CISA Requires Federal Agencies to Patch New Microsoft Vulnerability
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency has directed all federal agencies to urgently patch a major vulnerability in the Microsoft Windows Server program.
CISA Director Christopher Krebs, a two-time Wash100 awardee, said that while there have been no reported cases of the vulnerability being exploited, it could still allow remote attackers to enter systems if not fixed, The Hill reported Thursday.
“Due to the wide prevalence of Windows Server in civilian Executive Branch agencies, I’ve determined that immediate action is necessary, and federal departments and agencies need to take this remote code execution vulnerability in Windows Server’s Domain Name System particularly seriously,” Krebs wrote in a blog post.
Krebs gave federal agencies until Friday afternoon to update their Windows servers and until July 24 to establish new technical and management controls and to report to CISA that they have completed the patch.
While the requirement was only for federal agencies, the CISA director encouraged other government agencies and private-sector organizations to also fix the vulnerability immediately.
“They should identify whether this critical vulnerability exists on their networks and assess their plan to immediately address this significant threat. If you have Windows Servers running DNS, you should patch now. Don’t wait on this one,” Krebs said.
In January, CISA also ordered all agencies to patch critical Microsoft vulnerabilities discovered by the National Security Agency, The Hill reported.
The vulnerabilities included those that could expose systems to breaches or surveillance, such as a code flaw that could allow hackers to enter a system by forging a digital signature.