
CISA Adds 15 New Flaws to its Actively Exploited Vulnerabilities Catalog

CISA recommended that federal agencies patch the vulnerabilities recently added to its Known Exploited Vulnerabilities Catalog. Of the 15, four vulnerabilities were disclosed between 2020 and 2021, and the rest date back to 2013 and 2015.


Unresolved security issues serve as frequent attack vectors for opportunistic cybercriminals. It is known that threat actors often target publicly known or unpatched security vulnerabilities to break into organizations’ critical network systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added 15 new security flaws to its Known Exploited Vulnerabilities Catalog, which adversaries are actively exploiting. The agency stated that these vulnerabilities have become a constant attack vector for malicious actors and pose a significant risk to federal enterprises.

The Newly Added Vulnerabilities Include:

CVE Number          CVE Description
CVE-2021-22017      VMware vCenter Server Improper Access Control Vulnerability
CVE-2021-36260      Hikvision Improper Input Validation Vulnerability
CVE-2021-27860      FatPipe WARP, IPVPN, and MPVPN Privilege Escalation Vulnerability
CVE-2020-6572       Google Chrome prior to 81.0.4044.92 Use-After-Free Vulnerability
CVE-2019-1458       Microsoft Win32K Elevation of Privilege Vulnerability
CVE-2019-7609       Elastic Kibana Remote Code Execution Vulnerability
CVE-2019-2725       Oracle WebLogic Server Injection Vulnerability
CVE-2019-9670       Synacor Zimbra Collaboration Suite Improper Restriction of XML External Entity Reference Vulnerability
CVE-2019-10149      Exim Mail Transfer Agent (MTA) Improper Input Validation Vulnerability
CVE-2019-1579       Palo Alto Networks PAN-OS Remote Code Execution Vulnerability
CVE-2018-13383      Fortinet FortiOS and FortiProxy Improper Authorization Vulnerability
CVE-2018-13382      Fortinet FortiOS and FortiProxy Improper Authorization Vulnerability
CVE-2017-1000486    Primetek Primefaces Application Remote Code Execution Vulnerability
CVE-2015-7450       IBM WebSphere Application Server and Server Hypervisor Edition Remote Code Execution Vulnerability
CVE-2013-3900       Elastic Kibana Remote Code Execution Vulnerability

Age-Old Bugs

Of the 15, four vulnerabilities were disclosed between 2020 and 2021, and the rest date back to 2013 and 2015. Some of the newly added vulnerabilities are rated as medium severity. CISA urged federal agencies to address these vulnerabilities as early as possible by applying the available patches to prevent ongoing cyberthreats.


CISA’s Binding Operational Directive

CISA recently issued a Binding Operational Directive (BOD) to reduce the risk of actively exploited vulnerabilities. The new Directive, which applies to all software and hardware found on federal information systems, requires federal civilian agencies to remediate such vulnerabilities within specific timeframes. According to CISA, over 18,000 vulnerabilities were identified in 2020. Public and private sector organizations find it difficult to remediate the growing number of security flaws. From 2015 to 2018, the number of new flaws surged from 6,487 to 17,305, and 9,883 of these were rated high and critical.
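One way a defender can act on the catalog and the Directive's remediation deadlines is to cross-reference scanner findings against the KEV feed and flag entries past their due date. This is an added example, not the agency's or the article's code; the catalog sample below uses the real feed's field names but constructed dates and due dates, and the scanner findings are constructed too.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names match the
# real feed; the dateAdded/dueDate values are placeholders, not the catalog's own.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2021-22017", "vendorProject": "VMware", "product": "vCenter Server",
         "vulnerabilityName": "VMware vCenter Server Improper Access Control Vulnerability",
         "dateAdded": "2022-01-10", "dueDate": "2022-01-24",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2019-10149", "vendorProject": "Exim", "product": "Exim",
         "vulnerabilityName": "Exim Mail Transfer Agent (MTA) Improper Input Validation Vulnerability",
         "dateAdded": "2022-01-10", "dueDate": "2022-07-10",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

def load_kev(raw):
    """Index the KEV feed by CVE ID so each scanner finding is a single lookup."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def triage(scanner_findings, kev, today):
    """Return the findings that are in the catalog, flagged overdue when past the BOD due date.
    scanner_findings: iterable of (host, cve_id) pairs; today: date or ISO date string.
    Overdue items sort first, then by due date, so the output is a remediation worklist.
    """
    today = date.fromisoformat(today) if isinstance(today, str) else today
    results = []
    for host, cve in scanner_findings:
        entry = kev.get(cve.upper())          # scanners are not consistent about case
        if entry is None:
            continue                          # not in KEV: out of scope for the Directive
        results.append({
            "host": host, "cve": entry["cveID"], "name": entry["vulnerabilityName"],
            "dueDate": entry["dueDate"],
            "overdue": today > date.fromisoformat(entry["dueDate"]),
            "action": entry["requiredAction"],
        })
    return sorted(results, key=lambda r: (not r["overdue"], r["dueDate"]))

if __name__ == "__main__":
    # Constructed scanner findings; CVE-2021-00000 is a placeholder that is not in the sample.
    findings = [("vcenter01", "CVE-2021-22017"), ("mail01", "cve-2019-10149"),
                ("web01", "CVE-2021-00000")]
    for r in triage(findings, load_kev(KEV_SAMPLE), "2022-02-01"):
        flag = "OVERDUE" if r["overdue"] else "due"
        print(f"{flag:7} {r['dueDate']} {r['host']:10} {r['cve']} - {r['name']}")
```

In production the raw feed would be fetched from CISA's published KEV JSON rather than embedded, and the findings would come from a scanner export.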