
CISA warns orgs to patch actively exploited Chrome, Redis bugs
2022-03-28 22:01

The U.S. Cybersecurity and Infrastructure Security Agency has ordered federal civilian agencies to patch, within the next three weeks, a Google Chrome zero-day and a critical Redis vulnerability that are actively exploited in the wild.

The Muhstik malware gang has added a dedicated spreader exploit for the Redis Lua sandbox escape vulnerability after a proof-of-concept exploit was publicly released on March 10th. According to a binding operational directive issued in November, Federal Civilian Executive Branch (FCEB) agencies must secure their systems against these vulnerabilities, with CISA giving them until April 18th to patch.

CISA added 30 more vulnerabilities to its Known Exploited Vulnerabilities Catalog today based on evidence that they are also exploited in the wild.

Although BOD 22-01 only applies to FCEB agencies, CISA also urges private and public sector orgs to prioritize mitigation of these flaws to reduce exposure to ongoing cyberattacks.

CISA has added hundreds of vulnerabilities to its catalog of actively exploited bugs this year, ordering federal agencies to patch them as soon as possible to avoid security breaches.

Last Friday, the agency added 66 other bugs exploited in attacks, including a Windows Print Spooler bug that allows code execution as SYSTEM. CISA also added a Mitel TP-240 VoIP interface flaw exploited for record-breaking DDoS attack amplification with ratios of roughly 4.3 billion to 1.


News URL

https://www.bleepingcomputer.com/news/security/cisa-warns-orgs-to-patch-actively-exploited-chrome-redis-bugs/

Related vendor

VENDOR (LAST 12M)   #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Redis               4            4     10       15     4          33