"CISA Orders Agencies to Patch New Windows Zero-Day Used in Attacks"

The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) has updated its list of actively exploited bugs to include a vulnerability in the Windows Client/Server Runtime Subsystem (CSRSS). This high-severity security flaw, tracked as CVE-2022-22047, affects both server and client Windows platforms, including the most recent Windows 11 and Windows Server 2022 releases. Microsoft patched it as part of the July 2022 Patch Tuesday, and it was labeled a zero-day because it was used in attacks before a fix was available. Microsoft explained that an attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

CISA has given the agencies three weeks, until August 2nd, to patch the actively exploited CVE-2022-22047 vulnerability and block ongoing attacks that could target their systems. According to a binding operational directive (BOD 22-01) issued in November, all Federal Civilian Executive Branch (FCEB) agencies are required to secure their networks against security flaws added to CISA's catalog of Known Exploited Vulnerabilities (KEV).

Although the BOD 22-01 directive only applies to US federal agencies, CISA urges all organizations in the US to fix this Windows CSRSS elevation-of-privilege bug in order to prevent attackers from escalating privileges on unpatched Windows systems. This article continues to discuss the Windows CSRSS vulnerability that CISA is ordering agencies to patch immediately.
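The KEV catalog that BOD 22-01 refers to is published as a machine-readable JSON feed, and the practical task for a defender is to turn each new entry into a dated remediation deadline. The following Python script is an added example, not code from the article, from CISA or from Microsoft: it parses a catalog in the KEV JSON layout (the field names cveID, vendorProject, product, vulnerabilityName, dateAdded, shortDescription, requiredAction and dueDate follow the public feed) and sorts entries into overdue, due soon and later. The catalog contents are constructed sample data: the CVE id and the August 2nd due date come from the article, the dateAdded values are assumed, and the second entry is a placeholder that only exists to exercise the overdue path.

```python
"""Offline triage of a CISA KEV-format catalog (added example, constructed data)."""
from datetime import date, timedelta
import json

# Constructed sample catalog in the KEV JSON layout. Only CVE-2022-22047 and
# its 2022-08-02 due date come from the article; every other value is assumed.
SAMPLE_KEV_JSON = json.dumps({
    "title": "Sample KEV catalog (constructed)",
    "catalogVersion": "2022.07.12",
    "dateReleased": "2022-07-12T00:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2022-22047",
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Windows CSRSS elevation of privilege (sample)",
            "dateAdded": "2022-07-12",          # assumed date of addition
            "shortDescription": "Windows CSRSS contains a privilege escalation flaw.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-08-02",            # deadline stated in the article
        },
        {
            "cveID": "CVE-0000-00000",          # placeholder id, not a real CVE
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder entry (constructed)",
            "dateAdded": "2022-06-01",
            "shortDescription": "Constructed entry used to exercise the overdue path.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-06-22",
        },
    ],
})


def load_kev(raw):
    """Parse a KEV-format JSON document and return its list of entries."""
    data = json.loads(raw)
    return data["vulnerabilities"]


def find_cve(entries, cve_id):
    """Return the catalog entry for a CVE id (case-insensitive), or None."""
    for entry in entries:
        if entry["cveID"].upper() == cve_id.upper():
            return entry
    return None


def remediation_window_days(entry):
    """Days between the date an entry was added and its due date."""
    added = date.fromisoformat(entry["dateAdded"])
    due = date.fromisoformat(entry["dueDate"])
    return (due - added).days


def triage(entries, today, window_days=7):
    """Bucket entries by due date relative to `today`.

    overdue:  due date already passed
    due_soon: due within `window_days` days (inclusive)
    later:    everything else
    """
    buckets = {"overdue": [], "due_soon": [], "later": []}
    for entry in entries:
        due = date.fromisoformat(entry["dueDate"])
        if due < today:
            buckets["overdue"].append(entry["cveID"])
        elif due - today <= timedelta(days=window_days):
            buckets["due_soon"].append(entry["cveID"])
        else:
            buckets["later"].append(entry["cveID"])
    return buckets


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    csrss = find_cve(catalog, "cve-2022-22047")
    print(csrss["cveID"], "remediation window:", remediation_window_days(csrss), "days")
    print(triage(catalog, date(2022, 7, 28)))
```

In practice the raw JSON would come from CISA's published KEV feed rather than the embedded sample, and the triage output would be joined against an asset inventory to find which hosts still lack the July 2022 update; the bucket logic itself does not change.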

Bleeping Computer reports "CISA Orders Agencies to Patch New Windows Zero-Day Used in Attacks"
