Security News > 2022 > February > CISA orders federal agencies to patch actively exploited Windows bug
The Cybersecurity and Infrastructure Security Agency has ordered federal agencies to patch their systems against an actively exploited Windows vulnerability that enables attackers to gain SYSTEM privileges.
Per a binding operational directive issued in November and today's announcement, all Federal Civilian Executive Branch Agencies agencies are now required to patch all systems against this vulnerability, tracked as CVE-2022-21882 within two weeks, until February 18th. While BOD 22-01 only applies to FCEB agencies, CISA strongly urges all private and public sector organizations to reduce their exposure to ongoing cyberattacks by adopting this Directive and prioritizing mitigation of vulnerabilities included in its catalog of actively exploited security flaws.
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below," the cybersecurity agency said today.
"These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise."
This vulnerability affects systems running Windows 10 1909 or later, Windows 11, and Windows Server 2019 and later without the January 2022 Patch Tuesday updates.
The bug is also a bypass of another Windows Win32k privilege escalation bug, a zero-day flaw patched in February 2021 and actively exploited in attacks since at least the summer of 2020.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-01-11 | CVE-2022-21882 | Out-of-bounds Write vulnerability in Microsoft products Win32k Elevation of Privilege Vulnerability | 7.8 |