The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal civilian agencies to patch a Google Chrome zero-day and a critical Redis vulnerability within the next three weeks, both actively exploited in the wild.
According to a Google advisory published on Friday, the Chrome zero-day security flaw (tracked as CVE-2022-1096) is a high severity type confusion weakness in the Chrome V8 JavaScript engine that could allow threat actors to execute arbitrary code on targeted devices.
The Muhstik malware gang has added a dedicated spreader exploit for the Redis Lua sandbox escape vulnerability (tracked as CVE-2022-0543) after a proof-of-concept (PoC) exploit was publicly released on March 10th.
According to a binding operational directive (BOD 22-01) issued in November, Federal Civilian Executive Branch (FCEB) agencies must secure their systems against these vulnerabilities, with CISA giving them until April 18th to patch.
"These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise," the U.S. cybersecurity agency explained.
CISA added 30 more vulnerabilities to its Known Exploited Vulnerabilities Catalog today, alongside the Chrome and Redis bugs, based on evidence that they are also exploited in the wild.
Although BOD 22-01 only applies to FCEB agencies, CISA also urges private and public sector organizations to prioritize mitigation of these flaws to reduce exposure to ongoing cyberattacks.
Monday Message: 32 #CVEs have been added to @CISAgov's Known Exploited Vulnerabilities Catalog. Check out https://t.co/cP9XK7ccp8 TODAY and remediate the latest #vulnerabilities by April 18, 2022! #VulnerabilityManagement #KEV #CriticalPatch
— US-CERT (@USCERT_gov) March 28, 2022
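To act on a KEV update like this one in your own environment, the following added example (not code from the article or from CISA) parses a feed in the shape CISA publishes at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, lists the entries due by a given date, and joins them against a host inventory to flag what is overdue. The feed excerpt, the inventory, and the due date shown for CVE-2022-21999 are constructed sample data; only the April 18 deadline for the Chrome and Redis entries comes from the article.

```python
"""Triage CISA KEV entries against a local asset inventory by remediation due date.

Added example; not the article's or CISA's code. The real feed uses the field
names below (cveID, vendorProject, product, vulnerabilityName, dateAdded,
shortDescription, requiredAction, dueDate); the data here is a constructed excerpt.
"""
import json
from datetime import date
from typing import Dict, List, Set, Union

# Constructed excerpt in the shape of the real KEV feed. Descriptions are
# paraphrased, and the due date for CVE-2022-21999 is an assumption for the demo.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2022.03.28",
  "dateReleased": "2022-03-28T00:00:00.0000Z",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2022-1096", "vendorProject": "Google", "product": "Chromium V8",
     "vulnerabilityName": "Google Chromium V8 Type Confusion Vulnerability",
     "dateAdded": "2022-03-28", "shortDescription": "Type confusion in the V8 engine.",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-04-18"},
    {"cveID": "CVE-2022-0543", "vendorProject": "Redis", "product": "Redis",
     "vulnerabilityName": "Redis Lua Sandbox Escape Vulnerability",
     "dateAdded": "2022-03-28", "shortDescription": "Lua sandbox escape.",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-04-18"},
    {"cveID": "CVE-2022-21999", "vendorProject": "Microsoft", "product": "Windows Print Spooler",
     "vulnerabilityName": "Microsoft Windows Print Spooler Privilege Escalation Vulnerability",
     "dateAdded": "2022-03-25", "shortDescription": "Local privilege escalation.",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-04-15"}
  ]
}
"""

# Constructed inventory: host -> CVE IDs a scanner reported on it.
SAMPLE_INVENTORY: Dict[str, Set[str]] = {
    "web-01": {"CVE-2022-0543", "CVE-2021-44228"},   # CVE-2021-44228 is not in the excerpt above
    "ws-17": {"CVE-2022-1096", "CVE-2022-21999"},
}


def _as_date(d: Union[str, date]) -> date:
    """Accept either a date or an ISO-8601 string (the feed's own format)."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def load_kev(feed_text: str) -> List[dict]:
    """Parse the KEV feed JSON and return its entries with dates parsed."""
    entries = []
    for v in json.loads(feed_text)["vulnerabilities"]:
        e = dict(v)
        e["dateAdded"] = date.fromisoformat(v["dateAdded"])
        e["dueDate"] = date.fromisoformat(v["dueDate"])
        entries.append(e)
    return entries


def due_by(entries: List[dict], deadline: Union[str, date]) -> List[dict]:
    """Entries whose CISA remediation deadline is on or before `deadline`, soonest first."""
    deadline = _as_date(deadline)
    return sorted((e for e in entries if e["dueDate"] <= deadline),
                  key=lambda e: (e["dueDate"], e["cveID"]))


def triage(entries: List[dict], inventory: Dict[str, Set[str]],
           as_of: Union[str, date]) -> List[dict]:
    """Join KEV entries against a host -> {CVE IDs} inventory.

    Returns one row per (host, CVE) that is in the catalog, with days remaining
    until the CISA due date (negative means overdue), most urgent first.
    CVEs not in the catalog carry no BOD 22-01 deadline and are skipped.
    """
    as_of = _as_date(as_of)
    by_cve = {e["cveID"]: e for e in entries}
    rows = []
    for host, cves in inventory.items():
        for cve in cves:
            e = by_cve.get(cve)
            if e is None:
                continue
            days_left = (e["dueDate"] - as_of).days
            rows.append({"host": host, "cveID": cve, "dueDate": e["dueDate"].isoformat(),
                         "daysLeft": days_left, "overdue": days_left < 0})
    rows.sort(key=lambda r: (r["daysLeft"], r["host"], r["cveID"]))
    return rows


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    print("KEV entries due by 2022-04-18:")
    for e in due_by(kev, "2022-04-18"):
        print(f"  {e['dueDate']}  {e['cveID']}  {e['vulnerabilityName']}")
    print("Inventory triage as of 2022-04-20:")
    for r in triage(kev, SAMPLE_INVENTORY, "2022-04-20"):
        print(f"  {'OVERDUE' if r['overdue'] else 'due':7} {r['daysLeft']:+d}d  {r['host']}  {r['cveID']}")
```

In practice, replace SAMPLE_KEV_JSON with the downloaded feed and SAMPLE_INVENTORY with your scanner's export; the join is by CVE ID, so any inventory that reports CVE IDs per host works unchanged.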
Hundreds of security flaws under active exploitation
CISA has added hundreds of vulnerabilities to its catalog of actively exploited bugs this year, ordering federal agencies to patch them as soon as possible to avoid security breaches.
Last Friday, the agency added 66 other bugs exploited in attacks, including a Windows Print Spooler privilege escalation flaw (CVE-2022-21999) that lets a local user run code as SYSTEM.
CISA also added a Mitel TP-240 VoIP interface flaw (CVE-2022-26143) exploited for record-breaking DDoS amplification, with an amplification ratio of roughly 4.3 billion to 1.
Since the start of 2022, the cybersecurity agency has ordered federal civilian agencies to patch actively exploited zero-days in: