CISA orders agencies to fix actively exploited VMware, Chrome bugs
2022-04-15 16:40

The Cybersecurity and Infrastructure Security Agency has added nine more security flaws to its list of actively exploited bugs, including a VMware privilege escalation flaw and a Google Chrome zero-day that could be used for remote code execution.

A Chrome zero-day was also included in CISA's Known Exploited Vulnerabilities (KEV) catalog: the bug, tracked as CVE-2022-1364, allows remote code execution due to a V8 type confusion weakness.

All Federal Civilian Executive Branch (FCEB) agencies must patch their systems against these security bugs once they are added to CISA's KEV list, according to a November binding operational directive.

On Thursday, CISA also added the critical VMware remote code execution bug, now used in attacks to deploy cryptominer payloads.

Even though the BOD 22-01 directive only applies to US FCEB agencies, CISA also strongly urges all US organizations from the private and public sectors to give patching these actively exploited bugs a higher priority.

Since the BOD 22-01 binding directive was issued, CISA has added hundreds of flaws to its catalog of actively exploited bugs, ordering US federal agencies to patch them as soon as possible to block security breaches.


News URL

https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-fix-actively-exploited-vmware-chrome-bugs/

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
| 2022-07-26 | CVE-2022-1364 | Type Confusion vulnerability in Google Chrome. Type confusion in V8 Turbofan in Google Chrome prior to 100.0.4896.127 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (network, low complexity, google, CWE-843) | 8.8 |

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Vmware 146 11 222 256 102 591