The US Cybersecurity and Infrastructure Security Agency (CISA) added 95 new security weaknesses to its Known Exploited Vulnerabilities Catalog this week, bringing the total number of actively exploited vulnerabilities to 478. In a March 3, 2022 report, the agency said, “These types of vulnerabilities are a common attack vector for malevolent cyber actors and represent significant risk to the federal organisation.”
There are 38 Cisco vulnerabilities, 27 Microsoft vulnerabilities, 16 Adobe vulnerabilities, seven Oracle vulnerabilities and one each for Apache Tomcat, ChakraCore, Exim, Mozilla Firefox, Linux Kernel, Siemens SIMATIC CP and Treck TCP/IP stack.
Five vulnerabilities in Cisco RV routers were uncovered and are being exploited in real-world attacks. The weaknesses, which were discovered early last month, allow arbitrary code to be executed with root privileges. Three of the vulnerabilities (CVE-2022-20699, CVE-2022-20700, and CVE-2022-20708) have a CVSS rating of 10 out of 10, allowing an attacker to insert malicious instructions, elevate privileges to root and run arbitrary code on susceptible systems.
CVE-2022-20701 (CVSS score: 9.0) and CVE-2022-20703 (CVSS score: 9.3) are similar in that they can “execute arbitrary code, elevate privileges, overcome authentication and authorisation restrictions, fetch and run unsigned software, or cause a denial of service.”
Federal agencies in the United States are required to implement the fixes by March 17, 2022, to lessen the significant risk of the vulnerabilities and prevent them from being used as a vector for prospective cyber-attacks.
Cisco, for one, has already stated that it is aware that proof-of-concept exploit code for several of the vulnerabilities is available. The nature of the attacks, as well as the threat actors who may be weaponizing them, is unknown at this time.
Finally, the researchers concluded: “The news comes only days after Cisco issued updates for serious security flaws in the Expressway Series and Cisco TelePresence (VCS) that might allow a hostile actor to obtain elevated access and execute arbitrary code.”