The list includes an October CMS Improper Authentication, a System Information Library for node.js Command Injection vulnerability, an Oracle Corporate Business Intelligence Enterprise Edition Path Traversal vulnerability, an Apache Airflow Experimental API Authentication Bypass vulnerability, a Drupal Core Unrestricted Upload of File vulnerability, and three Nagios XI OS Command Injection vulnerabilities.
The Media Trust CEO Chris Olson said the vulnerability's alleged use in the recent attack on Ukraine explains the software's inclusion on the list, but he noted that its inclusion highlights "an alarming growth in web-based cyberattacks and the role they will play in global cyber warfare."
"Little attention is paid to the Web as an attack surface. While organizations across the public and private sector are increasingly aware of cyber risk, the stack of third-party code used in Web development rarely meets the standards for AppSec that those organizations would demand from any of their IT systems," Olson said.
Jordan LaRose, director of incident response at F-Secure, told ZDNet that CISA's guidance matches much of what they are seeing in the wild from a malicious actor standpoint.
LaRose said that what stood out most to him was that these are all vulnerabilities affecting web servers or APIs. LaRose said this is a trend he has seen develop significantly in the past year among malicious actors, many of whom are turning to more than just classical methods like phishing or trojans to gain footholds in organizations with strong security postures.
"What we're seeing now is a wave of attacks where attackers are targeting technology rather than people, with the most recent notable example being the Log4Shell attacks. These attacks are largely done opportunistically, with attackers loading up scanning scripts with the exploits and hitting everything they can on the internet to find a potential victim," he said.
Neosec vice president Edward Roberts echoed that sentiment, adding that the volume of vulnerabilities involving APIs will continue to increase because there are more APIs being developed each day. Most organizations, he said, "don't even know how many APIs they have, let alone which ones have vulnerabilities, let alone consider how they are being defrauded by abusive behavior."
A number of cybersecurity experts noted that several of these vulnerabilities were identified months ago. Some of the vulnerabilities on the list date back to 2012 and 2013, according to Netenrich principal threat hunter John Bambenek, who expressed concerns about the fact that they haven't already been patched.
"That the agency doesn't have basic patch deployment information from other units of government implies there is no central management of that information. The posture of federal IT cybersecurity seems to have remained stalled at square one," Bambenek said.
"If an exploited vulnerability can be used to execute commands on the victim machine, then CISA sets a two week due date to patch. That being said, two weeks is far too slow. The exchange vulnerability concerns me the most. However, some of this stuff is quite off the beaten path. But, this may be common in government installations, so worthy to put on the list."
Vulcan Cyber CPO Tal Morgenstern noted that seven of the vulnerabilities with remediation dates of February 1 relate to systems management tools.
"Systems management tools from VMware, Nagios, F5, Npm, and more hold the keys to the kingdom, giving the user substantial power to automate system change for good or bad. This isn't a new concern as we've seen an unfortunate trend of vulnerabilities in systems management software tools this year," Morgenstern explained.
"Considering the amount of access and control these tools have, IT security teams must take immediate steps to fully mitigate known risks. Don't wait for February. Move now."