On May 23 and May 24, 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a further 41 vulnerabilities to its Known Exploited Vulnerability Catalog, which brings the known exploited vulnerabilities included in the list up to 703.
The latest additions to the list are based on evidence collected that indicates the vulnerabilities are being actively exploited by threat actors in the wild. When new vulnerabilities are added to the list they are covered by Binding Operational Directive (BOD) 22-01 – Reducing the Significant Risk of Known Exploited Vulnerabilities, which requires all Federal Civilian Executive Branch (FCEB) agencies to identify and remediate the vulnerabilities to protect their networks against active threats. The 21 vulnerabilities added on May 23 have a remediation date of June 13, 2022, and the 20 vulnerabilities added on May 24 have a due date of June 14, 2022.
BOD 22-01 only applies to FCEB agencies; however, CISA encourages all organizations to take advantage of the list and ensure that the vulnerabilities are remediated in a timely fashion as part of their vulnerability management practices to prevent exploitation by threat actors.
The vulnerabilities date from 2016, with only one of the 41 vulnerabilities disclosed this year – CVE-2022-20821, Cisco IOS XR. The vulnerabilities cover multiple vendors and products:
|iOS and multiple products
|Adaptive Security Appliance (ASA) and IOS XR
|Virtual System/Server Administrator (VSA)
|Internet Explorer, Edge, SMBv1 server, Update Notification Manager, Win32k, Windows, XML Core Services
|Firefox and Thunderbird
|Network Attached Storage (NAS)