Security News > 2022 > January > CISA adds 17 vulnerabilities to list of bugs exploited in attacks

CISA adds 17 vulnerabilities to list of bugs exploited in attacks
2022-01-22 20:36

This week, the Cybersecurity and Infrastructure Security Agency added seventeen actively exploited vulnerabilities to the 'Known Exploited Vulnerabilities Catalog.

The 'Known Exploited Vulnerabilities Catalog' is a list of vulnerabilities that have been seen abused by threat actors in attacks and that are required to be patched by Federal Civilian Executive Branch agencies.

With the addition of these 17 vulnerabilities, the catalog now contains a total of 341 vulnerabilities and includes the date by which agencies must apply security updates to resolve the bug.

Of particular interest are the CVE-2021-32648 and CVE-2021-35247 vulnerabilities, which were disclosed this week to be actively exploited in attacks.

The new 'SolarWinds Serv-U Improper Input Validation' vulnerability tracked as CVE-2021-35247 was discovered by Microsoft to be exploited to propagate Log4j attacks to Windows domain controllers configured as LDAP servers.

While attacks using the Serv-U vulnerability ultimately failed, as Windows domain controllers are not vulnerable to Log4j exploits, CISA requires agencies to fix the vulnerability by February 4th, 2022.


News URL

https://www.bleepingcomputer.com/news/security/cisa-adds-17-vulnerabilities-to-list-of-bugs-exploited-in-attacks/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-01-10 CVE-2021-35247 Improper Input Validation vulnerability in Solarwinds Serv-U
Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized.
network
low complexity
solarwinds CWE-20
5.3
2021-08-26 CVE-2021-32648 Unspecified vulnerability in Octobercms October
octobercms in a CMS platform based on the Laravel PHP Framework.
network
low complexity
octobercms
critical
9.1