Security News

The U.S. Cybersecurity and Infrastructure Security Agency on Thursday moved to add a critical SAP security flaw to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. The issue in question is CVE-2022-22536, which has received the highest possible risk score of 10.0 on the CVSS vulnerability scoring system and was addressed by SAP as part of its Patch Tuesday updates for February 2022.

The U.S. Cybersecurity and Infrastructure Security Agency has added seven vulnerabilities to its list of bugs actively exploited by hackers, with the new flaws disclosed by Apple. The 'Known Exploited Vulnerabilities Catalog' is a list of vulnerabilities shared by CISA that are known to be actively exploited in cyberattacks and must be patched by Federal Civilian Executive Branch agencies.

The U.S. Cybersecurity and Infrastructure Security Agency on Tuesday added a recently disclosed security flaw in the UnRAR utility to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. Tracked as CVE-2022-30333, the issue concerns a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a maliciously crafted RAR archive.

It's time to reorganize the US government and create a new agency focused solely on on digital risk management services, according to former CISA director Chris Krebs. Or, if that's too ambitious for Uncle Sam, Krebs proposed to at least pull CISA out of the Department of Homeland Security and make it a sub-cabinet agency that's allowed to operate independently.

The U.S. Cybersecurity and Infrastructure Security Agency has added two more flaws to its catalog of Known Exploited Vulnerabilities, based on evidence of active exploitation. Officially tracked as CVE-2022-34713 and informally referred to as DogWalk, the security flaw in MSDT allows an attacker to place a malicious executable into the Windows Startup folder.

The U.S. Cybersecurity and Infrastructure Security Agency on Thursday added a recently disclosed high-severity vulnerability in the Zimbra email suite to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation. The issue in question is CVE-2022-27924, a command injection flaw in the platform that could lead to the execution of arbitrary Memcached commands and theft of sensitive information.

The U.S. Cybersecurity and Infrastructure Security Agency on Friday added the recently disclosed Atlassian security flaw to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. The vulnerability, tracked as CVE-2022-26138, concerns the use of hard-coded credentials when the Questions For Confluence app is enabled in Confluence Server and Data Center instances.

CISA has added a critical Confluence vulnerability tracked as CVE-2022-26138 to its list of bugs abused in the wild, a flaw that can provide remote attackers with hardcoded credentials following successful exploitation. Today, CISA added the CVE-2022-26138 to its catalog of Known Exploited Vulnerabilities based on evidence of active exploitation.

A handful of vulnerabilities, some critical, in MiCODUS GPS tracker devices could allow criminals to disrupt fleet operations and spy on routes, or even remotely control or cut off fuel to vehicles, according to CISA. And there's no fixes for these security flaws. "Successful exploitation of these vulnerabilities could allow an attacker control over any MV720 GPS tracker, granting access to location, routes, fuel cutoff commands, and the disarming of various features," the US government agency warned in an advisory posted Tuesday.

A Windows 11 vulnerability, part of Microsoft's Patch Tuesday roundup of fixes, is being exploited in the wild, prompting the U.S. Cybersecurity and Infrastructure Security Agency to advise patching of the elevation of privileges flaw by August 2. The recommendation is directed at federal agencies and concerns CVE-2022-22047, a vulnerability that carries a CVSS score of high and exposes Windows Client Server Runtime Subsystem used in Windows 11 and also Windows Server 2022 to attack.