CISA Includes 75 Vulnerabilities in the Known Exploited Vulnerability Catalog

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) included 75 additional vulnerabilities in the Known Exploited Vulnerability Catalog. This catalog is a listing of vulnerabilities identified in software programs and operating systems that are found to have been taken advantage of in real-world attacks. The catalog currently contains 737 vulnerabilities.

The most recent inclusions were added in three groups: 21 on Tuesday, 20 on Wednesday, and 34 on Thursday. As per the Binding Operational Directive (BOD) 22-01, every Federal Civilian Executive Branch (FCEB) agency must search for the vulnerabilities and make certain to apply the patches or mitigate the vulnerabilities in a period of two weeks.

Almost all the vulnerabilities included in the list last week aren’t new vulnerabilities. In many instances, patches were launched to deal with the vulnerabilities a few years ago and in certain instances, the vulnerabilities were openly revealed 12 years back. A few of the vulnerabilities have an effect on items that have already reached their end-of-life, for instance, Virtual System/Server Administrator (VSA), Adobe Flash Player, InfoSphere BigInsights and Microsoft Silverlight. In case those solutions continue to be installed or used, the products must be removed or disconnected.

The latest vulnerabilities consist of CVE-2022-20821, a Cisco IOS XR open port vulnerability, and CVE-2021-30883, a memory corruption vulnerability identified in several Apple products, and two vulnerabilities found in the Android Kernel: CVE-2021-1048, a use-after-free vulnerability, and CVE-2021-0920, a race condition vulnerability.

The vulnerabilities have an effect on items from these companies: Adobe, Apple, Android, Artifex, Cisco, IBM, Google, Kaseya, Linux, Microsoft, Meta Platforms, Mozilla, QNAP, Oracle, Red Hat, and WebKitGTK.

Although BOD 22-01 is just applicable to FCEB agencies, CISA urges all companies to minimize their exposure to cyberattacks by making sure to remediate the vulnerabilities included in the Known Exploited Vulnerability Catalog in a prompt manner in accordance with their vulnerability management tactics.