Unresolved security issues are a frequent attack vector for opportunistic cybercriminals. Threat actors routinely target publicly known but unpatched vulnerabilities to break into organizations' critical network systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added 15 security flaws to its Known Exploited Vulnerabilities Catalog, all of which adversaries are actively exploiting. The agency stated that these vulnerabilities are a constant attack vector for malicious actors and pose a significant risk to federal enterprises.
The newly added vulnerabilities are:

| CVE Number | CVE Description |
|---|---|
| CVE-2021-22017 | VMware vCenter Server Improper Access Control Vulnerability |
| CVE-2021-36260 | Hikvision Improper Input Validation Vulnerability |
| CVE-2021-27860 | FatPipe WARP, IPVPN, and MPVPN Privilege Escalation Vulnerability |
| CVE-2020-6572 | Google Chrome prior to 81.0.4044.92 Use-After-Free Vulnerability |
| CVE-2019-1458 | Microsoft Win32K Elevation of Privilege Vulnerability |
| CVE-2019-7609 | Elastic Kibana Remote Code Execution Vulnerability |
| CVE-2019-2725 | Oracle WebLogic Server Injection Vulnerability |
| CVE-2019-9670 | Synacor Zimbra Collaboration Suite Improper Restriction of XML External Entity Reference Vulnerability |
| CVE-2019-10149 | Exim Mail Transfer Agent (MTA) Improper Input Validation Vulnerability |
| CVE-2019-1579 | Palo Alto Networks PAN-OS Remote Code Execution Vulnerability |
| CVE-2018-13383 | Fortinet FortiOS and FortiProxy Improper Authorization Vulnerability |
| CVE-2018-13382 | Fortinet FortiOS and FortiProxy Improper Authorization Vulnerability |
| CVE-2017-1000486 | Primetek Primefaces Application Remote Code Execution Vulnerability |
| CVE-2015-7450 | IBM WebSphere Application Server and Server Hypervisor Edition Remote Code Execution Vulnerability |
| CVE-2013-3900 | Microsoft WinVerifyTrust Function Remote Code Execution Vulnerability |
Age-Old Bugs
Of the 15, four (CVE-2021-22017, CVE-2021-36260, CVE-2021-27860 and CVE-2020-6572) were disclosed in 2020 or 2021; the other eleven date from 2013 to 2019, the oldest being CVE-2013-3900. Several of the newly added vulnerabilities carry only a medium severity rating, a reminder that evidence of exploitation in the wild, not the CVSS score, is what places an entry in the catalog. CISA urged federal agencies to address these vulnerabilities as early as possible by applying the available patches, since the threat activity against them is ongoing.
CISA’s Binding Operational Directive
CISA issued Binding Operational Directive (BOD) 22-01 in November 2021 to reduce the risk posed by actively exploited vulnerabilities. The Directive applies to all software and hardware found on federal information systems and requires federal civilian executive branch agencies to remediate every vulnerability listed in the Known Exploited Vulnerabilities Catalog within the timeframe CISA assigns to it; under the Directive's default rule that is two weeks for CVEs assigned in 2021 or later and six months for older CVEs, counted from the date the entry is added to the catalog. According to CISA, over 18,000 vulnerabilities were identified in 2020, and both public and private sector organizations find it difficult to remediate the growing number of flaws. From 2015 to 2018, the number of new flaws surged from 6,487 to 17,305, and 9,883 of these were rated high or critical.
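The practical consequence of the Directive is a prioritization check: every finding from a vulnerability scan is matched against the KEV catalog, and anything listed gets a hard deadline. The script below is an added example, not code from CISA or from this article. It parses a small constructed excerpt shaped like the public KEV JSON feed (the field names cveID, vendorProject, product, vulnerabilityName, dateAdded and dueDate follow that feed; the dateAdded values, the host names, the scan findings and the placeholder identifier CVE-2021-0000 are all assumed for illustration), derives the BOD 22-01 deadline for each entry from the CVE year and the date it was added, and reports which hosts are already overdue as of a chosen date.

```python
"""Match scanner findings against a KEV-style feed and flag overdue items
under the BOD 22-01 timeframes.

Added example, not CISA's code or the article's. The feed excerpt and the
scan findings below are constructed; field names follow the public KEV
JSON feed, but every date and host name here is assumed.
"""
import json
from datetime import date, timedelta

# Constructed KEV feed excerpt (not the live catalog; dateAdded is assumed).
KEV_FEED_JSON = r'''{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
  "vulnerabilities": [
    {"cveID": "CVE-2021-22017", "vendorProject": "VMware", "product": "vCenter Server",
     "vulnerabilityName": "VMware vCenter Server Improper Access Control Vulnerability",
     "dateAdded": "2022-01-10"},
    {"cveID": "CVE-2019-7609", "vendorProject": "Elastic", "product": "Kibana",
     "vulnerabilityName": "Elastic Kibana Remote Code Execution Vulnerability",
     "dateAdded": "2022-01-10"},
    {"cveID": "CVE-2018-13382", "vendorProject": "Fortinet", "product": "FortiOS and FortiProxy",
     "vulnerabilityName": "Fortinet FortiOS and FortiProxy Improper Authorization Vulnerability",
     "dateAdded": "2022-01-10"},
    {"cveID": "CVE-2013-3900", "vendorProject": "Microsoft", "product": "WinVerifyTrust",
     "vulnerabilityName": "Microsoft WinVerifyTrust Function Remote Code Execution Vulnerability",
     "dateAdded": "2022-01-10"}
  ]
}'''

# Constructed scanner output as (hostname, CVE) pairs. CVE-2021-0000 is a
# placeholder identifier standing in for a finding that is not in the catalog.
SCAN_FINDINGS = [
    ("vcenter-01", "CVE-2021-22017"),
    ("kibana-01", "CVE-2019-7609"),
    ("fw-edge-01", "CVE-2018-13382"),
    ("build-01", "CVE-2013-3900"),
    ("web-02", "CVE-2021-0000"),
]


def add_months(d, months):
    """Calendar-month arithmetic, clamping to the last valid day of the
    target month ("six months" in the Directive is a calendar period)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    for day in range(d.day, 0, -1):
        try:
            return date(year, month, day)
        except ValueError:
            continue


def bod_due_date(cve_id, date_added):
    """BOD 22-01 default deadline: two weeks for CVEs assigned in 2021 or
    later, six months for older ones, counted from the catalog add date."""
    cve_year = int(cve_id.split("-")[1])
    if cve_year >= 2021:
        return date_added + timedelta(days=14)
    return add_months(date_added, 6)


def load_kev(feed_json):
    """Index a KEV-style feed by CVE ID. The real feed carries a dueDate
    per entry; honour it when present, otherwise derive it from the rule."""
    catalog = {}
    for entry in json.loads(feed_json)["vulnerabilities"]:
        added = date.fromisoformat(entry["dateAdded"])
        if "dueDate" in entry:
            due = date.fromisoformat(entry["dueDate"])
        else:
            due = bod_due_date(entry["cveID"], added)
        catalog[entry["cveID"]] = {**entry, "due": due}
    return catalog


def triage(findings, catalog, today):
    """Return KEV-listed findings sorted by deadline, then host. Findings
    not in the catalog are dropped here: they still need normal patching,
    but they are not on the Directive's clock."""
    rows = []
    for host, cve in findings:
        entry = catalog.get(cve)
        if entry is None:
            continue
        days_left = (entry["due"] - today).days
        rows.append({
            "host": host,
            "cve": cve,
            "name": entry["vulnerabilityName"],
            "due": entry["due"].isoformat(),
            "status": "OVERDUE" if days_left < 0 else f"due in {days_left}d",
        })
    rows.sort(key=lambda r: (r["due"], r["host"]))
    return rows


if __name__ == "__main__":
    kev = load_kev(KEV_FEED_JSON)
    for row in triage(SCAN_FINDINGS, kev, date(2022, 2, 1)):
        print(f'{row["status"]:>12}  {row["due"]}  {row["host"]:<12} {row["cve"]}  {row["name"]}')
```

Two design points worth noting. The live feed already publishes a dueDate for each entry, so `load_kev` prefers that and only falls back to deriving the date from the default rule; CISA can and does set shorter deadlines for specific entries. And the six-month window is computed in calendar months rather than as 180 days, so an entry added on 10 January falls due on 10 July, matching how the Directive's deadlines are expressed.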