You are here

(Update October 25, 2022) Adds to CISA’s Known Exploited Vulnerabilities Catalog

(Update October 25, 2022) Adds to CISA’s Known Exploited Vulnerabilities Catalog

Created: Tuesday, October 25, 2022 - 12:46
Categories:
Cybersecurity, OT-ICS Security, Security Preparedness

Since the last update (October 13), CISA added 9 vulnerabilities to its Known Exploited Vulnerabilities Catalog for CVEs between 2018-2022. The adds impact 5 vendors/products and have a customary 3 week remediation deadline of 11/10/2022, 11/14/2022, and 11/15/2022, respectively.

The adds include 2 Cisco vulnerabilities that impact AnyConnect Secure Mobility Client for Windows. With Cisco being such a widely used and often targeted product line (Cisco currently has 61 vulnerabilities included on the KEV catalog), members using AnyConnect are highly encouraged to confirm these vulnerabilities from 2020 have been addressed.

The most recently added 8 vulnerabilities impact the following 4 vendors/products:

  • Apple
  • Cisco (2)
  • GIGABYTE (4)
  • Linux
  • Zimbra

CISA’s Known Exploited Vulnerabilities (KEV) Catalog is a highly recommended resource to help all organizations prioritize patching. CISA’s KEV catalog includes vulnerabilities known to be exploited – either attempted or successful – by cyber threat actors. The KEV catalog offers network defenders a starting point for prioritizing remediation efforts on the subset of vulnerabilities that are causing immediate harm based on adversary activity. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework. CISA and WaterISAC strongly recommend all stakeholders include a requirement to immediately address KEV catalog vulnerabilities as part of their vulnerability management plan. Doing so will build collective resilience across the cybersecurity community.

Members are encouraged to check the catalog and the regular updates for potentially impacted components in your environment and address accordingly.

The full catalog (downloadable in various formats) of 848 vulnerabilities (including 4 ICS/SCADA-specific known exploited vulnerabilities) can be accessed here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Additional patching/update guidance:

 

October 13, 2022

Since the last update (on September 27), CISA added 5 vulnerabilities to its Known Exploited Vulnerabilities Catalog. For a change, all CVEs are for 2022. They impact 3 vendors and have a customary 3 week remediation deadline of 10/21/2022 and 11/01/2022, respectively.

The 5 additions include the 2 Microsoft Exchange Server critical vulnerabilities (CVE-2022-41040 and CVE-2022-41082) that were covered in this WaterISAC advisory on September 30, 2022. Note: these vulnerabilities still do NOT have a patch.

The most recent vulnerability (CVE-2022-40684) is for Fortinet and affects multiple products, including FortiOS, FortiProxy, and FortiSwitchManager. Fortinet products are very popular cybersecurity solutions and currently have 8 vulnerabilities known to be actively exploited by threat actors, including 4 from 2018. Members using impacted Fortinet products are highly encouraged to address accordingly. Visit Tenable, SecurityWeek, HelpNetSecurity, or BleepingComputer for more details on the latest Fortinet vulnerability and exploitation.

The most recently added 5 vulnerabilities impact the following 3 vendors:

  • Atlassian
  • Fortinet
  • Microsoft (3)
    • Exchange Server (2)
    • Windows COM+ Event System Service

The full catalog (downloadable in various formats) of 839 vulnerabilities (including 4 ICS/SCADA-specific known exploited vulnerabilities) can be accessed here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

 

 

September 27, 2022

Last week, CISA added 2 vulnerabilities to its Known Exploited Vulnerabilities Catalog. Both additions are for CVE’s for 2022 across 2 vendors/projects that threat actors are currently using to exploit systems that have not been patched yet. Both additions have a customary 3 week remediation deadline of 10/13/2022 and 10/14/2022.

One of the additions, the Sophos Firewall Code Injection Vulnerability (CVE-2022-3236), was a zero day vulnerability known to have been exploited against South Asian organizations. The other vulnerability was also a remote code execution that impacted multiple Zoho ManageEngine products (CVE-2022-35405), including Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus. According to Zoho, authentication is not required to exploit the vulnerability in Password Manager Pro and PAM360 products.

The most recently added 2 vulnerabilities impact the following 2 vendors/projects:

  • Sophos Firewall (Code Injection Vulnerability; CVE-2022-3236)
  • Zoho Manage Engine (Multiple Products Remote Code Execution Vulnerability; CVE-2022-35405)

 

The full catalog (downloadable in various formats) of 834 vulnerabilities (including 4 ICS/SCADA-specific known exploited vulnerabilities) can be accessed here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

 

 

 

 

September 20, 2022

On September 15, 2022, CISA added 6 vulnerabilities to its Known Exploited Vulnerabilities Catalog. The latest additions include CVE’s from 2010 – 2022 across 4 vendors/projects that threat actors are currently using to exploit systems that have not been patched yet. All of the additions have the customary 3 week remediation deadline for 10/6/2022.

