CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation:
- CVE-2023-21608 Adobe Acrobat and Reader Use-After-Free Vulnerability
- CVE-2023-20109 Cisco IOS and IOS XE Group Encrypted Transport VPN Out-of-Bounds Write Vulnerability
- CVE-2023-41763 Microsoft Skype for Business Privilege Escalation Vulnerability
- CVE-2023-36563 Microsoft WordPad Information Disclosure Vulnerability
- CVE-2023-44487 HTTP/2 Rapid Reset Attack Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the "Date Added to Catalog" column, which will sort by descending dates.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.