CISA warning: Hackers are exploiting these 36 "significant" cybersecurity vulnerabilities - so patch now

The United States Cybersecurity and Infrastructure Agency (CISA) has added 36 new flaws to its catalog of vulnerabilities that are known to be exploited by cyber criminals. 

The CISA alert warns that the vulnerabilities are a frequent attack vector for malicious attackers and pose "significant risk". Organisations, particularly those associated with federal government, are urged to apply the security updates as soon as possible. 

"CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of catalog vulnerabilities as part of their vulnerability management practice," said CISA.

SEE: Cloud computing dominates. But security is now the biggest challenge

Among the 36 vulnerabilities that have been added are vulnerabilities in software and products from Microsoft, Google, Adoble, Cisco, Netgear, QNAP and others.  

Vulnerabilities in Microsoft products include CVE-2012-4969, a vulnerability in Internet Explorer that allows remote execution of code, and CVE-2013-1331, a buffer overflow vulnerability in Microsoft Office that allows cyber criminals to launch remote attacks. CVE-2012-0151, a flaw in the Authenticode Signature Verification function in Microsoft Windows that allows user-assisted attackers to execute remote code, has also been added to the catalog.  

The CISA alert also addresses several vulnerabilities in Google's Chromium V8 Engine, including CVE-2016-1646 and CVE-2016-5198, which allow remote attackers to cause a denial of service, as well as flaws like CVE-2018-17463 and CVE-2017-5070, which, if left unpatched, allow attackers to remotely execute code that they could exploit to access networks. 

Several vulnerabilities in Adobe software have been added to the catalog, including CVE-2009-4324, a flaw in Adobe Acrobat and Reader, which allows remote attackers to execute code via a crafted PDF file, and CVE-2010-1297, a memory corruption vulnerability in Adobe Flash Player that allows remote attackers to execute code or cause denial of service. 

Several flaws in routers and other internet-connected devices have also been added to CISA's catalog, including CVE-2017-6862, which is a buffer overflow vulnerability in multiple Netgear devices that allows for authentication bypass and remote code execution, and CVE-2019-15271, a flaw in Cisco RV series routers that could allow an attacker to execute code with root privileges. 

SEE: Don't let your cloud cybersecurity choices leave the door open for hackers

CISA also warns about a number of vulnerabilities in QNAP products, including CVE-2019-7192, a flaw in QNAP Network Attached Storage (NAS) devices running Photo Station, which contains an improper access control vulnerability allowing remote attackers to gain unauthorized access to the system.  

The full list of all 36 vulnerabilities has been detailed in CISA's known exploited vulnerabilities catalog. 

Cybersecurity bodies like CISA often say that applying cybersecurity patches that fix known vulnerabilities is one of the best ways to stay protected from cyberattacks.  

MORE ON CYBERSECURITY

• The stakes 'could not be any higher': CISA chief talks about the tech challenges ahead
• Hackers are using tech services companies as a 'launchpad' for attacks on customers
• A security researcher easily found my passwords and more: How my digital footprints left me surprisingly over-exposed
• CISA publishes guide with free cybersecurity tools, resources for incident response
• NSA, FBI warning: Hackers are using these flaws to target VPNs and network devices