"CISA Warns Against Actively Exploited Chrome and D-Link Security Flaws"

The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) has added 12 new security flaws to its Known Exploited Vulnerabilities (KEV) database, including two critical D-Link flaws and two zero-day vulnerabilities in Google Chrome and the QNAP Photo Station. On September 2, Google released an emergency security update for the Chrome zero-day vulnerability, CVE-2022-3075, which is said to be its sixth zero-day Chrome flaw in 2022. On September 5, QNAP NAS announced that it had fixed CVE-2022-27593, a zero-day bug in its Photo Station software. The update follows a DeadBolt ransomware attack. Two critical D-Link security flaws, CVE-2022-28958 and CVE-2022-26258, can act as backdoors for the Mirai-based MooBot botnet, allowing it to gain complete control over unpatched devices. Due to the severity of the vulnerabilities, all Federal Civilian Executive Branch (FCEB) agencies are required to patch their systems against the security flaws in accordance with the Binding Operational Directive (BOD 22-01) issued in November. The deadline for distributing patches is September 29. While DHS' BOD 22-01 only applies to FCEB agencies, the cybersecurity agency strongly advises US organizations in both the private and public sectors to prioritize patching in order to limit future attacks. Since issuing its binding directive in November, CISA has added 800 security flaws to its catalog of bugs exploited in attacks, requiring federal agencies to fix them more frequently. This article continues to discuss the recent addition of 12 security flaws to CISA's KEV catalog.

ITPro reports "CISA Warns Against Actively Exploited Chrome and D-Link Security Flaws"
