The US Cybersecurity and Infrastructure Security Agency (CISA) has added 17 new vulnerabilities to its list of “Known Exploited Vulnerabilities Catalog.”
These vulnerabilities are actively being exploited in the wild, so the agency wants its offices under the Federal Civilian Executive Branch to guard against them by mitigating through patches or workarounds. 10 out of the 17 listed are needed to be secured by the first week of February, said CISA.
CISA’s Known Exploited Vulnerabilities Catalog
Periodically, the Cybersecurity and Infrastructure Security Agency (CISA) of the US publishes an updated ‘Known Exploited Vulnerabilities Catalog,’ where it lists security vulnerabilities that are actively being exploited at that time. And this week, the agency has added 17 new vulnerabilities to the list.
These, as per CISA, will allow threat actors to perform various attacks like remotely executing commands, stealing credentials and senstive information, gaining access to networks, and downloading and executing malware. As these are being abused in the wild, CISA wants its Federal Civilian Executive Branch (FCEB) agencies to act on them immediately.
10 among the total 17 new vulnerabilities added now are of high-risk nature. So CISA said these 10 notable vulnerabilities needed to be patched by the first week of February. In total, the 17 vulnerabilities added to the new Binding Operational Directive (BOD) 22-01 are;
| CVE Number | CVE Title | Required Action Due Date |
| CVE-2021-32648 | October CMS Improper Authentication | 2/1/2022 |
| CVE-2021-21315 | System Information Library for node.js Command Injection Vulnerability | 2/1/2022 |
| CVE-2021-21975 | Server Side Request Forgery in vRealize Operations Manager API Vulnerability | 2/1/2022 |
| CVE-2021-22991 | BIG-IP Traffic Microkernel Buffer Overflow Vulnerability | 2/1/2022 |
| CVE-2021-25296 | Nagios XI OS Command Injection Vulnerability | 2/1/2022 |
| CVE-2021-25297 | Nagios XI OS Command Injection Vulnerability | 2/1/2022 |
| CVE-2021-25298 | Nagios XI OS Command Injection Vulnerability | 2/1/2022 |
| CVE-2021-33766 | Microsoft Exchange Server Information Disclosure Vulnerability | 2/1/2022 |
| CVE-2021-40870 | Aviatrix Controller Unrestricted Upload of File Vulnerability | 2/1/2022 |
| CVE-2021-35247 | SolarWinds Serv-U Improper Input Validation Vulnerability | 02/04/2022 |
| CVE-2020-11978 | Apache Airflow Command Injection Vulnerability | 7/18/2022 |
| CVE-2020-13671 | Drupal Core Unrestricted Upload of File Vulnerability | 7/18/2022 |
| CVE-2020-13927 | Apache Airflow Experimental API Authentication Bypass Vulnerability | 7/18/2022 |
| CVE-2020-14864 | Oracle Corporate Business Intelligence Enterprise Edition Path Traversal Vulnerability | 7/18/2022 |
| CVE-2006-1547 | Apache Struts 1 ActionForm Denial of Service Vulnerability | 07/21/2022 |
| CVE-2012-0391 | Apache Struts 2 Improper Input Validation Vulnerability | 07/21/2022 |
| CVE-2018-8453 | Microsoft Windows Win32k Privilege Escalation Vulnerability | 07/21/2022 |
This disclosure aims to reduce the significant risk of known exploited vulnerabilities, says CISA. The updated list now has about 341 vulnerabilities in total.
