On July 1, 2022, CISA added one vulnerability to its Known Exploited Vulnerabilities Catalog: a Microsoft Windows LSA Spoofing Vulnerability (CVE-2022-26925), which carries a 3-week remediation window with a due date of 7/22/2022.
CISA has provided separate guidance for addressing Friday’s addition of the Microsoft vulnerability – Guidance on Applying June Microsoft Patch Tuesday Update for CVE-2022-26925.
While the majority of the 787 catalog entries affect IT environments, 3 of the entries are ICS/SCADA-impacting vulnerabilities that threat actors are currently exploiting.
CISA’s Known Exploited Vulnerabilities (KEV) Catalog is a highly recommended resource to help all organizations prioritize patching. To reinforce this process, CISA recently updated its KEV background page, which corroborates the guidance provided here on how organizations should use the KEV catalog as part of their vulnerability management program.
For more guidance on improving patching, visit the National Cybersecurity Center of Excellence (NCCoE) for two final publications: Special Publication (SP) 800-40 Revision 4, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology and SP 1800-31, Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways.
Members are encouraged to check the catalog and its regular updates for potentially impacted components in their environment and address them accordingly.
The full catalog (downloadable in various formats) can be accessed here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
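As an added example (not from this notice or from CISA), the script below shows how the downloadable catalog can feed the prioritization described above: it parses a constructed excerpt in the shape of the KEV JSON feed, keeps only entries matching a constructed asset inventory, and orders them by CISA due date. The JSON field names are assumed from the published feed; the placeholder CVE identifiers are constructed.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. Field names are assumed
# from the published feed; the first entry uses the CVE and due date in the notice,
# the other two are placeholders.
KEV_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-2022-26925", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Microsoft Windows LSA Spoofing Vulnerability",
     "dateAdded": "2022-07-01", "dueDate": "2022-07-22"},
    {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleVendor", "product": "ExamplePLC",
     "vulnerabilityName": "Constructed ICS entry", "dateAdded": "2022-06-01", "dueDate": "2022-06-22"},
    {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "OtherVendor", "product": "OtherApp",
     "vulnerabilityName": "Constructed entry absent from inventory", "dateAdded": "2022-06-15", "dueDate": "2022-07-06"}
  ]
}"""

# Constructed asset inventory: (vendorProject, product) pairs deployed in the environment.
INVENTORY = {("Microsoft", "Windows"), ("ExampleVendor", "ExamplePLC")}


def load_kev(raw):
    """Parse the feed text and return the list of catalog entries."""
    return json.loads(raw)["vulnerabilities"]


def prioritize(entries, inventory, today_iso):
    """Keep only entries whose vendor/product is in the inventory and order them
    by CISA due date; daysLeft < 0 means the due date has already passed."""
    today = date.fromisoformat(today_iso)
    matched = []
    for e in entries:
        if (e["vendorProject"], e["product"]) not in inventory:
            continue
        days_left = (date.fromisoformat(e["dueDate"]) - today).days
        matched.append({"cveID": e["cveID"], "dueDate": e["dueDate"],
                        "daysLeft": days_left, "overdue": days_left < 0})
    return sorted(matched, key=lambda m: m["dueDate"])


def remediation_window_days(entry):
    """Days CISA allowed between dateAdded and dueDate (21 for a 3-week deadline)."""
    added, due = date.fromisoformat(entry["dateAdded"]), date.fromisoformat(entry["dueDate"])
    return (due - added).days


if __name__ == "__main__":
    for item in prioritize(load_kev(KEV_JSON), INVENTORY, "2022-07-05"):
        print(item)
```

Against the live feed, replace KEV_JSON with the downloaded catalog and INVENTORY with the vendor/product pairs from your asset management system.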