This week, CISA added 6 vulnerabilities to its Known Exploited Vulnerabilities Catalog, all for disclosed CVEs for 2022. The adds impact 5 vendors/products and have the customary 3 week remediation deadlines of 1/3/2023 and 1/4/2023. Four of the adds are particularly notable due to having been exploited as zero-days for widely used products and platforms prior to the patches being created, including Apple, Citrix, Fortinet, and Microsoft.

• Apple – CVE-2022-42856 is being actively exploited in attacks against iPhones.
• Citrix – CVE-2022-27518 is an unauthenticated remote code execution vulnerability in its ADC and Gateway products.
• Fortinet – CVE-2022-42475 is a buffer overflow impacting FortiOS that could lead to remote code execution.
• Microsoft – CVE-2022-44698 is being exploited in numerous malware distribution campaigns, including ones spreading the QBot trojan and Magniber Ransomware.

The most recent 6 vulnerabilities impact the following 5 vendors/products:

• Apple (zero-day)
• Citrix (zero-day)
• Fortinet (zero-day)
• Microsoft (zero-day)
• Veeam (2)

CISA’s Known Exploited Vulnerabilities (KEV) Catalog is a highly recommended resource to help all organizations prioritize patching. CISA’s KEV catalog includes vulnerabilities known to be exploited – either attempted or successful – by cyber threat actors. The KEV catalog offers network defenders a starting point for prioritizing remediation efforts on the subset of vulnerabilities that are causing immediate harm based on adversary activity. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework. CISA and WaterISAC strongly recommend all stakeholders include a requirement to immediately address KEV catalog vulnerabilities as part of their vulnerability management plan. Doing so will build collective resilience across the cybersecurity community.

Members are encouraged to check the catalog and the regular updates for potentially impacted components in your environment and address accordingly.

The full catalog (downloadable in various formats) of 866 vulnerabilities (including 4 ICS/SCADA-specific known exploited vulnerabilities) can be accessed here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Additional patching/update guidance:

• Recorded Future CVE Monthly – November 2022
• Recorded Future CVE Monthly – October 2022
• CISA's ICS Advisories - October & November 2022 (Verve Industrial)
• The CVE Program Recognizes Dragos as a Numbering Authority for Common Vulnerabilities and Exposures (Dragos)
• Stakeholder-Specific Vulnerability Categorization (SSVC) model (Carnegie Mellon University, Software Engineering Institute)
• Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology (National Cybersecurity Center of Excellence (NCCoE) Special Publication (SP) 800-40 Revision 4)
• Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways (National Cybersecurity Center of Excellence (NCCoE) Special Publication (SP), 1800-31)
• Top 10 IT security action items: No.2 patch operating systems and applications - ITSM.10.096 (Canadian Centre for Cyber Security)

December 6, 2022

Since WaterISAC’s last update on October 25 (pardon us, we’d been busy with H2OSecCon ;-) ), CISA has added 12 vulnerabilities to its Known Exploited Vulnerabilities Catalog for CVEs between 2021-2022. The adds impact 4 vendors/products and have remediation deadlines of 11/18/2022 (1), 11/29/2022 (3), 12/9/2022 (5), 12/19/2022 (2), and 12/26/2022 (1).

The adds include 3 Google Chromium vulnerabilities, including one zero day (CVE-2022-4262), making this the ninth Chrome zero day of 2022. With Chrome being such a widely used and often targeted browser (Google Chrome currently has 44 vulnerabilities included on the KEV catalog), members using Chrome are highly encouraged to confirm these recently added vulnerabilities have been addressed/patched.

The most recent 12 vulnerabilities impact the following 4 vendors/products:
•    Google (3)
•    Oracle
•    Microsoft (5)
•    Samsung (3)

October 25, 2022

Since the last update (October 13), CISA added 9 vulnerabilities to its Known Exploited Vulnerabilities Catalog for CVEs between 2018-2022. The adds impact 5 vendors/products and have a customary 3 week remediation deadline of 11/10/2022, 11/14/2022, and 11/15/2022, respectively.

The adds include 2 Cisco vulnerabilities that impact AnyConnect Secure Mobility Client for Windows. With Cisco being such a widely used and often targeted product line (Cisco currently has 61 vulnerabilities included on the KEV catalog), members using AnyConnect are highly encouraged to confirm these vulnerabilities from 2020 have been addressed.

