The Cybersecurity and Infrastructure Security Agency (CISA) has added 41 vulnerabilities to its catalog of known exploited flaws this week.
The US federal agency has urged all organizations to remediate these vulnerabilities promptly to “reduce their exposure to cyber-attacks.” Federal Civilian Executive Branch (FCEB) agencies are required by law to remediate all vulnerabilities in the catalog by the specified due date.
The newly added vulnerabilities span six years, with the oldest disclosed in 2016: a Microsoft Internet Explorer information disclosure vulnerability tracked as CVE-2016-0162.
The most recent is a Cisco IOS XR open port vulnerability (CVE-2022-20821), which was fixed last week. It allows an attacker to connect to the Redis instance listening on the open port and thereby gain access to the Redis instance running within the NOSi container.
The Windows elevation of privileges vulnerability CVE-2020-0638 was disclosed in 2020 but was still being utilized by the Conti ransomware gang for their attacks on corporate networks this year.
Other notable vulnerabilities newly added to the catalog are two Android Linux Kernel flaws: CVE-2021-1048 and CVE-2021-0920. These are only known to be used in limited attacks against Android devices.
The rest of the flaws, disclosed between 2018 and 2021, affect software products from Cisco, Microsoft, Apple, Google, Mozilla, Facebook, Adobe and WebKitGTK.
Federal agencies are required to patch the 21 vulnerabilities added on Monday May 23 by June 13, while the 20 added on Tuesday May 24 must be fixed by June 14.
Commenting on the announcement, Kev Breen, director of cyber threat research at Immersive Labs, said: “CISA adding 41 vulnerabilities to its catalog of known exploited flaws used in cyber-attacks is unsurprising because attackers are well versed in finding vulnerabilities, old and new, to exploit in their malicious campaigns.”
He continued: “As threat actors continue to utilize vulnerabilities in attacks, the well-trodden advice is to install updates on all devices. And, while focusing on core cybersecurity hygiene elements like patching will help organizations bolster their cyber resilience, attackers are ingenious at finding new entry points to systems long before they emerge as compromised.
“Organizations have to do more than just forecasting IT teams on updates and patching. The entire workforce needs elevating in the fight against growing cyber risk. Remaining resilient in an ever-changing threat environment requires the optimization of human cyber knowledge, skills and judgment across the entire organization when it comes to preparing for, responding to and remediating against cyber threats, whatever their form.”