The CISA has added 15 new security issues to its Catalog of Known Exploited Vulnerabilities. These vulnerabilities are used in frequent attack vectors aimed at federal agencies.
The catalog of known exploited vulnerabilities is part of the Binding Operational Directive (BOD) 22-01, aimed at improving vulnerability management for federal civilian agencies and reducing security risks.
Old bugs at work, otherwise
The agency issued a new list of known exploited vulnerabilities after discovering evidence that the security flaws are actively being used in ongoing attacks.
Out of 15 entries, only four are recent and the rest are several years old.
The oldest flaw is from 2013, which is tracked as CVE-2013-3900, affecting Windows versions starting XP SP2 to Server 2012.
Another vulnerability is from 2015, an RCE flaw in IBM Server Hy Server Hypervisor Edition and WebSphere Application Server, tracked as CVE-2015-7450.
The body demands three flaws to be remediated by federal civilian agencies before January 24, while the rest by July 10.
The table of known vulnerabilities
The agency has provided a list of known vulnerabilities in multiple products from various vendors, including Oracle, Hikvision, FatPipe, VMware, Palo Alto Networks, Fortinet, and IBM, among others.
Moreover, the list includes a few vulnerabilities with Medium severity: CVE-2021-22017 (VMware vCenter Server) and CVE-2018-13383 (Fortinet FortiOS).
Conclusion
The recent alert points to the fact that ongoing cyberattacks are actively exploiting old vulnerabilities. The CISA strongly recommends all organizations patch the vulnerabilities listed in the catalog. Moreover, it is recommended to implement a proper patch management program for better protection.