Get patching now: CISA adds another 95 flaws to its known exploited vulnerabilities list

CISA has ordered federal agencies to patch bugs in software from Cisco, Microsoft, Adobe, Oracle and more.
Written by Liam Tung, Contributing Writer

The US Cybersecurity and Infrastructure Security Agency (CISA) just added a whopping 95 new bugs to its catalogue of known exploited vulnerabilities, including multiple critical Cisco router flaws, Windows flaws new and old, bugs in Adobe Flash Player, and more.

"CISA has added 95 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise," the agency said.

The Windows flaw CVE-2021-41379 that joined CISA's list was being used in attacks against customers in November. Cisco's Talos researchers discovered malware that targeted the elevation-of-privilege flaw, which affects Windows 11 and earlier. Microsoft rated it "important" and gave it a severity score of 5.5 out of 10.


Cisco's router flaws, however, are a greater concern, given their severity rating of 10 out of 10. Cisco released firmware updates in February to address multiple critical flaws in its RV Series of routers.

These were bugs that allowed attackers to execute malicious code, elevate privileges, run arbitrary commands, knock a device offline, bypass authentication, and more. They affected Cisco small business RV160, RV260, RV340, and RV345 series routers.

CISA's list is important for US federal government agencies since they are obliged, under Binding Operational Directive (BOD) 22-01, to act on CISA's vulnerability alerts within a deadline. In this case, the due date for applying these vendor updates is in March, suggesting how important CISA considers it that agencies respond swiftly.

"BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats," CISA notes. 

It looks as though CISA is ordering agencies to do a thorough clean-up of any old software flaws that may still be lurking on government systems.

The updated list of bugs to patch becomes part of CISA's Shields Up recommendations, which it flagged this week as part of its response to destructive malware attacks against Ukrainian organizations. CISA is concerned that wiper malware like WhisperGate and HermeticWiper may soon target organizations outside Ukraine because of new US and European sanctions against Russia.

The list is also a valuable resource for all organizations outside the US. CISA has urged every other organization to apply the updates to reduce their exposure to cyberattacks.


Among the older bugs added with a March 17 due date are a Microsoft Excel RCE flaw, CVE-2019-1297; an old Exchange Server privilege escalation flaw, CVE-2018-8581; and a bug in the browser scripting engine ChakraCore, CVE-2018-8298, which Microsoft is killing off because of its switch to Chromium for Edge.

There are also several older Cisco IOS and IOS XE software flaws, disclosed in 2017, that now must be patched by 17 March.

Even older pre-2018 bugs, such as those affecting Siemens SIMATIC Communication Processor (CP) and Adobe's now-dead Flash Player software, are now on the list.
