Source URL: https://www.cisa.gov/news-events/alerts/2024/09/16/cisa-adds-two-known-exploited-vulnerabilities-catalog
Source: Alerts
Title: CISA Adds Two Known Exploited Vulnerabilities to Catalog
Feedly Summary: CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-43461 Microsoft Windows MSHTML Platform Spoofing Vulnerability
CVE-2024-6670 Progress WhatsUp Gold SQL Injection Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
AI Summary and Description: Yes
Summary: The text discusses the addition of two new vulnerabilities to CISA’s Known Exploited Vulnerabilities Catalog, emphasizing their significance as attack vectors for cyber threats. The inclusion underlines the importance of timely remediation of these vulnerabilities for both federal and non-federal agencies.
Detailed Description: The content focuses on the recent updates from CISA regarding vulnerabilities that could be exploited by malicious cyber actors. The following points highlight the essence of this announcement:
– **New Vulnerabilities Identified**:
– **CVE-2024-43461**: A spoofing vulnerability within the Microsoft Windows MSHTML platform.
– **CVE-2024-6670**: A SQL injection vulnerability in Progress WhatsUp Gold.
– **CISA’s Known Exploited Vulnerabilities Catalog**:
– This catalog serves as a crucial resource listing CVEs that present significant risks, specifically targeting the federal enterprise.
– The catalog acts as a living document, evolving to include new vulnerabilities as they are identified.
– **Binding Operational Directive (BOD) 22-01**:
– Issued to reduce the significant risk associated with known exploited vulnerabilities.
– Mandates Federal Civilian Executive Branch (FCEB) agencies to address and remediate vulnerabilities by specified deadlines.
– Reinforces the goal of protecting FCEB networks against active and emerging cyber threats.
– **Recommendations for Organizations**:
– While BOD 22-01 applies specifically to federal agencies, CISA recommends that all organizations adopt proactive measures in their vulnerability management practices.
– Timely remediation of cataloged vulnerabilities is emphasized as a crucial strategy to mitigate exposure to cyberattacks.
– **Future Updates**:
– CISA will continue adding vulnerabilities that meet the criteria for the catalog, thereby maintaining its relevance as a critical resource for risk management.
In summary, the text underscores the necessity and urgency for organizations to be vigilant regarding newly identified vulnerabilities and the broader implications for network security. Security and compliance professionals should take this note seriously, as failure to comply with the guidelines set forth by CISA could lead to significant security events.