CISA alerts federal agencies of ancient bugs still being exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its list of known exploited vulnerabilities with 15 new security issues that serve as a frequent attack vector against federal enterprises.

The latest additions vary in severity and age: some are rated only medium severity, and the oldest was disclosed in 2013.

Combined with factors such as an existing foothold on the network, outdated and unpatched devices, or exposure to the public internet, these vulnerabilities leave a serious security gap that adversaries can exploit.

Ancient bugs on the list

CISA added the new entries to its Known Exploited Vulnerabilities Catalog after finding evidence that they are being used in ongoing attacks.

Of the 15 entries, only four are recent: three from 2021 and one from 2020. The rest are more than two years old, the oldest of them from 2013 – a bug in the WinVerifyTrust function tracked as CVE-2013-3900, which affects Windows versions from XP SP2 to Server 2012. The flaw lets an attacker append data to the certificate table of an Authenticode-signed executable without invalidating its signature. Microsoft's 2013 fix is opt-in: the stricter padding check only takes effect after the EnableCertPaddingCheck registry value is set, which is one reason the bug remains usable years later.
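To make the WinVerifyTrust issue concrete, the following is an added example (not code from this article, from CISA, or from Microsoft): a Python checker that walks a PE file's attribute certificate table and reports any bytes sitting after the PKCS#7 SignedData blob inside the WIN_CERTIFICATE entry. Those are the bytes that a vulnerable WinVerifyTrust left unverified, so a binary carrying them keeps a valid signature while carrying attacker-controlled data. The build_test_pe helper and its placeholder DER content are constructed test data, not real signed binaries, and the tolerance rule (up to seven zero alignment bytes are fine, anything else is flagged) is this example's own heuristic, not Microsoft's implementation.

```python
import struct

# Offset of IMAGE_DIRECTORY_ENTRY_SECURITY (index 4) inside the optional header.
# Data directories start at 96 for PE32 (magic 0x10B) and 112 for PE32+ (0x20B).
_SECURITY_DIR_OFFSET = {0x10B: 96 + 4 * 8, 0x20B: 112 + 4 * 8}
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def der_total_length(blob: bytes) -> int:
    """Return the encoded size (tag + length octets + content) of the DER
    element at the start of blob, or -1 if its length field is malformed."""
    if len(blob) < 2:
        return -1
    first = blob[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def check_authenticode_padding(pe: bytes) -> dict:
    """Locate the attribute certificate table of a PE image and report bytes
    that trail the PKCS#7 SignedData inside the WIN_CERTIFICATE entry."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in _SECURITY_DIR_OFFSET:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # For the security directory the first field is a file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", pe, opt + _SECURITY_DIR_OFFSET[magic])
    if cert_off == 0 or cert_size == 0:
        return {"signed": False}
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", pe, cert_off)
    payload = pe[cert_off + 8:cert_off + dw_length]      # bCertificate
    der_len = der_total_length(payload)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or der_len < 0 or der_len > len(payload):
        raise ValueError("malformed WIN_CERTIFICATE")
    trailing = payload[der_len:]
    # Up to 7 zero bytes of 8-byte alignment padding are expected; any other
    # trailing content is data the Authenticode hash never covered.
    suspicious = len(trailing) > 7 or any(trailing)
    return {"signed": True, "der_len": der_len,
            "trailing_bytes": len(trailing), "suspicious": suspicious}


def build_test_pe(extra: bytes = b"") -> bytes:
    """Construct a minimal headers-only PE32+ image whose security directory
    points at a WIN_CERTIFICATE holding a placeholder DER SEQUENCE followed by
    `extra`. Constructed test data only; it is not a valid signed binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    der = bytes([0x30, 0x05, 0x06, 0x03, 0x2A, 0x03, 0x04]) # SEQUENCE { OID 1.2.3.4 }
    body = der + extra
    body += b"\0" * (-len(body) % 8)                        # pad entry to 8 bytes
    win_cert = struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    cert_off = 0x200
    struct.pack_into("<II", opt, _SECURITY_DIR_OFFSET[0x20B], cert_off, len(win_cert))
    image = bytearray(dos + b"PE\0\0" + coff + opt)
    image += b"\0" * (cert_off - len(image))
    return bytes(image + win_cert)


if __name__ == "__main__":
    print("clean:   ", check_authenticode_padding(build_test_pe()))
    print("tampered:", check_authenticode_padding(build_test_pe(b"APPENDED CONFIG")))
```

Against a real binary, pass the file's bytes to check_authenticode_padding; a "suspicious" result means the certificate table holds content the signature does not cover, which is worth a closer look regardless of what the signature verifies to. On Windows the authoritative check remains WinVerifyTrust itself once EnableCertPaddingCheck is set; this script is for triage on any platform.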

Another aged vulnerability is from 2015: a remote code execution flaw in IBM WebSphere Application Server and Server Hypervisor Edition, identified as CVE-2015-7450 (the Apache Commons Collections Java deserialization bug) and rated critical (severity 9.8 out of 10).

The table below lists all the vulnerabilities that CISA wants federal agencies to remediate by the stated due dates to boost defenses against active threats. CISA recommends applying the available updates according to vendor instructions.

CVE identifier     Description                                                                                             Remediation due date   NVD severity rating
CVE-2021-22017     VMware vCenter Server Improper Access Control Vulnerability                                             1/24/2022              5.3 (medium)
CVE-2021-36260     Hikvision Improper Input Validation Vulnerability                                                       1/24/2022              9.8 (critical)
CVE-2021-27860     FatPipe WARP, IPVPN, and MPVPN Privilege Escalation Vulnerability                                       1/24/2022              8.8 (high)
CVE-2020-6572      Google Chrome prior to 81.0.4044.92 Use-After-Free Vulnerability                                        7/10/2022              8.8 (high)
CVE-2019-1458      Microsoft Win32K Elevation of Privilege Vulnerability                                                   7/10/2022              7.8 (high)
CVE-2019-7609      Elastic Kibana Remote Code Execution Vulnerability                                                      7/10/2022              10.0 (critical)
CVE-2019-2725      Oracle WebLogic Server Injection Vulnerability                                                          7/10/2022              9.8 (critical)
CVE-2019-9670      Synacor Zimbra Collaboration Suite Improper Restriction of XML External Entity Reference Vulnerability  7/10/2022              9.8 (critical)
CVE-2019-10149     Exim Mail Transfer Agent (MTA) Improper Input Validation Vulnerability                                  7/10/2022              9.8 (critical)
CVE-2019-1579      Palo Alto Networks PAN-OS Remote Code Execution Vulnerability                                           7/10/2022              8.1 (high)
CVE-2018-13383     Fortinet FortiOS and FortiProxy Improper Authorization Vulnerability                                    7/10/2022              6.5 (medium)
CVE-2018-13382     Fortinet FortiOS and FortiProxy Improper Authorization Vulnerability                                    7/10/2022              7.5 (high)
CVE-2017-1000486   Primetek Primefaces Application Remote Code Execution Vulnerability                                     7/10/2022              9.8 (critical)
CVE-2015-7450      IBM WebSphere Application Server and Server Hypervisor Edition Remote Code Execution Vulnerability      7/10/2022              9.8 (critical)
CVE-2013-3900      Microsoft WinVerifyTrust Signature Validation Vulnerability                                             7/10/2022              N/A

CISA’s catalog of known exploited vulnerabilities is part of the Binding Operational Directive (BOD) 22-01 for reducing security risks and for better vulnerability management.

Under this directive, federal civilian executive branch agencies must identify which of their systems are affected by the catalog entries and remediate them by the listed due dates.

Although the catalog is aimed mainly at federal civilian agencies, it is a good reference for organizations of all types to reduce their exposure to cyber risks.