CISA adds 8 new actively exploited vulnerabilities (to include latest Apple zero-day)

The Cybersecurity and Infrastructure Security Agency (CISA) has published 8 new actively exploited vulnerabilities, one of which was recently fixed by Apple.

CISA has added the vulnerabilities to its Known Exploited Vulnerabilities database “based on evidence that threat actors are actively exploiting the vulnerabilities.”

Released just this week, the latest Apple iOS 15.3 and macOS (Monterey 12.2, Big Sur 11.6.3) security updates addressed one of these newly added vulnerabilities: a zero-day code execution vulnerability, CVE-2022-22587, with known exploits in the wild.

“A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited,” Apple said.

The latest exploited vulnerabilities are listed in the table below (as provided by CISA):

| CVE Number | CVE Title | Required Action Due Date |
| --- | --- | --- |
| CVE-2022-22587 | Apple IOMobileFrameBuffer Memory Corruption Vulnerability | 2/11/2022 |
| CVE-2021-20038 | SonicWall SMA 100 Appliances Stack-Based Buffer Overflow Vulnerability | 2/11/2022 |
| CVE-2014-7169 | GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability | 7/28/2022 |
| CVE-2014-6271 | GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability | 7/28/2022 |
| CVE-2020-0787 | Microsoft Windows Background Intelligent Transfer Service (BITS) Improper Privilege Management Vulnerability | 7/28/2022 |
| CVE-2014-1776 | Microsoft Internet Explorer Use-After-Free Vulnerability | 7/28/2022 |
| CVE-2020-5722 | Grandstream Networks UCM6200 Series SQL Injection Vulnerability | 7/28/2022 |
| CVE-2017-5689 | Intel Active Management Technology (AMT), Small Business Technology (SBT), and Standard Manageability Privilege Escalation Vulnerability | 7/28/2022 |

The SonicWall vulnerability CVE-2021-20038 was fixed last December as part of new firmware updates for SMA 100 Series remote access devices.

The Microsoft BITS vulnerability CVE-2020-0787 was also identified as one of the top vulnerabilities exploited in 2020 by cybersecurity experts in the Australian, U.K., and U.S. governments.

Interestingly, many of these vulnerabilities are extremely old; three of them date back to 2014.