The most recently added 8 vulnerabilities impact the following 4 vendors/products:

• Apple
• Cisco (2)
• GIGABYTE (4)
• Linux
• Zimbra

October 13, 2022

Since the last update (on September 27), CISA added 5 vulnerabilities to its Known Exploited Vulnerabilities Catalog. For a change, all CVEs are for 2022. They impact 3 vendors and have a customary 3 week remediation deadline of 10/21/2022 and 11/01/2022, respectively.

The 5 additions include the 2 Microsoft Exchange Server critical vulnerabilities (CVE-2022-41040 and CVE-2022-41082) that were covered in this WaterISAC advisory on September 30, 2022. Note: these vulnerabilities still do NOT have a patch.

The most recent vulnerability (CVE-2022-40684) is for Fortinet and affects multiple products, including FortiOS, FortiProxy, and FortiSwitchManager. Fortinet products are very popular cybersecurity solutions and currently have 8 vulnerabilities known to be actively exploited by threat actors, including 4 from 2018. Members using impacted Fortinet products are highly encouraged to address accordingly. Visit Tenable, SecurityWeek, HelpNetSecurity, or BleepingComputer for more details on the latest Fortinet vulnerability and exploitation.

The most recently added 5 vulnerabilities impact the following 3 vendors:

• Atlassian
• Fortinet
• Microsoft (3)
  • Exchange Server (2)
  • Windows COM+ Event System Service

The full catalog (downloadable in various formats) of 839 vulnerabilities (including 4 ICS/SCADA-specific known exploited vulnerabilities) can be accessed here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

September 27, 2022

Last week, CISA added 2 vulnerabilities to its Known Exploited Vulnerabilities Catalog. Both additions are for CVE’s for 2022 across 2 vendors/projects that threat actors are currently using to exploit systems that have not been patched yet. Both additions have a customary 3 week remediation deadline of 10/13/2022 and 10/14/2022.

One of the additions, the Sophos Firewall Code Injection Vulnerability (CVE-2022-3236), was a zero day vulnerability known to have been exploited against South Asian organizations. The other vulnerability was also a remote code execution that impacted multiple Zoho ManageEngine products (CVE-2022-35405), including Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus. According to Zoho, authentication is not required to exploit the vulnerability in Password Manager Pro and PAM360 products.

The most recently added 2 vulnerabilities impact the following 2 vendors/projects:

• Sophos Firewall (Code Injection Vulnerability; CVE-2022-3236)
• Zoho Manage Engine (Multiple Products Remote Code Execution Vulnerability; CVE-2022-35405)

The full catalog (downloadable in various formats) of 834 vulnerabilities (including 4 ICS/SCADA-specific known exploited vulnerabilities) can be accessed here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

September 20, 2022

On September 15, 2022, CISA added 6 vulnerabilities to its Known Exploited Vulnerabilities Catalog. The latest additions include CVE’s from 2010 – 2022 across 4 vendors/projects that threat actors are currently using to exploit systems that have not been patched yet. All of the additions have the customary 3 week remediation deadline for 10/6/2022.

Only 1 of the recent additions is for a 2022 vulnerability. The other 5 additions include 1 vulnerability from 2010 for Microsoft and 4 vulnerabilities from 2013 (3 for Linux and 1 for Code Aurora). The most notable is the Microsoft Windows Remote Code Execution Vulnerability (CVE-2010-2568) leveraging the improper handling of shortcuts, notably .LNK files. This vulnerability is most familiar due to its association with Stuxnet.

The most recently added 6 vulnerabilities impact the following 4 vendors/projects:

• Code Aurora
• Linux (3)
• Microsoft (the 2010 vulnerability exploited to deliver Stuxnet)
• Trend Micro

September 15, 2022

On September 8 and 14, 2022, CISA added a total of 14 vulnerabilities to its Known Exploited Vulnerabilities Catalog. The additions include CVE’s from 2011 – 2022 across 10 vendors/projects that threat actors are currently using to exploit systems that have not been patched yet. All of the additions have the customary 3 week remediation deadline for 9/25/2022 and 10/5/2022, respectively.

