The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added 66 software security bugs that are being actively exploited to its database of known exploited vulnerabilities, including some from leading technology vendors that date back several years.
For the majority of the products implicated in the new additions, there are patches available to remediate the vulnerabilities. However, there are seven impacted products that are no longer supported by the vendor and should be discontinued if still in use.
The new additions are CVEs in products from Microsoft, Cisco, Citrix, D-Link, VMware, Sophos, Palo Alto, Apache, NETGEAR, Adobe, HP and others.
Three of the new additions are bugs disclosed this year, including vulnerabilities in WatchGuard Firebox and XTM appliances, Mitel MiCollab and MiVoice Business Express, and of course the Microsoft Windows Print Spooler.
According to CISA, two of the newly added known exploited vulnerabilities were from last year, and 12 were disclosed in 2020.
However, the majority of the newly added bugs are several years old, including eight from 2010 and earlier. The oldest bug in this batch is a 2005 remote code execution vulnerability (CVE-2005-2773) in HP’s OpenView Network Node Manager.
The new additions bring CISA’s list of known exploited vulnerabilities to 570 since the agency started maintaining the catalog in November 2021.
Earlier this month, CISA added 95 vulnerabilities to the catalog, including several older bugs that date back to the early 2000s.
Under the agency’s Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies are required to remediate the vulnerabilities by a specified date. In this case, all of the newly added bugs must be patched or removed by April 15.
In previous additions to CISA’s known exploited vulnerabilities catalog, agencies had several months to remediate certain vulnerabilities, suggesting there is more urgency to patch this new tranche of bugs.
Although the directive is designed to keep U.S. government agencies secure, private enterprises and organizations of any size should scan their environments for these bugs to protect themselves from compromise.
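One way to turn the catalog into a remediation list, as an added example that is not part of the original article or of any CISA tooling: parse a KEV-style feed, keep entries due on or before the BOD 22-01 deadline, match them against an asset inventory, and flag end-of-life products for decommissioning rather than patching. The field names are assumed to follow CISA's public KEV JSON feed, the inventory and all entries other than CVE-2005-2773 are constructed, and the end-of-life check is a text heuristic on the required action, not an official status flag.

```python
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed (field names assumed;
# every entry except CVE-2005-2773, which the article names, is invented).
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2005-2773", "vendorProject": "HP",
         "product": "OpenView Network Node Manager",
         "dateAdded": "2022-03-25", "dueDate": "2022-04-15",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleVendor",
         "product": "Legacy Gateway",
         "dateAdded": "2022-03-25", "dueDate": "2022-04-15",
         "requiredAction": "The impacted product is end-of-life and "
                           "should be disconnected if still in use."},
        {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "ExampleVendor",
         "product": "Mail Server",
         "dateAdded": "2022-03-03", "dueDate": "2022-09-03",
         "requiredAction": "Apply updates per vendor instructions."},
    ]
})

# Constructed asset inventory: (vendor, product) pairs actually deployed.
INVENTORY = {("HP", "OpenView Network Node Manager"),
             ("ExampleVendor", "Legacy Gateway")}


def load_kev(raw):
    """Return the list of vulnerability entries from a KEV-style JSON feed."""
    return json.loads(raw)["vulnerabilities"]


def due_by(entries, deadline):
    """Entries whose BOD 22-01 due date falls on or before the deadline."""
    return [e for e in entries if date.fromisoformat(e["dueDate"]) <= deadline]


def is_end_of_life(entry):
    """Heuristic: CISA marks unsupported products in the required action text."""
    return "end-of-life" in entry["requiredAction"].lower()


def remediation_plan(entries, inventory, deadline):
    """(cveID, dueDate, action) for deployed products due by the deadline."""
    plan = []
    for e in sorted(due_by(entries, deadline), key=lambda e: e["dueDate"]):
        if (e["vendorProject"], e["product"]) not in inventory:
            continue  # not deployed here; nothing to remediate
        action = "decommission" if is_end_of_life(e) else "patch"
        plan.append((e["cveID"], e["dueDate"], action))
    return plan
```

Pointing `load_kev` at the live feed instead of `KEV_SAMPLE` and `INVENTORY` at a real CMDB export gives the same prioritized list for the April 15 deadline.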