CISA Orders Federal Agencies to Fix Actively Exploited Windows Bug

Feb. 18 is the deadline to patch a bug that affects all unpatched versions of Windows 10 and requires zero user interaction to exploit.

CISA is putting the thumbscrews on federal agencies to get them to patch an actively exploited Windows vulnerability.

On Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that it added the vulnerability – tracked as CVE-2022-21882 and with a CVSS criticality rating of 7.0 – to its Known Exploited Vulnerabilities Catalog.

The move means that Federal Civilian Executive Branch (FCEB) agencies have until Feb. 18, 2022 to remediate the vulnerability, which affects all unpatched versions of Windows 10.

“These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise,” CISA said.

Exploitation Likely

CVE-2022-21882 is a privilege-escalation bug in Windows 10 that doesn’t require much in the way of privileges to exploit: a nasty scenario, particularly given that an exploit requires zero user interaction.

It’s been tagged with an “Exploitation More Likely” exploitability index assessment.

Microsoft addressed the bug as part of its January 2022 Patch Tuesday updates: a sprawling set of patches that dealt with

Read More: