10 to fix the vulnerabilities, the oldest of which is an Apple bug from 2014.
The agency has been maintaining the list since November, and has already added more than 360 entries.
According to the agency, the entries are based on evidence that threat actors are actively exploiting the vulnerabilities and are using them as a frequent attack vector for malicious activities of all types.
CISA’s catalog of known exploited vulnerabilities launched on Nov. 3 as part of the agency’s Binding Operational Directive (BOD) 22-01, which requires federal civilian agencies to remediate cataloged vulnerabilities within specific timeframes.
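The practical way to act on the directive is to diff the catalog against your own asset inventory and rank findings by CISA's due date. The following is an added example, not code from the article or from CISA: it parses a small excerpt in the shape of CISA's public KEV JSON feed (field names such as `cveID`, `dateAdded` and `dueDate` are taken from that feed, which the article does not describe), joins it against a constructed host inventory, and reports which findings are past their BOD 22-01 deadline. The Windows SAM entry uses the CVE ID and due date given in the article; its `dateAdded`, the Apple entry's CVE ID and the host names are assumptions made for the example.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. The first entry's CVE ID and
# due date come from the article; dateAdded values and the Apple CVE ID are assumptions.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2021-36934",
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Microsoft Windows SAM Local Privilege Escalation Vulnerability",
            "dateAdded": "2022-02-10",
            "dueDate": "2022-02-24",
            "requiredAction": "Apply updates per vendor instructions.",
        },
        {
            "cveID": "CVE-2014-4404",  # assumed ID for the 2014 Apple entry the article mentions
            "vendorProject": "Apple",
            "product": "OS X",
            "vulnerabilityName": "Apple OS X Heap-Based Buffer Overflow Vulnerability",
            "dateAdded": "2022-02-10",
            "dueDate": "2022-08-10",
            "requiredAction": "Apply updates per vendor instructions.",
        },
    ],
})

# Constructed inventory: hostname -> CVEs a scanner still reports as unpatched.
INVENTORY = {
    "ws-finance-01": ["CVE-2021-36934"],
    "mac-design-07": ["CVE-2014-4404"],
    "srv-build-02": ["CVE-2021-36934", "CVE-2014-4404", "CVE-2020-0001"],  # last one: not in KEV
}


def load_kev(feed_text):
    """Index a KEV feed by CVE ID so inventory lookups are O(1)."""
    data = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def added_since(kev, since):
    """Entries added strictly after `since`: the delta to review after each catalog update."""
    return sorted(
        cve for cve, entry in kev.items()
        if date.fromisoformat(entry["dateAdded"]) > since
    )


def remediation_status(kev, inventory, today):
    """Join inventory findings against KEV and rank them by CISA's due date.

    Returns (host, cve, due_date, days_left, status) tuples, most urgent first.
    Findings not in KEV are skipped here: they still need patching, but they do
    not carry a BOD 22-01 deadline.
    """
    rows = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            days_left = (due - today).days
            status = "OVERDUE" if days_left < 0 else "DUE"
            rows.append((host, cve, entry["dueDate"], days_left, status))
    # Negative days_left (overdue) sorts first; ties broken by hostname for stable reports.
    rows.sort(key=lambda r: (r[3], r[0]))
    return rows


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    print("Newly cataloged since 2022-02-09:", added_since(kev, date(2022, 2, 9)))
    for host, cve, due, days_left, status in remediation_status(kev, INVENTORY, date(2022, 3, 1)):
        print(f"{status:8} {host:15} {cve:16} due {due} ({days_left:+d} days)")
```

In practice `KEV_SAMPLE` would be replaced by the feed downloaded from CISA and `INVENTORY` by scanner output; `added_since` with the timestamp of the previous run is the cheap way to catch the kind of batch addition the article describes, and anything `remediation_status` marks OVERDUE is what an auditor will ask about first.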
CISA Director Jen Easterly said in November that threat actors are using these vulnerabilities to target federal agencies, but urged every organization to mitigate these actively exploited bugs.
“While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities,” Easterly said. “It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.”