The United States’ Cybersecurity and Infrastructure Security Agency (CISA) added 95 new vulnerabilities to its Known Exploited Vulnerabilities Catalog this week, bringing the total number of actively exploited vulnerabilities it tracks to 478.
In a March 3, 2022 alert, the agency stated, “These types of vulnerabilities are a common attack vector for malevolent cyber actors and represent significant risk to the federal organisation.”
There are 38 Cisco vulnerabilities, 27 Microsoft vulnerabilities, 16 Adobe vulnerabilities, seven Oracle vulnerabilities, and one each for Apache Tomcat, ChakraCore, Exim, Mozilla Firefox, Linux Kernel, Siemens SIMATIC CP, and Treck TCP/IP stack.
Five of the vulnerabilities affect Cisco RV routers and, according to CISA, are being exploited in real-world attacks. The flaws, which were disclosed early last month, allow arbitrary code to be executed with root privileges.
Three of the vulnerabilities – CVE-2022-20699, CVE-2022-20700, and CVE-2022-20708 – have a CVSS rating of 10 out of 10, allowing an attacker to inject malicious commands, elevate privileges to root, and run arbitrary code on susceptible systems.
CVE-2022-20701 (CVSS score: 9.0) and CVE-2022-20703 (CVSS score: 9.3) are similar, as they can be used to “execute arbitrary code, elevate privileges, overcome authentication and authorisation restrictions, fetch and run unsigned software, or cause a denial of service,” according to CISA.
Cisco, for one, has already stated that it is “aware that proof-of-concept exploit code for several of the vulnerabilities is available.” The nature of the attacks, as well as the threat actors who may be weaponizing them, is unknown at this time.
Federal agencies in the United States are required to apply the fixes by March 17, 2022, to reduce the significant risk posed by these vulnerabilities and prevent them from being used as a vector for future cyber-attacks.
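To turn an announcement like this into a patch queue, a defender normally reads CISA's KEV JSON feed directly rather than the press coverage. The Python below is added here as an illustration and is not part of this article or of any CISA tooling: it parses a constructed sample in the feed's shape (field names as in the published feed), tallies entries per vendor, and lists the CVE IDs due on or before a given date; the Microsoft entry uses a placeholder CVE ID because the article gives none.

```python
import json
from collections import Counter
from datetime import date


def _entry(cve, vendor, product, name, due):
    """Build one feed-shaped entry. All values here are constructed sample data."""
    return {"cveID": cve, "vendorProject": vendor, "product": product,
            "vulnerabilityName": name, "dateAdded": "2022-03-03",
            "shortDescription": "Constructed sample entry.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": due, "notes": ""}


# Constructed sample in the shape of CISA's KEV JSON feed (not a copy of the catalog).
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2022.03.03", "count": 4,
    "vulnerabilities": [
        _entry("CVE-2022-20699", "Cisco", "RV Series Routers", "Cisco RV router vulnerability", "2022-03-17"),
        _entry("CVE-2022-20700", "Cisco", "RV Series Routers", "Cisco RV router vulnerability", "2022-03-17"),
        _entry("CVE-2022-20708", "Cisco", "RV Series Routers", "Cisco RV router vulnerability", "2022-03-17"),
        # Placeholder CVE ID: the article names no Microsoft identifiers.
        _entry("CVE-0000-00000", "Microsoft", "Windows", "Placeholder entry", "2022-09-03"),
    ],
})


def load_kev(feed_text):
    """Parse a KEV feed document and return its list of vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]


def count_by_vendor(entries):
    """Entries per vendorProject, so the largest patch batches stand out."""
    return Counter(e["vendorProject"] for e in entries)


def due_on_or_before(entries, deadline_iso):
    """CVE IDs whose dueDate is on or before the given ISO-8601 date, soonest first."""
    deadline = date.fromisoformat(deadline_iso)
    hits = [e for e in entries if date.fromisoformat(e["dueDate"]) <= deadline]
    hits.sort(key=lambda e: (e["dueDate"], e["cveID"]))
    return [e["cveID"] for e in hits]


if __name__ == "__main__":
    entries = load_kev(KEV_SAMPLE)
    for vendor, n in count_by_vendor(entries).most_common():
        print(f"{vendor}: {n}")
    print("due by 2022-03-17:", due_on_or_before(entries, "2022-03-17"))
```

Pointing `load_kev` at the real feed instead of `KEV_SAMPLE` gives the same vendor tally and due-date queue over the full catalog.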
The news comes only days after Cisco patched key security vulnerabilities in the Expressway Series and Cisco TelePresence Video Communication Server (VCS) that could allow a hostile actor to obtain elevated access and execute arbitrary code.