The Cybersecurity and Infrastructure Security Agency (CISA) has added 95 new critical flaws to its catalogue of actively exploited security vulnerabilities. According to reports, this update is one of the largest batches of CVEs added to CISA’s catalogue since the binding operational directive was issued in late November 2021.
CISA has given organisations about a month to patch the 95 newly added vulnerabilities. Eight of these flaws carry a critical severity score of 9.8, close to the maximum of 10.
Most of the required fixes are due on March 24th because they fall into the recently discovered category, while some of the flaws are a decade or more old.
Among the vulnerabilities CISA listed are CVE-2022-20699 (Cisco routers), CVE-2020-1938 (Apache Tomcat), CVE-2019-16928 (Exim), CVE-2018-0151 (Cisco IOS), CVE-2022-20701, CVE-2022-20700, CVE-2022-20708 and CVE-2022-20703.
Other affected products come from Oracle, Linux, Adobe, Mozilla, the Treck TCP/IP stack, ChakraCore, Siemens and Microsoft (Office/Windows).
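The practical task behind a catalogue update like this one is matching the CVEs present in your own environment against the catalogue and ordering them by remediation deadline. The following script is an added example, not code from the article or from CISA: it parses a small constructed feed extract in the shape of the public KEV JSON (the field names cveID, vendorProject, product, dateAdded and dueDate match the real feed, but every vendor, product and date value below is made up), then triages a constructed list of CVEs reported by a scanner into overdue, due and not-in-catalogue buckets.

```python
"""Triage CVEs found in an environment against a KEV-format catalogue.

Added example; not code from the article or from CISA. The record shape
follows the public KEV JSON feed, but all values in SAMPLE_KEV_JSON are
constructed for illustration (CVE IDs are ones the article names).
"""
import json
from datetime import date, datetime

# Constructed sample in the shape of the KEV JSON feed. Dates and product
# strings are made up; do not treat them as the real catalogue entries.
SAMPLE_KEV_JSON = json.dumps({
    "title": "Sample KEV extract (constructed)",
    "vulnerabilities": [
        {"cveID": "CVE-2022-20699", "vendorProject": "Cisco",
         "product": "RV Series Routers", "dateAdded": "2022-03-03",
         "dueDate": "2022-03-17"},
        {"cveID": "CVE-2020-1938", "vendorProject": "Apache",
         "product": "Tomcat", "dateAdded": "2022-03-03",
         "dueDate": "2022-03-17"},
        {"cveID": "CVE-2016-4117", "vendorProject": "Adobe",
         "product": "Flash Player", "dateAdded": "2022-03-03",
         "dueDate": "2022-03-24"},
        {"cveID": "CVE-2002-0367", "vendorProject": "Microsoft",
         "product": "Windows NT/2000", "dateAdded": "2022-03-03",
         "dueDate": "2022-03-24"},
    ],
})


def load_kev(feed_text: str) -> dict:
    """Parse a KEV-format JSON document into a {cveID: record} map."""
    feed = json.loads(feed_text)
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def _parse(day: str) -> date:
    """Parse the feed's YYYY-MM-DD date strings."""
    return datetime.strptime(day, "%Y-%m-%d").date()


def triage(kev: dict, inventory: list, today: date) -> list:
    """Return one row per inventory CVE, most urgent first.

    status is "overdue" (negative days_left), "due" (days until the
    catalogue deadline) or "not_in_kev". CVEs absent from the catalogue
    are still reported so they are not silently dropped from review.
    """
    rows = []
    for cve in inventory:
        rec = kev.get(cve)
        if rec is None:
            rows.append({"cve": cve, "status": "not_in_kev",
                         "days_left": None})
            continue
        days_left = (_parse(rec["dueDate"]) - today).days
        rows.append({
            "cve": cve,
            "status": "overdue" if days_left < 0 else "due",
            "days_left": days_left,
            "product": f'{rec["vendorProject"]} {rec["product"]}',
        })

    # Overdue first (most negative), then nearest deadline, then anything
    # the catalogue does not list.
    def urgency(row):
        if row["days_left"] is None:
            return (1, 0)
        return (0, row["days_left"])

    return sorted(rows, key=urgency)


def triage_json(feed_text: str, inventory: list, today_str: str) -> list:
    """Convenience wrapper taking feed text and an ISO date string."""
    return triage(load_kev(feed_text), inventory, _parse(today_str))


if __name__ == "__main__":
    # Constructed list of CVEs a scanner reported; the last one is a
    # placeholder that is deliberately not in the sample catalogue.
    found = ["CVE-2016-4117", "CVE-2020-1938", "CVE-2099-0001"]
    for row in triage_json(SAMPLE_KEV_JSON, found, "2022-03-20"):
        print(row)
```

Feeding the real catalogue in place of SAMPLE_KEV_JSON needs no code change, since only the record shape is assumed; the point of keeping not_in_kev rows is that a CVE missing from the catalogue is a prioritisation signal, not a reason to drop it from the backlog.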
CISA’s list also includes bugs in products that have long since reached end of life, such as Adobe Flash Player. Recent advisories show that many organisations still run outdated software, which is risky because it remains open to exploitation.
Several of the Adobe Flash Player flaws in the catalogue carry a critical severity score of 9.8 out of 10. Oddly enough, these Flash Player vulnerabilities are more than half a decade old; CVE-2016-1019 and CVE-2016-4117, for instance, are nearly a decade old, a clear sign that they still need to be patched.
The oldest vulnerability dates back 20 years: a privilege escalation flaw tracked as CVE-2002-0367, which affects the smss.exe debugging subsystem in Windows 2000 and Windows NT.
CISA recommends that all entities remediate the newly added issues in its catalogue and urges everyone, particularly organisations in the public and private sectors, to apply security updates.
Experts also point out that firms can mitigate many cyber-attack incidents simply by applying security updates promptly.