The Cybersecurity and Infrastructure Security Agency (CISA) has added a further 8 actively exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog. All 8 are known to have been exploited by threat actors in real-world attacks and therefore pose a significant risk to organizations. The vulnerabilities are a mix of old and new, with the earliest dating back to 2014 and the most recent disclosed this year.
The flaws are a mix of memory corruption, stack-based buffer overflow, improper privilege management, use-after-free, SQL injection, privilege escalation, and code execution vulnerabilities. By exploiting them, threat actors could take control of Apple devices, access networks, and remotely execute code on vulnerable systems. Even though some of the vulnerabilities are more than 7 years old, they are still being successfully exploited because patches have not been applied.
For each of the 8 vulnerabilities, CISA has provided a date by which Federal Civilian Executive Branch (FCEB) agencies must apply the patches, with two of the vulnerabilities requiring immediate action. The most recent vulnerabilities affect iOS, iPadOS, macOS Monterey, and SonicWall SMA 100 Appliances. Both of these flaws are being actively exploited and immediate patching is required; the latest date by which FCEB agencies must patch the two flaws is February 11, 2022. The 8 flaws, listed in the table below, bring the total number of vulnerabilities in the Catalog up to 351.
While the Binding Operational Directive (BOD) 22-01 that established the Known Exploited Vulnerabilities Catalog only applies to FCEB agencies, CISA is encouraging all organizations to prioritize the patches in the Known Exploited Vulnerabilities Catalog to reduce their exposure to cyberattacks.
CVE Number | CVE Title | Latest Patch Date |
CVE-2022-22587 | Apple IOMobileFrameBuffer Memory Corruption Vulnerability | 2/11/2022 |
CVE-2021-20038 | SonicWall SMA 100 Appliances Stack-Based Buffer Overflow Vulnerability | 2/11/2022 |
CVE-2014-7169 | GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability | 7/28/2022 |
CVE-2014-6271 | GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability | 7/28/2022 |
CVE-2020-0787 | Microsoft Windows Background Intelligent Transfer Service (BITS) Improper Privilege Management Vulnerability | 7/28/2022 |
CVE-2014-1776 | Microsoft Internet Explorer Use-After-Free Vulnerability | 7/28/2022 |
CVE-2020-5722 | Grandstream Networks UCM6200 Series SQL Injection Vulnerability | 7/28/2022 |
CVE-2017-5689 | Intel Active Management Technology (AMT), Small Business Technology (SBT), and Standard Manageability Privilege Escalation Vulnerability | 7/28/2022 |