The 2 most recent additions for Apple and Microsoft products include a Windows privilege escalation vulnerability and an arbitrary code execution flaw affecting iPhones and Macs. Apple has confirmed that this vulnerability was a zero-day exploit leveraged prior to the development and distribution of the patch.

The most recently added 14 vulnerabilities impact the following 10 vendors/projects:

• Android
• Apple (2) – includes 1 zero-day
• D-Link (4)
• Fortinet
• Google
• Microsoft
• MicroTik
• NETGEAR
• Oracle
• QNAP

August 30, 2022

On August 25, 2022, CISA added 10 vulnerabilities to its Known Exploited Vulnerabilities Catalog. The additions include CVE’s from 2020 – 2022 across 8 vendors/projects that threat actors are currently using to exploit systems that have not been patched yet. All of the additions have the customary 3 week remediation deadline from the date of 9/15/2022.

This addition includes 1 ICS/SCADA vulnerability – Delta Electronics DOPSoft 2 – making a total of 4 ICS/SCADA impacting vulnerabilities that threat actors are currently exploiting on the KEVC.

NOTE: Delta Electronics DOPSoft 2 is end-of-life and will NOT receive an update to mitigate this vulnerability. Delta Electronics recommends users to switch to the replacement software when available. For more information on the Delta Electronics vulnerability, including recommended compensating controls to apply due to the lack of a patch, check out https://www.cisa.gov/uscert/ics/advisories/icsa-21-252-02).

The most recently added 10 vulnerabilities impact the following 8 vendors/projects:

• Apache (2)
• Apple
• Delta Electronics (ICS/SCADA impacting; this component will NOT be updated to mitigate this vulnerability)
• Dot CMS
• Grafana Labs
• Pear (2)
• VMware
• WebRTC

August 23, 2022

Pardon the latency in keeping this page updated during the past several weeks. During July and August the cadence had slowed down from the typical average volume of additions that CISA had been publishing. While this page hadn’t been updated, you can always find a note in the CISA ICS Vulnerability Advisories and Alerts, Updates, and Bulletins section of the Security & Resilience Update and in the Resource Center on WaterISAC’s portal.

Between July 12 and August 22, 2022, CISA has added 15 vulnerabilities to its Known Exploited Vulnerabilities Catalog. Uncharacteristically, most (14) of the additions are current year (2022) disclosed vulnerabilities including CVE’s from 2017 – 2022 across 8 vendors/projects that threat actors are currently using to exploit systems that have not been patched yet. All of the additions have the customary 3 week remediation deadline from the date originally posted to the catalog. While the majority of the 802 catalog entries impact IT environments, there are currently 3 ICS/SCADA impacting vulnerabilities that threat actors are currently exploiting.

The most recently added 15 vulnerabilities impact the following 8 vendors/projects:

• Apple (2)
• Atlassian
• Google
• Microsoft (4)
• Palo Alto Networks (2)
• RARLAB
• SAP
• Zimbra (3)

(Update July 5, 2022)

On July 1, 2022, CISA added 1 vulnerability to its Known Exploited Vulnerabilities Catalog. This most recent addition is for a Microsoft Windows LSA Spoofing Vulnerability (CVE-2022-26925) and has a 3 week remediation deadline/address by due date of 7/22/2022.

CISA has provided separate guidance for addressing Friday’s addition of the Microsoft vulnerability – Guidance on Applying June Microsoft Patch Tuesday Update for CVE-2022-26925.

While the majority of the 787 catalog entries impact IT environments, there are currently 3 ICS/SCADA impacting vulnerabilities that threat actors are currently exploiting.

CISA’s Known Exploited Vulnerabilities (KEV) Catalog is a highly recommended resource to help all organizations prioritize patching. To emphasize this process, CISA recently updated its KEV background page which corroborates the guidance that has been provided here on how organizations should use the KEV catalog as part of their vulnerability management program.

For more guidance on improving patching, visit the National Cybersecurity Center of Excellence (NCCoE) for two final publications: Special Publication (SP) 800-40 Revision 4, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology and SP 1800-31, Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways.

Members are encouraged to check the catalog and the regular updates for potentially impacted components in your environment and address accordingly.

The full catalog (downloadable in various formats) can be accessed here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog