US Adds 17 Exploited Bugs to "Must Patch" List
A US government security agency has added 17 vulnerabilities currently being actively exploited in the wild to a database of bugs that federal agencies must fix.
The Known Exploited Vulnerabilities Catalog was launched in November last year as part of Binding Operational Directive (BOD) 22-01, designed to make civilian federal government agencies more cyber-resilient.
An initial list of just over 300 CVEs, some of which dated as far back as 2010, has been steadily added to since. The latest update includes vulnerabilities that could be exploited for various ends, including denial of service, privilege escalation, authentication bypass and information disclosure.
Attackers are using them to steal information and credentials, execute malware, access networks and more.
Among the most interesting is CVE-2021-32648, which came to light last week and is an improper authentication flaw in the October CMS. It was exploited in a wide-ranging campaign to hijack and deface Ukrainian government websites.
Another is CVE-2021-35247, listed as an improper input validation vulnerability in SolarWinds Serv-U file servers.
Microsoft researchers discovered it being exploited in Log4j attacks in an attempt to compromise Windows domain controllers. Such attacks failed because Windows domain controllers aren’t vulnerable to Log4Shell.
However, it must be