CISA lists 7 critical vulnerabilities exploited by hackers in the wild

CISA has added seven new vulnerabilities to its list of bugs that are actively exploited by threat actors, following the latest flaws published by Apple, SAP, Google and Microsoft.

The flaws have to be patched by Federal Civilian Executive Branch (FCEB) agencies. With the inclusion of these seven vulnerabilities, the updated catalog now has 801 CVEs, and under the CISA mandate the agencies affected by these flaws must apply the associated patches by Sep 8th, 2022.

Seven vulnerabilities that need to be patched

CVE Number       Vulnerability Title
CVE-2017-15944   Palo Alto Networks PAN-OS Remote Code Execution Vulnerability
CVE-2022-21971   Microsoft Windows Runtime Remote Code Execution Vulnerability
CVE-2022-26923   Microsoft Active Directory Domain Services Privilege Escalation Vulnerability
CVE-2022-2856    Google Chrome Intents Insufficient Input Validation Vulnerability
CVE-2022-32893   Apple iOS and macOS Out-of-Bounds Write Vulnerability
CVE-2022-32894   Apple iOS and macOS Out-of-Bounds Write Vulnerability
CVE-2022-22536   SAP Multiple Products HTTP Request Smuggling Vulnerability

Seven Vulnerabilities listed by CISA Patch Catalog

Taking a look at the seven critical vulnerabilities in detail

  • The CVE-2022-22536 flaw was disclosed by Onapsis earlier this year with a severity rating of 10/10. CISA immediately alerted the IT community to patch it, as it could lead to data theft, access to business-sensitive data, ransomware attacks and other malicious attacks. The details of the flaw were discussed at the Black Hat security conference, where it was mentioned that attackers are actively exploiting the flaw in the wild.
  • In addition, Apple released macOS, iOS and iPadOS security updates for the CVE-2022-32894 and CVE-2022-32893 vulnerabilities. These flaws can be used to exploit the device through code execution and kernel privileges, which could allow complete compromise and takeover of devices.
  • Also, the CVE-2022-2856 vulnerability was identified in Google Chrome 101.0.5112.101 recently. Microsoft handled the CVE-2022-21971 vulnerability in the Feb 2022 Patch Tuesday; however, the details about exploitation weren't disclosed.
  • Similarly, CVE-2022-26923, an AD Services Privilege Elevation Vulnerability, was fixed in May 2022, and in this case the details about the flaw were disclosed.
  • The seventh and final vulnerability is the Palo Alto Networks CVE-2017-15944 remote code execution vulnerability, which was first disclosed in 2017.

The case of the Palo Alto Networks vulnerability is surprising: the flaw was reported five years ago, but there are devices that are still vulnerable to this exploit.

Security and IT teams are requested to look into the Known Exploited Vulnerabilities Catalog published by CISA and patch the listed flaws within their environment ASAP.

William Marshal

William has been one of the key contributors to 'The Cybersecurity Times', with 9.5 years of experience in cybersecurity journalism. Apart from writing, he also likes hiking, skating and coding.
