"Organizations Urged to Fix 41 Vulnerabilities Added to CISA’s Catalog of Exploited Flaws"

This week, the Cybersecurity and Infrastructure Security Agency (CISA) added 41 vulnerabilities to its catalog of known exploited flaws. CISA has urged all organizations to remediate these vulnerabilities promptly to "reduce their exposure to cyberattacks." Federal Civilian Executive Branch (FCEB) agencies are required by law to remediate every vulnerability in the catalog by its specified due date.

The newly added vulnerabilities span six years. The oldest, disclosed in 2016, is a Microsoft Internet Explorer information disclosure vulnerability, CVE-2016-0162. The most recent is a Cisco IOS XR open port vulnerability (CVE-2022-20821), which was fixed last week; it allows attackers to connect to the Redis instance listening on the open port and thereby gain access to the Redis instance running within the NOSi container. The Windows elevation of privilege vulnerability CVE-2020-0638 was disclosed in 2020 but was still being used by the Conti ransomware gang in its attacks on corporate networks this year. Other notable additions include two Android Linux kernel flaws, CVE-2021-1048 and CVE-2021-0920, which are only known to have been used in limited attacks against Android devices.

The remaining flaws, disclosed between 2018 and 2021, affect software products from Cisco, Microsoft, Apple, Google, Mozilla, Facebook, Adobe, and WebKitGTK. Federal agencies are required to patch the 21 vulnerabilities added on May 23 by June 13, while the 20 added on May 24 must be fixed by June 14.


Infosecurity reports: "Organizations Urged to Fix 41 Vulnerabilities Added to CISA’s Catalog of Exploited Flaws"
