Privacy Ninja

CISA Alerts Federal Agencies of Ancient Bugs Still Being Exploited

CISA Alerts Federal Agencies of Ancient Bugs Still Being Exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its list of known exploited vulnerabilities with 15 new security issues that serve as a frequent attack vector against federal enterprises.

The latest additions vary in terms of severity and disclosure date, some of them being rated as medium risks while others are as old as 2013.

In combination with other factors such as a threat actor’s foothold on the network, old and unpatched devices, and/or device exposure on the public internet, the vulnerabilities are a serious security gap and an opportunity for adversaries.

Also Read: Top 25 Data Protection Statistics That You Must Be Informed

Ancient bugs on the list

CISA compiled the new list after finding evidence that the security issues newly added to the Catalog of Known Exploited Vulnerabilities are used in ongoing attacks.

Of the 15 entries, only four are more recent, from 2021 and another from 2020. The rest are more than two years old, the oldest of them from 2013 – a bug in the WinVerifyTrust function tracked as CVE-2013-3900, which affects Windows versions starting XP SP2 to Server 2012.

Another aged vulnerability is from 2015, a remote code execution in IBM WebSphere Application Server and Server Hy Server Hypervisor Edition, identified as CVE-2015-7450 and rated as critical (severity level 9.8 out of 10).

The table below shows all the vulnerabilities that CISA wants federal agencies to remediate this month to boost defenses against active threats. CISA recommends applying available updates as per vendor instructions.

Also Read: Completed DPIA Example: 7 Simple Helpful Steps To Create

CVE identifierDescriptionRemediation due dateNVD severity rating
CVE-2021-22017VMware vCenter Server Improper Access Control Vulnerability1/24/20225.3 (medium)
CVE-2021-36260Hikvision Improper Input Validation Vulnerability1/24/20229.8 (critical)
CVE-2021-27860FatPipe WARP, IPVPN, and MPVPN Privilege Escalation vulnerability1/24/20228.8 (high)
CVE-2020-6572Google Chrome prior to 81.0.4044.92 Use-After-Free Vulnerability7/10/20228.8 (high)
CVE-2019-1458Microsoft Win32K Elevation of Privilege Vulnerability7/10/20227.8 (high)
CVE-2019-7609Elastic Kibana Remote Code Execution Vulnerability7/10/202210.0 (critical)
CVE-2019-2725Oracle WebLogic Server, Injection Vulnerability7/10/20229.8 (critical)
CVE-2019-9670Synacor Zimbra Collaboration Suite Improper Restriction of XML External Entity Reference Vulnerability7/10/20229.8 (critical)
CVE-2019-10149Exim Mail Transfer Agent (MTA) Improper Input Validation Vulnerability7/10/20229.8 (critical)
CVE-2019-1579Palo Alto Networks PAN-OS Remote Code Execution Vulnerability7/10/20228.1 (high)
CVE-2018-13383Fortinet FortiOS and FortiProxy Improper Authorization Vulnerability7/10/20226.5 (medium)
CVE-2018-13382Fortinet FortiOS and FortiProxy Improper Authorization Vulnerability7/10/20227.5 (high)
CVE-2017-1000486Primetek Primefaces Application Remote Code Execution Vulnerability7/10/20229.8 (critical)
CVE-2015-7450IBM WebSphere Application Server and Server Hy Server Hypervisor Edition Remote Code Execution Vulnerability7/10/20229.8 (critical)
CVE-2013-3900Elastic Kibana Remote Code Execution Vulnerability7/10/2022N/A

CISA’s catalog of known exploited vulnerabilities is part of the Binding Operational Directive (BOD) 22-01 for reducing security risks and for better vulnerability management.

Under this directive, federal civilian agencies have to identify in their systems the security issues listed in the catalog, and to remediate them.

Although the catalog is aimed mainly at federal civilian agencies, it is a good reference for organizations of all types to reduce their exposure to cyber risks.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us