The Cybersecurity and Infrastructure Security Agency (CISA) has published 8 new actively exploited vulnerabilities, one of those vulnerabilities recently fixed by Apple.
CISA has added the vulnerabilities to its Known Exploited Vulnerabilities database “based on evidence that threat actors are actively exploiting the vulnerabilities.”
Released just this week, the latest Apple iOS 15.3 and macOS (Monterey 12.2, Big Sur 11.6.3) security updates addressed one of these newly added vulnerabilities: a zero-day code execution CVE-2022-22587 with known exploits in the wild.
“A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited,” Apple said.
The latest exploited vulnerabilities are listed in the table below (as provided by CISA):
|CVE Number||CVE Title||Required Action Due Date|
|CVE-2022-22587||Apple IOMobileFrameBuffer Memory Corruption Vulnerability||2/11/2022|
|CVE-2021-20038||SonicWall SMA 100 Appliances Stack-Based Buffer Overflow Vulnerability||2/11/2022|
|CVE-2014-7169||GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability||7/28/2022|
|CVE-2014-6271||GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability||7/28/2022|
|CVE-2020-0787||Microsoft Windows Background Intelligent Transfer Service (BITS) Improper Privilege Management Vulnerability||7/28/2022|
|CVE-2014-1776||Microsoft Internet Explorer Use-After-Free Vulnerability||7/28/2022|
|CVE-2020-5722||Grandstream Networks UCM6200 Series SQL Injection Vulnerability||7/28/2022|
|CVE-2017-5689||Intel Active Management Technology (AMT), Small Business Technology (SBT), and Standard Manageability Privilege Escalation Vulnerability||7/28/2022|
To add, the SonicWall vulnerability CVE-2021-20038 was fixed last December as part of new firmware updates for SMA 100 Series remote access devices.
The Microsoft BITS vulnerability CVE-2020-0787 was also identified as one of the top vulnerabilities exploited in 2020 by cybersecurity experts in the Australia, U.K., and U.S. governments.
Interestingly, many of these vulnerabilities are extremely old, three of them date back to 2014.
- CISA: Take these urgent steps to protect your organization against potential critical cybersecurity threats
- Apple releases iOS 15.3, macOS Monterey 12.2 and other product security updates (with fixes for zero-day vulnerability exploit in wild)
- SonicWall releases new firmware updates for SMA 100 Series remote access devices