Last Updated on 05/03/2022 by Nidhi Khandelwal
The United States’ Cybersecurity and Infrastructure Security Agency (CISA) published 95 new security weaknesses to its Known Exploited Vulnerabilities Catalog this week, bringing the total number of actively exploited vulnerabilities to 478.
In a March 3, 2022 alert, the agency stated, “These types of vulnerabilities are a common attack vector for malevolent cyber actors and represent significant risk to the federal organization.”
There are 38 Cisco vulnerabilities, 27 Microsoft vulnerabilities, 16 Adobe vulnerabilities, seven Oracle vulnerabilities, and one each for Apache Tomcat, ChakraCore, Exim, Mozilla Firefox, Linux Kernel, Siemens SIMATIC CP, and Treck TCP/IP stack.
Five vulnerabilities in Cisco RV routers were uncovered, according to CISA, and are being exploited in real-world assaults. The weaknesses, which were discovered early last month, allow arbitrary code to be executed with root capabilities.
Three of the vulnerabilities – CVE-2022-20699, CVE-2022-20700, and CVE-2022-20708 – have a CVSS rating of 10 out of 10, allowing an attacker to insert malicious instructions, elevate privileges to root, and run arbitrary code on susceptible systems.
CVE-2022-20701 (CVSS score: 9.0) and CVE-2022-20703 (CVSS score: 9.3) are similar in that they can “execute arbitrary code, elevate privileges, overcome authentication and authorisation restrictions, fetch and run unsigned software, or cause a denial of service,” according to CISA.
Cisco, for one, has already stated that it is “aware that proof-of-concept exploit code for several of the vulnerabilities is available.” The nature of the attacks, as well as the threat actors who may be weaponizing them, is unknown at this time.
