CISA has added six vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue and ordered federal agencies to patch them following the vendors' instructions.

CISA, the U.S. Cybersecurity and Infrastructure Security Agency, has instructed federal agencies to remediate the vulnerabilities newly added to the KEV, as the directive requires. CISA has set the government agencies a deadline of 6 October.

Exploiting some of the vulnerabilities added to the list gives an attacker local privilege escalation or admin-level access to the system, while two of them allow malicious code to be executed remotely, known as Remote Code Execution (RCE).

These vulnerabilities were found between 2010 and 2022, the majority of them in 2013; the 2013 flaws were used by the Tizi spyware, which was built to get into the social media accounts of Android users.

The security flaws found in 2013 are:

  • CVE-2013-6282: local privilege escalation, used for rooting Android devices.
  • CVE-2013-2597: local privilege escalation via an overflow in the Code Aurora audio driver.
  • CVE-2013-2596: local privilege escalation via a Linux kernel integer overflow.
  • CVE-2013-2094: local privilege escalation in the Linux kernel.

CISA also added the oldest bug in the KEV, disclosed in 2010. This was the bug responsible for spreading the Stuxnet worm, which set back the country's development of nuclear weapons by destroying machines at the Natanz uranium enrichment plant.

The bug found in 2010 is CVE-2010-2568; it allows a remote attacker to inject malicious code into the system.
The latest security issue added to the list was identified a month ago and is the only flaw from this year. Attackers exploited it against Trend Micro Apex One and Apex One as a Service.
This recently identified bug, CVE-2022-40139, is described as an improper validation issue.

The full list of vulnerabilities is publicly available on the official Known Exploited Vulnerabilities website.
The directive from November 2021, Binding Operational Directive 22-01, makes it the legal responsibility of all federal civilian agencies to remediate every vulnerability CISA adds to the Known Exploited Vulnerabilities catalogue, in order to maintain a secure environment.
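Agencies subject to BOD 22-01 typically turn the published catalogue into a patch worklist: which entries match products they actually run, and how many days remain before each due date. The script below is an added example of that triage, not CISA tooling or code from the article. It parses a constructed excerpt laid out like the public KEV JSON feed (the field names cveID, vendorProject, product, shortDescription, dateAdded and dueDate are an assumption based on that feed and should be checked against the live download), using the six CVE IDs named above, a due date of 2022-10-06 (the article's 6 October deadline, with the year assumed), and a constructed host inventory.

```python
"""Triage a KEV-style feed against a local asset inventory.

Added example; not CISA tooling. It parses records laid out like the public
KEV JSON feed (field names are an assumption based on that feed; check them
against the live download) and reports which catalogue entries apply to the
products you run and whether the BOD 22-01 due date has passed.
"""
import json
from datetime import date

# Constructed sample feed. The six CVE IDs are those named in the article; the
# vendor/product labels, descriptions and dates are illustrative, with the due
# date taken from the article's 6 October deadline (year assumed to be 2022).
SAMPLE_FEED = json.dumps({
    "title": "Constructed KEV-style catalogue excerpt",
    "count": 6,
    "vulnerabilities": [
        {"cveID": "CVE-2013-6282", "vendorProject": "Linux", "product": "Kernel",
         "shortDescription": "Local privilege escalation used to root Android devices.",
         "dateAdded": "2022-09-15", "dueDate": "2022-10-06"},
        {"cveID": "CVE-2013-2597", "vendorProject": "Code Aurora", "product": "Audio driver",
         "shortDescription": "Overflow in the Code Aurora audio driver (local privilege escalation).",
         "dateAdded": "2022-09-15", "dueDate": "2022-10-06"},
        {"cveID": "CVE-2013-2596", "vendorProject": "Linux", "product": "Kernel",
         "shortDescription": "Linux kernel integer overflow (local privilege escalation).",
         "dateAdded": "2022-09-15", "dueDate": "2022-10-06"},
        {"cveID": "CVE-2013-2094", "vendorProject": "Linux", "product": "Kernel",
         "shortDescription": "Linux kernel local privilege escalation.",
         "dateAdded": "2022-09-15", "dueDate": "2022-10-06"},
        {"cveID": "CVE-2010-2568", "vendorProject": "Microsoft", "product": "Windows",
         "shortDescription": "Remote code execution; the bug abused by the Stuxnet worm.",
         "dateAdded": "2022-09-15", "dueDate": "2022-10-06"},
        {"cveID": "CVE-2022-40139", "vendorProject": "Trend Micro", "product": "Apex One",
         "shortDescription": "Improper validation issue in Apex One and Apex One as a Service.",
         "dateAdded": "2022-09-15", "dueDate": "2022-10-06"},
    ],
})

# Constructed inventory: (vendorProject, product) -> hostnames running it.
SAMPLE_INVENTORY = {
    ("Linux", "Kernel"): {"build-01", "ci-runner-02"},
    ("Trend Micro", "Apex One"): {"epp-console-01"},
}


def load_kev(feed_json):
    """Parse a KEV-style JSON document and return its vulnerability records."""
    doc = json.loads(feed_json)
    return list(doc.get("vulnerabilities", []))


def days_until_due(entry, today):
    """Signed days from `today` (ISO date string) to the due date; negative means overdue."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(today)).days


def overdue(entries, today):
    """CVE IDs whose BOD 22-01 due date has already passed on `today`."""
    return sorted(e["cveID"] for e in entries if days_until_due(e, today) < 0)


def affected_hosts(entries, inventory):
    """Map each catalogue CVE to the inventory hosts that run the matching product.

    Entries with no matching product are omitted, so the result is the
    patch worklist for this environment only.
    """
    worklist = {}
    for e in entries:
        hosts = inventory.get((e["vendorProject"], e["product"]))
        if hosts:
            worklist[e["cveID"]] = sorted(hosts)
    return worklist


def triage_report(feed_json, inventory, today):
    """One summary line per applicable CVE, most urgent (fewest days left) first."""
    entries = load_kev(feed_json)
    worklist = affected_hosts(entries, inventory)
    by_id = {e["cveID"]: e for e in entries}
    lines = []
    for cve in sorted(worklist, key=lambda c: (days_until_due(by_id[c], today), c)):
        left = days_until_due(by_id[cve], today)
        status = "OVERDUE" if left < 0 else f"{left} day(s) left"
        lines.append(f"{cve}: {status}; hosts={','.join(worklist[cve])}")
    return lines


if __name__ == "__main__":
    for line in triage_report(SAMPLE_FEED, SAMPLE_INVENTORY, "2022-10-01"):
        print(line)
```

The inventory match is deliberately exact on (vendorProject, product): the catalogue's own labels are the join key, so an agency's asset inventory has to be normalised to them before this lookup is meaningful. Entries for products not in the inventory (here the Windows and Code Aurora records) drop out of the worklist but remain in the overdue check, which is the view an auditor of BOD 22-01 compliance would want.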