CISA Adds 41 Vulnerabilities to the Known Exploited Vulnerability Catalog

On May 23 and May 24, 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a further 41 vulnerabilities to its Known Exploited Vulnerability Catalog, bringing the total number of known exploited vulnerabilities in the list to 703.

The latest additions to the list are based on evidence that the vulnerabilities are being actively exploited by threat actors in the wild. When new vulnerabilities are added to the list, they are covered by Binding Operational Directive (BOD) 22-01 – Reducing the Significant Risk of Known Exploited Vulnerabilities, which requires all Federal Civilian Executive Branch (FCEB) agencies to identify and remediate the vulnerabilities to protect their networks against active threats. The 21 vulnerabilities added on May 23 have a remediation date of June 13, 2022, and the 20 vulnerabilities added on May 24 have a due date of June 14, 2022.

BOD 22-01 only applies to FCEB agencies; however, CISA encourages all organizations to take advantage of the list and ensure that the vulnerabilities are remediated in a timely fashion as part of their vulnerability management practices to prevent exploitation by threat actors.

The vulnerabilities date back to 2016, and only one of the 41 was disclosed this year: CVE-2022-20821, affecting Cisco IOS XR. The vulnerabilities cover multiple vendors and products:

| Vendor | Products |
| --- | --- |
| Adobe | Flash Player |
| Android | Kernel |
| Apple | iOS and multiple products |
| Artifex | Ghostscript |
| Cisco | Adaptive Security Appliance (ASA) and IOS XR |
| Google | Chrome |
| Kaseya | Virtual System/Server Administrator (VSA) |
| Meta Platforms | WhatsApp |
| Microsoft | Internet Explorer, Edge, SMBv1 server, Update Notification Manager, Win32k, Windows, XML Core Services |
| Mozilla | Firefox and Thunderbird |
| QNAP | Network Attached Storage (NAS) |
| WebKitGTK | WebKitGTK |

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news