The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added 66 vulnerabilities to its Known Exploited Vulnerabilities Catalog that should be given priority when patching, which brings the total number of vulnerabilities on the list to 570.
The Known Exploited Vulnerabilities Catalog was first published by CISA in November 2021 as part of its efforts to reduce the significant risk of vulnerabilities being exploited by adversaries to gain access to the networks of the Federal Civilian Executive Branch (FCEB) agencies.
The creation of the Known Exploited Vulnerabilities Catalog was accompanied by a Binding Operational Directive (BOD 22-01), which requires all FCEB agencies to apply patches to fix the vulnerabilities to protect networks against active threats. All vulnerabilities on the list are known to have been exploited in the wild in cyberattacks, either individually or in combination with other vulnerabilities. FCEB agencies have been given until April 15, 2022, to apply the patches to address the 66 vulnerabilities, which have been identified in solutions from a broad range of vendors, including Adobe, Apache, Citrix, Cisco, D-Link, Drupal, Microsoft, Netgear, Palo Alto, Sophos, QNAP Systems, VMware, and more.
The last few weeks have seen major additions to the Known Exploited Vulnerabilities Catalog. In addition to the latest batch of 66 actively exploited flaws, 15 were added on March 15, 2022, 11 vulnerabilities were added on March 7, 2022, and a large batch of 95 vulnerabilities was added to the list on March 3, 2022.
The latest batch of known exploited vulnerabilities includes vulnerabilities dating back to 2005. While these vulnerabilities were first disclosed many years ago, their recent inclusion in the list could be because they have been identified as being used in recent attacks, such as by being chained with other recently disclosed vulnerabilities.
While BOD 22-01 only applies to FCEB agencies, CISA encourages all organizations to use the list to help them prioritize patching, to ensure that the most serious vulnerabilities are addressed first: those that are known to be actively exploited in real-world attacks.