CISA Adds Six Known Exploited Vulnerabilities to Catalog

Summary:

The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities Catalog, adding six new vulnerabilities that have been exploited in the wild. The catalog, established by Binding Operational Directive (BOD) 22-01, is a living list of common vulnerabilities and exposures (CVEs) that pose significant risks to the federal enterprise.

The new additions to the catalog are:

1. CVE-2023-38203: Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
2. CVE-2023-29300: Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
3. CVE-2023-27524: Apache Superset Insecure Default Initialization of Resource Vulnerability
4. CVE-2023-41990: Apple Multiple Products Code Execution Vulnerability
5. CVE-2016-20017: D-Link DSL-2750B Devices Command Injection Vulnerability
6. CVE-2023-23752: Joomla! Improper Access Control Vulnerability

These vulnerabilities are frequently used as attack vectors by malicious cyber actors, and their exploitation poses significant risks to federal agencies and other organizations. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect their networks against active threats.

While BOD 22-01 only applies to FCEB agencies, CISA strongly encourages all organizations to prioritize the timely remediation of vulnerabilities listed in the catalog as part of their vulnerability management practice. This is essential for reducing the risk of cyberattacks and protecting sensitive information.

CISA will continue to update the catalog with new vulnerabilities that meet specified criteria, providing organizations with essential information to stay ahead of emerging threats. By prioritizing vulnerability remediation and staying informed about known exploited vulnerabilities, organizations can significantly reduce their exposure to cyberattacks and ensure the security of their networks and data.