CISA Requires Agencies to Patch Eight Newly Discovered Cybersecurity Vulnerabilities

The Cybersecurity and Infrastructure Security Agency has added eight new entries to its list of known exploited cybersecurity vulnerabilities.

Government agencies are required to patch the software flaws in accordance with Binding Operations Directive 22-01, which legally compels agencies to protect government information and information systems, CISA said.

The agency issued the binding operational directive in response to “persistent and increasingly sophisticated malicious cyber campaigns” that threaten the private and public sectors, according to the Department of Homeland Security website.

CISA published its Known Exploited Vulnerability Catalog on Nov. 3, 2021. According to a previous memo, CISA updates the list if it finds evidence that a CVE-listed vulnerability is actively being exploited and has a clear remediation action.

The list currently has 351 entries. The latest eight include flaws that could allow malicious actors to remotely execute code, perform privilege escalation, launch denial-of-service attacks and execute arbitrary code with system-level privileges.

The vulnerabilities were found in products offered by Microsoft, Intel, Apple, Sonic, the GNU project, Grandsteam and SonicWall.

CISA required agencies to patch two of the vulnerabilities before Feb. 11. Agencies have until July 28 to patch the remaining six.

Agencies are also required to provide CISA a copy of the changes they make to their vulnerability management policies and procedures.

While BOD 22-01 only applies to Federal Civilian Executive Branch agencies, CISA advised other organizations to also take steps to mitigate the threat.