Only 1 of the recent additions is for a 2022 vulnerability. The other 5 additions include 1 vulnerability from 2010 for Microsoft and 4 vulnerabilities from 2013 (3 for Linux and 1 for Code Aurora). The most notable is the Microsoft Windows Remote Code Execution Vulnerability (CVE-2010-2568) leveraging the improper handling of shortcuts, notably .LNK files. This vulnerability is most familiar due to its association with Stuxnet.

The most recently added 6 vulnerabilities impact the following 4 vendors/projects:

  • Code Aurora
  • Linux (3)
  • Microsoft (the 2010 vulnerability exploited to deliver Stuxnet)
  • Trend Micro

 

September 15, 2022

On September 8 and 14, 2022, CISA added a total of 14 vulnerabilities to its Known Exploited Vulnerabilities Catalog. The additions include CVE’s from 2011 – 2022 across 10 vendors/projects that threat actors are currently using to exploit systems that have not been patched yet. All of the additions have the customary 3 week remediation deadline for 9/25/2022 and 10/5/2022, respectively.

The 2 most recent additions for Apple and Microsoft products include a Windows privilege escalation vulnerability and an arbitrary code execution flaw affecting iPhones and Macs. Apple has confirmed that this vulnerability was a zero-day exploit leveraged prior to the development and distribution of the patch.

The most recently added 14 vulnerabilities impact the following 10 vendors/projects:

  • Android
  • Apple (2) – includes 1 zero-day
  • D-Link (4)
  • Fortinet
  • Google
  • Microsoft
  • MicroTik
  • NETGEAR
  • Oracle
  • QNAP

 

August 30, 2022

On August 25, 2022, CISA added 10 vulnerabilities to its Known Exploited Vulnerabilities Catalog. The additions include CVE’s from 2020 – 2022 across 8 vendors/projects that threat actors are currently using to exploit systems that have not been patched yet. All of the additions have the customary 3 week remediation deadline from the date of 9/15/2022.

This addition includes 1 ICS/SCADA vulnerabilityDelta Electronics DOPSoft 2 – making a total of 4 ICS/SCADA impacting vulnerabilities that threat actors are currently exploiting on the KEVC.

NOTE: Delta Electronics DOPSoft 2 is end-of-life and will NOT receive an update to mitigate this vulnerability. Delta Electronics recommends users to switch to the replacement software when available. For more information on the Delta Electronics vulnerability, including recommended compensating controls to apply due to the lack of a patch, check out https://www.cisa.gov/uscert/ics/advisories/icsa-21-252-02).

The most recently added 10 vulnerabilities impact the following 8 vendors/projects:

  • Apache (2)
  • Apple
  • Delta Electronics (ICS/SCADA impacting; this component will NOT be updated to mitigate this vulnerability)
  • Dot CMS
  • Grafana Labs
  • Pear (2)
  • VMware
  • WebRTC

 

August 23, 2022

Pardon the latency in keeping this page updated during the past several weeks. During July and August the cadence had slowed down from the typical average volume of additions that CISA had been publishing. While this page hadn’t been updated, you can always find a note in the CISA ICS Vulnerability Advisories and Alerts, Updates, and Bulletins section of the Security & Resilience Update and in the Resource Center on WaterISAC’s portal.

Between July 12 and August 22, 2022, CISA has added 15 vulnerabilities to its Known Exploited Vulnerabilities Catalog. Uncharacteristically, most (14) of the additions are current year (2022) disclosed vulnerabilities including CVE’s from 2017 – 2022 across 8 vendors/projects that threat actors are currently using to exploit systems that have not been patched yet. All of the additions have the customary 3 week remediation deadline from the date originally posted to the catalog. While the majority of the 802 catalog entries impact IT environments, there are currently 3 ICS/SCADA impacting vulnerabilities that threat actors are currently exploiting.

The most recently added 15 vulnerabilities impact the following 8 vendors/projects:

  • Apple (2)
  • Atlassian
  • Google
  • Microsoft (4)
  • Palo Alto Networks (2)
  • RARLAB
  • SAP
  • Zimbra (3)

 

(Update July 5, 2022)

 

On July 1, 2022, CISA added 1 vulnerability to its Known Exploited Vulnerabilities Catalog. This most recent addition is for a Microsoft Windows LSA Spoofing Vulnerability (CVE-2022-26925) and has a 3 week remediation deadline/address by due date of 7/22/2022.

CISA has provided separate guidance for addressing Friday’s addition of the Microsoft vulnerability – Guidance on Applying June Microsoft Patch Tuesday Update for CVE-2022-26925.

While the majority of the 787 catalog entries impact IT environments, there are currently 3 ICS/SCADA impacting vulnerabilities that threat actors are currently exploiting.

CISA’s Known Exploited Vulnerabilities (KEV) Catalog is a highly recommended resource to help all organizations prioritize patching. To emphasize this process, CISA recently updated its KEV background page which corroborates the guidance that has been provided here on how organizations should use the KEV catalog as part of their vulnerability management program.

For more guidance on improving patching, visit the National Cybersecurity Center of Excellence (NCCoE) for two final publications: Special Publication (SP) 800-40 Revision 4, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology and SP 1800-31, Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways.

Members are encouraged to check the catalog and the regular updates for potentially impacted components in your environment and address accordingly.

The full catalog (downloadable in various formats) can be accessed here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog