4 November 2021

CISA orders federal agencies to patch almost 300 security bugs exploited in the wild



The Cybersecurity and Infrastructure Security Agency (CISA) has released its first binding operational directive (BOD) in 2021, ordering federal agencies to resolve nearly 300 vulnerabilities used by cybercriminals in attacks.

The new directive, named "BOD 22-01 Reducing the Significant Risk of Known Exploited Vulnerabilities", applies to both software and hardware in federal information systems, with or without Internet access, including systems operated by federal agencies or by third parties on behalf of an agency.

"BIG step forward today in protecting Federal Civilian Networks—Binding Operational Directive (BOD) 22-01 establishes timeframes for mitigation of known exploited vulnerabilities and requires improvements in vulnerability management programs. The BOD applies to federal civilian agencies; however, ALL organizations should adopt this Directive and prioritize mitigating vulnerabilities listed on our public catalog, which are being actively used to exploit public and private organizations," said CISA Director Jen Easterly.

CISA has also published a list of hundreds of exploitable vulnerabilities that expose government IT systems to the risk of cyberattacks if successfully used by hackers.

Currently, the list includes 200 vulnerabilities identified between 2017 and 2020, and 90 vulnerabilities discovered in 2021. CISA regularly updates the list with newly discovered vulnerabilities if they meet the following conditions:

  • The vulnerability has an assigned Common Vulnerabilities and Exposures (CVE) ID.

  • There is reliable evidence that the vulnerability has been actively exploited in the wild.

  • There is a clear remediation action for the vulnerability, such as a vendor-provided update.

"The catalog will list exploited vulnerabilities that carry significant risk to the federal enterprise with the requirement to remediate within 6 months for vulnerabilities with a Common Vulnerabilities and Exposures (CVE) ID assigned prior to 2021 and within two weeks for all other vulnerabilities. These default timelines may be adjusted in the case of grave risk to the Federal Enterprise," CISA said.
