CISA

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal civilian agencies to patch a Google Chrome zero-day and a critical Redis vulnerability within the next three weeks, both actively exploited in the wild.

According to a Google advisory published on Friday, the Chrome zero-day security flaw (tracked as CVE-2022-1096) is a high severity type confusion weakness in the Chrome V8 JavaScript engine that could allow threat actors to execute arbitrary code on targeted devices.

The Muhstik malware gang has added a dedicated spreader exploit for the Redis Lua sandbox escape vulnerability (tracked as CVE-2022-0543) after a proof-of-concept (PoC) exploit was publicly released on March 10th.

According to a binding operational directive (BOD 22-01) issued in November, Federal Civilian Executive Branch Agencies (FCEB) agencies must secure their systems against these vulnerabilities, with CISA giving them until April 18th to patch.

"These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise," the U.S. cybersecurity agency explained.

CISA added 30 more vulnerabilities to its Known Exploited Vulnerabilities Catalog today based on evidence that they are also exploited in the wild.

Although BOD 22-01 only applies to FCEB agencies, CISA also urges private and public sector orgs to prioritize mitigation of these flaws to reduce exposure to ongoing cyberattacks.

Hundreds of security flaws under active exploitation

CISA has added hundreds of vulnerabilities to its catalog of actively exploited bugs this year, ordering federal agencies to patch them as soon as possible to avoid security breaches.

Last Friday, the agency added 66 other bugs exploited in attacks, including a Windows Print Spooler bug (CVE-2022-21999), allowing code execution as SYSTEM.

CISA also added a Mitel TP-240 VoIP interface flaw (CVE-2022-26143) exploited for record-breaking DDoS attack amplification with ratios of roughly 4.3 billion to 1.

Since the start of 2022, the cybersecurity agency has ordered federal civilian agencies to patch actively exploited zero-days in:

Related Articles:

CISA warns of more Palo Alto Networks bugs exploited in attacks

SolarWinds Web Help Desk flaw is now exploited in attacks

CISA says critical Fortinet RCE flaw now exploited in attacks

Critical Ivanti RCE flaw with public exploit now used in attacks

CISA warns of actively exploited Apache HugeGraph-Server bug