The Cybersecurity and Infrastructure Security Agency (CISA) has added nine additional security flaws to its list of actively exploited bugs, including a VMware privilege escalation flaw and a Google Chrome zero-day that could be used to run remote code.
The VMware vulnerability (CVE-2022-22960) was patched on April 6; it allows attackers to escalate privileges to root on vulnerable servers because of incorrect permissions in support scripts.
A Chrome zero-day was also added to CISA's Known Exploited Vulnerabilities (KEV) catalog: a bug tracked as CVE-2022-1364 that allows remote code execution through a type confusion weakness in V8.
All Federal Civilian Executive Branch (FCEB) agencies must patch their systems against these security bugs after being added to CISA’s KEV list pursuant to a November binding operational directive (BOD 22-01).
They have three weeks, until May 6, to mitigate the flaws so that ongoing exploitation attempts are blocked.
CISA added seven more security vulnerabilities to its catalog today, all exploited in ongoing attacks.
| CVE | Vulnerability name | Due date |
|---|---|---|
| CVE-2022-22960 | Multiple VMware Product Privilege Escalation Vulnerability | 2022-05-06 |
| CVE-2022-1364 | Google Chromium V8 Confusion Vulnerability | 2022-05-06 |
| CVE-2019-3929 | Multiple Crestron Product Command Injection Vulnerability | 2022-05-06 |
| CVE-2019-16057 | D-Link DNS-320 Remote Code Execution Vulnerability | 2022-05-06 |
| CVE-2018-7841 | Schneider Electric U.motion Builder SQL Injection | 2022-05-06 |
| CVE-2016-4523 | Trihedral VTScada (formerly VTS) Denial of Service | 2022-05-06 |
| CVE-2014-0780 | InduSoft Web Studio NTWebServer Directory Traversal | 2022-05-06 |
| CVE-2010-5330 | Ubiquiti AirOS Command Injection Vulnerability | 2022-05-06 |
| CVE-2007-3010 | Alcatel OmniPCX Enterprise Remote Code Execution | 2022-05-06 |
On Thursday, CISA also added the critical VMware remote code execution bug (CVE-2022-22954), now used in attacks to deploy cryptominer payloads.
All US organizations are urged to prioritize these security updates
Although BOD 22-01 only applies to US FCEB agencies, CISA also urges all US private and public sector organizations to give higher priority to fixing these actively exploited bugs.
Taking this advice to heart should significantly reduce the attack surface that threat actors can use to attempt to breach their networks.
“These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose a significant risk to the federal enterprise,” CISA says.
Since issuing binding directive BOD 22-01, CISA has added hundreds of flaws to its catalog of actively exploited bugs, ordering US federal agencies to patch them as soon as possible to block attacks that exploit them.