CISA Directs Agencies to Patch 17 New Actively Exploited Cyber Vulnerabilities
The Cybersecurity and Infrastructure Security Agency has added 17 new entries to its list of actively exploited cyber vulnerabilities.
The agency published the catalog’s first entries on Nov. 3, 2021, as part of Binding Operational Directive 22-01, which legally compels agencies to protect government information and information systems.
CISA issued the binding operational directive in response to “persistent and increasingly sophisticated malicious cyber campaigns” that threaten the private and public sectors, according to the DHS website.
In 2021, U.S. organizations faced a series of high-profile cyber incidents, such as the SolarWinds Orion hack, which compromised government networks, and the ransomware attack on oil pipeline operator Colonial Pipeline.
In a Nov. 3 announcement, the Department of Homeland Security said the directive applies to all federal information software and hardware, including those managed by government contractors.
The 17 new entries include flaws that allow hackers to steal credentials, access networks, execute commands remotely, embed malware or steal information.
Ten of the vulnerabilities are required to be patched within the first week of February. Agencies have until the second half of July to patch the remaining seven.
According to the Nov. 3 directive, agencies are also required to provide CISA a copy of the changes they make to their vulnerability management policies and procedures.