CISA Adds Five Known Vulnerabilities to Catalog

Summary of the Document

The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities Catalog by adding five new vulnerabilities that have been identified as being actively exploited. The new vulnerabilities are:

CVE-2023-21608: Adobe Acrobat and Reader Use-After-Free Vulnerability
CVE-2023-20109: Cisco IOS and IOS XE Group Encrypted Transport VPN Out-of-Bounds Write Vulnerability
CVE-2023-41763: Microsoft Skype for Business Privilege Escalation Vulnerability
CVE-2023-36563: Microsoft WordPad Information Disclosure Vulnerability
* CVE-2023-44487: HTTP/2 Rapid Reset Attack Vulnerability

These types of vulnerabilities are considered to be high-risk and frequent attack vectors for malicious cyber actors, posing significant risks to the federal enterprise. In fact, the Known Exploited Vulnerabilities Catalog is a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise, as established by the Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities.

As per the directive, Federal Civilian Executive Branch (FCEB) agencies are required to remediate identified vulnerabilities by the due date to protect their networks against active threats. Interestingly, while the directive only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.

The agency will continue to add vulnerabilities to the catalog that meet the specified criteria, highlighting the importance of staying up-to-date with the latest vulnerabilities and remediation efforts to ensure the security of organizational networks. Organizations are advised to review the catalog regularly and take necessary steps to remediate identified vulnerabilities to minimize the risk of cyberattacks.