CISA creates a catalog of known exploited vulnerabilities and orders federal agencies to fix them on a deadline
The U.S. Cybersecurity and Infrastructure Security Agency today published a catalog of known exploited vulnerabilities and issued a Binding Operational Directive (BOD 22-01) ordering U.S. federal civilian agencies to patch the affected systems within a set time frame. The catalog currently lists 306 vulnerabilities, some of them dating back to 2010 but still being exploited in the wild.
These include vulnerabilities in products from Cisco, Google, Microsoft, Apple, Oracle, Adobe, Atlassian, IBM, and many other companies large and small.
For vulnerabilities disclosed this year (CVE IDs of the form CVE-2021-*****), CISA has ordered all U.S. federal agencies to apply the patches by November 17, 2021.
For older vulnerabilities, agencies must patch their systems by May 3, 2022.
“These vulnerabilities pose significant risks to agencies. Known exploited vulnerabilities must be actively remediated to protect federal information systems and reduce cyber incidents,” CISA said in the binding operational directive issued today.
In a tweet announcing the agency’s new effort, CISA Director Jen Easterly said that while a binding operational directive can only compel U.S. federal agencies to act, virtually every organization should fix the listed vulnerabilities, because the same flaws are used to attack private entities as well.
In a press release, CISA also said it plans to add new entries to the catalog as further vulnerabilities are found to be actively exploited.
To that end, CISA also provides an RSS feed so that IT and security teams can watch for new entries in the catalog.
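One way to act on the catalog programmatically, as an added example that is not code from CISA or from the original article: the script below parses a feed in the shape of CISA's KEV JSON export (the field names `cveID`, `dueDate` and so on are an assumption about that feed; the sample feed is constructed here with placeholder CVE IDs, not real entries), reports which entries are past their deadline, falls back to the two deadlines stated above when an entry carries no `dueDate`, and lists entries not yet seen, which is what a team polling the feed would do on each refresh.

```python
import json
import re
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names are an
# assumption about the feed; the CVE IDs are placeholders, not real entries.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2021.11.03",
    "dateReleased": "2021-11-03T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2021-0001", "vendorProject": "VendorA", "product": "ProductA",
         "vulnerabilityName": "Placeholder 2021 flaw", "dateAdded": "2021-11-03",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2021-11-17"},
        {"cveID": "CVE-2010-0002", "vendorProject": "VendorB", "product": "ProductB",
         "vulnerabilityName": "Placeholder 2010 flaw", "dateAdded": "2021-11-03",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-05-03"},
        # Entry without a dueDate, to exercise the fallback to the article's rule.
        {"cveID": "CVE-2021-0003", "vendorProject": "VendorC", "product": "ProductC",
         "vulnerabilityName": "Placeholder 2021 flaw", "dateAdded": "2021-11-03",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Deadlines the article states for the initial catalog.
DUE_2021_CVES = date(2021, 11, 17)
DUE_OLDER_CVES = date(2022, 5, 3)

CVE_RE = re.compile(r"CVE-(\d{4})-\d{4,}$")


def load_catalog(feed_text):
    """Parse the feed text and return its list of vulnerability entries,
    checking that the advertised count matches what was actually received."""
    data = json.loads(feed_text)
    entries = data["vulnerabilities"]
    if data.get("count") is not None and data["count"] != len(entries):
        raise ValueError("feed count does not match number of entries")
    return entries


def due_date(entry):
    """Deadline for an entry: the catalog's own dueDate when present, otherwise
    the article's rule (2021 CVEs by 2021-11-17, earlier CVEs by 2022-05-03)."""
    if entry.get("dueDate"):
        return date.fromisoformat(entry["dueDate"])
    m = CVE_RE.match(entry["cveID"])
    if not m:
        raise ValueError("malformed CVE ID: %r" % entry["cveID"])
    return DUE_2021_CVES if int(m.group(1)) == 2021 else DUE_OLDER_CVES


def overdue(entries, today):
    """CVE IDs whose deadline has already passed as of `today` (a date or an
    ISO date string). The due date itself is still on time."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return [e["cveID"] for e in entries if today > due_date(e)]


def new_since(entries, seen_ids):
    """Entries whose CVE ID is not in the set of IDs already being tracked."""
    return [e for e in entries if e["cveID"] not in seen_ids]


if __name__ == "__main__":
    entries = load_catalog(SAMPLE_FEED)
    print("new:", [e["cveID"] for e in new_since(entries, {"CVE-2021-0001"})])
    print("overdue on 2021-11-18:", overdue(entries, "2021-11-18"))
    print("overdue on 2022-05-04:", overdue(entries, "2022-05-04"))
```

In practice `SAMPLE_FEED` would be replaced by the text fetched from the catalog feed, and the set passed to `new_since` would be the IDs stored after the previous poll; the `dueDate` field, when the feed supplies it, should always take precedence over the derived deadline, since later additions to the catalog carry their own due dates.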