The Cybersecurity and Infrastructure Security Agency (CISA) added two more vulnerabilities to its list of actively exploited bugs: a code injection bug in the Spring Cloud Gateway library and a command injection flaw in the Zyxel firmware for business firewall and VPN devices.
The Spring Framework vulnerability (CVE-2022-22947) is a maximum-severity weakness that attackers can abuse to obtain remote code execution on unpatched hosts.
This critical bug is currently being exploited by a botnet known as Sysrv to install cryptomining malware on vulnerable Windows and Linux servers.
Hackers are also exploiting a critical Zyxel firmware vulnerability (CVE-2022-30525), which was patched on May 12 and actively exploited from the following day, May 13.
Rapid7 found over 15,000 vulnerable Zyxel products exposed to the internet, while the Shadowserver Foundation spotted at least 20,000 potentially impacted devices.
Since exploitation began, NSA Director of Cybersecurity Rob Joyce has also warned administrators about the ongoing attacks and urged them to update the firmware on their Zyxel firewalls if they are vulnerable.
Federal agencies have three weeks to patch
According to a November Binding Operational Directive (BOD 22-01) issued by CISA to reduce the risk of known exploited bugs on US federal networks, all civilian federal executive branch agencies (FCEBs) must patch their systems against bugs added to CISA's Known Exploited Vulnerabilities (KEV) Catalog.
CISA has given them three weeks, until June 6, to fix these flaws and block ongoing exploitation attempts.
Although BOD 22-01 only applies to US FCEB agencies, CISA also strongly urged all US private and public sector organizations to prioritize fixing these actively exploited bugs.
Following the agency’s advice should notably reduce the attack surface that threat actors can exploit to try to break into vulnerable networks.
Last week, CISA also added an actively exploited Windows LSA spoofing zero-day (CVE-2022-26925), now confirmed as a new PetitPotam Windows NTLM relay attack vector.
However, this Windows security flaw was removed from the KEV catalog after Microsoft's May 2022 Patch Tuesday updates were found to be triggering Active Directory (AD) authentication issues on domain controllers.
Update: Corrected title incorrectly mentioning a VMware bug.