
A year on, CISA realizes debunked vuln actually a dud and removes it from must-patch list
2023-12-06 14:45

A security vulnerability that was previously added to CISA's Known Exploited Vulnerabilities catalog, recognized by CVE Numbering Authorities, and included in reputable threat reports is now being formally rejected by infosec organizations.

CISA removed CVE-2022-28958 from its KEV on December 1, two days after the National Vulnerability Database revoked its "Vulnerability" status following a months-long review.

VulnCheck CTO Jacob Baines branded it a "Fake vulnerability" in December 2022, two months after CISA added it to the KEV, after looking into the proof of concept code provided by the original reporter.

Baines found the PoC code featured "a glaring error" in that it sent the malicious request to the wrong endpoint, meaning the vulnerability didn't achieve RCE as previously believed.

"The vulnerability should not be listed by MITRE, and it should not be in the CISA Known Exploited Vulnerabilities Catalog. We filed a dispute with MITRE and shared our findings with CISA in October 2022."

"Incorrectly reported vulnerabilities can lead to unnecessary alarm and resource allocation in the cybersecurity community. They can also undermine trust in the reporting and cataloging systems that are crucial for effective vulnerability management."


News URL

https://go.theregister.com/feed/www.theregister.com/2023/12/06/dud_cve_removed/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                           RISK
2022-05-18  CVE-2022-28958  Rejected reason: DO NOT USE THIS CVE RECORD.  0.0